symbolic passive testing - application to an industrial case study (diamonds project)

Institut Mines-Télécom

Pramila Mouttappa, Stephane Maag and Ana Cavalli Institut Mines-Télécom/Télécom SudParis

RCIS 2013 Industrial Day - 31st May, 2013 Paris, France

Work supported by DIAMONDS (ITEA 2) Project


OverviewMotivationOur approachIOSTS based modelsParametric trace slicingFormal property evaluationPrototype resultsConclusions

Symbolic Passive Testing


Conformance Testing

Télécom SudParis Modèle de présentation

Active Tester Verdict

Test CasesSpecification / Requirements

IUT

Test generation

ACTIVE TESTING

IUT

Specification / Requirements

Passive Tester Verdict

User PASSIVE TESTING

Trace

P.O.


Problem Statement

Limitation of Passive Testing- For checking both the data and control part of the

protocol.- Enumeration of data values.


(i) ONLY CONTROL PART Invariant : Req / Ack Verdict = True


Problem Statement (contd.)


(ii) CONTROL + DATA PART

Invariant : Req(A) / Ack(B) Verdict = False or Inconclusive


Motivations

■To reduce false positive verdicts

■To avoid data enumeration

■To model eventual behavior deviations

■To study the scalability of very long traces (i.e., if the traffic collection is continuous)

Télécom SudParis Modèle de présentation


Our approach ...

■ Functional and Security attacks can be modeled – IOSTS

■ Enumeration of data values is not required – SYMBOLIC

■ Data relationship between messages – REDUCES FALSE POSITIVE VERDICTS

■ New Passive Testing Technique - INTEGRATION of Parametric Trace Slicing and Symbolic Execution



Framework of our approach – Automotive case study


Bluetooth trace

Symbolic execution trace and state

details

Symbolic execution tree

1 2 3

5

6

Specification / Requirement’s

IOSTS model - Functional/Security property

Symbolic Passive Testing Tool : TestSym-P

Verdicts Pass / Fail / Attack – Pass / Inconclusive

7

?

4 Guard-conditions table


Sequence diagram - Bluetooth Connectivity & Bluestabbing attack


[1] “Bluetooth specification version 2.0 + edr [vol 0],” 1999.[2] D. Browning and G. Kessler, “Bluetooth hacking: A case study,” in Proceedings of the Conference on Digital Forensics, Security and Law, 2009, pp. 20–22.


IOSTS Model


S3

S3.1

! hci-change-local-name (loc_name0)

G2:{loc_name ≠vloc_name}

A3: {vloc_name:=loc_name0}


Symbolic Execution (SE) of IOSTS



Parametric Trace Slicing

Trace Monitoring technique

Trace slices – Each parameter instance observed in the trace.

The events corresponding to a particular parameter instance are grouped in the order they appear in the trace in a particular trace slice.



Parametric Trace Slicing - Example

Consider a sample Bluetooth trace,

■ !hci-inquiry ?hci-inquiry-complete !hci-create-connection(bd addr1 ) !hci-create-connection(bd addr2 ) ?hci-connect-complete(bd addr1 )


Slices Data Portion Control Portion

Slice 1 bdaddr1 !hci-inquiry?hci-inquiry-complete!hci-create-connection ?hci-connect-complete

Slice 2 bdaddr2 !hci-inquiry?hci-inquiry-complete!hci-create-connection


Integration of SE and Parametric Trace Slicing

■Symbolic Execution (SE):

The path of the symbolic execution tree – represents the property to be tested on the trace.

Valuation of the parameters – symbolic values.

■Parametric Trace Slicing:

Trace analysis Valuation of the parameters – concrete values. Trace slices put together constitutes the implementation

trace. Path of the SE tree – checked against each trace slice to

obtain the Verdict.



Evaluation - IOSTS property on the trace slices

1. Control portion : Control portion(SE) = Control portion(slice) goto 2.2. Data portion:

• Substitute concrete data values in place of symbolic values.• Satisfiability of each state in path of the SE - Guard condition check.• AttackSeq : 0 (Property Sequence), 1 (Attack Sequence)


AttackSeq Control Portion Data Portion Verdicts Comments

0 Y Y Pass Property satisfied.

0 Y N Fail Property not satisfied.

1 Y Y Attack Pass Attack sequence satisfied.

0 or 1 N - Inconclusive Trace length insufficient to decide.

else≠


Final Evaluation – Property on the Implementation trace

■ PASS● if (Every (Verdict(tsi) = Pass))

■ Attack-PASS● if (Exists(Verdict(tsi) = Attack-Pass))

■ FAIL● if [(Exists(Verdict(tsi) = Fail)) ^ (Exists(Verdict(tsi)≠ Attack-

Pass))]

■ INCONCLUSIVE, otherwise.



Prototype Model – TestSym-P



Prototype – Trace Parsing



Prototype - Trace Slicing



Prototype – Evaluation Output



Evaluation Results


[3] Pramila Mouttappa, Stephane Maag and Ana Cavalli, "IOSTS based Passive Testing approach for the Validation of data-centric Protocols", 12th International Conference on Quality Software (QSIC 2012), Xi’an, China, 27-29 August 2012.

[4] Pramila Mouttappa, Stephane Maag and Ana Cavalli, “Improving Protocol Validation by an IOSTS-based Passive Testing approach”, 9th Workshop on System Testing and Validation (STV 2012), Paris, France, 24th October 2012.[5] Pramila Mouttappa and Stephane Maag and Ana Cavalli, “Monitoring based on IOSTS for testing functional and security properties: Application to an Automotive case study”. To be published, 37th Annual International Conference on Computers, Software and Applications (COMPSAC 2013), 22-26 July 2013, Kyoto, Japan

Trace No. Messages No. Slices Trace output without errors Trace output with errors & attacks

P F I Verdict P F I AP Verdict

1 81 2 1 - 1 I - 1 1 - F

2 89 3 1 - 2 I - - 2 1 AP

3 81 2 1 - 1 I - 1 1 - F

4 81 2 1 - 1 I - - 1 1 AP

5 81 2 1 - 1 I - 1 1 - F

6 81 2 1 - 1 I - - 1 1 AP

7 81 2 1 - 1 I - - 1 1 AP

8 81 2 1 - 1 I - - 1 1 AP

9 81 2 1 - 1 I - 1 1 - F

10 81 2 1 - 1 I - - 1 1 AP

P - PassF - Fail AP - Attack Pass I - Inconclusive


Innovations with respect to STOA

■ From our knowledge, there are currently no works tackling Passive testing/Monitoring based on IOSTS without any awareness on the states of the execution traces, moreover,

the integration of symbolic execution of IOSTS and Slicing technique for Passive Testing,

dealing with symbolic values eliminates the necessity

of enumeration of all data values,

the approach enables testing functional and vulnerability / attack patterns by passive testing.



Future Works

■Online testing - i.e., evaluation of properties as the implementation is being run.

■Time constraints - that are needed in the definition of several properties.


symbolic passive testing - application to an industrial case study (diamonds project)

Documents