Modeling, Analysis and Testing of
System Vulnerabilities
Fevzi Belli (1), Nimal Nissanke (2), Christof J. Budnik (1)
(1) Dept. of Computer Science, Electrical Engineering and Mathematics, University of Paderborn, Germany
{belli, cb}@adt.upb.de
(2) School of Computing, Information Systems and Mathematics, South Bank University, London, UK
[email protected]
Content
Introduction
Finite-State Modeling of System Vulnerabilities
Testing of Event Sequences for Revealing Threats
Validation of the Approach
Conclusion
Merging inputs and states leads to more efficient
algorithms for analysis and test.
We focus on input sequences, generated as strings
of L(G), or L(R).
The result is a simplified version of the state
transition diagram (STD) of the FSA that we call an
Event Sequence Graph (ESG) [Myhill].
[Figure: State Transition Diagram (STD) of the FSA and Event Sequence Graph (ESG) of the FSA]
To represent a GUI, we interpret the input set as the
objects that can be controlled and perceived through
input/output devices, i.e., elements of WIMPs
(Windows, Icons, Menus and Pointers).
Test inputs for GUIs are generally sequences of user
activities that interact with system behavior.
20 November 2003 (Slide 5)
Modeling of RealJukebox
- Event Sequence: Play - Rew - FF - Stop
[Figure: Event Sequence Graph (ESG) over the GUI controls Play, Record, Pause, Jump Begin, Rew, FF, Stop]
- System Function (Complete Event Sequence): Playing a Track
[Figure: Event Sequence Graph (ESG)]
(GUI of the RealJukebox, the uppermost layer)
An Event Pair (EP) consists of a legal input in a correct
state and a legal output in a correct state upon this input,
e.g., LS, LR, SP, SM, SR, PS, PP, PR, PM, MP,
MS, MM, MR, RL, RM.
An ES that leads to a final event which is in accordance
with the user's expectations is called a Complete Event
Sequence (CES), e.g., LSR, LR, LSPR, LSMR, LSPSR,
LSPPR, LSPMR, LSMPR, LSMSR, LSMMR, LSMR, LRLR,
LRMR.
Sub-sequences of the CES: Partial Event Sequences (PES).
PES of length n define n-tuples of events, i.e.: Event Triple
(ETr), Event Quadruple (EQr), etc.
Testing a Legal Event Sequence
- Event Sequence: Play - Pause - Jump to the Beginning
"Jump to the Beginning" does not place the position
indicator at the beginning of the current track. At the same
time, "Play" is on although "Pause" is still active!
Completed ESG (CESG) as the complement of the
modeled system.
We now construct Faulty EPs (FEP) for testing the
robustness, safety issues, etc. of the system, e.g., LL,
SL, LP, PL, LM, ML, SS, RP, RR, RS.
A FEP is already faulty, and a faulty state cannot be
"faultier", i.e., in a faulty state the system cannot accept
an additional illegal input. Thus, a FEP cannot be
extended to the right by any FEP.
To exercise a FEP, we extend it to the left, i.e., an ES
is used as a prefix to execute the FEP, e.g., LL, LP,
LM, LSL, LSPL, LSPML, LSS, LSPMRP, LSPMRR,
LSPMRS.
Testing a Faulty Event Sequence
- Faulty Event Sequence: Play - Pause - Record
Activating "Record" after "Play" and "Pause" causes
the loss of the track position!
Coverage of the edges of the ESG is a meaningful
criterion to systematize the test process and judge the
efficiency of the test cases (Belli) in the following way:
+ Define walks of the length n through the ESG as
sequences of n adjacent events starting at the
entry and ending at the exit of the ESG.
+ Construct a set of walks such that
- all sequences of events of a given length are
covered, e.g., all EP and/or ETr, EQr, etc., and
- the total length of all of the walks is minimal.
This minimization problem is a special case of the
Chinese Postman Problem (Aho, Sabnani, Dahbura, Ü.
Uyar, etc. (MUIO Sequences)). Its complexity is,
however, less than that of the original problem (our
first approach: O(n²)).
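The FEP construction and the EP-coverage criterion above, worked through on the five-event ESG of the example (added example, not code from the original slides or the authors' tool). Assumptions: entry event L and exit event R are inferred from the listed CES; prefixes are the shortest legal ones found by breadth-first search, so some FES are shorter than the slide's examples; the covering walk is a greedy heuristic, not the authors' minimization algorithm.

```python
from collections import deque
from itertools import product

# ESG of the page's example: its five events and the 15 legal event pairs (EP).
EVENTS = "LSPMR"
EP = set("LS LR SP SM SR PS PP PR PM MP MS MM MR RL RM".split())
ENTRY, EXIT = "L", "R"  # assumption: every CES on the page starts with L, ends with R

def path(src, dst):
    """Shortest legal event sequence from src to dst (BFS over the EP edges)."""
    queue, seen = deque([src]), {src}
    while queue:
        seq = queue.popleft()
        if seq[-1] == dst:
            return seq
        for nxt in EVENTS:
            if seq[-1] + nxt in EP and nxt not in seen:
                seen.add(nxt)
                queue.append(seq + nxt)
    raise ValueError(f"{dst} is not reachable from {src}")

def faulty_pairs():
    """FEP: every event pair that is not an edge of the ESG (the CESG edges)."""
    return {a + b for a, b in product(EVENTS, repeat=2)} - EP

def faulty_sequences():
    """Left-extend each FEP with a shortest legal prefix starting at ENTRY."""
    return sorted(path(ENTRY, fep[0]) + fep[1] for fep in faulty_pairs())

def covering_walk():
    """Greedy ENTRY-to-EXIT walk that exercises every EP at least once."""
    todo, walk = set(EP), ENTRY
    while todo:
        fresh = sorted(ep for ep in todo if ep[0] == walk[-1])
        if fresh:   # an uncovered pair starts at the current event: take it
            walk += fresh[0][1]
        else:       # otherwise detour to the nearest event that still has one
            walk += min((path(walk[-1], ep[0]) for ep in sorted(todo)), key=len)[1:]
        todo -= {walk[i:i + 2] for i in range(len(walk) - 1)}
    return walk + path(walk[-1], EXIT)[1:]

if __name__ == "__main__":
    print("FEP:", sorted(faulty_pairs()))
    print("FES:", faulty_sequences())
    print("EP-covering walk:", covering_walk())
```

Each FES is a test case that should end in an error message or defense activity of the SUT, while the covering walk is a single legal test case touching all 15 EP.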
Detected faults by ES and FES vs. the length of the ES,
e.g. EP, ETr, EQr, ...:
[Figure: plot with the two series FES and ES]
The cumulated number of detected faults in relation to
the number of test executions:
We introduced a complementary view for the detection and
handling of undesirable events in the following steps:
+ Construct the sequences of legal and illegal events of
different lengths n.
+ Input those sequences to the system under test (SUT).
+ Observe the output and determine whether a desirable
behavior, or an undesirable, faulty event occurs.
The latter case should invoke an error message, or a
defense activity of the SUT (exception handling).
Rule of thumb: The user is always right, i.e., there are no
user errors!
The test costs are scalable (length/number of the event
sequences as test cases).
The approach is black box-oriented, i.e., requires the
system specification prior to testing.
The specification can be, however, incrementally
produced, even during testing.