model checking for counterexamples: testing and security paul ammann ise department may 1, 2002
TRANSCRIPT
![Page 1: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/1.jpg)
Model Checking for Counterexamples: Testing and
Security
Paul Ammann
ISE Department
May 1, 2002
![Page 2: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/2.jpg)
May 1, 2002 © Paul Ammann 2
Overview
• Problem Overview
• What’s a Model Checker?
• What’s a Counterexample?
• Test Criteria and Temporal Logic
• Some Examples– Testing– Security
![Page 3: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/3.jpg)
May 1, 2002 © Paul Ammann 3
Contributors
• NIST – Paul Black, Vadim Okun• GMU Faculty – Jeff Offutt, Duminda
Wijesekera, CSIS (Sushil Jajodia, Roger Alexander, Chuck Hutchinson, Steve Noel, Brian O’Berry)
• GMU Students – Aynur Abdurazik, Elina Blank, Wei Ding, Ron Ritchey, Lingya Sun, Linda Xu
![Page 4: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/4.jpg)
May 1, 2002 © Paul Ammann 4
Problem Overview: Specification-Based Testing
• Testing is Expensive, so try to reduce cost:– Reuse other development artifacts
• In this case, a finite state machine description
– Automate
• Formalization of Test Objectives• Test Generation/Recognition
– Create a new test set with some property– Analyze an existing test set for some property
• This is Not a Model Checking Talk!
![Page 5: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/5.jpg)
May 1, 2002 © Paul Ammann 5
Specification-Based Testing
Abstraction:Define/Analyze Tests
Actual System:Execute Tests
![Page 6: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/6.jpg)
May 1, 2002 © Paul Ammann 6
What’s a Model Checker?
• Finite State Model– States, Transitions, Labels– Variety of ways to specify
• Constraint– Some formula in a suitable logic
• Model Checker– Verifies formula (we don’t care how), or– Finds a counterexample…
![Page 7: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/7.jpg)
May 1, 2002 © Paul Ammann 7
Example
aa, c
b
12
3
b => AX a true… a => AX b
false!Counter: 1, 3, 2, 1
![Page 8: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/8.jpg)
May 1, 2002 © Paul Ammann 8
What’s a Counterexample?
• Appears to be a sequence of states– This looks a lot like a test case – Great!
• In Computational Tree Logic (CTL)– Root of some computational tree that shows formula
does not hold
– Usually decorated with path information to reach this root
• Return to counterexample / test case relation later
![Page 9: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/9.jpg)
May 1, 2002 © Paul Ammann 9
Test Criteria
• Test Coverage Criteria Widely Used– Control Flow Criteria
• Statement Coverage, Branch Coverage, etc.
– Data Flow Criteria• All def-use associations, All defs, All uses, etc.
– Mutation Coverage• Comprehensive set of syntactic mutations
– Predicate Coverage• Condition Coverage, MC/DC Coverage, etc.
• Applicable to Both Code and Specifications
![Page 10: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/10.jpg)
May 1, 2002 © Paul Ammann 10
Test Requirements
• Given a Coverage Criterion and an Artifact
… Generate a Set of Test Requirements.
“State” coverage on model with N states:
Requirement 1: Some test must visit state 1
Requirement 2: Some test must visit state 2
…
Requirement N: Some test must visit state N
![Page 11: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/11.jpg)
May 1, 2002 © Paul Ammann 11
Test Criteria and Temporal Logic
• Express Test Requirements with Temporal Formulae … and Let Model Checker Find the Tests For You:
! EF (state = 1)! EF (state = 2)…! EF (state = N)
![Page 12: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/12.jpg)
May 1, 2002 © Paul Ammann 12
Advantages of Using a Model Checker
• Some test requirements are infeasible– Example: Maybe State x is unreachable.
– Model checker identifies these
• A single test may satisfy multiple requirements– Straightforward to identify
• Additional payoff from modeling effort– Modeling is expensive, so amortize the cost
• Very expressive mechanism
![Page 13: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/13.jpg)
May 1, 2002 © Paul Ammann 13
Example
• Test the case where the North South traffic flows, traffic from the South stops for left turning traffic from the North, and then traffic from the South resumes, all without East West traffic flowing: ! EF(NtoS.light = G & StoN.light = G &
E(EW.light = R U NtoE.light = G &
E(EW.light = R U StoN.light = G)))
![Page 14: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/14.jpg)
May 1, 2002 © Paul Ammann 14
Traffic Light Example
Note Intermediate States Not Specified, But…
... … EW.light = R EW.light = R
NtoE.light = GNtoS.light = GStoN.light = G StoN.light = G
Counterxample includes All states needed in test
![Page 15: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/15.jpg)
May 1, 2002 © Paul Ammann 15
Counterexample for Traffic Light
State 1: NtoS.light = R, StoN.light = R, NtoE.light = R, EW.light = R
State 2: NtoS.light = G, StoN.ligtht = GState 4: StoN.light = Y -- not explicitly specifiedState 5: StoN.light = R -- not explicitly specifiedState 6: NtoE.light = GState 7: NtoE.light = Y -- not explicitly specifiedState 8: NtoE.light = R -- not explicitly specifiedState 9: NtoS.light = G
![Page 16: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/16.jpg)
May 1, 2002 © Paul Ammann 16
What about Existing Test Sets?
• Regression Test Suites are a Fact of Life– What is missing?– What is redundant?
• For First Question– Transform Test Suite to (subset of) finite state
model• Keep states and transitions test suite traverses
– Evaluate against test requirements
![Page 17: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/17.jpg)
May 1, 2002 © Paul Ammann 17
Existing Test Set Example
1 2
3 4 5
76
![Page 18: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/18.jpg)
May 1, 2002 © Paul Ammann 18
First Test Case: 3, 1, 2, 4, 7
1 2
3 4
7
![Page 19: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/19.jpg)
May 1, 2002 © Paul Ammann 19
Second Test Case: 3, 4, 7, 6
3 4
76
![Page 20: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/20.jpg)
May 1, 2002 © Paul Ammann 20
Third Test Case: 3, 4, 7, 2, 4
2
3 4
7
![Page 21: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/21.jpg)
May 1, 2002 © Paul Ammann 21
Resulting State Machine
1 2
3 4
76
Evaluate TestRequirementsAgainst This Finite StateMachine
![Page 22: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/22.jpg)
May 1, 2002 © Paul Ammann 22
Example: MC/DC Coverage
• Criterion Used in Certification of Certain Commercial Avionics Software
• Idea: Test a decision with N conditions without using 2^N tests (Use N+1 instead)
• Example: A and (B or C)– 2 tests with respect to A, where B, C set so that A
determines value of decision: A true in one test, false in other test. B, C have same values in both tests.
– Similar for B, C (This looks like 2N tests, but its not…)
![Page 23: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/23.jpg)
May 1, 2002 © Paul Ammann 23
So, What’s the Problem?
• Is the counterexample/test relation 1 to 1?
• If so (this is traditional model checking), we have a problem: How do I make B and C keep the same values on two separate tests?– !EF ( A & (B | C)) -- first test req for A– !EF ( !A & (B | C)) -- second test req for A
• If not, what is the relation?
![Page 24: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/24.jpg)
May 1, 2002 © Paul Ammann 24
Possible Counterexample
AB!C
!AB!C
…
…
This is two tests, notone, but it is only 1counterexample.
!(EF ( A & B & !C) & EF (!A & B & !C))
Details: See Duminda’spaper with Lingya and me.
![Page 25: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/25.jpg)
May 1, 2002 © Paul Ammann 25
Another Example: Safety Testing
Specification-Based Testing Tuned to Safety Properties
• Notion of dangerous actions - Test these!
• Based on a mutation model
• Two types of tests: failing tests and passing tests
• Family of coverage criteria based on temporal operators
• Model checker (SMV) automates test generation
• Note: Use “safety” in the sense of Leveson
![Page 26: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/26.jpg)
May 1, 2002 © Paul Ammann 26
Dangerous Traces
• D(Dangerous)-trace:A trace from original state Machine (M), whose last state can be extended, first with a transition from M’-M, and possibly further with transitions from M+ in such a way that safe predicate P is violated
• Traces can be dangerous in a variety of interesting ways: AX, EX, AF, EF
Moriginal state machine
M’-MIn mutant but not in original machine
M+Union of M and M’
A dangerous trace
Turn point
P is violated
![Page 27: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/27.jpg)
May 1, 2002 © Paul Ammann 27
Testing Network Security
• Idea: Finite State Model for Network– Attributes are vulnerabilities, attacker acccess,
connectivity– Transition relation defined by possible exploits
• Basis of TVA project in CSIS lab• Original paper, Ritchey and Ammann
(Oakland 2000)• Closely related work at CMU
![Page 28: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/28.jpg)
May 1, 2002 © Paul Ammann 28
Results of Approach
• Model Checker needs some work– Counterexample is single attack path– Really want all attack paths
• Special case of relating counterexamples to test cases. Basically, “and” operators (logical or temporal) require multiple tests to “cover”
– Also sets of key exploits
![Page 29: Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002](https://reader035.vdocument.in/reader035/viewer/2022062421/56649d055503460f949d8ff9/html5/thumbnails/29.jpg)
May 1, 2002 © Paul Ammann 29
Status of TVA Approach
• Fairly decent scaling so far, at least for model checking
• Looking at alternative computation engines
• Looking at monotonic analysis