Igor Burdonov

KVEST: Automated Generation of Test Suites from Formal Specifications

KVEST - Kernel VErification and Specification Technology - is based on automated test generation from formal specifications in the RAISE specification language. The technology was developed under contract with Nortel Networks. As of 1999, the methodology and toolset have been applied in three industrial project dealing with verification of large-scale telecommunication software. The first project, the Kernel Verification project, gives its name to the methodology and the toolset as a whole. Results of this project are available from the Formal Methods Europe Application database [13]. It is one of the biggest formal method application presented in the database. This paper provides a brief description of the approach, comparison to related works, and statistics on completed projects.

The UniTesK Approach to Designing Test Suites

Principles of the UniTesK test development technology based on the use of formal models of target software are presented. This technology was developed by the RedVerst group in the Institute for System Programming, Russian Academy of Sciences (ISPRAS) [1], which obtained rich experience in testing and verification of complex commercial software.

Virtualization-based separation of privilege: working with sensitive data in untrusted environment

Contemporary commodity operating systems are too big and do not inspire trust in their security and reliability. Still they are used for processing sensitive data due to the vast amount of legacy software and good support for virtually all hardware devices. Common approaches used to ensure sensitive data protection are either too strict or not reliable. In this article we propose virtualization-based approach for preventing sensitive data leaks from a computer running untrusted commodity OS without sacrificing public network connectivity, computer usability and performance. It is based on separating privileges between two virtual machines: public VM that has unlimited network access and private (isolated) VM that is used for processing sensitive data. Virtual machine monitor uses public VM to provide transparent access to Internet for selected trusted applications running inside the private VM on a system call level. Proposed security architecture allows using one and the same untrusted OS on both virtual machines without necessity to encrypt sensitive data. However it poses a challenge of enforcing dynamic protection over the trusted applications running in the potentially compromised OS. We investigate this problem and provide our solution for it.

Application of finite automatons for program testing

The application of the finite automaton theory to the problem of program testing is discussed. The problem is reduced to testing a finite automaton. Testing of automatons using their state graphs, factor graphs, testing using factor graphs, and methods for factor graphs construction are discussed.

The CLOS project: Towards an object-oriented environment for application development

The CLuster Operating System (CLOS) is based on the asynchronous cluster concept. A very simple and small CLOS kernel with a fully machine independent interface provides CLOS with openness and portability. CLOS is intended as an object-oriented environment for the design and development of complex applications with internal parallelism particularly in advanced information systems.

Deriving complete finite tests based on state machines

Many state machine based strategies return complete but infinite test suites. A usual approach to guarantee the fault coverage with respect to some kind of faults is to limit the number of faults, i.e., to consider a finite fault domain. In this paper, we summarize some results on deriving complete test suites w.r.t. infinite faults domains but w.r.t. special types of the specification machine.

Building direct and back spanning trees by automata on a graph

The paper presents a parallel graph exploration algorithm. Automaton on a graph is an analogue of the Turing machine — tape cells correspond to graph vertices, where the automaton can store some data, and moves along the tape correspond to moves along graph arcs. This system can be considered also as an aggregate of finite automatons located in graph vertices and interacting by message sending. Each automaton changes its state according to the data stored in the corresponding vertex, and moves along graph arcs are replaced with messages sent by the automaton of the arc’s starting vertex to the one of the ending vertex. The suggested parallel graph exploration algorithm has worst case working time bound O(n/k+D), where n is the number of vertices, and D is the graph diameter, the maximum length of simple path (non-self intersecting path). As a result the algorithm builds two spanning trees of the graph: the direct spanning tree, which has the root vertex as its tree root and is directed from the root, and the back spanning tree, directed to the root.

Parallel calculations by automata on direct and back spanning trees of a graph

The paper presents a parallel computation algorithm of an arbitrary function value on a multiset of values distributed on directed graph vertices. The computation is performed by message passing executed by automata distributed on the graph vertices. The key idea of the algorithm is to use a structural information on the graph that can be extracted by its parallel exploration and encoded into structures of direct and back spanning trees of the graph, which require only finite number of bits in each graph vertex, and to represent the function calculated as a composition of so called aggregate function and another one. Aggregate functions are characterized by possibility to calculate their value on a union of multisets by aggregating their values on separate multisets, that makes them easy for parallel computation.

Conformance theory development: semantics, formal models, algorithms

The paper covers theoretical and practical works on conformance testing performed in ISP RAS since 1994 till now. The conformance theory development was done in various directions and, in the whole, was characterized by generalization of the interaction semantics, models and conformances in use. The necessity of such generalization was imposed, first of all, by requirements of testing practice. It is true for such system properties as nondeterminism, partial specified, asynchronous behavior, diversity of test stimuli and observations of the implementation behavior etc. It was always focused on testing effectiveness defined both by optimization of tests suites and by test generation algorithms including on-the-fly. We consider the main milestones on this way in a brief and informal discussion, paying attention not to details, but to the main problems and their solutions trying to reveal the common tendency of the development

Error dependencies on classes of implementations under testing

The paper discusses the problem of dependency between errors defined by specification and the related problem of test optimization. There is a dependency between errors if a strict subset of errors exists such that any nonconforming implementation (i.e. an implementation containing an error) contains an error from this subset. Accordingly, it is sufficient for the tests to detect errors only from this subset. The most general formal model of test interaction and the reduction type of conformance are suggested, for which dependency between errors is almost absent. Most of the known conformances in various interaction semantics are demonstrated to be special cases of this general model. In this general model, the dependency between errors may occur when any strict subset of the class of all implementations is chosen as a class of implementations under testing. Particular interaction semantics and/or various hypotheses on implementations (specifically, the safety hypothesis), in fact, assume that the implementation under testing should belong to some subclass of (safe) implementations.