Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin.

Published bySuzan Gardner Modified over 8 years ago

Similar presentations

Presentation on theme: "Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin."— Presentation transcript:

1 Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin

2 State Machines Used to model software behaviour load exit close edit save as ok Documentation Inspection / review Model-based testing Model checking

3 State Machines Used to model software behaviour load exit close edit save as ok Documentation Inspection / review Model-based testing Model checking Only useful if complete and up-to-date Usually not the case due to time constraints and software evolution

4 Reverse Engineering State Machines Static analysis – analysis of source code – symbolic execution, flow analyses,... – Inevitably considers executions that are infeasible in practice Dynamic analysis – infer model from sample executions – Favoured for accuracy – States considered equal if subsequent trace is similar – Variants of the k-tails algorithm [Biermann, Feldman- 1972] most common reverse engineering algorithm

5 Traditional Approach For any point in a trace, its k-tail is the following sequence of k events or functions – Point x is considered equivalent to y if the k-tails are equal load edit save_as ok edit

6 load edit save_as ok edit Traditional Approach For any point in a trace, its k-tail is the following sequence of k events or functions – Point x is considered equivalent to y if the k-tails are equal K=2

7 load edit save_as ok edit Traditional Approach For any point in a trace, its k-tail is the following sequence of k events or functions – Point x is considered equivalent to y if the k-tails are equal K=2 load edit save_as edit ok

8 load edit save_as ok edit Traditional Approach For any point in a trace, its k-tail is the following sequence of k events or functions – Point x is considered equivalent to y if the k-tails are equal K=2 load edit save_as edit ok Remove Non determinism load save_as edit ok

9 Problems Too expensive if result is to be correct and complete: – Need complete set of executions up to certain length – Passive – all executions need to be presented at once If provided traces only partial (probable for non- trivial system) the resulting model is untrustworthy – Difficult to tell how complete the model is – what’s missing? load save_as edit ok load exit close edit save as ok

10 Regular Grammar Inference Given a set of valid and (optionally) invalid sentences from a language, infer its grammar. Regular grammars can be represented as deterministic finite state machines Problem of regular grammar inference equivalent to that of reverse engineering state machines Several sophisticated grammar inference techniques – Effectively address many problems that arise with current reverse-engineering approaches

11 Benefits of Adapting Grammar Inference Techniques Active techniques – Do not require set of executions to be presented at once – Interact with an oracle to identify missing information More efficient – Can efficiently process large sample sets. Reasonably accurate given sparse sets of executions – More sophisticated heuristics to accurately identify equivalent states

12 Query-Driven State Merging (QSM) Devised by Dupont et al. Combines benefits mentioned on previous slide – Active, efficient, reasonably accurate for sparse sets of sample executions Guaranteed to produce correct machine if set of sample executions is characteristic: – Must cover every transition in the target grammar – Enough positive and negative samples to differentiate between different states (to prevent false merges) – Questions aim to elicit characteristic sample from oracle

13 Query-Driven State Merging (QSM) load close exit edit save_as ok close exit edit close exit Generate “Prefix Tree Acceptor”

14 Query-Driven State Merging (QSM) load close exit edit save_as ok close exit edit close exit Attempt merge Produce questions (executions valid in this machine, but not in unmerged version) ?

15 Query-Driven State Merging (QSM) Attempt merge Produce questions (executions valid in this machine, but not in unmerged version) If all questions answered yes, merge nodes Else add negative questions to graph load close exit edit save_as ok close exit edit close exit close, edit Active Efficient Accepts negative information about model

16 Implementation Use Eclipse TPTP to record traces – Sequence of method calls → Questions can either be answered manually – OR as tests directly to the system – Can vary number of questions generated QSM component accepts simple text files of strings (prefixed with “+” and “-”)

17

18 Evaluation Used traces to generate JHotDraw case study – Described in paper Generated random state machines – Subject to certain constraints – minimal, deterministic etc. – Three sets of 10 random machines (5, 25, 50 states) – Random paths over these machines = initial set of traces – Measured accuracy of final machine, and number of questions required

19

20

21 Current and Future Work Identify data constraints associated with states – Can use tools such as Daikon Automatically answer queries – Static analysis – using call graph analysis to automatically propose negative / impossible executions – Automated test generation Heuristics – can certain questions be safely ignored?

22 Conclusions Preliminary results show technique is reasonably accurate and efficient Can potentially be almost entirely automated – Automatically generates tests (questions), many of which can be eliminated by static analysis anyway Grammar Inference is useful source of ideas for dynamic analysis and reverse engineering

Download ppt "Reverse Engineering State Machines by Interactive Grammar Inference Neil Walkinshaw, Kirill Bogdanov, Mike Holcombe, Sarah Salahuddin."

Similar presentations

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.

Recognising Languages We will tackle the problem of defining languages by considering how we could recognise them. Problem: Is there a method of recognising.
Configuration management

Configuration management
Configuration management

Configuration management
University of Sheffield NLP Module 4: Machine Learning.

University of Sheffield NLP Module 4: Machine Learning.
A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.

A System to Generate Test Data and Symbolically Execute Programs Lori A. Clarke September 1976.
Model Based Testing Course Software Testing & Verification 2013/14 Wishnu Prasetya.

Model Based Testing Course Software Testing & Verification 2013/14 Wishnu Prasetya.
Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.

Mahadevan Subramaniam and Bo Guo University of Nebraska at Omaha An Approach for Selecting Tests with Provable Guarantees.
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.

SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Grey Box testing Tor Stålhane. What is Grey Box testing Grey Box testing is testing done with limited knowledge of the internal of the system. Grey Box.

Grey Box testing Tor Stålhane. What is Grey Box testing Grey Box testing is testing done with limited knowledge of the internal of the system. Grey Box.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Alternate Software Development Methodologies

Alternate Software Development Methodologies
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.

CMSC 345, Version 11/07 SD Vick from S. Mitchell Software Testing.
Proof System HY-566. Proof layer Next layer of SW is logic and proof layers. – allow the user to state any logical principles, – computer can to infer.

Proof System HY-566. Proof layer Next layer of SW is logic and proof layers. – allow the user to state any logical principles, – computer can to infer.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.

Michael Ernst, page 1 Improving Test Suites via Operational Abstraction Michael Ernst MIT Lab for Computer Science Joint.
Hierarchical GUI Test Case Generation Using Automated Planning Atif M. Memon, Student Member, IEEE, Martha E. Pollack, and Mary Lou Soffa, Member, IEEE.

Hierarchical GUI Test Case Generation Using Automated Planning Atif M. Memon, Student Member, IEEE, Martha E. Pollack, and Mary Lou Soffa, Member, IEEE.
Testing an individual module

Testing an individual module
Testing Components in the Context of a System CMSC 737 Fall 2006 Sharath Srinivas.

Testing Components in the Context of a System CMSC 737 Fall 2006 Sharath Srinivas.

Similar presentations

Ads by Google