
Introduction to Software Testing

Chapter 9.1

Challenges in Testing Software


Testing for Emergent Properties: Safety and Security

Paul Ammann & Jeff Offutt


http://www.cs.gmu.edu/~offutt/softwaretest/

Chapter 9 Outline
1. Testing for Emergent Properties: Safety and Security
2. Software Testability
3. Test Criteria and the Future of Software Testing

Introduction to Software Testing (Ch 9.2)

Ammann & Offutt

Emergent Property Overview


General definition:

A property that arises as a result of assembling components together into a system
Emergent properties exist at system level
The key is the interaction of a system with its environment
Emergent properties do not exist at component level
But individual component design can have a profound effect on emergent properties
Safety and Security are classic emergent properties

How do we address such properties?



Example
Sample Security Property: Outsiders only have access through intended interface

[Diagram labels: Internet, Web Application, gets(buf)]

Property Violation: Buffer overflow vulnerability leads to shell access inside component

Why Emergent Properties Are Hard


Fundamentally different than analyzing intended function
Trying to show software lacks certain features
Trying to show absence of certain behaviors.
This is really hard!

Alternative approach
Catalog typical problem areas
Systematically work through the catalog
Not complete!


High Level Steps


Capture relevant safety/security properties
Often well-understood by system engineers
Hazard model for safety domain
Threat model for security domain

Identify high risk areas


Relates system properties to component properties
Example: Fault tree analysis for safety

Mitigate risk
Testing is only one possible approach
Often redesign is a better option
It helps to understand the issues as early as possible!


Test Cases For Emergent Properties


Develop misuse cases
Helps developers think about ways in which system can be misused

Identify assumptions, and devise test cases that violate them


Can a critical object reach an inconsistent state?
What ways beyond the explicit API exist to alter the state?
What happens when objects are deserialized?
What happens when a database file is accessed outside the DBMS?
What normal checks can be easily evaded?

Identify configuration issues, and devise tests to check them


Develop invalid input tests
Often the unsafe or insecure behavior exists outside the expected domain of inputs
See discussion of bypass testing in Chapter 7

Don't forget about static analysis:


Avoidance/removal of unsafe library calls
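
An added example, not part of the original slides: the gets(buf) call from the Example slide replaced by a bounded read, with an invalid-input test that feeds a line outside the expected input domain. The names read_line, probe and BUF_SIZE, the return codes and the canary check are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16 /* constructed size for this example */

/* Before (the slide's call): char buf[BUF_SIZE]; gets(buf); has no length
 * limit. After: bounded read. Returns 0 = line stored, -1 = EOF or error,
 * -2 = line too long (rejected, rest of the line discarded). */
int read_line(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL) return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 0;
    }
    int c = fgetc(in);                    /* no newline yet: peek at what follows */
    if (c == EOF || c == '\n') return 0;  /* line ended exactly at the limit */
    while (c != EOF && c != '\n')
        c = fgetc(in);                    /* drain so the next read starts clean */
    buf[0] = '\0';
    return -2;
}

/* Invalid-input probe (hypothetical test helper): feeds `input` through a
 * temp file and checks a canary placed directly after the buffer. */
int probe(const char *input, char *out, size_t out_size)
{
    struct { char buf[BUF_SIZE]; unsigned char canary[8]; } s;
    FILE *f = tmpfile();
    if (f == NULL) return -99;
    memset(s.canary, 0xA5, sizeof s.canary);
    fputs(input, f);
    rewind(f);
    int rc = read_line(f, s.buf, sizeof s.buf);
    fclose(f);
    for (size_t i = 0; i < sizeof s.canary; i++)
        if (s.canary[i] != 0xA5) return -98; /* write past buf detected */
    if (rc == 0) snprintf(out, out_size, "%s", s.buf);
    return rc;
}

int main(void)
{
    char out[BUF_SIZE];
    /* constructed 32-byte line, twice the buffer size: prints rc=-2 */
    printf("rc=%d\n", probe("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", out, sizeof out));
    return 0;
}
```

Rejecting the over-long line, rather than silently truncating it, keeps the remainder from being read as the next input line.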

Summary
Most real systems have safety and/or security requirements
Emergent properties only exist at the system level
Think about the interaction between a system and its environment
Components, by themselves, don't exhibit emergent properties

Emergent property requirements are better understood by domain experts than by software developers

Communication is essential

Successfully addressing emergent properties requires careful attention at ALL phases of the software development life cycle


Safety and Security cannot be tested in at the end
Testing is only one tool
