Dianxiang Xu

State-based incremental testing of aspect-oriented programs

Taking aspects as incremental modifications to their base classes, this paper presents an incremental approach to testing whether or not aspect-oriented programs and their base classes conform to their respective behavior models. We exploit a rigorous aspect-oriented extension to state models for capturing the impact of aspects on the state transitions of base class objects as well as an explicit weaving mechanism for composing aspects into their base models. We generate abstract tests for base classes and aspect-oriented programs from their state models. As base class tests are not necessarily valid for aspect-oriented programs, we identify several rules for maximizing reuse of concrete base class tests for aspects according to the state-based impact of aspects on their base classes. To illustrate our approach, we use two examples that indicate distinctive types of aspect-oriented applications and exhibit fundamental features in complex applications: aspects removing state transitions from base classes and aspects adding and modifying state transitions in base classes. Our results show that majority of base class tests can be reused for aspects, but subtle modifications to some of them are necessary. In particular, positive (or negative) base class tests can become negative (or positive) aspect tests. We also discuss how several types of aspect-specific faults can be revealed by the state-based testing.

A formal architectural model for logical agent mobility

The process of agent migration is the major difference between logical code mobility of software agents and physical mobility of mobile nodes in ad hoc networks. Without considering agent transfer, it would make little sense to mention the modeling of strong code mobility, which aims to make a migrated agent restarted exactly from the state when it was stopped before migration. From the perspective of systems architecture, this paper proposes a two-layer approach for the formal modeling of logical agent mobility (LAM) using predicate/transition (PrT) nets. We view a mobile agent system as a set of agent spaces and agents could migrate from one space to another. Each agent space is explicitly abstracted to be a component, consisting of an environmental part and an internal connector dynamically binding agents with their environment. We use a system net, agent nets, and a connector net to model the environment, agents, and the connector, respectively. In particular, agent nets are packed up as parts of tokens in system nets, so that agent transfer and location change are naturally captured by transition firing (token game) in Petri nets. Agent nets themselves are active only at specific places and disabled at all the other places in a system net. The semantics of such a two-layer LAM model is defined by transforming it into a PrT net. This facilitates the analysis of several properties about location, state, and connection. In addition, this paper also presents a case study of modeling and analyzing an information retrieval system with mobile agents.

Compositional schedulability analysis of real-time systems using time Petri nets

This paper presents an approach to the schedulability analysis of real-time systems modeled in time Petri nets by separating timing properties from other behavioral properties. The analysis of behavioral properties is conducted based on the reachability graph of the underlying Petri net, whereas timing constraints are checked in terms of absolute and relative firing domains. If a specific task execution is schedulable, we calculate the time span of the task execution, and pinpoint nonschedulable transitions to help adjust timing constraints. A technique for compositional timing analysis is also proposed to deal with complex task sequences, which not only improves efficiency but also facilitates the discussion of the reachability issue with regard to schedulability. We identified a class of well-structured time Petri nets such that their reachability can be easily analyzed.

Automated Security Test Generation with Formal Threat Models

Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is highly desirable to automate or partially automate security-testing process. This paper presents an approach to automated generation of security tests by using formal threat models represented as Predicate/Transition nets. It generates all attack paths, i.e., security tests, from a threat model and converts them into executable test code according to the given Model-Implementation Mapping (MIM) specification. We have applied this approach to two real-world systems, Magento (a web-based shopping system being used by many online stores) and FileZilla Server (a popular FTP server implementation in C++). Threat models are built systematically by examining all potential STRIDE (spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege) threats to system functions. The security tests generated from these models have found multiple security risks in each system. The test code for most of the security tests can be generated and executed automatically. To further evaluate the vulnerability detection capability of the testing approach, the security tests have been applied to a number of security mutants where vulnerabilities are injected deliberately. The mutants are created according to the common vulnerabilities in C++ and web applications. Our experiments show that the security tests have killed the majority of the mutants.

Security of Software Defined Networks

Software Defined Networking (SDN) has emerged as a new network architecture for dealing with network dynamics through software-enabled control. While SDN is promoting many new network applications, security has become an important concern. This paper provides an extensive survey on SDN security. We discuss the security threats to SDN according to their effects, i.e., Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, and Elevation of Privilege. We also review a wide range of SDN security controls, such as firewalls, IDS/IPS, access control, auditing, and policy management. We describe several pathways of how SDN is evolving. We presented an extensive survey on Software Defined Networks with focus on security.We majorly divided survey in two categories or perspectives; security attacks and controls or countermeasures.We presented our own vision on how security may evolve in future based on SDN.

Modeling and verifying multi-agent behaviors using predicate/transition nets

In a multi-agent system, how agents accomplish a goal task is usually specified by multi-agent plans built from basic actions (e.g. operators) of which the agents are capable. A critical problem with such an approach is how can the designer make sure the plans are reliable. To tackle this problem, this paper presents a formal approach for modeling and analyzing multi-agent behaviors using Predicate/Transition (PrT) nets, a high-level formalism of Petri nets. We construct a multi-agent model by representing agent capabilities as transitions. To verify a multi-agent PrT model, we adapt the planning graphs as a compact structure for the reachability analysis. We also demonstrate that, based on the PrT model, whether parallel actions specified in multi-agent plans can be executed in parallel and whether the plans guarantee the achievement of the goal can be verified by analyzing the dependency relations among the transitions.

Modeling mobile agent systems with high level Petri nets

The paper presents a Petri net based approach for architectural modeling of mobile agent systems. An agent template (net) is proposed to model a changing number of autonomous and communicative software agents. An agent space is explicitly abstracted as a component, consisting of mobility environment (system net), agent templates (agent nets), and internal connector (net). Agent transfer is naturally captured by transition firing. To assure the strong mobility, the agents state is delivered during migration. Agent mobility in OMGs MASIF is also examined by formalizing the interoperable agent system architecture.

Towards Better Fault Localization: A Crosstab-Based Statistical Approach

It is becoming prohibitively expensive and time consuming, as well as tedious and error-prone, to perform debugging manually. Among the debugging activities, fault localization has been one of the most expensive, and therefore, a large number of fault-localization techniques have been proposed over the recent years. This paper presents a crosstab-based statistical technique that makes use of the coverage information of each executable statement and the execution result (success or failure) with respect to each test case to localize faults in an effective and efficient manner. A crosstab is constructed for each executable statement, and a statistic is computed to determine the suspiciousness of the corresponding statement. Statements with a higher suspiciousness are more likely to contain bugs and should be examined before those with a lower suspiciousness. Case studies are performed on both small- (the Siemens and Unix suites) and large-sized programs (space, grep, gzip, and make), and results suggest that the crosstab-based technique (CBT) is more effective (in terms of a smaller percentage of executable statements that have to be examined until the first statement containing the fault is reached) than other techniques, such as Tarantula. Further studies using the Siemens suite reveal that the proposed technique is also more effective at locating faults than other statistically oriented techniques, such as SOBER and Liblit05. Additional experiments evaluate the CBT from other perspectives, such as its efficiency in terms of time taken, its applicability to object-oriented languages (on a very large Java program: Ant), and its sensitivity to test suite size, and demonstrate its superior performance.

A tool for automated test code generation from high-level petri nets

Automated software testing has gained much attention because it is expected to improve testing productivity and reduce testing cost. Automated generation and execution of tests, however, are still very limited. This paper presents a tool, ISTA (Integration and System Test Automation), for automated test generation and execution by using high-level Petri nets as finite state test models. ISTA has several unique features. It allows executable test code to be generated automatically from a MID (Model-Implementation Description) specification - including a high-level Petri net as the test model and a mapping from the Petri net elements to implementation constructs. The test code can be executed immediately against the system under test. It supports a variety of languages of test code, including Java, C/C++, C#, VB, and html/Selenium IDE (for web applications). It also supports automated test generation for various coverage criteria of Petri nets. ISTA is useful not only for function testing but also for security testing by using Petri nets as threat models. It has been applied to several industry-strength systems.

Misuse case-based design and analysis of secure software architecture

This paper presents an approach to the architectural design and analysis of secure software systems based on the system requirements elicited in the form of use cases and misuse cases. We identify architectural components and their connections and analyze whether or not a candidate architecture can address security concerns. This provides a smooth transition from requirements specification to high-level design for engineering secure software systems, and greatly improves the traceability of security concerns, which allows a system developer to know what requirement an architectural component references back to. We demonstrate our approach through a case study on a security-intensive hospital information system.