Cryptographic Verification of Test Coverage Claims

The market for software components is growing, driven on the "demand side" by the need to deploy highly functional products rapidly and on the "supply side" by distributed object standards. As components and component vendors proliferate, so does concern about quality and the effectiveness of testing processes. White-box testing, particularly the use of coverage criteria, is a widely used method for measuring how thoroughly a program has been tested. High levels of test coverage are taken as evidence of good quality-control procedures, so a vendor who can demonstrate high coverage has a credible claim to high quality. Verifying such a claim, however, requires knowledge of the source code, test cases, build procedures, and so on. In applications where reliability and quality are critical, it would be desirable to verify test coverage claims without forcing vendors to give up valuable technical secrets. In this paper we explore cryptographic techniques that can be used to verify such claims. The techniques have certain limitations, which we discuss. Nevertheless, vendors who have done the hard work of achieving high test coverage can use them, at modest additional cost, to provide credible evidence of that coverage while reducing the disclosure of intellectual property.
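As an added illustration, and not the paper's own protocol, the Python sketch below shows the shape a commitment-based check of a coverage claim can take. The vendor publishes one keyed hash commitment per branch target and ships a binary whose probes report those commitments rather than source locations; the verifier holds only the binary, the published commitment set and the test inputs, never the source. The branch identifiers, the toy program and the test inputs are constructed for this example.

```python
"""Hash-commitment sketch of verifying a branch-coverage claim without access to source.

Added example, not the paper's protocol. The branch identifiers, the toy program and
the test inputs below are constructed for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical branch targets, known only to the vendor (they name source locations).
BRANCH_IDS = [
    "parse.c:41:if-true", "parse.c:41:if-false",
    "parse.c:57:loop-body", "parse.c:57:loop-exit",
    "auth.c:12:if-true", "auth.c:12:if-false",
    "auth.c:30:case-zero", "auth.c:30:default",
]


def commit(key: bytes, branch_id: str) -> str:
    """Keyed commitment to one coverage target. Keying (HMAC rather than plain SHA-256)
    stops a verifier from recovering the identifier by guessing file:line strings."""
    return hmac.new(key, branch_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class InstrumentedProgram:
    """Stands in for the shipped binary. Probes report commitments, never source locations."""
    probes: dict                      # branch_id -> commitment (vendor-side mapping only)
    hits: list = field(default_factory=list)

    def probe(self, branch_id: str) -> None:
        self.hits.append(self.probes[branch_id])

    def embedded_probe_set(self) -> set:
        """What a verifier can recover by scanning the binary for probe constants."""
        return set(self.probes.values())

    def run(self, data: bytes) -> int:
        """Toy control flow: count 'a' bytes unless the input is a comment line."""
        if data[:1] == b"#":
            self.probe("parse.c:41:if-true")
            return -1
        self.probe("parse.c:41:if-false")
        n = 0
        for b in data:
            self.probe("parse.c:57:loop-body")
            if b == ord("a"):
                n += 1
        self.probe("parse.c:57:loop-exit")
        if n > 3:
            self.probe("auth.c:12:if-true")
        else:
            self.probe("auth.c:12:if-false")
        if n == 0:
            self.probe("auth.c:30:case-zero")
        else:
            self.probe("auth.c:30:default")
        return n


def vendor_build(key: bytes, branch_ids=BRANCH_IDS):
    """Vendor side: instrument the program and publish the set of commitments (not the ids)."""
    probes = {bid: commit(key, bid) for bid in branch_ids}
    return InstrumentedProgram(probes), set(probes.values())


def verify_coverage(program: InstrumentedProgram, published: set, tests, claimed: float) -> dict:
    """Verifier side: needs only the binary, the published commitments and the test inputs."""
    embedded = program.embedded_probe_set()
    if embedded != published:
        # Extra or missing probes mean the denominator of the claim is not what shipped.
        return {"ok": False, "measured": None,
                "reason": "published commitments do not match probes in binary"}
    program.hits.clear()
    for t in tests:
        program.run(t)
    observed = set(program.hits)
    if observed - published:
        return {"ok": False, "measured": None,
                "reason": "binary reported a probe outside the commitment set"}
    measured = len(observed) / len(published)
    return {"ok": measured >= claimed, "measured": measured,
            "reason": "" if measured >= claimed else "measured coverage below claim"}


TEST_INPUTS = [b"aaaa", b"bc"]  # constructed: never exercises the comment-line branch


if __name__ == "__main__":
    key = os.urandom(32)
    prog, published = vendor_build(key)
    print(verify_coverage(prog, published, TEST_INPUTS, claimed=0.85))  # 7 of 8 targets
```

Two things the check does catch: a binary whose embedded probe constants differ from the published commitment set (a vendor shrinking the denominator), and a probe value outside the set. What it cannot catch is a branch the vendor never instrumented at all, which appears in neither set; that is the kind of limitation the abstract alludes to, and it is why the verifier must also trust the instrumentation step or the platform on which the tests are run.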
