
    Designing reliable cyber-physical systems overview associated to the special session at FDL’16

    Cyber-physical systems (CPS), which consist of a cyber part (a computing system), a physical part (the system in its physical environment) and the interfaces between the two, are omnipresent in our daily lives. The application in the physical environment drives the overall requirements that must be respected when designing the computing system. Reliability is a core aspect here, and some of the most pressing design challenges are:
    • monitoring failures throughout the computing system,
    • determining the impact of failures on the application constraints, and
    • ensuring correctness of the computing system with respect to application-driven requirements rooted in the physical environment.
    This paper provides an overview of the techniques discussed in the special session to tackle these challenges throughout the layers of the computing system while tightly coupling the design methodology to the physical requirements.

    Synthesizing Adaptive Test Strategies from Temporal Logic Specifications

    Constructing good test cases is difficult and time-consuming, especially if the system under test is still under development and its exact behavior is not yet fixed. We propose a new approach to compute test strategies for reactive systems from a given temporal logic specification using formal methods. The computed strategies are guaranteed to reveal certain simple faults in every realization of the specification and for every behavior of the uncontrollable part of the system's environment. The proposed approach supports different assumptions on occurrences of faults (ranging from a single transient fault to a persistent fault) and by default aims at unveiling the weakest one. Based on well-established hypotheses from fault-based testing, we argue that such tests are also sensitive to more complex bugs. Since the specification may not define the system behavior completely, we use reactive synthesis algorithms with partial information. The computed strategies are adaptive test strategies that react to behavior at runtime. We work out the underlying theory of adaptive test strategy synthesis and present experiments for a safety-critical component of a real-world satellite system. We demonstrate that our approach can be applied to industrial specifications and that the synthesized test strategies are capable of detecting bugs that are hard to detect with random testing.

    A toolkit for model checking of electronic contracts

    PhD Thesis. In the business world, contracts are used to regulate business interactions between trading parties. In this context, an electronic contracting system can be used to monitor business-to-business interactions to ensure that they comply with the rights (permissions), obligations and prohibitions stipulated in contract clauses. Such an electronic contracting system requires an executable version of the contract (e-contract) for compliance checking. It is important to verify the correctness properties of an e-contract before deploying it for compliance checking. Model checkers are widely used for automatic verification of concurrent systems. However, no such tool for e-contracts is yet available that lets the designer express directly and intuitively the key concepts that recur in contracts, such as executions of business operations and the granting (cancellation, suspension, fulfilment, violation, etc.) of rights, obligations and prohibitions to role players. This thesis rectifies the situation by developing a high-level e-contract verification toolkit using the Spin model checker. A formal Contractual Business-To-Business interaction (CB2B) model based on the concepts of contract compliance checking developed earlier at Newcastle University has been constructed. Further, Promela, the input language of the Spin model checker, has been extended in a manner that enables specification of contract clauses in terms of contract entities: role players, business operations, rights, obligations and prohibitions. A given contract can now be expressed using extended Promela as a set of declarations and a set of Event-Condition-Action rules. In addition, the designer can specify the correctness requirements to be verified in Linear Temporal Logic directly in terms of the contract entities. A notable feature is that the CB2B model automatically checks for contract-independent properties: properties that must hold for all contracts. 
    For example, at run time, a contract should not simultaneously grant a role player a right to perform an operation and also prohibit it. Thus, the toolkit hides much of the intricate detail of dealing with Promela processes communicating through channels and enables a designer to build verifiable abstract models directly in terms of contract entities. The usefulness of the toolkit is demonstrated by applying it to a number of contract examples used by researchers working on contract verification. The thesis also shows how the toolkit can be used for generating test cases for testing an implemented system.
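    The contract-independent property quoted above (a role player must never hold both a right and a prohibition for the same operation) is a plain safety invariant, so it can be checked by exhaustively exploring the reachable states of the Event-Condition-Action rules. The Python below is an added illustration written for this page, not the thesis's Spin/Promela toolkit: it models a hypothetical purchase-order contract as ECA rules over rights and prohibitions, and runs an explicit-state breadth-first search (the same idea a model checker applies) to find the shortest event trace that reaches a conflicting state. The contract, role and operation names are constructed for the example.

```python
from collections import deque
from typing import Callable, FrozenSet, List, Optional, Tuple

# Constructed toy model of CB2B-style contract entities (not the thesis's toolkit):
# a state is the set of rights / prohibitions currently held by role players.
Fact = Tuple[str, str, str]      # (kind, role, operation), kind in {"right", "prohibition"}
State = FrozenSet[Fact]
Event = Tuple[str, str]          # (role, operation) executed by that role
Rule = Tuple[Event, Callable[[State], bool], Callable[[State], State]]   # Event-Condition-Action

def grant(*facts: Fact) -> Callable[[State], State]:
    return lambda s: s | frozenset(facts)

def revoke(*facts: Fact) -> Callable[[State], State]:
    return lambda s: s - frozenset(facts)

def then(*actions: Callable[[State], State]) -> Callable[[State], State]:
    def apply(s: State) -> State:
        for a in actions:
            s = a(s)
        return s
    return apply

def holds(fact: Fact) -> Callable[[State], bool]:
    return lambda s: fact in s

def step(state: State, event: Event, rules: List[Rule]) -> State:
    """Fire every ECA rule whose event matches and whose condition holds, in contract order."""
    for ev, cond, action in rules:
        if ev == event and cond(state):
            state = action(state)
    return state

def right_prohibition_conflict(state: State) -> set:
    """Contract-independent invariant: no role holds both a right and a prohibition for one operation."""
    rights = {(r, op) for k, r, op in state if k == "right"}
    prohibitions = {(r, op) for k, r, op in state if k == "prohibition"}
    return rights & prohibitions

def check(initial: State, rules: List[Rule], alphabet: List[Event]) -> Optional[List[Event]]:
    """Explicit-state model checking: breadth-first search over every event sequence.
    The fact universe is finite, so the state space is finite and the search terminates.
    Returns the shortest event trace reaching a conflicting state, or None if there is none."""
    seen = {initial}
    queue = deque([(initial, [])])
    while queue:
        state, trace = queue.popleft()
        if right_prohibition_conflict(state):
            return trace
        for ev in alphabet:
            nxt = step(state, ev, rules)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [ev]))
    return None

# Constructed purchase-order contract between a Buyer and a Seller (hypothetical example).
BUYER_SUBMIT: Event = ("Buyer", "submitPO")
BUYER_CANCEL: Event = ("Buyer", "cancelPO")
SELLER_ACCEPT: Event = ("Seller", "acceptPO")
ALPHABET = [BUYER_SUBMIT, BUYER_CANCEL, SELLER_ACCEPT]

R_SUBMIT: Fact = ("right", "Buyer", "submitPO")
R_CANCEL: Fact = ("right", "Buyer", "cancelPO")
R_ACCEPT: Fact = ("right", "Seller", "acceptPO")
P_ACCEPT: Fact = ("prohibition", "Seller", "acceptPO")
INITIAL: State = frozenset({R_SUBMIT})

# Buggy clause: cancelling prohibits acceptance but forgets to revoke the Seller's right to accept.
BUGGY_CONTRACT: List[Rule] = [
    (BUYER_SUBMIT, holds(R_SUBMIT), then(revoke(R_SUBMIT), grant(R_ACCEPT, R_CANCEL))),
    (BUYER_CANCEL, holds(R_CANCEL), then(revoke(R_CANCEL), grant(P_ACCEPT))),
    (SELLER_ACCEPT, holds(R_ACCEPT), revoke(R_ACCEPT, R_CANCEL)),
]
# Fixed clause: cancelling also revokes the right, so right and prohibition never coexist.
FIXED_CONTRACT: List[Rule] = [
    (BUYER_SUBMIT, holds(R_SUBMIT), then(revoke(R_SUBMIT), grant(R_ACCEPT, R_CANCEL))),
    (BUYER_CANCEL, holds(R_CANCEL), then(revoke(R_CANCEL, R_ACCEPT), grant(P_ACCEPT))),
    (SELLER_ACCEPT, holds(R_ACCEPT), revoke(R_ACCEPT, R_CANCEL)),
]

if __name__ == "__main__":
    print("buggy contract, counterexample:", check(INITIAL, BUGGY_CONTRACT, ALPHABET))
    print("fixed contract, counterexample:", check(INITIAL, FIXED_CONTRACT, ALPHABET))
```

    The buggy contract yields the two-step counterexample submitPO, cancelPO: after cancellation the Seller is both permitted and prohibited to accept. A real toolkit would express the same invariant as an LTL formula over the contract entities and leave the state exploration to Spin; the search here is the simplest form of that check and returns the shortest trace because it is breadth-first.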

    A Hybrid Framework for the Systematic Detection of Software Security Vulnerabilities in Source Code

    In this thesis, we address the problem of detecting vulnerabilities in software where the source code is available, such as free-and-open-source software. For this, we rely on security testing. Either static or dynamic analysis can be used for security testing, yet both analyses have their advantages and drawbacks. In fact, while these analyses are different, they are complementary to each other in many ways. Consequently, approaches that combine them have the potential to become very advantageous to security testing and vulnerability detection. This has motivated the work presented in this thesis. For the purpose of security testing, security analysts need to specify the security properties that they wish to test software against for security violations. Accordingly, we firstly propose a security model called Team Edit Automata (TEA), which extends security automata. Using TEA, security analysts are capable of precisely specifying the security properties of concern. Since various code instrumentations are needed at different program points for the purpose of profiling the software behavior at run-time, we secondly propose a code instrumentation profiler. Furthermore, we provide an extension to the GCC compiler to enable such instrumentations. The profiler is based on the pointcut model of Aspect-Oriented Programming (AOP) languages and accordingly is capable of providing a large set of instrumentation capabilities to the analysts. We particularly explore the capabilities and the current limitations of AOP languages as tools for security testing code instrumentation, and propose extensions to these languages to allow them to be used for such purposes. Thirdly, we explore the potential of static analysis for vulnerability detection and illustrate its applicability and limitations. Fourthly, we propose a framework that reduces security vulnerability detection to a reachability problem. 
    The framework combines three main techniques: static analysis, program slicing, and reachability analysis. This framework mainly targets software applications that are generally categorized as safety/security critical and are of relatively small size, such as embedded software. Finally, we propose a more comprehensive security testing and test-data generation framework that provides further advantages over the proposed reachability model. This framework combines the power of static and dynamic analyses, and is used to generate concrete data with which the existence of a vulnerability is proven beyond doubt, hence mitigating a major drawback of static analysis, namely false positives. We also illustrate the feasibility of the elaborated frameworks by developing case studies for test-data generation and vulnerability detection on software of various sizes.
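    The abstract describes Team Edit Automata only as an extension of security automata, so the details of TEA are not on this page. What can be shown is the base mechanism they build on: an edit automaton, in the sense of Ligatti, Bauer and Walker, is a runtime monitor that sees each security-relevant action a program attempts and may pass it through, suppress it, or insert actions ahead of it. The Python below is an added example written for this page (not code from the thesis): it implements a generic edit-automaton monitor and a hypothetical policy, assumed for illustration, that forces an audit record before any read of a secret and suppresses network sends after such a read until the data has been sanitized. The operation names, the secret paths and the sample trace are all constructed.

```python
from typing import Callable, List, Tuple

# Constructed representation of a program's security-relevant actions: (operation, argument).
Action = Tuple[str, str]
# A transition maps (monitor state, observed action) to (new state, actions actually emitted).
# Emitting [] suppresses the action; emitting [x, action] inserts x ahead of it.
Transition = Callable[[str, Action], Tuple[str, List[Action]]]

class EditAutomaton:
    """Runtime enforcement monitor in the edit-automaton style: every action the target program
    attempts passes through `delta`, which may let it through, suppress it, or insert actions."""

    def __init__(self, start: str, delta: Transition) -> None:
        self.state = start
        self.delta = delta
        self.emitted: List[Action] = []     # what the program is actually allowed to perform
        self.suppressed: List[Action] = []  # what was attempted but dropped by the monitor

    def observe(self, action: Action) -> None:
        self.state, out = self.delta(self.state, action)
        if action not in out:
            self.suppressed.append(action)
        self.emitted.extend(out)

    def run(self, trace: List[Action]) -> Tuple[List[Action], List[Action]]:
        for action in trace:
            self.observe(action)
        return self.emitted, self.suppressed

# Hypothetical policy (assumed for illustration): a read of a secret must be audit-logged first,
# and nothing may leave over the network after a secret was read until sanitize() has run.
SECRETS = {"/etc/shadow", "secrets.env"}

def no_unsanitized_exfiltration(state: str, action: Action) -> Tuple[str, List[Action]]:
    op, arg = action
    if op == "read" and arg in SECRETS:
        # insertion: force an audit record ahead of the sensitive read, then become "tainted"
        return "tainted", [("audit", f"read {arg}"), action]
    if op == "sanitize":
        return "clean", [action]
    if op == "send" and state == "tainted":
        # suppression: the send is dropped; the program continues as if it had happened
        return state, []
    return state, [action]

def enforce(trace: List[Action]) -> Tuple[List[Action], List[Action]]:
    """Run a fresh monitor over a trace; returns (actions allowed, actions suppressed)."""
    return EditAutomaton("clean", no_unsanitized_exfiltration).run(trace)

# Constructed execution trace of a target program.
SAMPLE_TRACE: List[Action] = [
    ("read", "config.yaml"),
    ("send", "api.example"),
    ("read", "/etc/shadow"),
    ("send", "attacker.example"),
    ("sanitize", "-"),
    ("send", "api.example"),
]

if __name__ == "__main__":
    allowed, dropped = enforce(SAMPLE_TRACE)
    for a in allowed:
        print("allowed   ", a)
    for a in dropped:
        print("suppressed", a)
```

    On the sample trace the monitor inserts the audit action before the read of /etc/shadow, drops the send to attacker.example that follows it, and lets the send after sanitize through. The same transition function, viewed as a specification rather than a monitor, is the kind of property the thesis's instrumentation profiler would have to observe at the corresponding program points.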


    Model-based generation and reduction of test suites for software product lines

    Software product line engineering is a paradigm for the cost-effective development of many individual but similar software products from a common software platform. In the automotive domain, for example, a software product line (SPL) for a luxury-class car typically comprises several hundred thousand software system variants. Testing can be used to ensure that the functionality of every single product variant of an SPL conforms to its specification. Since testing each product variant separately is usually too expensive, SPL testing approaches try to exploit the commonalities between product variants during testing. Such approaches attempt to reuse suitable test artifacts or to test only a small representative set of product variants on behalf of the whole SPL. Because software product line engineering has only been in intensive use for a few years, a number of practical problems in SPL testing remain unsolved. For example, no testing approach yet exists that efficiently achieves a given degree of coverage, with respect to a chosen coverage criterion, on all product variants of an SPL. This thesis presents a black-box test case generation approach for software product lines. With this approach, a set of test cases for all product variants of an SPL can be generated efficiently from a formal specification (test model) that has been enriched with variability. This set of test cases, referred to below as a complete SPL test suite, achieves complete coverage with respect to a structural model coverage criterion on every product variant of the SPL. The efficiency of the approach rests on generating test cases that are reusable across variants. As a result, the new approach has to generate fewer test cases than if this were done separately for each product variant. 
    To reduce the number of generated test cases when needed, three test suite reduction algorithms are also presented. Compared with existing reduction algorithms for test suites of single software systems, the novelty of the presented algorithms is that they take into account the existence of test cases in an SPL test suite that are reusable across variants. This ensures that, despite test suite reduction, the SPL test suite retains complete test model coverage of every product variant. If limited resources make it impossible to test every product variant with the test cases contained in the complete SPL test suite, an SPL test suite can be used to determine a small representative set of products from the SPL whose test results allow (within limits) conclusions about the quality of the remaining product variants. To evaluate the approach, it was implemented prototypically and applied to two case studies.
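    The point of the reduction algorithms above is that a test case reusable across variants should be credited once per variant it covers, and that the reduced suite must still cover every variant completely. The Python below is an added example written for this page, not the thesis's algorithms: it treats SPL reduction as greedy set cover over (variant, model element) pairs and compares it with the naive baseline of reducing each variant's suite separately and taking the union. The test names, variants and coverage data are constructed; on them the baseline cannot tell a variant-specific test from a reusable one that covers the same element, so it falls back to name order and keeps more tests.

```python
from typing import Dict, List, Set, Tuple

# Constructed data types: a test case covers, per product variant, a set of test-model elements.
Coverage = Dict[str, Set[str]]   # variant -> elements (e.g. transitions) covered on that variant
Goal = Tuple[str, str]           # (variant, element) pair that must remain covered

def goals_of(cov: Coverage) -> Set[Goal]:
    return {(v, e) for v, elems in cov.items() for e in elems}

def all_goals(tests: Dict[str, Coverage]) -> Set[Goal]:
    return set().union(*(goals_of(c) for c in tests.values()))

def reduce_spl_suite(tests: Dict[str, Coverage]) -> List[str]:
    """Variant-aware greedy reduction: each pick maximises newly covered (variant, element)
    pairs, so a test reusable across variants is credited once per variant it serves."""
    per_test = {t: goals_of(c) for t, c in tests.items()}
    remaining = all_goals(tests)
    chosen: List[str] = []
    while remaining:
        best = max(sorted(per_test), key=lambda t: len(per_test[t] & remaining))
        chosen.append(best)
        remaining -= per_test[best]
    return sorted(chosen)

def reduce_per_variant(tests: Dict[str, Coverage]) -> List[str]:
    """Baseline: single-system greedy reduction run on every variant separately, results unioned.
    It never sees that one test serves several variants, so it cannot prefer such a test."""
    variants = sorted({v for c in tests.values() for v in c})
    selected: Set[str] = set()
    for v in variants:
        remaining = {e for c in tests.values() for e in c.get(v, set())}
        while remaining:
            best = max(sorted(tests), key=lambda t: len(tests[t].get(v, set()) & remaining))
            selected.add(best)
            remaining -= tests[best].get(v, set())
    return sorted(selected)

def keeps_full_coverage(tests: Dict[str, Coverage], chosen: List[str]) -> bool:
    """The property both reductions must preserve: every variant stays completely covered."""
    return all_goals({t: tests[t] for t in chosen}) == all_goals(tests)

# Constructed complete SPL test suite for three variants A, B, C and model elements t1..t3.
SPL_SUITE: Dict[str, Coverage] = {
    "T1": {"A": {"t1", "t2"}, "B": {"t1", "t2"}, "C": {"t1", "t2"}},  # reusable on all variants
    "T2": {"A": {"t3"}},
    "T3": {"B": {"t3"}},
    "T4": {"C": {"t3"}},
    "T5": {"A": {"t3"}, "B": {"t3"}, "C": {"t3"}},                    # reusable on all variants
    "T6": {"A": {"t1"}},
    "T7": {"B": {"t2"}},
}

if __name__ == "__main__":
    spl = reduce_spl_suite(SPL_SUITE)
    naive = reduce_per_variant(SPL_SUITE)
    print("variant-aware:", spl, "full coverage:", keeps_full_coverage(SPL_SUITE, spl))
    print("per-variant  :", naive, "full coverage:", keeps_full_coverage(SPL_SUITE, naive))
```

    On this data the variant-aware reduction keeps T1 and T5 (two tests), while the per-variant baseline keeps T1, T2, T3 and T4 (four tests); both retain complete coverage of every variant. Greedy set cover is a heuristic, not an optimum, which matches the abstract's framing of the reduction as keeping coverage rather than guaranteeing minimality.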

    Model Checking and Model-Based Testing : Improving Their Feasibility by Lazy Techniques, Parallelization, and Other Optimizations

    This thesis focuses on the lightweight formal method of model-based testing for checking safety properties, and derives a new and more feasible approach. For liveness properties, dynamic testing is impossible, so feasibility is increased by specializing on an important class of properties, livelock freedom, and deriving a more feasible model checking algorithm for it. All mentioned improvements are substantiated by experiments.