Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002

Model Checking for Counterexamples: Testing and

Security

Paul Ammann

ISE Department

May 1, 2002

May 1, 2002 © Paul Ammann 2

Overview

• Problem Overview

• What’s a Model Checker?

• What’s a Counterexample?

• Test Criteria and Temporal Logic

• Some Examples– Testing– Security


Contributors

• NIST – Paul Black, Vadim Okun• GMU Faculty – Jeff Offutt, Duminda

Wijesekera, CSIS (Sushil Jajodia, Roger Alexander, Chuck Hutchinson, Steve Noel, Brian O’Berry)

• GMU Students – Aynur Abdurazik, Elina Blank, Wei Ding, Ron Ritchey, Lingya Sun, Linda Xu


Problem Overview: Specification-Based Testing

• Testing is Expensive, so try to reduce cost:– Reuse other development artifacts

• In this case, a finite state machine description

– Automate

• Formalization of Test Objectives• Test Generation/Recognition

– Create a new test set with some property– Analyze an existing test set for some property

• This is Not a Model Checking Talk!


Specification-Based Testing

Abstraction:Define/Analyze Tests

Actual System:Execute Tests


What’s a Model Checker?

• Finite State Model– States, Transitions, Labels– Variety of ways to specify

• Constraint– Some formula in a suitable logic

• Model Checker– Verifies formula (we don’t care how), or– Finds a counterexample…


Example

aa, c

b

12

3

b => AX a true… a => AX b

false!Counter: 1, 3, 2, 1


What’s a Counterexample?

• Appears to be a sequence of states– This looks a lot like a test case – Great!

• In Computational Tree Logic (CTL)– Root of some computational tree that shows formula

does not hold

– Usually decorated with path information to reach this root

• Return to counterexample / test case relation later


Test Criteria

• Test Coverage Criteria Widely Used– Control Flow Criteria

• Statement Coverage, Branch Coverage, etc.

– Data Flow Criteria• All def-use associations, All defs, All uses, etc.

– Mutation Coverage• Comprehensive set of syntactic mutations

– Predicate Coverage• Condition Coverage, MC/DC Coverage, etc.

• Applicable to Both Code and Specifications


Test Requirements

• Given a Coverage Criterion and an Artifact

… Generate a Set of Test Requirements.

“State” coverage on model with N states:

Requirement 1: Some test must visit state 1

Requirement 2: Some test must visit state 2

…

Requirement N: Some test must visit state N


Test Criteria and Temporal Logic

• Express Test Requirements with Temporal Formulae … and Let Model Checker Find the Tests For You:

! EF (state = 1)! EF (state = 2)…! EF (state = N)


Advantages of Using a Model Checker

• Some test requirements are infeasible– Example: Maybe State x is unreachable.

– Model checker identifies these

• A single test may satisfy multiple requirements– Straightforward to identify

• Additional payoff from modeling effort– Modeling is expensive, so amortize the cost

• Very expressive mechanism


Example

• Test the case where the North South traffic flows, traffic from the South stops for left turning traffic from the North, and then traffic from the South resumes, all without East West traffic flowing: ! EF(NtoS.light = G & StoN.light = G &

E(EW.light = R U NtoE.light = G &

E(EW.light = R U StoN.light = G)))


Traffic Light Example

Note Intermediate States Not Specified, But…

... … EW.light = R EW.light = R

NtoE.light = GNtoS.light = GStoN.light = G StoN.light = G

Counterxample includes All states needed in test


Counterexample for Traffic Light

State 1: NtoS.light = R, StoN.light = R, NtoE.light = R, EW.light = R

State 2: NtoS.light = G, StoN.ligtht = GState 4: StoN.light = Y -- not explicitly specifiedState 5: StoN.light = R -- not explicitly specifiedState 6: NtoE.light = GState 7: NtoE.light = Y -- not explicitly specifiedState 8: NtoE.light = R -- not explicitly specifiedState 9: NtoS.light = G


What about Existing Test Sets?

• Regression Test Suites are a Fact of Life– What is missing?– What is redundant?

• For First Question– Transform Test Suite to (subset of) finite state

model• Keep states and transitions test suite traverses

– Evaluate against test requirements


Existing Test Set Example

1 2

3 4 5

76


First Test Case: 3, 1, 2, 4, 7

1 2

3 4

7


Second Test Case: 3, 4, 7, 6

3 4

76


Third Test Case: 3, 4, 7, 2, 4

2

3 4

7


Resulting State Machine

1 2

3 4

76

Evaluate TestRequirementsAgainst This Finite StateMachine


Example: MC/DC Coverage

• Criterion Used in Certification of Certain Commercial Avionics Software

• Idea: Test a decision with N conditions without using 2^N tests (Use N+1 instead)

• Example: A and (B or C)– 2 tests with respect to A, where B, C set so that A

determines value of decision: A true in one test, false in other test. B, C have same values in both tests.

– Similar for B, C (This looks like 2N tests, but its not…)


So, What’s the Problem?

• Is the counterexample/test relation 1 to 1?

• If so (this is traditional model checking), we have a problem: How do I make B and C keep the same values on two separate tests?– !EF ( A & (B | C)) -- first test req for A– !EF ( !A & (B | C)) -- second test req for A

• If not, what is the relation?


Possible Counterexample

AB!C

!AB!C

…

…

This is two tests, notone, but it is only 1counterexample.

!(EF ( A & B & !C) & EF (!A & B & !C))

Details: See Duminda’spaper with Lingya and me.


Another Example: Safety Testing

Specification-Based Testing Tuned to Safety Properties

• Notion of dangerous actions - Test these!

• Based on a mutation model

• Two types of tests: failing tests and passing tests

• Family of coverage criteria based on temporal operators

• Model checker (SMV) automates test generation

• Note: Use “safety” in the sense of Leveson


Dangerous Traces

• D(Dangerous)-trace:A trace from original state Machine (M), whose last state can be extended, first with a transition from M’-M, and possibly further with transitions from M+ in such a way that safe predicate P is violated

• Traces can be dangerous in a variety of interesting ways: AX, EX, AF, EF

Moriginal state machine

M’-MIn mutant but not in original machine

M+Union of M and M’

A dangerous trace

Turn point

P is violated


Testing Network Security

• Idea: Finite State Model for Network– Attributes are vulnerabilities, attacker acccess,

connectivity– Transition relation defined by possible exploits

• Basis of TVA project in CSIS lab• Original paper, Ritchey and Ammann

(Oakland 2000)• Closely related work at CMU


Results of Approach

• Model Checker needs some work– Counterexample is single attack path– Really want all attack paths

• Special case of relating counterexamples to test cases. Basically, “and” operators (logical or temporal) require multiple tests to “cover”

– Also sets of key exploits


Status of TVA Approach

• Fairly decent scaling so far, at least for model checking

• Looking at alternative computation engines

• Looking at monotonic analysis

Documents

Model Checking for Counterexamples: Testing and Security Paul Ammann ISE Department May 1, 2002