Markus Becker,Christoph Kuznik,Mabel Mary Joy,Tao Xie,Wolfgang Mueller

DOI: https://doi.org/10.1109/DSN.2012.6263914

2012-01-01

Abstract:This paper presents a novel mutation based testing method through binary mutation. For this, a table of mutants is derived by control flow analysis of a disassembled binary under test. Mutations are injected at runtime by dynamic translation. Thus, our approach neither relies on source code nor a certain compiler. As instrumentation is avoided, testing results correspond to the original binary. In addition to high-level language faults, the proposed approach captures target specific faults related to compiling and linking. We investigated the software of an automotive case study. For this, a taxonomy of mutation operators for the ARM instruction set is proposed. Our experimental results prove 100% accuracy w.r.t. confidence metrics provided by conventional testing methods while avoiding significant mutant compilation overhead. Further speed up is achieved by an efficient binary mutation testing framework that relies on extending the open source software emulator QEMU.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Yi Gao,Xing Hu,Tongtong Xu,Xin Xia,David Lo,Xiaohu Yang

DOI: https://doi.org/10.1145/3597503.3639124

2024-01-01

Abstract:Test migration, which enables the reuse of test cases crafted with knowledge and creativity by testers across various platforms and programming languages, has exhibited effectiveness in mobile app testing. However, unit test migration at the source code level has not garnered adequate attention and exploration. In this paper, we propose a novel cross-language and cross-platform test migration methodology, named MUT, which consists of four modules: code mapping, test case filtering, test case translation, and test case adaptation. MUT initially calculates code mappings to establish associations between source and target projects, and identifies suitable unit tests for migration from the source project. Then, MUT's code translation component generates a syntax tree by parsing the code to be migrated and progressively converts each node in the tree, ultima tely generating the target tests, which are compiled and executed in the target project. Moreover, we develop a web tool to assist developers in test migration. The effectiveness of our approach has been validated on five prevalent functional domain projects within the open-source community. We migrate a total of 550 unit tests and submitted pull requests to augment test code in the target projects on GitHub. By the time of this paper submission, 253 of these tests have already been merged into the projects (including 197 unit tests in the Luliyucoordinate-LeetCode project and 56 unit tests in the Rangerlee-HtmlParser project). Through running these tests, we identify 5 bugs, and 2 functional defects, and submitted corresponding issues to the project. The evaluation substantiates that MUT's test migration is both viable and beneficial across programming languages and different projects.

Mohsen Ahmadi,Pantea Kiaei,Navid Emamdoost

DOI: https://doi.org/10.48550/arXiv.2102.05709

2021-02-13

Abstract:Mutation analysis is an effective technique to evaluate a test suite adequacy in terms of revealing unforeseen bugs in software. Traditional source- or IR-level mutation analysis is not applicable to the software only available in binary format. This paper proposes a practical binary mutation analysis via binary rewriting, along with a rich set of mutation operators to represent more realistic bugs. We implemented our approach using two state-of-the-art binary rewriting tools and evaluated its effectiveness and scalability by applying them to SPEC CPU benchmarks. Our analysis revealed that the richer mutation operators contribute to generating more diverse mutants, which, compared to previous works leads to a higher mutation score for the test harness. We also conclude that the reassembleable disassembly rewriting yields better scalability in comparison to lifting to an intermediate representation and performing a full translation.

Software Engineering,Cryptography and Security

Zitai Chen,Sam L. Thomas,Flavio D. Garcia

DOI: https://doi.org/10.48550/arXiv.2208.03528

2022-08-06

Abstract:In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.

Cryptography and Security

Lingming Zhang,Tao Xie,Lu Zhang,Nikolai Tillmann,Jonathan de Halleux,Hong Mei

DOI: https://doi.org/10.1109/ICSM.2010.5609672

2010-01-01

Abstract:Mutation testing has been used to assess and improve the quality of test inputs. Generating test inputs to achieve high mutant-killing ratios is important in mutation testing. However, existing test-generation techniques do not provide effective support for killing mutants in mutation testing. In this paper, we propose a general test-generation approach, called PexMutator, for mutation testing using Dynamic Symbolic Execution (DSE), a recent effective test-generation technique. Based on a set of transformation rules, PexMutator transforms a program under test to an instrumented meta-program that contains mutant-killing constraints. Then PexMutator uses DSE to generate test inputs for the meta-program. The mutant-killing constraints introduced via instrumentation guide DSE to generate test inputs to kill mutants automatically. We have implemented our approach as an extension for Pex, an automatic structural testing tool developed at Microsoft Research. Our preliminary experimental study shows that our approach is able to strongly kill more than 80% of all the mutants for the five studied subjects. In addition, PexMutator is able to outperform Pex, a state-of-the-art test-generation tool, in terms of strong mutant killing while achieving the same block coverage.

Huang Wang,Chao Wang,Huaping Chen

DOI: https://doi.org/10.1504/ijhpsa.2015.072853

2015-01-01

Abstract:Cross-instruction set architecture ISA full-system emulator plays an important role in reusing binary codes across different architectures. With the rapid development of multi-core technology, it is desirable to build a high-performance multi-core emulator rather than conventional single core emulator. However, current mainstream cross-ISA full-system emulator can only work sequentially, which seriously confines the parallelism. In order to take the advantage of parallelism of host platform to emulate multi processor architecture, this paper presents XE-MU, a cross-ISA full-system emulator on multiple processor architectures. Firstly, efficient methods are targeted to translate atomic instructions. Secondly, we study the approach to emulation of communications for inter-core and core-to-I/O devices. For the implementation, we utilise both GCC built-in-functions and LL/SC instructions-based methods to translate the atomic instructions. We propose a portable and efficient lock-free queue implementation for communications in virtual machine. In order to verify the effectiveness of these methods, we conducted experiments on the Loongson-3A hardware platform. Experimental results demonstrate that both methods are able to enhance the performance of the emulator and reduce the overhead of inter-core communication with interrupts; thereby, the efficiency of the emulator can be greatly improved.

Tao Xie,Wolfgang Mueller,Florian Letombe

DOI: https://doi.org/10.1109/hldvt.2011.6114167

2011-01-01

Abstract:Mutation-testing has been considered as an important coverage metric to measure the quality of simulation-based verification and validation processes [1, 2, 3]. On the other hand, IP-XACT has evolved to the IEEE standard for IP reuse and IP-based System-on-Chip (SoC) integration, which covers both RTL and TLM. In this paper, we present our effort to enable the mutation-based simulation coverage metric for system level IP integration with IP-XACT. Two major ingredients are required for this extension. First, as IP-XACT system designs are XML files, which are not originally for execution, we need an execution/simulation engine for IP-XACT designs. For this, we created a code generator that generates SystemC models from IP-XACT XML designs, such that we can simulate and test an IP-XACT design. Second, we define the mutation operators on IP-XACT schema, which is the model of errors that we can inject into IP-XACT designs during mutation testing. With IP-XACT, the mutation maintains a focus on the integration and configuration of components. We implemented the code generator and mutation operators in an Eclipsed-based IP-XACT editor with the help of Eclipse Modeling Framework. Then several experiments were conducted on a TLM library for CoreConnect SoC modeling. From the results, we can see that the defined IP-XACT mutation serves an effective qualification for simulation tests, in terms of its ability to reveal the weakness of the tests.

Xingya Wang,Shiyu Zhang,Fangxiao Liu,Lichao Feng,Zhihong Zhao

DOI: https://doi.org/10.1109/qrs-c55045.2021.00017

2021-01-01

Abstract:Mutation testing simulates typical software defects by executing mutation operations. It can effectively measure the defect detection capabilities of a test-suite. However, in the mutation testing, we must generate, compile, and execute plenty of mutants, which causes substantial computing costs. Mutants selection can reduce the number of mutants but cannot avoid compiling and executing all mutants. Therefore, mutation testing suffers an efficiency problem, making it hard to use in practice. In this paper, we propose a Mutants Quality Prediction method, MQP, which relies on the static features of the source program, test-suite, and mutants to predict the quality of a test-suite. MQP avoids compiling and executing all mutants during mutants selection and thus can save expensive computing costs. Then, we use MQP as the fitness function and select the evolutionary optimization strategy, Genetic Algorithm, to generate a high-quality mutant subset. We empirically studied MQP on nine widely used items. The experimental results show that MQP achieves a good predictive effect. Its accuracy rate can reach 98.30%, while the average absolute error is only 0.74%. Moreover, the reduction efficiency of the MQP-based mutation testing is about 20 times that of the random-based selective mutation testing.

Thierry Titcheu Chekam,Mike Papadakis,Maxime Cordy,Yves Le Traon

DOI: https://doi.org/10.1145/3425497

IF: 3.685

2021-04-30

ACM Transactions on Software Engineering and Methodology

Abstract:We introduce SEMu , a Dynamic Symbolic Execution technique that generates test inputs capable of killing stubborn mutants (killable mutants that remain undetected after a reasonable amount of testing). SEMu aims at mutant propagation (triggering erroneous states to the program output) by incrementally searching for divergent program behaviors between the original and the mutant versions. We model the mutant killing problem as a symbolic execution search within a specific area in the programs’ symbolic tree. In this framework, the search area is defined and controlled by parameters that allow scalable and cost-effective mutant killing. We integrate SEMu in KLEE and experimented with Coreutils (a benchmark frequently used in symbolic execution studies). Our results show that our modeling plays an important role in mutant killing. Perhaps more importantly, our results also show that, within a two-hour time limit, SEMu kills 37% of the stubborn mutants, where KLEE kills none and where the mutant infection strategy (strategy suggested by previous research) kills 17%.

computer science, software engineering

Robert M. Hierons,Tao Xie

DOI: https://doi.org/10.1002/stvr.1798

2021-01-01

Abstract:This issue contains four papers. The first paper provides a survey of work on testing adaptive and context-aware systems, while the second one concerns testing embedded systems. The remaining two papers explore particular problems associated with an area well known to most STVR readers: mutation testing. The first paper, ‘Testing of adaptive and context-aware systems: Approaches and challenges’, by Bento R. Siqueira, Fabiano C. Ferrari, Kathiani E. Souza, Valter V. Camargo and Rogério de Lemos, introduces a systematic literature review and a thematic analysis of studies to characterize the state of the art in testing adaptive systems (ASs) and context-aware systems (CASs) and discuss approaches, challenges, observed trends and research limitations and directions. The authors discover recurring research concerns related to AS and CAS testing (such as generation of test cases and built-in tests), recurring testing challenges (such as context monitoring and runtime decisions), some trends (such as model-based testing and hybrid techniques) and some little investigated issues (such as uncertainty and prediction of changes). (Recommended by T.Y. Chen) The second paper, ‘Remote embedded devices test framework on the cloud’, by Il-Seok (Benjamin) Choi and Chang-Sung Jeong, introduces a remote embedded device test framework on the cloud named RED-TFC, whose reliability test manager component can automatically perform various tests for evaluating reliability and performance of distributed shared devices by utilizing the cloud concept. RED-TFC includes two major techniques: the adaptive sample scale for reliability test (ASRT) and the mass sample reliability test (MSRT). The authors analyse two Android smartphone models that include many embedded components and show that RED-TFC can help detect a high number of reliability problems in smartphones. (Recommended by Tanja Vos) The third paper, ‘Analysing the combination of cost reduction techniques in Android mutation testing’, by Macario Polo-Usaola and Isyed Rodríguez-Trujillo, concerns the use of mutation testing when testing mobile apps. As the authors note, when testing an app, one typically deploys the app and its mutants on mobile devices or executes them on an emulator. Doing so increases the test execution time. Naturally, it can also significantly increase the cost of mutation testing, especially when there are many mutants. The authors investigate several techniques that have been devised for reducing execution time in mutation testing and produce a mathematical model with the aim of predicting the time taken when some combination of these techniques is used. (Recommended by Mike Papadakis) The final paper is ‘An ensemble-based predictive mutation testing approach that considers impact of unreached mutants’ by Alireza Aghamohammadi and Seyed-Hassan Mirian-Hosseinabadi. This paper also concerns both mutation testing and prediction. However, the authors look at a different prediction problem: that of predicting whether a mutant will be killed. The authors note that previous work did not consider the impact of unreachable mutants: those where the mutation point is not covered by any of the test cases used. It is argued that since many mutation tools exclude unreachable mutants, such mutants should also be removed from any empirical evaluation. The authors report the results of replicating previous studies but also eliminating unreachable mutants, finding that the resultant performance of prediction techniques is far lower than that reported. The authors then propose an alternative prediction model, which is shown to be effective when unreachable mutants are removed. (Recommended by Tanja Vos)

Changqing Wei,Xiangjuan Yao,Dunwei Gong,Huai Liu

DOI: https://doi.org/10.1109/tse.2024.3358297

IF: 7.4

2024-03-19

IEEE Transactions on Software Engineering

Abstract:Mutation testing, a mainstream fault-based software testing technique, can mimic a wide variety of software faults by seeding them into the target program and resulting in the so-called mutants. Test data generated in mutation testing should be able to kill as many mutants as possible, hence guaranteeing a high fault-detection effectiveness of testing. Nevertheless, the test data generation can be very expensive, because mutation testing normally involves an extremely large number of mutants and some mutants are hard to kill. It is thus a critical yet challenging job to find an efficient way to generate a small set of test data that are able to kill multiple mutants at the same time as well as reveal those hard-to-detect faults. In this paper, we propose a new approach for test data generation in mutation testing, through the novel applications of the Markov chain usage model and the estimation of distribution algorithm. We first utilize the Markov chain usage model to reduce the so-called mutant branches in weak mutation testing and generate a minimal set of extended paths. Then, we regard the problem of generating test data as the problem of covering extended paths and use an estimation of distribution algorithm based on probability model to solve the problem. Finally, we develop a framework, TAMMEA, to implement the new approach of generating test data for mutation testing. The empirical studies based on fifteen object programs show that TAMMEA can kill more mutants using fewer test data compared with baseline techniques. In addition, the computation overhead of TAMMEA is lower than that of the baseline technique based on the traditional genetic algorithm, and comparable to that of the random method. It is clear that the new approach improves both the effectiveness and efficiency of mutation testing, thus promoting its practicability.

engineering, electrical & electronic,computer science, software engineering

Muhui Jiang,Tianyi Xu,Yajin Zhou,Yufeng Hu,Ming Zhong,Lei Wu,Xiapu Luo,Kui Ren

DOI: https://doi.org/10.48550/arXiv.2105.14273

2021-08-12

Abstract:Emulator is widely used to build dynamic analysis frameworks due to its fine-grained tracing capability, full system monitoring functionality, and scalability of running on different operating systemsand architectures. However, whether the emulator is consistent with real devices is unknown. To understand this problem, we aim to automatically locate inconsistent instructions, which behave differently between emulators and real devices. We target ARM architecture, which provides machine readable specification. Based on the specification, we propose a test case generator by designing and implementing the first symbolic execution engine for ARM architecture specification language (ASL). We generate 2,774,649 representative instruction streams and conduct differential testing with these instruction streams between four ARM real devices in different architecture versions (i.e., ARMv5, ARMv6, ARMv7-a, and ARMv8-a) and the state-of-the-art emulators (i.e., QEMU). We locate 155,642 inconsistent instruction streams, which cover 30% of all instruction encodings and 47.8% of the instructions. We find undefined implementation in ARM manual and implementation bugs of QEMU are the major causes of inconsistencies. Furthermore, we discover four QEMU bugs, which are confirmed and patched by thedevelopers, covering 13 instruction encodings including the most commonly used ones (e.g.,STR,BLX). With the inconsistent instructions, we build three security applications and demonstrate thecapability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Cryptography and Security

Willibald Krenn,Rupert Schlick

DOI: https://doi.org/10.48550/arXiv.1601.06974

2016-12-21

Abstract:In the context of black-box testing, generating test cases through model mutation is known to produce powerful test suites but usually has the drawback of being prohibitively expensive. This paper presents a new version of the tool MoMuT::UML (<a class="link-external link-http" href="http://www.momut.org" rel="external noopener nofollow">this http URL</a>), which implements a scalable version of mutation-driven test case generation (MDTCG). It is able to handle industrial-sized UML models comprising networks of, e.g., 2800 interacting state machines. To achieve the required scalability, the implemented algorithm exploits the concurrency in MDTCG and combines it with a search based generation strategy. For evaluation, we use seven case studies of different application domains with an increasing level of difficulty, stopping at a model of a railway station in Austria's national rail network.

Software Engineering

Wei Zhou,Le Guan,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.48550/arXiv.2107.07759

2021-07-16

Cryptography and Security

Abstract:Emulating firmware for microcontrollers is challenging due to the tight coupling between the hardware and firmware. This has greatly impeded the application of dynamic analysis tools to firmware analysis. The state-of-the-art work automatically models unknown peripherals by observing their access patterns, and then leverages heuristics to calculate the appropriate responses when unknown peripheral registers are accessed. However, we empirically found that this approach and the corresponding heuristics are frequently insufficient to emulate firmware. In this work, we propose a new approach called uEmu to emulate firmware with unknown peripherals. Unlike existing work that attempts to build a general model for each peripheral, our approach learns how to correctly emulate firmware execution at individual peripheral access points. It takes the image as input and symbolically executes it by representing unknown peripheral registers as symbols. During symbolic execution, it infers the rules to respond to unknown peripheral accesses. These rules are stored in a knowledge base, which is referred to during the dynamic firmware analysis. uEmu achieved a passing rate of 95% in a set of unit tests for peripheral drivers without any manual assistance. We also evaluated uEmu with real-world firmware samples and new bugs were discovered.

Haiying Sun,Mingsong Chen,Min Zhang,Jing Liu,Ying Zhang

DOI: https://doi.org/10.1109/COMPSAC.2016.136

2016-01-01

Abstract:Structure coverage driven test generation is the key approach for automatic testing at source code level. However, the defect detection ability of the generated test cases should be carefully evaluated since the correlation between coverage and test effectiveness is in doubt. In this paper, we propose a test generation approach based on mutation testing with the intent to derive test cases towards finding defects rather than just covering certain syntactic structures. Moreover, instead of generating test cases from the code under test directly, we base our approach on UML activity diagrams to make it possible to decide verdicts of test inputs. Mutation operators for activity diagrams are defined and the test generation algorithms are based on solving mutated path constraints. Experimental results have shown that by applying the proposed mutated testing approach, test cases with higher defect detection ability can be generated.

Christoph Bockisch,Gabriele Taentzer,Daniel Neufeld

2024-04-22

Abstract:Mutation testing is an approach to check the robustness of test suites. The program code is slightly changed by mutations to inject errors. A test suite is robust enough if it finds such errors. Tools for mutation testing usually integrate sets of mutation operators such as, for example, swapping arithmetic operators; modern tools typically work with compiled code such as Java bytecode. In this case, the mutations must be defined in such a way that the mutated program still can be loaded and executed. The results of mutation tests depend directly on the possible mutations. More advanced mutations and even domain-specific mutations can pose another challenge to the test suite. Since extending the classical approaches to more complex mutations is not well supported and is difficult, we propose a model-driven approach where mutations of Java bytecode can be flexibly defined by model transformation. The corresponding tool called MMT has been extended with advanced mutation operators for modifying object-oriented structures, Java-specific properties and method calls of APIs, making it the only mutation testing tool for Java bytecode that supports such mutations.

Software Engineering

Wei Li,Xiaohui Luo,Yiran Zhang,Qingkai Meng,Fengyuan Ren

DOI: https://doi.org/10.1007/978-3-031-12597-3_1

2022-01-01

Abstract:Emulation of Instruction Set Architecture (ISA) is necessary for a wide variety of use cases, such as providing the compatibility to execute programs compiled for a different ISA. This issue is usually solved using Dynamic Binary Translation (DBT), where guest machine code is translated to host ISA on runtime and Just-in-time (JIT) compilation is performed to achieve high-performance emulation. QEMU, a famous emulator, is developed to solve this issue, where Tiny Code Generator (TCG) is constructed to translate guest binary code to TCG Intermediate Representation (IR), and then generate target ISA machine code from TCG IR. Due to the limitations of TCG, some extensions, such as HQEMU, use LLVM as the backend to optimize programs and generate high-performance machine code. However, HQEMU is limited by its underlying implementation. That is, HQEMU still translates guest binary code to TCG IR at first. In this paper, we develop a novel, LLVM-based emulator, where guest machine code is directly lifted to LLVM IR to reduce the extra overhead and produce high-quality machine code. We evaluate our DBT emulator using BYTEmark benchmark and demonstrating its ability to outperform the de facto standard QEMU DBT system. The evaluation results confirm that our emulator delivers an average speedup of 3.3x over QEMU across BYTEmark benchmark compiled for x86-64 running on an ARMv8 platform, meanwhile, demonstrate that our user-level DBT emulator can significantly reduce the overhead to run a program on a cross-ISA system.

Amit Seal Ami,Kaushal Kafle,Kevin Moran,Adwait Nadkarni,Denys Poshyvanyk

DOI: https://doi.org/10.1109/ICSE-Companion52605.2021.00034

2021-02-13

Abstract:This demo paper presents the technical details and usage scenarios of $\mu$SE: a mutation-based tool for evaluating security-focused static analysis tools for Android. Mutation testing is generally used by software practitioners to assess the robustness of a given test-suite. However, we leverage this technique to systematically evaluate static analysis tools and uncover and document soundness issues. $\mu$SE's analysis has found 25 previously undocumented flaws in static data leak detection tools for Android. $\mu$SE offers four mutation schemes, namely Reachability, Complex-reachability, TaintSink, and ScopeSink, which determine the locations of seeded mutants. Furthermore, the user can extend $\mu$SE by customizing the API calls targeted by the mutation analysis. $\mu$SE is also practical, as it makes use of filtering techniques based on compilation and execution criteria that reduces the number of ineffective mutations.

Software Engineering

Xiaoying Bai,Shufang Lee,Yinong Chen

DOI: https://doi.org/10.1109/anss.2007.30

2007-01-01

Abstract:Simulation is proven to be an effective way for testing complex real-time hardware/software systems. However, simulation test data generation is a challenging issue which determines the efficiency in such testing. This paper proposed a data-driven mutation based approach for test data generation to address the unique requirements of realtime, input domain coverage, adaptability, and reliability. The architecture is designed to simulate the process for data sampling, transforming, packaging, and transmitting segments in an aerospace ground control system. Various mutant operators are defined for signal generation and data package generation to produce fault-sensitive inputs based on the system's fault pattern analysis. Mechanisms are defined to generate a large number of test cases by combination and composition of various data outputs from different dimensions to achieve a high coverage. A configuration mechanism is introduced to enable re-composition and re-combination of simulation components. The selective simulation testing method is discussed to improve test effectiveness. A case study shows that the proposed approach can achieve a high fault-coverage with a small number of effective test cases