Designing reliable cyber-physical systems overview associated to the special session at FDL’16
CPS, which consist of a cyber part (a computing system), a physical part (the system in the physical environment), and the interfaces between those parts, are omnipresent in our daily lives. The application in the physical environment drives the overall requirements that must be respected when designing the computing system. Here, reliability is a core aspect, and some of the most pressing design challenges are:
• monitoring failures throughout the computing system,
• determining the impact of failures on the application constraints, and
• ensuring correctness of the computing system with respect to application-driven requirements rooted in the physical environment.
This paper provides an overview of techniques discussed in the special session to tackle these challenges throughout the stack of layers of the computing system while tightly coupling the design methodology to the physical requirements.
Synthesizing Adaptive Test Strategies from Temporal Logic Specifications
Constructing good test cases is difficult and time-consuming, especially if the system under test is still under development and its exact behavior is not yet fixed. We propose a new approach to compute test strategies for reactive systems from a given temporal logic specification using formal methods. The computed strategies are guaranteed to reveal certain simple faults in every realization of the specification and for every behavior of the uncontrollable part of the system's environment. The proposed approach supports different assumptions on occurrences of faults (ranging from a single transient fault to a persistent fault) and by default aims at unveiling the weakest one. Based on well-established hypotheses from fault-based testing, we argue that such tests are also sensitive to more complex bugs. Since the specification may not define the system behavior completely, we use reactive synthesis algorithms with partial information. The computed strategies are adaptive test strategies that react to behavior at runtime. We work out the underlying theory of adaptive test strategy synthesis and present experiments for a safety-critical component of a real-world satellite system. We demonstrate that our approach can be applied to industrial specifications and that the synthesized test strategies are capable of detecting bugs that are hard to detect with random testing.
A toolkit for model checking of electronic contracts
PhD Thesis. In the business world, contracts are used to regulate business interactions between trading parties. In this context, an electronic contracting system can be used to monitor business-to-business interactions to ensure that they comply with the rights (permissions), obligations and prohibitions stipulated in contract clauses. Such an electronic contracting system will require an executable version of the contract (e-contract) for compliance checking. It is important to verify the correctness properties of an e-contract before deploying it for compliance checking. Model checkers are widely used for automatic verification of concurrent systems. However, such tools for e-contracts with means for expressing directly and intuitively key concepts that appear recurrently in contracts, such as executions of business operations, granting (cancellation, suspension, fulfilment, violation, etc.) of rights, obligations and prohibitions to role players, are not yet available.
This thesis rectifies the situation by developing a high-level e-contract verification toolkit using the Spin model checker. A formal Contractual Business-To-Business interaction (CB2B) model based on the concepts of contract compliance checking developed earlier at Newcastle University has been constructed. Further, Promela, the input language of the Spin model checker, has been extended in a manner that enables specification of contract clauses in terms of contract entities: role players, business operations, rights, obligations and prohibitions. A given contract can now be expressed using extended Promela as a set of declarations and a set of Event-Condition-Action rules. In addition, the designer can specify the correctness requirements to be verified in Linear Temporal Logic directly in terms of the contract entities. A notable feature is that the CB2B model automatically checks for contract-independent properties: properties that must hold for all contracts. For example, at run time, a contract should not simultaneously grant a role player a right to perform an operation and also prohibit it. Thus, the toolkit hides much of the intricate detail of dealing with Promela processes communicating through channels and enables a designer to build verifiable abstract models directly in terms of contract entities.
The usefulness of the toolkit is demonstrated by trying out a number of contract examples used by researchers working on contract verification. The thesis also shows how the toolkit can be used for generating test cases for testing an implemented system.
A Hybrid Framework for the Systematic Detection of Software Security Vulnerabilities in Source Code
In this thesis, we address the problem of detecting vulnerabilities in software where the source code is available, such as free-and-open-source software. In this, we rely on the use of security testing. Either static or dynamic analysis can be used for security testing approaches, yet both analyses have their advantages and drawbacks. In fact, while these analyses are different, they are complementary to each other in many ways. Consequently, approaches that would combine these analyses have the potential of becoming very advantageous to security testing and vulnerability detection. This has motivated the work presented in this thesis.
For the purpose of security testing, security analysts need to specify the security properties against which software is to be tested for violations. Accordingly, we firstly propose a security model called Team Edit Automata (TEA), which extends security automata. Using TEA, security analysts are capable of precisely specifying the security properties under concern. Since various code instrumentations are needed at different program points for the purpose of profiling the software behavior at run-time, we secondly propose a code instrumentation profiler. Furthermore, we provide an extension to the GCC compiler to enable such instrumentations. The profiler is based on the pointcut model of Aspect-Oriented Programming (AOP) languages and accordingly it is capable of providing a large set of instrumentation capabilities to the analysts. We particularly explore the capabilities and the current limitations of AOP languages as tools for security testing code instrumentation, and propose extensions to these languages to allow them to be used for such purposes. Thirdly, we explore the potential of static analysis for vulnerability detection and illustrate its applicability and limitations. Fourthly, we propose a framework that reduces security vulnerability detection to a reachability problem. The framework combines three main techniques: static analysis, program slicing, and reachability analysis. This framework mainly targets software applications that are generally categorized as being safety/security critical and are of relatively small size, such as embedded software. Finally, we propose a more comprehensive security testing and test-data generation framework that provides further advantages over the proposed reachability model.
This framework combines the power of static and dynamic analyses, and is used to generate concrete data with which the existence of a vulnerability is proven beyond doubt, hence mitigating a major drawback of static analysis, namely false positives. We also illustrate the feasibility of the elaborated frameworks by developing case studies for test-data generation and vulnerability detection on software of various sizes.
Model-Based Generation and Reduction of Test Suites for Software Product Lines
Software product line engineering is a paradigm for the cost-effective development of many individual but similar software products from a common software platform. For example, in the automotive domain, a software product line (SPL) for a luxury-class car typically comprises several hundred thousand software system variants. Testing can be used to ensure that every single product variant of an SPL conforms to its specification in terms of functionality. Since testing each product variant separately is usually too costly, SPL testing approaches try to exploit the commonalities of the product variants during testing. These approaches attempt to reuse suitable test artifacts or to test only a small representative set of product variants on behalf of the whole SPL. Since software product line engineering has only been in wider use for a few years, some practical problems in SPL testing remain unsolved. For example, no testing approach exists so far with which a given coverage with respect to a chosen coverage criterion can be achieved efficiently on all product variants of an SPL.
This thesis presents a black-box test case generation approach for software product lines. With this approach, a set of test cases for all product variants of an SPL can be generated efficiently from a formal specification (test model) that has been enriched with variability. This set of test cases, referred to in the following as a complete SPL test suite, achieves complete coverage with respect to a structural model coverage criterion on every product variant of the SPL. The efficiency of the approach rests on the generation of test cases that are reusable across variants. As a result, the new approach has to generate fewer test cases than if this were done separately for each product variant. To be able to reduce the number of generated test cases when needed, three algorithms for test suite reduction are also presented. Compared to existing reduction algorithms for test suites of single software systems, the novelty of the presented algorithms lies in taking into account the existence of test cases in an SPL test suite that can be used across variants. This ensures that, despite test suite reduction, the complete test model coverage of every product variant by the SPL test suite is preserved. Should it not be possible, due to limited resources, to test every product variant with the test cases contained in the complete SPL test suite, an SPL test suite can be used to determine a small representative set of products from the SPL whose test results allow (to a limited extent) conclusions about the quality of the remaining product variants. To evaluate the approach, it was implemented as a prototype and applied to two case studies.
Model Checking and Model-Based Testing : Improving Their Feasibility by Lazy Techniques, Parallelization, and Other Optimizations
This thesis focuses on the lightweight formal method of model-based testing for checking safety properties, and derives a new and more feasible approach.
For liveness properties, dynamic testing is impossible, so feasibility is increased by specializing on an important class of properties, livelock freedom, and deriving a more feasible model checking algorithm for it.
All mentioned improvements are substantiated by experiments.