model checking for counterexamples: testing and security paul ammann ise department may 1, 2002
TRANSCRIPT
Model Checking for Counterexamples: Testing and
Security
Paul Ammann
ISE Department
May 1, 2002
May 1, 2002 © Paul Ammann 2
Overview
• Problem Overview
• What’s a Model Checker?
• What’s a Counterexample?
• Test Criteria and Temporal Logic
• Some Examples– Testing– Security
May 1, 2002 © Paul Ammann 3
Contributors
• NIST – Paul Black, Vadim Okun• GMU Faculty – Jeff Offutt, Duminda
Wijesekera, CSIS (Sushil Jajodia, Roger Alexander, Chuck Hutchinson, Steve Noel, Brian O’Berry)
• GMU Students – Aynur Abdurazik, Elina Blank, Wei Ding, Ron Ritchey, Lingya Sun, Linda Xu
May 1, 2002 © Paul Ammann 4
Problem Overview: Specification-Based Testing
• Testing is Expensive, so try to reduce cost:– Reuse other development artifacts
• In this case, a finite state machine description
– Automate
• Formalization of Test Objectives• Test Generation/Recognition
– Create a new test set with some property– Analyze an existing test set for some property
• This is Not a Model Checking Talk!
May 1, 2002 © Paul Ammann 5
Specification-Based Testing
Abstraction:Define/Analyze Tests
Actual System:Execute Tests
May 1, 2002 © Paul Ammann 6
What’s a Model Checker?
• Finite State Model– States, Transitions, Labels– Variety of ways to specify
• Constraint– Some formula in a suitable logic
• Model Checker– Verifies formula (we don’t care how), or– Finds a counterexample…
May 1, 2002 © Paul Ammann 7
Example
aa, c
b
12
3
b => AX a true… a => AX b
false!Counter: 1, 3, 2, 1
May 1, 2002 © Paul Ammann 8
What’s a Counterexample?
• Appears to be a sequence of states– This looks a lot like a test case – Great!
• In Computational Tree Logic (CTL)– Root of some computational tree that shows formula
does not hold
– Usually decorated with path information to reach this root
• Return to counterexample / test case relation later
May 1, 2002 © Paul Ammann 9
Test Criteria
• Test Coverage Criteria Widely Used– Control Flow Criteria
• Statement Coverage, Branch Coverage, etc.
– Data Flow Criteria• All def-use associations, All defs, All uses, etc.
– Mutation Coverage• Comprehensive set of syntactic mutations
– Predicate Coverage• Condition Coverage, MC/DC Coverage, etc.
• Applicable to Both Code and Specifications
May 1, 2002 © Paul Ammann 10
Test Requirements
• Given a Coverage Criterion and an Artifact
… Generate a Set of Test Requirements.
“State” coverage on model with N states:
Requirement 1: Some test must visit state 1
Requirement 2: Some test must visit state 2
…
Requirement N: Some test must visit state N
May 1, 2002 © Paul Ammann 11
Test Criteria and Temporal Logic
• Express Test Requirements with Temporal Formulae … and Let Model Checker Find the Tests For You:
! EF (state = 1)! EF (state = 2)…! EF (state = N)
May 1, 2002 © Paul Ammann 12
Advantages of Using a Model Checker
• Some test requirements are infeasible– Example: Maybe State x is unreachable.
– Model checker identifies these
• A single test may satisfy multiple requirements– Straightforward to identify
• Additional payoff from modeling effort– Modeling is expensive, so amortize the cost
• Very expressive mechanism
May 1, 2002 © Paul Ammann 13
Example
• Test the case where the North South traffic flows, traffic from the South stops for left turning traffic from the North, and then traffic from the South resumes, all without East West traffic flowing: ! EF(NtoS.light = G & StoN.light = G &
E(EW.light = R U NtoE.light = G &
E(EW.light = R U StoN.light = G)))
May 1, 2002 © Paul Ammann 14
Traffic Light Example
Note Intermediate States Not Specified, But…
... … EW.light = R EW.light = R
NtoE.light = GNtoS.light = GStoN.light = G StoN.light = G
Counterxample includes All states needed in test
May 1, 2002 © Paul Ammann 15
Counterexample for Traffic Light
State 1: NtoS.light = R, StoN.light = R, NtoE.light = R, EW.light = R
State 2: NtoS.light = G, StoN.ligtht = GState 4: StoN.light = Y -- not explicitly specifiedState 5: StoN.light = R -- not explicitly specifiedState 6: NtoE.light = GState 7: NtoE.light = Y -- not explicitly specifiedState 8: NtoE.light = R -- not explicitly specifiedState 9: NtoS.light = G
May 1, 2002 © Paul Ammann 16
What about Existing Test Sets?
• Regression Test Suites are a Fact of Life– What is missing?– What is redundant?
• For First Question– Transform Test Suite to (subset of) finite state
model• Keep states and transitions test suite traverses
– Evaluate against test requirements
May 1, 2002 © Paul Ammann 17
Existing Test Set Example
1 2
3 4 5
76
May 1, 2002 © Paul Ammann 18
First Test Case: 3, 1, 2, 4, 7
1 2
3 4
7
May 1, 2002 © Paul Ammann 19
Second Test Case: 3, 4, 7, 6
3 4
76
May 1, 2002 © Paul Ammann 20
Third Test Case: 3, 4, 7, 2, 4
2
3 4
7
May 1, 2002 © Paul Ammann 21
Resulting State Machine
1 2
3 4
76
Evaluate TestRequirementsAgainst This Finite StateMachine
May 1, 2002 © Paul Ammann 22
Example: MC/DC Coverage
• Criterion Used in Certification of Certain Commercial Avionics Software
• Idea: Test a decision with N conditions without using 2^N tests (Use N+1 instead)
• Example: A and (B or C)– 2 tests with respect to A, where B, C set so that A
determines value of decision: A true in one test, false in other test. B, C have same values in both tests.
– Similar for B, C (This looks like 2N tests, but its not…)
May 1, 2002 © Paul Ammann 23
So, What’s the Problem?
• Is the counterexample/test relation 1 to 1?
• If so (this is traditional model checking), we have a problem: How do I make B and C keep the same values on two separate tests?– !EF ( A & (B | C)) -- first test req for A– !EF ( !A & (B | C)) -- second test req for A
• If not, what is the relation?
May 1, 2002 © Paul Ammann 24
Possible Counterexample
AB!C
!AB!C
…
…
This is two tests, notone, but it is only 1counterexample.
!(EF ( A & B & !C) & EF (!A & B & !C))
Details: See Duminda’spaper with Lingya and me.
May 1, 2002 © Paul Ammann 25
Another Example: Safety Testing
Specification-Based Testing Tuned to Safety Properties
• Notion of dangerous actions - Test these!
• Based on a mutation model
• Two types of tests: failing tests and passing tests
• Family of coverage criteria based on temporal operators
• Model checker (SMV) automates test generation
• Note: Use “safety” in the sense of Leveson
May 1, 2002 © Paul Ammann 26
Dangerous Traces
• D(Dangerous)-trace:A trace from original state Machine (M), whose last state can be extended, first with a transition from M’-M, and possibly further with transitions from M+ in such a way that safe predicate P is violated
• Traces can be dangerous in a variety of interesting ways: AX, EX, AF, EF
Moriginal state machine
M’-MIn mutant but not in original machine
M+Union of M and M’
A dangerous trace
Turn point
P is violated
May 1, 2002 © Paul Ammann 27
Testing Network Security
• Idea: Finite State Model for Network– Attributes are vulnerabilities, attacker acccess,
connectivity– Transition relation defined by possible exploits
• Basis of TVA project in CSIS lab• Original paper, Ritchey and Ammann
(Oakland 2000)• Closely related work at CMU
May 1, 2002 © Paul Ammann 28
Results of Approach
• Model Checker needs some work– Counterexample is single attack path– Really want all attack paths
• Special case of relating counterexamples to test cases. Basically, “and” operators (logical or temporal) require multiple tests to “cover”
– Also sets of key exploits
May 1, 2002 © Paul Ammann 29
Status of TVA Approach
• Fairly decent scaling so far, at least for model checking
• Looking at alternative computation engines
• Looking at monotonic analysis