DE102021005227A1 - File generator for checking a file for a security system for a vehicle - Google Patents

Abstract

The invention relates to a file generator (11) for generating an output file (22) for checking an input file (21) for a security system (9) of a vehicle (1), the file generator (11) having a file generation module (12) and a database with reference files (14) that have formal features, wherein the file generation module (12) has parameters for generating formal features and is designed and set up, depending on the input file (21) and values of the parameters, the output file (22) with functional features and at least to generate a formal feature which is adapted to at least one formal feature of at least one of the reference files (14), the input file (21) and the output file (22) each forming at least part of a respective computer program for controlling the security system (9) and functional characteristics of the input file (21) in their entirety the same functions as the functional Have characteristics of the output file (22).

Description

The invention relates to a file generator for generating an output file for checking a file for a security system for a vehicle and a method for generating an output file for checking a file for a security system for a vehicle.

Assistance systems for autonomous driving of vehicles can have algorithms that can generate program parts for controlling a safety system of a vehicle. In order to be able to check such newly generated parts of a program code, these program parts can be decompiled.

A file generator for generating an output file for checking an input file for a security system of a vehicle is proposed. The file generator has a file generation module and a database with reference files. The reference files have formal characteristics. The file generation module has parameters for generating formal features and is designed and set up to generate the output file with functional features and at least one formal feature, which is adapted to at least one formal feature of at least one of the reference files, depending on the input file and values of the parameters . The input file and the output file each form at least part of a respective computer program for controlling the security system. Overall, functional features of the input file have the same functions as the functional features of the output file.

The input file preferably completely forms the computer program for controlling the security system. The reference files preferably include programs or parts of programs, in particular subfunctions and/or subroutines. In particular, the reference files include text in a high-level language such as C, C++, Matlab, Matlab-Simulink or Fortran, or in a description language such as VHDL-x or Verilog. The reference files are preferably programmed by a human. A further variant also includes an embodiment in which the reference files are machine-programmed. The reference files preferably also have functional features.

The term "file" means in particular a series of characters that can be stored or is stored on a data carrier or a storage medium. In particular, the input and output files can each form a text with characters. The characters include letters and numbers. In a special embodiment, the characters can also have images or diagrams, in particular symbols such as are used in flow charts.

The input file and/or the output file each preferably have a machine-readable format. The input and output files each preferably form a computer program that can be compiled. Accordingly, it is possible in particular to generate a first executable program or a second executable program by compiling the input file and the output file.

A processor of the security system is designed and set up in particular to process the first and second executable programs, in particular to read them in and to execute commands contained in the first and second executable programs.

The functional characteristics of the input file preferably include a textual description of all operations performed by the processor when executing the first executable file. Similarly, the functional features of the output file preferably include a description in text form of all operations that the processor performs when processing the second executable file.

In particular, the functional characteristics of the input file have, in their entirety, the same functions as the functional characteristics of the output file if a first result of executing the first executable file using the processor is always the same as a second result of executing the second executable file using the processor is. For example, the input file can provide for first integrating values into an integral and then calculating a function value as a function of the integral and a function, while the output file can provide for first calculating and calculating a plurality of function values, each depending on the individual values and the function then perform an integration of the function values. In both cases, depending on the property of the function, the same result can be obtained. "Always" means in particular that the first result is independent of the values of variables of the input or output file is equal to the second result.

According to a further development, the functional features of the input file have in particular the same functions as the functional features of the output file when the processor is Running the second and first executable runs the same commands.

The formal features include, for example, a way in which line spacing, naming of variables and/or a subdivision of the functional features into sub-functions are implemented in the input file, reference file or output file. According to one variant, the formal features can be features that have no influence on the functioning of the processor when processing the first or second executable file. If, for example, there is a different division of the functional features into subfunctions in the input file or output file, the first and second executable program can still be identical after the input file or output file has been compiled.

According to a further variant, the formal characteristics of the input file can differ from the formal characteristics of the output file in such a way that a way in which the first result when executing the first executable file and the second result when executing the second executable file using the processor is achievable is different, but the first result is equal to the second result. This applies in particular to all possible combinations of values of the variables in the input or output file.

For example, a first concatenation of specifications, which initially provides for the integration described above to be carried out and then for a calculation of the function value, to be a first formal feature of the input or output file. In the same way, a second concatenation of specifications, which first provides for a calculation of the individual function values and then for the implementation of the integration, can be a second formal feature of the input or output file. The first concatenation prescribes a different order of calculation steps compared to the second concatenation. If a result is the same after applying the first or second chaining of the regulations, the respective order of the first or second chaining can form a respective formal feature of the input or output file. The calculation steps of the first and second linking of the regulations, taken together, each indicate a respective example of a functional feature of the input or output file.

The processor can be part of a control unit of the security system. The safety system can be an ABS, ESP, airbag or ASR system, for example. Control of the safety system also includes regulation of the safety system.

The output file has at least one formal feature that is at least matched to the one formal feature of the at least one reference file. The output file preferably has a number of formal features which are adapted to a number of features of at least one of the reference files and preferably of a number of reference files. All formal features of the original file are advantageously adapted to formal features of the reference files, in particular to formal features of an individual reference file.

Because at least one formal feature of the original file is adapted to at least one formal feature of the at least one reference file, the original file is easier to read for a person, in particular a programmer, who is supposed to check the original file. This makes it easier to check the input file, in particular when the input file is generated by an artificial intelligence (AI) algorithm. For example, an "unrolled" loop in the first generated executable may exist in the output file as a "normal" loop. Furthermore, designations of variables in the input file can be adapted to variable names that are frequently used in the reference files. Due to the fact that the functional features of the input file have the same functions as the functional features of the output file in their entirety, it is sufficient to check the input file only to check the output file.

Furthermore, the proposed file generator can also be used in software development in which several different programmers program programs. In particular, it is possible to standardize names for variables in an automated manner. Furthermore, it is possible to unify a structural configuration of various programs programmed by different programmers. A respective structural design of the input file, the reference file and the output file can belong to the formal features of the input file, reference file or output file within the meaning of the invention.

A further embodiment provides that the file generator has a first checking module that is designed and set up to carry out a first check as to whether the functional features of the input file have the same functions as the functional features of the output file.

This can automatically verify that the first result is equal to the second result, regardless of whether the processor is running the first or second executable.

A further configuration provides that the first checking module has a SAT solver and is designed and set up to carry out the first check using the SAT solver. The SAT solver means a solver that can check, for example, whether the input file and the output file can be fulfilled as part of the respective computer program or as the respective computer program as a whole. “Achievable” means in particular whether an executable application of the first or second executable file can be provided on the processor by selecting a combination of values of the variables contained in the input file or in the output file. The term SAT solver is derived from the English "satisfiability", whereby the term can be translated as "satisfiability".

In this sense, the SAT solver can solve a decision problem. In particular, the SAT solver is designed and set up to check whether a propositional logic formula can be satisfied. The SAT solver is advantageously designed and set up to generate a first propositional formula for the input file and a second propositional formula for the output file and to check whether they can be fulfilled. According to an advantageous development, the SAT solver is designed and set up to generate a third propositional logic formula that compares values of variables in the input file with values of variables in the output file.

The third propositional formula is in particular in the form of a connected Boolean expression. The boolean expression can have the value 0 or 1, depending on the values that the variables of the input file or the output file take. The SAT solver preferably forms the third propositional logic formula in such a way that its Boolean expression assumes the value 1 if the functional features of the input file have the same functions as the functional features of the output file. This applies in particular if the third propositional formula always has the value “1” regardless of the values of the variables, in particular of any combination of the values of the variables. If this is the case, it can be ensured in particular that the processor achieves the same result when processing the first and second executable file.

A further configuration provides that the first checking module has an SMT solver and is designed and set up to carry out the first check using the SMT solver. The SMT solver means a solver that is trained and set up to apply methods of the "satisfiability modulo theory". Compared to the SAT solver, the SMT solver may preferably have expressions that summarize complex expressions, particularly Boolean expressions used in the SAT solver. This allows the SMT solver to work at a more abstract level, allowing the use of higher mathematics theories. In particular, theories about the real numbers, integers, theories about data structures such as lists, arrays and bit vectors can be applied using the SMT solver.

A further embodiment provides that the file generator has a second checking module that is designed and set up to evaluate a similarity between the formal feature of the original file and the at least one formal feature of the at least one reference file. The second verification module is preferably designed and set up to determine a metric that indicates a degree of similarity between the formal feature of the output file and the at least one formal feature of the at least one reference file. In particular, the metric can indicate a similarity between a total of all formal features of the output file and a number of formal features of the at least one reference file, in particular a number of reference files.

The second verification module can advantageously be used to regenerate the output file as a function of the input file, but changing the values of the parameters. This makes it possible to further adapt the formal characteristics of the source file to the formal characteristics of the reference files.

In a further refinement, it is provided that the file generator has an adaptation module which is designed and set up to adapt the values of the parameters to an output value of the second checking module. The adaptation module allows the values of the parameters to be adapted as a function of the output value of the second checking module, in particular in an automated manner.

In a further refinement, it is provided that the second checking module is in the form of a discriminator which is designed and set up to output the output value as a binary to output the output value and to determine the binary output value depending on the formal characteristic of the output file. For example, the binary output value can assume the value “1” if the formal feature of the output file is similar to at least one formal feature of the at least one reference file. Otherwise, the binary output value preferably assumes the value "0". With the help of the binary output value, it is possible to easily decide whether the values of the parameters should be further adjusted or not.

A further embodiment provides that the file generation module and the second verification module form a generative adversarial network (GAN). This refinement can be implemented particularly easily if the second checking module is designed in the form of a discriminator. The generative adversarial network can allow the formal features of the reference files to be learned by training the GAN using the reference files in unsupervised learning. As a result, it may be possible to dispense with manually specifying the formal characteristics.

The term "module" as used herein describes any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic or combination of hardware, software, firmware, artificial intelligence and/or fuzzy logic, capable of performing the functionality associated with each "module".

Furthermore, a method for generating an output file for checking an input file of a safety system for a vehicle is proposed. The procedure has the following steps. In a first step, the input file is read. In a second step, the output file is generated using a file generation module depending on the input file. The input file and the output file each form at least part of a respective computer program for controlling the security system. Furthermore, functional characteristics of the input file have, in their entirety, the same functions as the functional characteristics of the output file. In a third step, at least one formal feature of the original file is adapted to at least one formal feature of a reference file. The numbering of the steps does not determine the order in which the steps are processed. In particular, the third step can be carried out simultaneously with the second step. The formal feature of the reference file can be used in particular when formulating a boundary condition when generating the output file.

Furthermore, a computer program product is proposed. The computer program comprises a program which, when executed by a computer, causes the computer to carry out the proposed method.

• 1 ein Fahrzeug mit einem Steuergerät, einem Sensorsystem und einer Kl-Einheit;
• 2 einen Dateigenerator zum Erzeugen einer Ausgangsdatei zur Überprüfung einer Eingangsdatei für ein Sicherheitssystem des in 1 gezeigten Fahrzeugs;
• 3 den in 2 gezeigten Dateigenerator mit einem zweiten Überprüfungsmodul;
• 4 den in 2 gezeigten Dateigenerator mit einem Dateigenerierungsmodul mit einem Kompilierer und einem Dekompilierer;
• 5 Schritte eines Verfahrens zum Erzeugen einer Ausgangsdatei zur Überprüfung einer Eingangsdatei für ein Sicherheitssystem des in 1 gezeigten Fahrzeugs.

Advantageous developments of the invention are specified in the dependent claims. Preferred exemplary embodiments are explained in more detail with reference to the following figures. It shows schematically

• 1 a vehicle with a control unit, a sensor system and an AI unit;
• 2 a file generator for generating an output file for checking an input file for a security system of the in 1 vehicle shown;
• 3 the in 2 shown file generator with a second verification module;
• 4 the in 2 shown file generator with a file generation module with a compiler and a decompiler;
• 5 Steps of a method for generating an output file for checking an input file for a security system of the in 1 shown vehicle.

1 shows a vehicle 1 with a control unit 6, a sensor system 3 and an AI unit 2. The sensor system 3 preferably includes several different types of sensors, such as a lidar, a radar, and a wheel speed sensor. The sensor system 3 is designed and set up in particular to detect a traffic situation in which the vehicle 1 is located. The traffic situation can be described, for example, by an arrangement and in particular a movement of vehicles 4 around vehicle 1 . Furthermore, the traffic situation can be described using respective speed values and acceleration values of the surrounding vehicles 4 and a speed and an acceleration of the vehicle 1 . The respective speed and acceleration values of vehicles 4 and vehicle 1 can be referred to as traffic data and can be generated using sensor system 3 .

The traffic data are preferably stored and preferably processed during the traffic situation by means of an evaluation unit 5 of the vehicle 1 . As a result, the traffic situation can be recorded and documented, in particular stored, in the form of a reference traffic situation. Analogous to the reference traffic situation tion, further reference traffic situations can be recorded, in particular stored, at several different points in time using further traffic data, which can be generated analogously to the traffic data using the sensor system 3 .

The AI unit 2 is advantageously designed and set up to generate executable files or parts of executable files for controlling, in particular rules, a safety system 9 of the vehicle 1 as a function of the traffic data and/or the additional traffic data.

The files generated in this way can be transferred from the AI unit 2 to the control device 6 . The AI unit 2 is preferably designed and set up to store a first generated executable file 10 in a memory 7 of the control unit 6 . The first generated executable file 10 can in particular have commands for controlling or regulating the security system 9 using the control device 6 . The commands of the first generated executable file 10 can be used in particular to control or regulate the safety system 9 in new traffic situations that are each similar to one of the reference traffic situations. After detecting one of the new traffic situations as a traffic situation similar to one of the reference traffic situations, the control device 6 can execute the commands of the first generated executable file 10 in order to control or regulate the security system 9 . Generating first executable file 10 can thus be regarded as training or adapting safety system 9 while vehicle 1 is in operation.

A processor 8 of control device 6 can load first executable file 10 into a cache of processor 8 and process it. Processing within the meaning of the invention is understood to mean executing commands contained in the first executable file 10 by means of the processor 8 . If the processor 8 executes the commands of the first executable file 10, then the security system 9 of the vehicle 1 is controlled, in particular regulated.

2 shows a file generator 11 for generating an output file 22 for checking an input file 21 for the security system 9 of the vehicle 1. According to a variant of the file generator 11, the first executable file 10 can be the input file 21.

The first executable file 10 can be converted into a first text file using a decompiler. The first text file represents, for example, program code in a high-level language such as C++. According to a further exemplary embodiment, the first text file is the input file 21. It goes without saying that the first text file can be converted into a program that the processor 8 can run by compiling. The input file 21 in the form of the first text file is therefore suitable for the security system 9. The file generator 11 advantageously has the compiler. The first text file is also referred to below as the input text.

The output file 22 is preferably a second text in a high-level language such as C++. The second text is referred to below as the source text. It is possible that the language of the input text differs from the language of the source text. The input text can be written in the high-level language C and the source text in the high-level language C++.

The file generator 11 has a file generation module 12 and a database 13 with reference files 14 . The reference files 14 have formal features. The file generation module 12 has parameters for generating formal features and is designed and set up to generate the output file 22 with functional features and at least one formal feature depending on the input file 21 and values of the parameters. The formal feature of the output file 22 is adapted to at least one formal feature of at least one reference file 14.1 of the reference files 14.

The input file 21 and the output file 22 each form at least part of a respective computer program, in particular a respective computer program, for controlling the security system 9 . Furthermore, the functional features of the input file 21 have the same functions as the functional features of the output file 22 in their entirety.

The formal feature can be, for example, a line spacing, a font size, an indication of a program structure or a type of a function or sub-function, such as this or these are used in the reference file 14.1 or in the reference files 14. Correspondingly, by changing a respective value of a first, second, third and/or fourth parameter of the file generation module 12, a line spacing, a font size, an indication of a program structure or a type of a function or sub-function of the output file can be changed. The values of the first, second, third and/or fourth parameters are preferably changed in such a way that the formal feature of the output file is as similar as possible to the forma len feature of the reference file 14.1 or the reference files 14 is. Such a change or adjustment of the values of the parameters can be done manually in a simple variant.

The file generator can have a decompiler to generate the output file 22 depending on the input file 21 . In this case, the first executable file 10 is preferably the input file 21. In this embodiment, the first, second, third and/or fourth parameters can be degrees of freedom of the decompiler.

2 also shows a possible embodiment in which the file generator 11 has a first checking module 15 . The first checking module 15 is designed and set up to carry out a first check. When the first check is carried out, the first check module 15 checks whether the functional features of the input file 21 have the same functions as the functional features of the output file 22 in their entirety. The first checking module 15 advantageously has an SMT solver and is designed and set up to carry out the first check using the SMT solver.

According to a preferred embodiment, the first checking module 15 is designed and set up to convert the input text into a first translated text and the source text into a second translated text. The first and second translated text advantageously describes the input text or the output text in a first-order predicate logic. The SMT solver is advantageously designed and set up to use the first and second translated text to check whether the functional features of the input file 21 have the same functions as the functional features of the output file 22 in their entirety.

The file generation module 12 preferably has at least one first interface 17, which can be used for entering the values of the parameters. Information about the formal characteristics of the reference files 14 can preferably be entered via the interface 17 or another interface. This information can contain, for example, information about the line spacing, the font size, information about the program structure or the type of function or sub-function of the reference file 14.1.

3 shows a further embodiment of the file generator 11. Components of the in 3 File generator 11 shown, which has the same reference numbers as components of the in 2 shown file generator 11 have the same functions as those in 2 shown components. In addition to the in 2 shown embodiment, the file generator 11 according to 3 a second verification module 18 on.

The second verification module 18 is designed and set up to evaluate a similarity between the formal feature of the output file 22 and the at least one formal feature of the at least one reference file 14.1.

The second checking module 18 is advantageously designed in the form of an AI module. The second checking module 18 can in particular have a neural network, such as a multilayer perceptron, and/or a convolutional neural network (CNN). The second verification module 18 is preferably trained in such a way that it can detect at least the formal feature of the reference file 14.1, in particular the formal features of the reference files 14. A single training data record for training the second checking module advantageously includes one of the reference files 14 or is generated using at least one of the reference files 14 . The reference files 14 can be created manually or automatically. A respective training data record is advantageously generated for all reference files 14 .

The formal features of the respective reference files can each be described by means of a training data vector, for example. Values of the respective training data vector can have the font size and/or the type of the function of the corresponding reference file 14, for example. Analogously, the formal feature or formal features of the output file 22 can be described using a test data vector. Values of the respective test data vector can have the font size and/or the type of the function of the output file 22, for example.

The second verification module 18 can evaluate the similarity between the formal feature of the output file 22 and the at least one formal feature of the at least one reference file 14.1, for example by the second verification module 18 determining the smallest distance between the test data vector and the respective training data vectors. For this purpose, the second checking module 18 preferably calculates a norm of a respective difference vector. The respective difference vectors can be formed as respective differences between the test data vector and the respective training vectors. The respective distance can be calculated as the norm of the difference vectors. The smallest distance only gives a very simple example of how the second verification module 18 can determine a metric that is a measure of the similarity between the formal feature of the Aus transition file 22 and the at least one formal feature of the at least one reference file 14.1.

Conveniently, the AI module can be trained using a learning vector quantization. Here, so-called codebook vectors can be created using the training data vectors. A number of codebook vectors can be formed for each one formal feature of the reference files 14 . In an application of the second verification module 18, the test data vector can be compared to the codebook vectors. The codebook vector that most closely resembles the test data vector can activate a neuron in the verification module 18, thereby initiating a calculation of the metric.

Depending on a result of an evaluation of the similarity, the values of the parameters of the file generation module 12 can be changed, in particular adjusted. According to a simple configuration, this can also be implemented manually. The second checking module 18 outputs the result of the assessment in the form of an output value. For example, the smallest distance can be the output value of the second checking module 18 .

In a special embodiment, complementary reference files can also be used for training the second checking module 18 . The complementary reference files can be designed similarly to the reference files, with the difference that they do not have the formal characteristics of the reference files. The complementary reference files can include, for example, programs or parts of programs, in particular subfunctions and/or subroutines. With the aid of the reference files 14 and the complementary reference files, the second checking module 18 can be trained in such a way that it works like a discriminator in a trained state. The complementary reference files preferably have formal features that are different from all of the formal features of the reference files 14 .

According to an advantageous embodiment, the file generator 11 has an adaptation module 19 . The adaptation module 19 can be integrated in the file generation module 12 . The adaptation module 19 is preferably designed and set up to adapt the values of the parameters depending on the output value of the second checking module 18 in such a way that the formal feature of the output file is as similar as possible to the formal feature of the input file. The adaptation module 19 can have an algorithm, for example, which can carry out a gradient method for adapting the values of the parameters depending on the output value of the second checking module 18 . The output value of the second checking module 18 can be sent from the second checking module 18 via the interface 17 to the adaptation module 19 .

The second checking module 18 is advantageously designed in the form of a discriminator. The discriminator is designed and set up to output a binary output value and to determine the binary output value depending on the formal feature of the output file 22 . For example, the binary output value can assume the value “1” if the second checking module 18 recognizes the formal feature of the output file 22 as the at least one formal feature of the reference file 14.1. In particular, the binary output value can assume the value "1" if the metric calculated as a function of the formal feature as a measure of similarity exceeds a threshold value. If the metric is greater than the threshold value, this can be equivalent to “recognition” of one of the formal features of the reference files 14 using the second verification module 18 . If the second checking module 18 does not recognize any of the formal features of the reference files 14 in the output file 22, then the binary output value preferably assumes the value “0”.

In the event that the second verification module 18 is designed in the form of the discriminator, the second verification module 18 can preferably be trained using the reference files 14 and the complementary reference files. A respective "label", i.e. a respective target value of the output value of the second checking module 18, is preferably set to "1" during training of the second checking module 18 if the second checking module 18 uses the output value as a function of one of the reference files 14 as the input variable of the second verification module 18 is calculated. In the event that the second checking module 18 calculates the output value as a function of one of the complementary reference files as the input variable of the second checking module 18, the target value of the output value is set to “0” during the training.

A respective actually calculated output value of the second checking module 18 is always compared with the corresponding target value of the output value, in each case for the case that one of the reference files or the complementary reference files is present at an input of the second checking module 18 . Values of parameters of the second checking module 18 can be changed depending on a deviation of the respective actually calculated output value from the corresponding target value. These values are preferably changed in such a way that a sum of the deviations, in particular a mean square error sum of the deviations, is minimized. The training of the second verification module 18 is preferably carried out until the mean error sum of squares is below a predetermined limit.

The file generation module 12 can be trained using the second verification module 18 . When training the file generation module 12, further training files can be used which are the same as the input file 21 in terms of format. For example, if the input file 21 is the first executable file 10 generated, then the further training files are also executable files on the processor. For example, if the input file 21 is the first text file, then the further training files are preferably also text files, which preferably have the same format as the first text file.

When training the file generation module 12, the file generation module 12 advantageously generates a respective initial training file depending on one of the further training files. The second checking module 18 preferably generates a respective initial training value for each initial training file. The respective output training values are calculated by the second verification module 18 in the form of the above-mentioned metric as a measure of the similarity between the formal feature of the respective output training file and the at least one formal feature of the at least one reference file 14.1 or to the formal features of the reference files 14. The corresponding metric can be calculated according to one of the variants mentioned above. The same calculation variant is preferably used here as when determining the metric as a measure of the similarity between the formal feature of the output file 22 and the at least one formal feature of the at least one reference file 14.1.

Following this, the values of the parameters of the file generation module 12 can be adapted to the initial training values. If, for example, the second checking module 18 is in the form of the discriminator, the values of the parameters of the file generation module 12 are advantageously adjusted in such a way that the initial training values assume values close to “1” in a repeated run of a calculation of the initial training values.

In order to calculate a change in the values of the parameters of the file generation module 12, respective partial derivations of respective deviations of the initial training values from the value “1” can be formed according to the corresponding values of the parameters of the file generation module 12. In this sense, a backpropagation method can be applied, in which values of the partial derivatives are calculated using the values of the parameters of the second verification module 18 and the values of the parameters of the file generation module 12 . The values of the second checking module 18 preferably remain unchanged in this step. The values of the parameters of the file generation module 12 are preferably recalculated depending on the values of the partial derivatives. The training of the file generation module 12 is advantageously carried out until the average initial training values exceed a second threshold value, for example 0.8.

The second checking module 18 is preferably in the form of a neural network, for example a multilayer perceptron. Furthermore, the file generation module 12 can also have a neural network, in particular a multilayer perceptron.

The file generation module 12 preferably interacts with the second verification module 18 in such a way that the file generation module 12 and the second verification module 18 in the form of the discriminator together form a generative adversarial network (GAN).

4 FIG. 12 also shows a further embodiment of the file generator 11, in which the file generation module 12 has a compiler 41 and a decompiler 42. In this configuration, the file generation module 12 is designed and set up to generate a compiled file 23 using the compiler 41 and depending on the input file 21 and to generate the output file 22 using the decompiler 42 and depending on the compiled file 23 . This refinement can advantageously be used when the input file 21 is a program code in a high-level language such as C++. The input file 21 can in particular be programmed by a programmer, ie a human being. The decompiler may be a state of the art degrees of freedom decompiler. In this embodiment, as described above, the first, second, third and/or fourth parameters of the file generation module 12 can be a corresponding first, second, third and fourth parameter of the decompiler, respectively. Using the compiler 41 makes it possible to use the decompiler 42 when the input file 21 is text in a high-level language. It is possible for the decompiler 42 and the compiler 41 to form an autoencoder for training the decompiler 42 and/or the compiler 41 . In this In this case, the degrees of freedom of the decompiler 42 are not used during the training of the decompiler 42 and/or the compiler 41 . This means that values of parameters that realize these degrees of freedom preferably remain constant during this training.

In a further development of this embodiment, the file generator advantageously has a third checking module 43 . The third verification module 43 is designed and set up to carry out a third verification. When the third check is carried out, the third check module 43 checks whether the functional features of the input file 21 have the same functions as the functional features of the compiled file 23 in their entirety. The third checking module 43 advantageously has an SMT solver and is designed and set up to carry out the third check using the SMT solver.

According to a preferred embodiment, the third checking module 43 is designed and set up to convert the input file 21 into a further first translated text and the compiled file 23 into a further second translated text. The further first and second translated text advantageously describes a text of the input file 21 or a content of the compiled file 23 in a first-order predicate logic. The SMT solver is advantageously designed and set up to use the further first and second translated text to check whether the functional features of the input file 21 have the same functions as the functional features of the compiled file 23 in their entirety.

5 shows steps of a method for generating the output file 22 for checking the input file 21 of the security system 9 for the vehicle 1. The method has the following steps. In a first step 501, the input file 21 is read. In a second step 502, the output file 22 is generated using the file generation module 12 as a function of the input file 21. The input file 21 and the output file 22 each form at least part of a respective computer program for controlling the security system 9 . Furthermore, functional features of the input file 21 have the same functions as the functional features of the output file 22 in their entirety. In a third step 503, at least one formal feature of the output file 22 is adapted to at least one formal feature of the reference file 14.1.

Claims (10)

File generator (11) for generating an output file (22) for checking an input file (21) for a security system (9) of a vehicle (1), the file generator (11) having a file generation module (12) and a database with reference files (14), which have formal features, wherein the file generation module (12) has parameters for generating formal features and is designed and set up to assign the output file (22) with functional features and at least one formal feature as a function of the input file (21) and values of the parameters that is adapted to at least one formal feature of at least one of the reference files (14), the input file (21) and the output file (22) each forming at least part of a respective computer program for controlling the security system (9) and functional features of the input file (21) have the same overall functionality as the functional characteristics of the source file (22) have. File generator (11) after claim 1 , wherein the file generator (11) has a first checking module (15) which is designed and set up to carry out a first check as to whether the functional features of the input file (21) have the same functions as the functional features of the output file (22). File generator (11) after claim 2 , wherein the first verification module (15) has a SAT solver and is designed and set up to carry out the first check using the SAT solver. File generator (11) after claim 2 or 3 , wherein the first verification module has an SMT solver and is designed and set up to carry out the first check using the SMT solver. File generator (11) according to one of the preceding claims, wherein the file generator (11) has a second checking module (18) which is designed and set up to determine a similarity between the formal feature of the output file (22) and the at least one formal feature of the at least one Evaluate reference file (14.1). File generator (11) according to one of the preceding claims, wherein the file generator (11) has an adaptation module (19) which is designed and set up to adapt the values of the parameters to an output value of the second checking module (18). File generator (11) after claim 5 , wherein the file generation module (12) and the second verification module (18) form a generative adversarial network. File generator (11) according to one of the preceding claims, wherein the file generation module (12) has a compiler (41) and a decompiler (42) and is designed and set up using the compiler (41) and depending on the input file (21) a to generate the compiled file (23) and to generate the output file (22) using the decompiler (42) and depending on the compiled file (23). Method for generating an output file (22) for checking an input file (21) for a security system (9) of a vehicle (1) with the following steps: - Reading in the input file (21); - Generating the output file (22) using a file generation module (12) depending on the input file (21), the input file (21) and the output file (22) each forming at least part of a respective computer program for controlling the security system (9) and functional features of the input file (21) as a whole have the same functions as the functional features of the output file (22); - Adapting at least one formal feature of the output file (22) to at least one formal feature of a reference file (14.1). A computer program product comprising a program which, when executed by a computer, causes the computer to perform a method claim 9 to perform.

Images