Introduction to Software Testing
Chapter 9.1 Challenges in Testing Software – Testing for Emergent Properties: Safety and Security
Paul Ammann & Jeff Offutt
http://www.cs.gmu.edu/~offutt/softwaretest/

Chapter 9 Outline
1. Testing for Emergent Properties: Safety and Security
2. Software Testability
3. Test Criteria and the Future of Software Testing

Introduction to Software Testing (Ch 9.2) © Ammann & Offutt 2

Emergent Property Overview
• General definition: a property that arises as a result of assembling components together into a system
• Emergent properties exist at the system level
• The key is the interaction of a system with its environment
• Emergent properties do not exist at the component level
  – But individual component design can have a profound effect on emergent properties
  – Safety and security are classic emergent properties
How do we address such properties?

Example
Sample Security Property: Outsiders only have access through the intended interface
[Diagram: the Internet, a Web Application, and a component P whose code contains the call “… gets (buf) …”]
Property Violation: Buffer overflow vulnerability leads to shell access inside the component

Why Emergent Properties Are Hard
• Fundamentally different from analyzing intended function
  – Trying to show software lacks certain “features”
  – Trying to show the absence of certain behaviors
  – This is really hard!
• Alternative approach
  – Catalogue typical problem areas
  – Systematically work through the catalog
  – Not complete!

High Level Steps
• Capture relevant safety/security properties
  – Often well understood by system engineers
    • Hazard model for the safety domain
    • Threat model for the security domain
• Identify high-risk areas
  – Relates system properties to component properties
    • Example: fault tree analysis for safety
• Mitigate risk
  – Testing is only one possible approach
  – Often redesign is a better option
  – It helps to understand the issues as early as possible!

Test Cases For Emergent Properties
• Develop misuse cases
  – Helps developers think about ways in which the system can be misused
• Identify assumptions, and devise test cases that violate them
  – Can a critical object reach an inconsistent state?
  – What ways beyond the explicit API exist to alter the state?
    • What happens when objects are deserialized?
    • What happens when a database file is accessed outside the DBMS?
    • What “normal” checks can be easily evaded?
• Identify configuration issues, and devise tests to check them
• Develop invalid input tests
  – Often the unsafe or insecure behavior exists outside the expected domain of inputs
  – See the discussion of bypass testing in Chapter 7
• Don’t forget about static analysis:
  – Avoidance/removal of unsafe library calls

Summary
• Most “real” systems have safety and/or security requirements
• Emergent properties only exist at the system level
  – Think about the interaction between a system and its environment
  – Components, by themselves, don’t exhibit emergent properties
• Emergent property requirements are better understood by domain experts than by software developers
  – Communication is essential
• Successfully addressing emergent properties requires careful attention at ALL phases of the software development life cycle
  – Safety and security cannot be “tested in” at the end
  – Testing is only one tool
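The “Test Cases For Emergent Properties” slide asks whether a critical object can reach an inconsistent state and what happens when objects are deserialized. The Python below is an added example, not code from the slides or the book: a hypothetical Account class whose API keeps its balance non-negative, a test that violates that assumption by restoring the object from serialized state instead of going through the API, and a hardened variant whose restore path re-applies the constructor's checks.

```python
# Added example, not from the slides: a test that violates a component's
# assumption through a route outside its explicit API (restoring the object
# from serialized state, as the "Test Cases" slide asks), beside a hardened
# variant that re-checks the invariant on load. Account is assumed for illustration.
import json


class Account:
    """Invariant: balance >= 0; only the API (withdraw) should change it."""

    def __init__(self, owner, balance=0):
        if balance < 0:
            raise ValueError("negative opening balance")
        self.owner, self.balance = owner, balance

    def withdraw(self, amount):
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid withdrawal")
        self.balance -= amount

    def consistent(self):
        return self.balance >= 0

    @classmethod
    def from_json(cls, text):
        """Naive restore: skips __init__ and therefore the constructor's checks."""
        obj = object.__new__(cls)
        obj.__dict__.update(json.loads(text))
        return obj


class HardenedAccount(Account):
    """Same API, but restored state goes through the constructor's checks."""

    @classmethod
    def from_json(cls, text):
        state = json.loads(text)
        return cls(state["owner"], state["balance"])


TAMPERED_STATE = json.dumps({"owner": "alice", "balance": -500})  # constructed


def restore_reaches_inconsistent_state(cls, text=TAMPERED_STATE):
    """True if restoring `text` yields an object violating the invariant;
    False if the class rejects the state on load."""
    try:
        return not cls.from_json(text).consistent()
    except ValueError:
        return False
```

The same test applied to both classes is the misuse case: the naive restore yields an Account with a negative balance that no API call could have produced, while the hardened restore refuses it.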