Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002.

Published byMaria Julie Benson Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002."— Presentation transcript:

1 Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002

2 © Paul Ammann2 Overview Problem Overview What’s a Model Checker? What’s a Counterexample? Test Criteria and Temporal Logic Some Examples –Testing –Security

3 May 1, 2002© Paul Ammann3 Contributors NIST – Paul Black, Vadim Okun GMU Faculty – Jeff Offutt, Duminda Wijesekera, CSIS (Sushil Jajodia, Roger Alexander, Chuck Hutchinson, Steve Noel, Brian O’Berry) GMU Students – Aynur Abdurazik, Elina Blank, Wei Ding, Ron Ritchey, Lingya Sun, Linda Xu

4 May 1, 2002© Paul Ammann4 Problem Overview: Specification-Based Testing Testing is Expensive, so try to reduce cost: –Reuse other development artifacts In this case, a finite state machine description –Automate Formalization of Test Objectives Test Generation/Recognition –Create a new test set with some property –Analyze an existing test set for some property This is Not a Model Checking Talk!

5 May 1, 2002© Paul Ammann5 Specification-Based Testing Abstraction: Define/Analyze Tests Actual System: Execute Tests

6 May 1, 2002© Paul Ammann6 What’s a Model Checker? Finite State Model –States, Transitions, Labels –Variety of ways to specify Constraint –Some formula in a suitable logic Model Checker –Verifies formula (we don’t care how), or –Finds a counterexample…

7 May 1, 2002© Paul Ammann7 Example a a, c b 1 2 3 b => AX a true… a => AX b false! Counter: 1, 3, 2, 1

8 May 1, 2002© Paul Ammann8 What’s a Counterexample? Appears to be a sequence of states –This looks a lot like a test case – Great! In Computational Tree Logic (CTL) –Root of some computational tree that shows formula does not hold –Usually decorated with path information to reach this root Return to counterexample / test case relation later

9 May 1, 2002© Paul Ammann9 Test Criteria Test Coverage Criteria Widely Used –Control Flow Criteria Statement Coverage, Branch Coverage, etc. –Data Flow Criteria All def-use associations, All defs, All uses, etc. –Mutation Coverage Comprehensive set of syntactic mutations –Predicate Coverage Condition Coverage, MC/DC Coverage, etc. Applicable to Both Code and Specifications

10 May 1, 2002© Paul Ammann10 Test Requirements Given a Coverage Criterion and an Artifact … Generate a Set of Test Requirements. “State” coverage on model with N states: Requirement 1: Some test must visit state 1 Requirement 2: Some test must visit state 2 … Requirement N: Some test must visit state N

11 May 1, 2002© Paul Ammann11 Test Criteria and Temporal Logic Express Test Requirements with Temporal Formulae … and Let Model Checker Find the Tests For You: ! EF (state = 1) ! EF (state = 2) … ! EF (state = N)

12 May 1, 2002© Paul Ammann12 Advantages of Using a Model Checker Some test requirements are infeasible –Example: Maybe State x is unreachable. –Model checker identifies these A single test may satisfy multiple requirements –Straightforward to identify Additional payoff from modeling effort –Modeling is expensive, so amortize the cost Very expressive mechanism

13 May 1, 2002© Paul Ammann13 Example Test the case where the North South traffic flows, traffic from the South stops for left turning traffic from the North, and then traffic from the South resumes, all without East West traffic flowing: ! EF(NtoS.light = G & StoN.light = G & E(EW.light = R U NtoE.light = G & E(EW.light = R U StoN.light = G)))

14 May 1, 2002© Paul Ammann14 Traffic Light Example Note Intermediate States Not Specified, But…...… EW.light = R NtoE.light = G NtoS.light = G StoN.light = G Counterxample includes All states needed in test

15 May 1, 2002© Paul Ammann15 Counterexample for Traffic Light State 1: NtoS.light = R, StoN.light = R, NtoE.light = R, EW.light = R State 2: NtoS.light = G, StoN.ligtht = G State 4: StoN.light = Y -- not explicitly specified State 5: StoN.light = R -- not explicitly specified State 6: NtoE.light = G State 7: NtoE.light = Y -- not explicitly specified State 8: NtoE.light = R -- not explicitly specified State 9: NtoS.light = G

16 May 1, 2002© Paul Ammann16 What about Existing Test Sets? Regression Test Suites are a Fact of Life –What is missing? –What is redundant? For First Question –Transform Test Suite to (subset of) finite state model Keep states and transitions test suite traverses –Evaluate against test requirements

17 May 1, 2002© Paul Ammann17 Existing Test Set Example 12 3 4 5 76

18 May 1, 2002© Paul Ammann18 First Test Case: 3, 1, 2, 4, 7 12 3 4 7

19 May 1, 2002© Paul Ammann19 Second Test Case: 3, 4, 7, 6 3 4 76

20 May 1, 2002© Paul Ammann20 Third Test Case: 3, 4, 7, 2, 4 2 3 4 7

21 May 1, 2002© Paul Ammann21 Resulting State Machine 12 3 4 76 Evaluate Test Requirements Against This Finite State Machine

22 May 1, 2002© Paul Ammann22 Example: MC/DC Coverage Criterion Used in Certification of Certain Commercial Avionics Software Idea: Test a decision with N conditions without using 2^N tests (Use N+1 instead) Example: A and (B or C) –2 tests with respect to A, where B, C set so that A determines value of decision: A true in one test, false in other test. B, C have same values in both tests. –Similar for B, C (This looks like 2N tests, but its not…)

23 May 1, 2002© Paul Ammann23 So, What’s the Problem? Is the counterexample/test relation 1 to 1? If so (this is traditional model checking), we have a problem: How do I make B and C keep the same values on two separate tests? –!EF ( A & (B | C)) -- first test req for A –!EF ( !A & (B | C)) -- second test req for A If not, what is the relation?

24 May 1, 2002© Paul Ammann24 Possible Counterexample A B !C !A B !C … … This is two tests, not one, but it is only 1 counterexample. !(EF ( A & B & !C) & EF (!A & B & !C)) Details: See Duminda’s paper with Lingya and me.

25 May 1, 2002© Paul Ammann25 Another Example: Safety Testing Specification-Based Testing Tuned to Safety Properties Notion of dangerous actions - Test these! Based on a mutation model Two types of tests: failing tests and passing tests Family of coverage criteria based on temporal operators Model checker (SMV) automates test generation Note: Use “safety” in the sense of Leveson

26 May 1, 2002© Paul Ammann26 Dangerous Traces D(Dangerous)-trace: A trace from original state Machine (M), whose last state can be extended, first with a transition from M’-M, and possibly further with transitions from M+ in such a way that safe predicate P is violated Traces can be dangerous in a variety of interesting ways: AX, EX, AF, EF M original state machine M’-M In mutant but not in original machine M+ Union of M and M’ A dangerous trace Turn point P is violated

27 May 1, 2002© Paul Ammann27 Testing Network Security Idea: Finite State Model for Network –Attributes are vulnerabilities, attacker acccess, connectivity –Transition relation defined by possible exploits Basis of TVA project in CSIS lab Original paper, Ritchey and Ammann (Oakland 2000) Closely related work at CMU

28 May 1, 2002© Paul Ammann28 Results of Approach Model Checker needs some work –Counterexample is single attack path –Really want all attack paths Special case of relating counterexamples to test cases. Basically, “and” operators (logical or temporal) require multiple tests to “cover” –Also sets of key exploits

29 May 1, 2002© Paul Ammann29 Status of TVA Approach Fairly decent scaling so far, at least for model checking Looking at alternative computation engines Looking at monotonic analysis

Download ppt "Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
Paul Ammann & Jeff Offutt

Paul Ammann & Jeff Offutt
(c) 2007 Mauro Pezzè & Michal Young Ch 9, slide 1 Test Case Selection and Adequacy Criteria.

(c) 2007 Mauro Pezzè & Michal Young Ch 9, slide 1 Test Case Selection and Adequacy Criteria.
(c) 2007 Mauro Pezzè & Michal Young Ch 9, slide 1 Test Case Selection and Adequacy Criteria.

(c) 2007 Mauro Pezzè & Michal Young Ch 9, slide 1 Test Case Selection and Adequacy Criteria.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Predicate Complete Testing * Thomas Ball * Thomas Ball, A Theory of Predicate-Complete Test Coverage and Generation, Technical Report MSR-TR-2004- 28,

Predicate Complete Testing * Thomas Ball * Thomas Ball, A Theory of Predicate-Complete Test Coverage and Generation, Technical Report MSR-TR ,
Introduction to Software Testing Chapter 2.1, 2.2 Overview Graph Coverage Criteria Paul Ammann & Jeff Offutt

Introduction to Software Testing Chapter 2.1, 2.2 Overview Graph Coverage Criteria Paul Ammann & Jeff Offutt
© Katz, 2007CS236368 Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS236368 Shmuel Katz The Technion.

© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.

1 Today Another approach to “coverage” Cover “everything” – within a well-defined, feasible limit Bounded Exhaustive Testing.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
Department of CIS University of Pennsylvania 1/31/2001 Specification-based Protocol Testing Hyoung Seok Hong Oleg Sokolsky CSE 642.

Department of CIS University of Pennsylvania 1/31/2001 Specification-based Protocol Testing Hyoung Seok Hong Oleg Sokolsky CSE 642.

Similar presentations

Ads by Google