Finite-State Modeling, Analysis and Testing of System Vulnerabilities

Man-machine systems have several desirable properties, as to user friendliness, reliability, safety, security or other global system attributes. The potential for the lack, or breaches, of any such property constitutes a system vulnerability, which can lead to a situation that is undesirable from user’s point of view. This undesired situation could be triggered by special events in the form of intended, or unintended, attacks from the system’s environment. We view the undesirable system features as the sum of the situations, which are, mathematically speaking, complementary to the desirable ones that must be taken into account from the very beginning of the system development to achieve a stable system behavior and a robust operation. This work is about the modeling, analysis and testing of both desirable and undesirable system features which can be viewed as relations between the system and its operation. 1. Critical Features and Vulnerabilities of Embedded Systems In terms of behavioral patterns, the relationships between the system and its environment, i.e., the user, the natural environment, etc., can be described as proactive, reactive or interactive. In the case of proactivity, the system generates the stimuli, which evoke the activity of its environment. In the case of reactivity, the system behavior evolves through its responses to stimuli generated by its environment. Most computerhuman interfaces are nowadays interactive in the sense that the user and the system can be both proand reactive. In this particular kind of system, the user interface (UI) can have another environment, that is, the plant, the device or the equipment, which the UI is intended for and embedded in, controlling technical processes. When categorizing behavioral aspects of the human-computer systems, it is a good principle to start with the ergonomic aspects which concern the extent of comfort, or discomfort, experienced by the system and its environment at each other’s company. Any vulnerability is always accompanied by threats. In the case of safety, the threat originates from within the system due to potential failures and its spill-over effects causing potentially extensive damage to its environment. In the face of such failures, the environment could be a helpless, passive victim. The goal of the system design in this case is to prevent faults that could potentially lead to such failures or, in worst cases, to mitigate the consequences at run-time should such failures ever occur. In the case of security, the system is exposed to external threats originating from the environment, causing losses to the proprietor of the system. In this case, the environment, typically the user, maybe unauthorized, can be malicious or deliberately aggressive. The goal of the system design is then to ensure that it can protect itself against such malicious attacks. In contrast to safety and security, the lack of user friendliness of a UI is a milder form of system vulnerability. A failure to be user-friendly is still a failure to fulfill a system attribute, though it may typically cause an annoyance or an irritant to the user, possibly leading to confusion and complaints. However, disastrous consequences cannot be entirely ruled out under stressed conditions of the user if the UI is intended to mediate between a safety critical application and its operator. Since safety is being considered here as a system vulnerability in its own right, we limit ourselves here to the UIs of modest applications designed to guide and help the user to navigate through, and explore, the system functionality. Having identified several differences and distinctions between certain system vulnerabilities, let us abstract away from these peculiarities and threat them all in a generic manner in the following section. Further sections will illustrate our approach through a case study considering user interactions as a special case. An earlier version of the approach was introduced in [BE01]. The present study generalizes the approach and extends its scope of application. 2. Finite State Modeling of System Vulnerabilities 2.1 Modeling the System and Its Environment The functionality f of an application is described here as a deterministic finite-state automaton (FSA)

[1]  Amnon Naamad,et al.  The STATEMATE semantics of statecharts , 1996, TSEM.

[2]  Fevzi Belli,et al.  Specification of Fault-Tolerant System Issues by Predicate/Transition Nets and Regular Expressions-Approach and Case Study , 1991, IEEE Trans. Software Eng..

[3]  Fred B. Schneider,et al.  Implementing fault-tolerant services using the state machine approach: a tutorial , 1990, CSUR.

[4]  Thomas W. Williams,et al.  Design for Testability - A Survey , 1982, IEEE Trans. Computers.

[5]  Arto Salomaa,et al.  Two Complete Axiom Systems for the Algebra of Regular Events , 1966, JACM.

[6]  Robert S. Boyer,et al.  The Correctness Problem in Computer Science , 1982 .

[7]  Barry Boehm,et al.  Characteristics of software quality , 1978 .

[8]  Lionel C. Briand,et al.  A UML-Based Approach to System Testing , 2001, Software and Systems Modeling.

[9]  Fevzi Belli,et al.  Finite state testing and analysis of graphical user interfaces , 2001, Proceedings 12th International Symposium on Software Reliability Engineering.

[10]  I. N. Sneddon,et al.  Theory Of Automata , 1969 .

[11]  Doo-Hwan Bae,et al.  Test cases generation from UML state diagrams , 1999, IEE Proc. Softw..

[12]  Doron A. Peled,et al.  Software Reliability Methods , 2001, Texts in Computer Science.

[13]  Mary Lou Soffa,et al.  Automated test oracles for GUIs , 2000, SIGSOFT '00/FSE-8.

[14]  HeitmeyerConstance,et al.  Using model checking to generate tests from requirements specifications , 1999 .

[15]  John B. Goodenough,et al.  Exception handling: issues and a proposed notation , 1975, CACM.

[16]  Nimal Nissanke,et al.  Design for safety in Safecharts with risk ordering of states , 2002 .

[17]  Lee J. White,et al.  Generating test cases for GUI responsibilities using complete interaction sequences , 2000, Proceedings 11th International Symposium on Software Reliability Engineering. ISSRE 2000.

[18]  Alexandre Petrenko,et al.  Protocol testing: review of methods and relevance for software testing , 1994, ISSTA '94.

[19]  Luc Bougé,et al.  A Contribution to the Theory of Program Testing , 1985, Theor. Comput. Sci..

[20]  Ian Horrocks,et al.  Constructing the User Interface with Statecharts , 1999 .

[21]  Nimal Nissanke,et al.  Safecharts for specifying and designing safety critical systems , 1999, Proceedings of the 18th IEEE Symposium on Reliable Distributed Systems.

[22]  Mary Lou Soffa,et al.  Hierarchical GUI Test Case Generation Using Automated Planning , 2001, IEEE Trans. Software Eng..

[23]  Yu Lei,et al.  A Test Generation Strategy for Pairwise Testing , 2002, IEEE Trans. Software Eng..

[24]  Arthur Gill,et al.  Introduction to the theory of finite-state machines , 1962 .

[25]  R. D. Tennent Specifying Software , 2002 .

[26]  Alan C. Shaw,et al.  Software Specification Languages Based on Regular Expressions , 1980 .

[27]  Niklaus Wirth,et al.  Pascal User Manual and Report , 1991, Springer New York.

[28]  John B. Goodenough,et al.  Toward a theory of test data selection , 1975 .

[29]  Tsun S. Chow,et al.  Testing Software Design Modeled by Finite-State Machines , 1978, IEEE Transactions on Software Engineering.

[30]  Daniel P. Siewiorek,et al.  A method to automate user interface testing using variable finite state machines , 1997, Proceedings of IEEE 27th International Symposium on Fault Tolerant Computing.

[31]  Viktor Mikhaĭlovich Glushkov,et al.  Theorie der Abstrakten Automaten , 1963 .

[32]  Brian Randell,et al.  Reliability Issues in Computing System Design , 1978, CSUR.

[33]  S. L. Gerhart,et al.  Toward a theory of test data selection , 1975, IEEE Transactions on Software Engineering.

[34]  Michael L. Fredman,et al.  The AETG System: An Approach to Testing Based on Combinatiorial Design , 1997, IEEE Trans. Software Eng..

[35]  Alan C. Shaw,et al.  A prototyping environment for specifying, executing and checking communicating real‐time state machines , 1994, Softw. Pract. Exp..

[36]  Angelo Gargantini,et al.  Using model checking to generate tests from requirements specifications , 1999, ESEC/FSE-7.

[37]  Fabrizio Lombardi,et al.  Protocol conformance testing using multiple UIO sequences , 1989, IEEE Trans. Commun..

[38]  William E. Howden,et al.  Theoretical and Empirical Studies of Program Testing , 1978, IEEE Transactions on Software Engineering.

[39]  Edsger W. Dijkstra,et al.  Notes on structured programming , 1970 .