Publication


Featured research published by Pierre-Alain Masson.


automation of software test | 2008

Generating security tests in addition to functional tests

Jacques Julliand; Pierre-Alain Masson; Régis Tissot

This paper is about generating security tests, in addition to functional tests previously generated by a model-based testing approach. The method that we present re-uses the functional model and the adaptation layer developed for the functional testing, and relies on an additional security model. We propose to compute the tests by using some test purposes as guides for the tests to be extracted from the models. We see a test purpose as the combination of a security property and a test need issued from the know-how of a security engineer. We propose a language based on regular expressions for the expression of such test purposes. We illustrate our approach with experiments on IAS.


integrated formal methods | 2000

Modular Verification for a Class of PLTL Properties

Pierre-Alain Masson; Hassan Mountassir; Jacques Julliand

The verification of dynamic properties of reactive systems by model checking leads to a potential combinatorial explosion of the state space that has to be checked. In order to deal with this problem, we define a strategy based on local verifications rather than on a global verification. The idea is to split the system into subsystems called modules, and to verify the properties on each module separately. We prove for a class of PLTL properties that if a property is satisfied on each module, then it is globally satisfied. We call such properties modular properties. We propose a modular decomposition based on the B refinement process. We present in this paper a usual class of dynamic properties in the shape of □(p ⇒ Q), where p is a proposition and Q is a simple temporal formula, such as ○q, ⋄q or qUr (with q and r being propositions). We prove that these dynamic properties are modular. For these specific patterns, we have exhibited some syntactic conditions of modularity on their corresponding Büchi automata. These conditions define a larger class which contains other patterns such as □(p ⇒ ○(qUr)). Finally, we show through the example of an industrial robot that this method is valid in practice.


advances in model based software testing | 2007

Automatic generation of model based tests for a class of security properties

Pierre-Alain Masson; Jacques Julliand; Jean-Christophe Plessis; Eddie Jaffuel; Georges Debois

This paper is a contribution to the problem of gaining confidence that an implementation correctly meets the security policy assigned to it. To do so, we compute tests that exercise security properties issued from the security policy. We proceed by model-based testing. Classically, we use a functional model that formalizes the functional specification. But we also use a second model, in the shape of security properties, that formalizes a part of the security policy. Tests are computed from the security properties, with the formal functional model as an oracle. We first formalize the informal security requirements as regular expressions. Then we introduce mutations in the regular expressions so as to reflect the specific situations in which we intend to test the security properties. These mutated regular expressions are unfolded into abstract test sequences. We present a set of four mutation rules that apply to a class of properties that we call sequencing properties, and we apply our method to a standard in the smart card domain named IAS, for Identification, Authentication and electronic Signature.


integrated formal methods | 1999

Modular Verification of Dynamic Properties for Reactive Systems

Jacques Julliand; Pierre-Alain Masson; Hassan Mountassir

Reachability analysis has been one of the most successful methods for automated analysis of concurrent and reactive systems. It is based on an exhaustive enumeration of states and is implemented in several verification tools. However, the major problem in applying this technique is the potential combinatorial explosion of the state space. To deal with this problem, various reduction and symbolic techniques have been developed. In this paper, we first present an extension of the B language in order to express dynamic properties using logic formulas in LTL. After this, we introduce an approach of verification performed on modules obtained by refinement rather than on the full specification. The number of states on which the verification is performed is then greatly reduced. Some patterns of properties are discussed and verified using model checking on each module. To illustrate the idea we give the well-known BRP example (Bounded Retransmission Protocol) described with B. We then show that under some considerations we are able to decide whether a given property is false or true, or should have been established at a higher level of abstraction.


ACM Transactions in Embedded Computing Systems | 2005

PLTL-partitioned model checking for reactive systems under fairness assumptions

Samir Chouali; Jacques Julliand; Pierre-Alain Masson; Françoise Bellegarde

We are interested in verifying dynamic properties of finite state reactive systems under fairness assumptions by model checking. The systems we want to verify are specified through a top-down refinement process. In order to deal with the state explosion problem, we have proposed in previous works to partition the reachability graph and to perform the verification on each part separately. Moreover, we have defined a class, called B_mod, of dynamic properties that are verifiable by parts, whatever the partition. We decide if a property P belongs to B_mod by looking at the form of the Büchi automaton that accepts ¬P. However, when a property P belongs to B_mod, the property f ⇒ P, where f is a fairness assumption, does not necessarily belong to B_mod. In this paper, we propose to use the refinement process in order to build the parts on which the verification has to be performed. We then show that with such a partition, if a property P is verifiable by parts and if f is the expression of the fairness assumptions on a system, then the property f ⇒ P is still verifiable by parts. This approach is illustrated by its application to the chip card protocol T = 1 using the B engineering design language.


Formal Aspects of Computing | 2011

Generating tests from B specifications and dynamic selection criteria

Jacques Julliand; Pierre-Alain Masson; Régis Tissot; Pierre-Christophe Bué

This paper is about generating tests from dynamic selection criteria called test purposes, in addition to structural tests, obtained from static selection criteria. We present a method that re-uses a behavioral model and an abstract test concretization layer developed for structural testing, and relies on additional test purposes. We propose, in the B framework, a process of test generation that uses the symbolic animation mechanisms of Leirios Test Generator (LTG) based on constraint solving, and guided by the test purposes. For that, we build a B model that is the synchronized product of a behavioral B abstract model and a test purpose described as a labeled transition system. We prove the correctness of this method, and show some experimental results obtained on the IAS case study. IAS is an industrial smart-card platform dedicated to the operations of Identification, Authentication and electronic Signature. Our experiments show that the tests obtained from test purposes are complementary to the structural tests.


international conference on software testing, verification and validation workshops | 2010

Test Generation Based on Abstraction and Test Purposes to Complement Structural Tests

Fabrice Bouquet; Pierre-Christophe Bué; Jacques Julliand; Pierre-Alain Masson

This paper presents a computer-aided model-based test generation method. We propose this approach as a complement to the LTG (Leirios Test Generator) method, which extracts functional tests out of a formal behavioral model M by means of static (or structural) selection criteria. Our method computes additional tests by applying dynamic (or behavioral) selection criteria (test purposes, called TP). Applying TP directly to M is usually not possible for industrial applications due to the huge (possibly infinite) size of their state space. We compute an abstraction A of M by predicate abstraction. We propose a method to define a set of abstraction predicates from information of TP. We generate symbolic tests from A by using TP as a dynamic selection criterion. Then we instantiate them on M, which allows us to play the tests on the implementation the same way as we play the functional ones. Our experimental results show that our tests are complementary to the structural ones.


ABZ '08 Proceedings of the 1st international conference on Abstract State Machines, B and Z | 2008

Generating Tests from B Specifications and Test Purposes

Jacques Julliand; Pierre-Alain Masson; Régis Tissot

This paper is about generating tests from test purposes, in addition to structural tests. We present a method that re-uses a behavioural model and an abstract test concretization layer developed for structural testing, and relies on additional test purposes. We propose, in the B framework, a process of test generation that uses the symbolic animation mechanisms of LTG (Leirios Test Generator) based on constraint solving, and guided by the test purposes. For that, we build a B animable model that is the synchronized product of a behavioural B abstract model and a test purpose described as a labelled transition system. We prove the correctness of this method, and illustrate it by means of the IAS case study. IAS is a smart-card application dedicated to the operations of Identification, Authentication and electronic Signature.


tests and proofs | 2011

Association of under-approximation techniques for generating tests from models

Pierre-Christophe Bué; Jacques Julliand; Pierre-Alain Masson

In this paper we present a Model-Based Testing approach with which we generate tests from an abstraction of a source behavioural model. We show a new algorithm that computes the abstraction as an under-approximation of the source model. Our first contribution is to combine two previous approaches proposed by Ball and Pasareanu et al. to compute May, Must+ and Must- abstract transition relations. Proof techniques are used to compute these transition relations. The tests obtained by covering the abstract transitions have to be instantiated from the source model. So, following Pasareanu et al., our algorithm additionally computes a concrete transition relation: the tests obtained as sequences of concrete transitions need not be instantiated from the source model. Another contribution is to propose a choice of relevant parameters and heuristics to guide the test computation. We apply our approach and compare it with a previous approach of ours that computes tests from an abstraction that over-approximates the source model.


tests and proofs | 2010

Syntactic abstraction of B models to generate tests

Jacques Julliand; Nicolas Stouls; Pierre-Christophe Bué; Pierre-Alain Masson

In a model-based testing approach as well as for the verification of properties, B models provide an interesting solution. However, for industrial applications, the size of their state space often makes them hard to handle. To reduce the number of states, an abstraction function can be used, often combining state variable elimination and domain abstractions of the remaining variables. This paper complements previous results, based on domain abstraction for test generation, by adding a preliminary syntactic abstraction phase, based on variable elimination. We define a syntactic transformation that suppresses some variables from a B event model, in addition to a method that chooses relevant variables according to a test purpose. We propose two methods to compute an abstraction A of an initial model M. The first one computes A as a simulation of M, and the second one computes A as a bisimulation of M. The abstraction process produces a finite state system. We apply this abstraction computation to a Model-Based Testing process.

Collaboration

Top Co-Authors of Pierre-Alain Masson (all at the University of Franche-Comté):

Jacques Julliand

Régis Tissot

Fabrice Bouquet

Hadrien Bride

Hana M'Hemdi

Hassan Mountassir