Bo-His Li,Chin-Yu Huang

DOI: https://doi.org/10.1109/srds.2017.33

2017-01-01

Abstract:During software regression testing, the code coverage of target program is a crucial factor while we perform test case reduction and prioritization. Modified Condition/ Decision Coverage (MC/DC) is one of the most strict and high-accuracy criterion in code coverage and it is usually considered necessary for adequate testing of critical software. In the past, Hayhurst et al proposed a method to implement the MC/DC criterion that complies with regulatory guidance for DO-178B level A software. Hayhurst's MC/DC approach was to find some test cases which are satisfied by MC/DC criterion for each operator (and, or, not, or xor) in the Boolean expression. However, there could be some problems when using Hayhurst's MC/DC approach to select test cases. In this paper, we discuss how to improve and/or enhance Hayhurst's MC/DC approach by using a greedy-based method. Some experiments are performed based on real programs to evaluate as well as compare the performance of our proposed and Hayhurst's approaches.

Xiaowei Zhang,Haihua Yan,Zhen Zhang

DOI: https://doi.org/10.1109/icrms.2016.8050052

2016-01-01

Abstract:The Modified Condition Decision Coverage (MC/DC) test criterion is a mandatory requirement for the testing of avionics software as per the DO-178B standard. In the implementation of safety-critical software, there are many complex logics and testing requirements are relatively high. In structure-based testing, MC/DC coverage has a strong ability to detect errors compared to decision or condition coverage. However, it isn't enough to prove that the implementation is correct; there may be defects still lurking in the software. In this paper we classified the flaws in Boolean expressions into four types based on the software faults model and analyzed the MC/DC sensitivity to these flaws. We found that MC/DC is not sensitive to the relational condition boundary error. Additionally, we present a testing criteria called Enhanced-Condition-MC/DC (EC-MC/DC) as a method of improving MC/DC testing adequacy. The validity and feasibility of the method are verified by real-world open source programs.

Jun-Ru Chang,Chin-Yu Huang

DOI: https://doi.org/10.1109/compsac.2007.44

2007-01-01

Abstract:The coverage criteria of verification techniques play an important role in software development and testing. The goal is to reduce the size of test suites to economize on time, and to ensure whether all statements (or conditions) are covered. We can use these criteria to track test progress, assess current situations, predict emerging events, and so on. Thus we can take the necessary actions upon early indications that testing activity is falling behind. Modified condition/decision coverage (MC/DC) was proposed by NASA in 1994, and had been widely adopted and discussed since then. As evident from the definition, MC/DC criterion is used to judge whether each Boolean operator can be satisfied or not. However, we find that the selected test cases sometimes may not be able to satisfy the original definition of MC/DC under some Boolean expressions. In this paper, we will propose a simple but useful method which focuses on all conditions of Boolean expression to practice MC/DC. Specifically, our proposed approach will use n-cube graph and Gray code to implement the MC/DC criterion. We will further show how to use the proposed method to differentiate the necessary and redundancy test cases. Finally, a practical regression testing tool, TASTE (Tool for Automatic Software regression TEsting), will be presented in this paper. An example is given to illustrate the detailed working process and is explained in detail.

Zhiyuan Wan,Bo Zhou

DOI: https://doi.org/10.1109/ITAIC.2011.6030179

2011-01-01

Abstract:Recently automated test generation tools that implement variations of symbolic execution technology have demonstrated their ability to find subtle errors. However, one challenge they all face is how to effectively handle the exponential number of paths in large, realistic programs. This paper presents Directed Systematic Dynamic Testing approach, or DSDT for short, that combines compositional systematic dynamic testing with a search heuristic based on block-coverage. The approach tests program under test compositionally and directs the path exploration along the program point with the lowest block-coverage. We implemented our algorithm on top of jFuzz for testing Java program and evaluated our approach on testing a Java implementation of red-black tree. The preliminary experimental results show that Directed Systematic Dynamic Testing approach can efficiently achieve the code coverage of program under test. © 2011 IEEE.

Dong Li,Linghuan Hu,Ruizhi Gao,W. Eric Wong,D. Richard Kuhn,Raghu N. Kacker

DOI: https://doi.org/10.1109/qrs-c.2017.131

2017-01-01

Abstract:Software, in many different fields and tasks, has played a critical role and even replaced humans to improve efficiency and safety. However, catastrophic consequences can be caused by implementation bugs and design defects. Modified condition/decision coverage (MC/DC), required by the Federal Aviation Administration on Level A (the most safety critical system), has been shown to be effective in detecting software bugs. However, generating tests to achieve high MC/DC can be very expensive and time consuming. Recently, many studies showed that combinatorial testing (CT) could generate high-quality test cases in a cost-effective way. Can CT generate test cases to achieve high MC/DC? In this paper, we conduct an empirical study on two real-life programs to evaluate the efficiency and effectiveness of using combinatorial testing to improve MC/DC coverage achievement, as well as the fault detection strength.

Hong Wei-jiang,Liu Yi-jun,Chen Zhen-bang,Dong Wei,Wang Ji

DOI: https://doi.org/10.1631/fitee.1900213

2020-01-01

Abstract:Symbolic execution is an effective way of systematically exploring the search space of a program, and is often used for automatic software testing and bug finding. The program to be analyzed is usually compiled into a binary or an intermediate representation, on which symbolic execution is carried out. During this process, compiler optimizations influence the effectiveness and efficiency of symbolic execution. However, to the best of our knowledge, there exists no work on compiler optimization recommendation for symbolic execution with respect to (w.r.t.) modified condition/decision coverage (MC/DC), which is an important testing coverage criterion widely used for mission-critical software. This study describes our use of a state-of-the-art symbolic execution tool to carry out extensive experiments to study the impact of compiler optimizations on symbolic execution w.r.t. MC/DC. The results indicate that instruction combining (IC) optimization is the important and dominant optimization for symbolic execution w.r.t. MC/DC. We designed and implemented a support vector machine based optimization recommendation method w.r.t. IC (denoted as auto). The experiments on two standard benchmarks (Coreutils and NECLA) showed that auto achieves the best MC/DC on 67.47% of Coreutils programs and 78.26% of NECLA programs.

Jun-Ru Chang,Chin-Yu Huang,Po-Hsi Li

DOI: https://doi.org/10.1109/sere-c.2012.23

2012-01-01

Abstract:During software development, white-box testing is used to examine the internal design of the program. One of the most important aspects of white-box testing is the code coverage. Among various test coverage measurements, the Modified Condition/Decision Coverage (MC/DC) is a structural coverage measure and can be used to assess the adequacy and quality of the requirements-based testing (RBT) process. NASA has proposed a method to select the needed test cases for satisfying this criterion. However, there may have some flaws in NASA's method. That is, the selected test cases may not satisfy the original definition of the MC/DC criterion in some particular situations and perhaps can not detect errors completely. On the other hand, NASA's method may be hard to detect some operator errors. For example, we may not be able to detect the incorrectly coding or for xor in some cases. Additionally, this method is too complex and could take a lot of time to obtain the needed test cases. In this paper, we will propose a classification-based algorithm to select the needed test cases. First, test cases will be classified based on the outcome value of expression and the target condition. After classifying all test cases, MC/DC pairs can be found quickly, conveniently and effectively. Also, if there are some missing (unfound) test cases, our proposed classification-based method can also suggest to developers what kinds of test cases have to be generated. Finally, some experiments are performed based upon real programs to evaluate the performance and effectiveness of our proposed classification-based algorithm.

DOI: https://doi.org/10.1007/s11219-024-09667-3

2024-05-15

Software Quality Journal

Abstract:One of the main objectives of testing is to achieve adequate code coverage. Modern code coverage standards suggest MC/DC (Modified Condition/Decision Coverage) instead of MCC (Multiple Condition Coverage) due to its ability to generate a feasible number of test cases. In contrast to the MC/DC, which only takes independent pairs into consideration, the MCC often considers each and every test case. In our work, we suggest SC-MCC, i.e., MCC with Short-Circuit. The key aspect of this paper is to demonstrate the effectiveness of SC-MCC-based test cases compared to MC/DC using Coverage-Guided Fuzzing (CGF) technique. In this work, we have considered American Fuzzy Lop (AFL) tool to generate both the SC-MCC and MC/DC test cases for 54 RERS benchmark programs. As part of this paper, we propose unique goal constraint generation and fuzz-instrumentation techniques that help in mitigating the masking problem of AFL. Subsequently, we performed mutation testing by employing the GCOV tool and computed the mutation score in order to evaluate the quality of the generated test cases. Finally, based on our observations, SC-MCC has performed better for over 85% of the programs taken into consideration.

computer science, software engineering

Ian McCormack,Tomas Dougan,Sam Estep,Hanan Hibshi,Jonathan Aldrich,Joshua Sunshine

2024-10-20

Abstract:The Rust programming language restricts aliasing to provide static safety guarantees. However, in certain situations, developers need to bypass these guarantees by using a set of unsafe features. If they are used incorrectly, these features can reintroduce the types of safety issues that Rust was designed to prevent. We seek to understand how current development tools can be improved to better assist developers who find it necessary to interact with unsafe code. To that end, we study how developers reason about foreign function calls, the limitations of the tools that they currently use, their motivations for using unsafe code, and how they reason about encapsulating it. We conducted a mixed-methods investigation consisting of semi-structured interviews with 19 developers, followed by a survey that reached an additional 160 developers. Our participants were motivated to use unsafe code when they perceived that there was no alternative, and most avoided using it. However, limited tooling support for foreign function calls made participants uncertain about their design choices, and certain foreign aliasing and concurrency patterns were difficult to encapsulate. To overcome these challenges, Rust developers need verification tools that can provide guarantees of soundness within multi-language applications.

Software Engineering

Shuang Hu,Baojian Hua,Lei Xia,Yang Wang

DOI: https://doi.org/10.1109/qrs57517.2022.00101

2022-01-01

Abstract:Rust is a new safe system programming language enforcing safety guarantees by novel language features, a rich type system, and strict compile-time checking rules, and thus has been used extensively to build system software. For multilingual Rust applications containing external C code, memory security vulnerabilities can occur due to the intrinsically unsafe nature of C and the improper interactions between Rust and C. Unfortunately, existing security studies on Rust only focus on pure Rust code but cannot analyze either the native C code or the Rust/C interactions in multilingual Rust applications. As a result, the lack of such studies may defeat the guarantee that Rust is a safe language.This paper presents CRust, a unified program analysis framework across Rust and C, which enables program analyses to understand the semantics of C code by translating Rust and C into a unified specification language. The CRust framework consists of three key components: (1) a unified specification language CRustIR, which is a strong-typed low-level intermediate language suitable for program analysis; (2) a transformation to build models of C code by converting C code into CRustIR; and (3) program analysis algorithms on CRustIR to detect security vulnerabilities. We have implemented a software prototype for CRust, and have conducted extensive experiments to evaluate its effectiveness and performance. Experimental results demonstrated that CRust can effectively detect common memory security vulnerabilities caused by the interaction of Rust and C that are missed by state-of-the-art tools. In addition, CRust is efficient in bringing negligible overhead (0.23 seconds on average).

Rahul Pandita,Tao Xie,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1109/ICSM.2010.5609565

2010-01-01

Abstract:Test coverage criteria including boundary-value and logical coverage such as Modified Condition/Decision Coverage (MC/DC) have been increasingly used in safety-critical or mission-critical domains, complementing those more popularly used structural coverage criteria such as block or branch coverage. However, existing automated test-generation approaches often target at block or branch coverage for test generation and selection, and therefore do not support testing against boundary-value coverage or logical coverage. To address this issue, we propose a general approach that uses instrumentation to guide existing test-generation approaches to generate test inputs that achieve boundary-value and logical coverage for the program under test. Our preliminary evaluation shows that our approach effectively helps an approach based on Dynamic Symbolic Execution (DSE) to improve boundary-value and logical coverage of generated test inputs. The evaluation results show 30.5% maximum (23% average) increase in boundary-value coverage and 26% maximum (21.5% average) increase in logical coverage of the subject programs under test using our approach over without using our approach. In addition, our approach improves the fault-detection capability of generated test inputs by 12.5% maximum (11% average) compared to the test inputs generated without using our approach.

Lei Xia,Yufei Wu,Baojian Hua

DOI: https://doi.org/10.1109/qrs-c60940.2023.00102

2023-01-01

Abstract:Rust is a modern system-level programming language providing strong security guarantees, which has been widely applied in building software infrastructures. However, unsafe Rust, a language feature introduced for programming flexibility and efficiency, can be prone to memory vulnerabilities due to the lack of compile-time and run-time checks. Worse yet, it is challenging to diagnose such memory vulnerabilities in Rust programs, due to the subtle interactions between the safe and unsafe code. This paper presents Rustcheck, the first memory safety enhancement framework for dynamic program analysis of Rust programs. The key idea of Rustcheck is to dynamically detect memory safety issues caused by the improper use of unsafe Rust through static instrumentations. We have implemented a software prototype for Rustcheck and conducted experiments to evaluate the effectiveness and performance of it by applying Rustcheck to 56 CVES from real-world Rust projects. And experimental results showed that Rustcheck can successfully detect all of 65 memory vulnerabilities in CVEs, with low runtime overhead (3.30% on average) to the Rust projects being checked.

Shi Zhu,Qing Ding,Ming Jiang

DOI: https://doi.org/10.1109/icise.2010.5689928

2010-01-01

Abstract:Multiple Condition Coverage (MCC) is a very strong test criterion in the white-box test, but as it requires much more test cases, it is not useful in practices. We now propose a new method: Pairwise Condition Covering test, which simplified MCC, but inherited the advantage of MCC, meanwhile it needs only a few numbers of test cases. Compare to the widely used Modified Condition/Decision Coverage (MC/DC), it will use less test cases when there are quite a lot of conditions; besides it can discover the deficiencies which MC / DC could not identify.

Shuang Hu,Baojian Hua,Yang Wang

DOI: https://doi.org/10.1109/qrs57517.2022.00102

2022-01-01

Abstract:Rust is an emerging programming language designed for secure system programming that provides both security guarantees and runtime efficiency and has been increasingly used to build software infrastructures such as OS kernels, web browsers, databases, and blockchains. To support arbitrary low-level programming and to provide more flexibility, Rust introduced the unsafe feature, which may lead to security issues such as memory or concurrency vulnerabilities. Although there have been a significant number of studies on Rust security utilizing diverse techniques such as program analysis, fuzzing, privilege separation, and formal verification, existing studies suffer from three problems: 1) they only partially solve specific security issues but lack comprehensiveness; 2) most of them require manual interventions or annotations thus are not automated; and 3) they only cover a specific phase instead of the full lifecycle.In this perspective paper, we first survey current research progress on Rust security from 5 aspects, namely, empirical studies, vulnerability prevention, vulnerability detection, vulnerability rectification, and formal verification, and note the limitations of current studies. Then, we point out key challenges for Rust security. Finally, we offer our vision of a Rust security infrastructure guided by three principles: Comprehensiveness, Automation, and Lifecycle (CAL). Our work intends to promote the Rust security studies by proposing new research challenges and future research directions.

Hassan Sartaj,Muhammad Zohaib Iqbal,Atif Aftab Ahmed Jilani,Muhammad Uzair Khan

DOI: https://doi.org/10.1002/stvr.1906

2024-11-10

Software Testing Verification and Reliability

Abstract:This paper introduces an efficient method for automating modified condition/decision coverage (MC/DC) test data generation in model‐based testing, employing a strategy that uses case‐based reasoning (CBR) and range reduction heuristics to solve MC/DC‐tailored Object Constraint Language (OCL) constraints. Results indicate that CBR and range reduction outperform the baseline approach in MC/DC test data generation. Furthermore, their combination presents an effective alternative to existing constraint solvers. System‐level testing of avionics software systems requires compliance with different international safety standards such as DO‐178C. An important consideration of the avionics industry is automated test data generation according to the criteria suggested by safety standards. One of the recommended criteria by DO‐178C is the modified condition/decision coverage (MC/DC) criterion. Current model‐based test data generation approaches use constraints written in Object Constraint Language (OCL) and apply search techniques to generate test data. These approaches either do not support MC/DC criterion or suffer from performance issues while generating test data for large‐scale avionics systems. In this paper, we propose an effective way to automate MC/DC test data generation during model‐based testing. We develop a strategy that utilizes case‐based reasoning (CBR) and range reduction heuristics designed to solve MC/DC‐tailored OCL constraints. We performed an empirical study to compare our proposed strategy for MC/DC test data generation using CBR, range reduction, both CBR and range reduction, with an original search algorithm, and random search. We also empirically compared our strategy with existing constraint‐solving approaches. The results show that both CBR and range reduction for MC/DC test data generation outperform the baseline approach. Moreover, the combination of both CBR and range reduction for MC/DC test data generation is an effective approach compared to existing constraint solvers.

computer science, software engineering

Alex Le Blanc,Patrick Lam

2024-10-03

Abstract:Rust aims to be a safe programming language applicable to systems programming applications. In particular, its type system has strong guardrails to prevent a variety of issues, such as memory safety bugs and data races. However, these guardrails can be sidestepped via the unsafe keyword. unsafe allows certain otherwise-prohibited operations, but shifts the onus of preventing undefined behaviour from the Rust language's compile-time checks to the developer. We believe that tools have a role to play in ensuring the absence of undefined behaviour in the presence of unsafe code. Moreover, safety aside, programs would also benefit from being verified for functional correctness, ensuring that they meet their specifications. In this research proposal, we explore what it means to do Rust verification. Specifically, we explore which properties are worth verifying for Rust; what techniques exist to verify them; and which code is worth verifying. In doing so, we motivate an effort to verify safety properties of the Rust standard library, presenting the relevant challenges along with ideas to address them.

Programming Languages

Aymeric Fromherz,Jonathan Protzenko

2024-12-20

Abstract:The popularity of the Rust language continues to explode; yet, many critical codebases remain authored in C, and cannot be realistically rewritten by hand. Automatically translating C to Rust is thus an appealing course of action. Several works have gone down this path, handling an ever-increasing subset of C through a variety of Rust features, such as unsafe. While the prospect of automation is appealing, producing code that relies on unsafe negates the memory safety guarantees offered by Rust, and therefore the main advantages of porting existing codebases to memory-safe languages. We instead explore a different path, and explore what it would take to translate C to safe Rust; that is, to produce code that is trivially memory safe, because it abides by Rust's type system without caveats. Our work sports several original contributions: a type-directed translation from (a subset of) C to safe Rust; a novel static analysis based on "split trees" that allows expressing C's pointer arithmetic using Rust's slices and splitting operations; an analysis that infers exactly which borrows need to be mutable; and a compilation strategy for C's struct types that is compatible with Rust's distinction between non-owned and owned allocations. We apply our methodology to existing formally verified C codebases: the HACL* cryptographic library, and binary parsers and serializers from EverParse, and show that the subset of C we support is sufficient to translate both applications to safe Rust. Our evaluation shows that for the few places that do violate Rust's aliasing discipline, automated, surgical rewrites suffice; and that the few strategic copies we insert have a negligible performance impact. Of particular note, the application of our approach to HACL* results in a 80,000 line verified cryptographic library, written in pure Rust, that implements all modern algorithms - the first of its kind.

Programming Languages

Lukas Seidel,Julian Beier

2024-05-28

Abstract:The development of safety-critical aerospace systems is traditionally dominated by the C language. Its language characteristics make it trivial to accidentally introduce memory safety issues resulting in undefined behavior or security vulnerabilities. The Rust language aims to drastically reduce the chance of introducing bugs and consequently produces overall more secure and safer code. However, due to its relatively short lifespan, industry adaption in safety-critical environments is still lacking. This work provides a set of recommendations for the development of safety-critical space systems in Rust. Our recommendations are based on insights from our multi-fold contributions towards safer and more secure aerospace systems: We provide a comprehensive overview of ongoing efforts to adapt Rust for safety-critical system programming, highlighting its potential to enhance system robustness. Next, we introduce a procedure for partially rewriting C-based systems in Rust, offering a pragmatic pathway to improving safety without necessitating a full system overhaul. During the execution of our rewriting case study, we identify and fix three previously undiscovered vulnerabilities in a popular open-source satellite communication protocol. Finally, we introduce a new Rust compiler target configuration for bare metal PowerPC. With this, we aim to broaden Rust's applicability in space-oriented projects, as the architecture is commonly encountered in the domain, e.g., in the James Webb Space Telescope.

Cryptography and Security

Xiangjun Han,Baojian Hua,Yang Wang,Ziyao Zhang

DOI: https://doi.org/10.1109/qrs-c57518.2022.00122

2022-01-01

Abstract:Rust is an emerging programming language designed for both performance and security, and thus many research efforts have been conducted recently to migrate legacy code bases in C/C++ to Rust to exploit Rust's safety benefits. Unfortunately, prior studies on C to Rust conversion still have three limitations: 1) complex structure; 2) code explosion; and 3) poor performance. These limitations greatly affect the effectiveness and usefulness of such conversions. This paper presents RUSTY, the first system for effective C to Rust code conversion via unstructured control specialization. The key technical insight of RUSTY is to implement C-style syntactic sugars on top of Rust, thus eliminating the discrepancies between the two languages. We have implemented a software prototype for RUSTY and conducted experiments to evaluate the effectiveness and testify the usefulness of it by applying RUSTY to micro-benchmarks, as well as 3 realworld C projects: 1) Vim; 2) cURL; and 3) the silver searcher. And experimental results demonstrated that RUSTY is effective in eliminating unstructured controls, reducing the code size by 16% on average with acceptable overhead (less than 61 microseconds per line of C code).

Evan Martin,Tao Xie,Ting Yu

DOI: https://doi.org/10.1007/11935308_11

2006-01-01

Abstract:To facilitate managing access control in a system, security officers increasingly write access control policies in specification languages such as XACML, and use a dedicated software component called a Policy Decision Point (PDP). To increase confidence on written policies, certain types of policy testing (often in an ad hoc way) are usually conducted, which probe the PDP with some typical requests and check PDP's responses against expected ones. This paper develops a first step toward systematic policy testing by defining and measuring policy coverage when testing policies. We have developed a coverage-measurement tool to measure policy coverage given a set of XACML policies and a set of requests. We have developed a tool for request generation, which randomly generates requests for a given set of policies, and a tool for request reduction, which greedily selects a nearly minimal set of requests for achieving the same coverage as the originally generated requests. To evaluate coverage-based request reduction and its effect on fault detection, we have conducted an experiment with mutation testing on a set of real policies. Our experimental results show that the coverage-based test reduction can substantially reduce the size of generated requests and incur only relatively low loss on fault detection. We also conduct a study on the policy coverage achieved by manually generated requests.