Bio-inspired Robustness Testing Approaches
description
Transcript of Bio-inspired Robustness Testing Approaches
Overview of the talk
2
The Test and Fault Injection Group: who are we?
Robustness: what is it? Why is it important? Robustness testing activities of the group Part I: An evolutionary approach for
robustness tests generation Part II: Use of sequence alignment algorithms
as test oracles
The Test and Fault Injection Group
3
Distributed systems Laboratory (LSD)
Software Engineering and Dependability
(SED)
Test and Fault Injection group
(TIF)Fault-tolerant architectures
Distributed Systems
http://www.sed.ic.unicamp.br/
Motivation
4
Testing software to ensure that the required functionality was met … Example:
Requirement: When heading in a direction (up / down) an elevator
would service all received stop requests in that direction then it would reverse direction and verify if other stops in that direction had to be serviced
Test scenarios: Does the elevator goes up when a request up is given? Does the elevator goes down when a request down is
given? … is necessary but not enough
Why robustness testing?
5
Requirement: When heading in a direction (up / down) an
elevator would service all received stop requests in that direction then it would reverse direction and verify if other stops in that direction had to be serviced
Test scenarios: What if a request down is given and the elevator is on the first floor? What if a request up is given and the elevator is on the last floor?
How does the system behave in presence of erroneous or unexpected user inputs? internal or external failures? stressful conditions? attacks?
Robustness testing
Robustness
6
IEEE Std 610.12-1990 - Glossary of Software Engineering Terminology “Robustness is the degree to which a software
system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.”
[Anderson85]: “[…] A computing system can be said to
be robust if it retains its ability to deliver service in conditions which are beyond its normal domain of operation”
7
In independent technical assessment To perform top-level investigation into the
quality of the software being developed and to see how the developing organization reacts when problems are encountered.
During component selection: To help in the decision of what component
better suit the system being developed
During software development To assess error handling mechanismsSource: SEI-CMU Report [CPK05]
When Robustness testing is useful?
Robustness testing characterization
8
Specified Inputs PossibleBehavior Outputs
Should work
Undefined
Should return error
ValidComponent under test
Success
FailureInvalid
Inspired on (Kropp, Koopman, Siewiorek 1998)
TIF – Test & Fault Injection Group
9
Robustness testing
Model-based testing
Test execution environme
nt
Fault injectio
n
Test results analys
is
Activity DiagramState Diagram
Exhaustive searchEvolutionary search
External faults:Accidental faultsMalicious faults
Interface faultsCommunication faults
Property-orientedBioinformatics algorithms
TIF – Research Projects and Tools
10
Model-based
testing
• Tools:• Condado• Plavis
• Projects• ATIFS• PLAVIS• QSEE• Harpia
Fault injectio
n –
Acci
dental Fault
s
• Tools• Jaca• WSInject
• Projects• ACERTE• Benchmarkin
g• WebMov• BioCORE• RobustWeb
Attack injection • Webmov
• RobustWeb
TIF – Collaborations with other research groups
11
Foreign groups: University of Coimbra Institut Telecom Sud-
Paris Université Paris-Orsay Laboratoire
d’Automatique et d’Analyse des Systèmes (LAAS), Toulouse
Universidad Politécnica de Valencia
Brazilian groups: INPE ITA UFRGS UFES UFAL
USP-S.Carlos
Part I – Robustness tests generation
12
Robustness testing
Model-based testing
Test execution environme
nt
Fault injectio
n
Test results analys
is
Activity DiagramState Diagram
Exhaustive searchEvolutionary search
External faults:Accidental faultsMalicious faults
Interface faultsCommunication faults
Property-orientedBioinformatics algorithms
Robustness testing characterization
13
Specified Inputs PossibleBehavior Outputs
Should work
Undefined
Should return error
ValidComponent under test
Success
FailureInvalid
Inspired on (Kropp, Koopman, Siewiorek 1998)
Model-Based Testing (MBT)
14
Used to test software system based on a model of the system behavior
Test cases are generated from the system behavior model
State-based models: Commonly used to represent behavior of reactive
systems Techniques proposed since early sixties
Why MBT
15
Useful when source code is not available Applicable in all test phases: from Unit to
System testing Tests can be prepared early in development
cycle Test preparation can help in uncover requirements
faults Tests can be automatically generated
For robustness testing: Concerns with abnormal situations early in the
development cycle
MBT – State-based models
16
Useful to represent behavior of reactive systems: Control objects and systems Communication protocols User interactions …
Fonte: H. Robinson, StarWest 2006
Homepage
Imagepage Newspage
ImageTab
HomeTab
NewsTab
HomeTab
NewsTab
ImageTab
MBT – State-based models
17
Useful to represent behavior of reactive systems: Control objects and systems Communication protocols User interactions …
There are various models: FSM (Finite State Machines) EFSM (Extended-Finite State Machines) UML State Machines And others:
Statecharts State transition systems
EFSM
18
EFSM consists of: States Transitions
The following elements are associated with each transition: Events Guards (enabling conditions) Actions
State1 State2 Event(P) [Guard] / Actions
EFSM Testing Strategies
19
•W method•U method•D method• and variants
Search based
•State cover•Transition cover•Switch cover•Path coverage•Constrained path coverage
Graph based
•Random testing•Evolutionary testing
Automata
theoretic
Plavis platform
Condado tool
??? tool
Exhaustive enumeration approaches
20
Automata-theoretic approaches Equivalence between specification model and
implementation Graph-based approaches:
Coverage of model elements Exhaustive search of the state-space
Algorithms commonly used: Traveling salesman Depth-first search
Model-based robustness test cases generation
21
Specification(nominal)
Specification of robust behavior
Robustnesstest
cases
Test case generation
Unexpectedinputs
Inopportune inputsUnspecified inputsInputs that should return errors
Difficulties with exhaustive search
22
Model can be very big, in special, when representing data aspects and abnormal situationsRisk of state explosion Algorithms like TSM or DFS are no longer
adequate
Huge solution space Generation of large test suites
Big test cases High costs to execute and maintain
Search-based testing
23
How to deal with the huge solution space? Use of meta-heuristics to search the solution
space for automatic test case generation Various approaches:
Random testingEvolutionary algorithms (EA)
Genetic Algorithms (GA)Generalized Extreme Optimization Algorithms (GEO)
Have been extensively used to search input data for single functions
Evolutionary testing schema
24
Reinsert
Evaluate
Terminate?Selectfittest
solutions
Mutate
Initial solution
Output
No solution
Testexecution
and monitorin
g
Solution: input data
Traversed path
Code-based x EFSM-based evolutionary testing
25
Code-based: Generation:
Input data Controllability:
Control of code instructions
No control of states and context variables
Path feasibility: execute inputs to decide
whether the required element (instruction, decision, ...) has been traversed
EFSM-based: Generation:
Sequence of inputs Controllability:
States, event parameters and context variables
No control of code instructions
Path feasibility: Static approaches
path feasibility is an undecidable problem
Some existing approaches
26
MBT x CBT
Characteristics Evolutionary Algorithm
(Kalaji et al. 2009)
MBT: EFSM
Transition coveragePath sensitization
Genetic Algorithm (GA)
(Lefticaru et al. 2008)
CBT: Java Generate flowchartGenerate test data from the generated flowchart
GASimulated annealingParticle swarm optimization
(McMinn et.al 2005)
CBT: C Sequence of function callsState-based behavior
GA
(Derderian et al. 2005)
MBT: EFSM
Test paths with high likelihood to be feasible according to guards in transitions
GA
(Baresel et al.2003)
MBT: EFSMCBT: C code
Test sequence = signal wave form for the executable model Test data for C code
Random
GA(Guo et al. 2003)
MBT: FSM Unique Input-Output Sequences
GA
MOST-EFSM: our evolutionary model-based testing approach (Thaise Yano, PhD)
27
Generation: A solution = test sequence Test sequence = sequence of events starting at the initial
state + parameters Test sequence transition path Objectives: find a path that covers the test purpose +
minimize path size Controllability:
How to guide the search for an adequate path in the EFSM? Use of Dependency Analysis
Path feasibility Use of executable EFSM test paths dynamically derived
Steps of the approach
28
Create model
Validate model
Analyse dependences
Generate abstract test
cases
Generate executable test
casesÉrika Almeida - MSc
Test criterium
Example – ATM system
Test purpose
ATM – Automated Teller Machine [Korel et al. 2003]
Dependency analysis – ATM example
30
Shows control and data dependencies between transitions
Backward reachability analysis to obtain
Taffecting(tp)
Based on algorithm from K. Androutsopoulos et al.2009
Taffecting(t18) = {t1,t4,t8,t17}
seq={card(236,234,138), pin(236), spanish(), savings(), deposit(867)}path = { t1 t4 t6 t8 t18 }
Example - nominal inputs
seq={card(236,234,138), receipt(), pin(236), spanish(), pin(236), savings(), deposit(867)}path = { t1 t4 t6 t8 t18 }
Example - Inopportune inputs
seq={card(236,234,138), receipt(), pin(236), spanish(), pin(236), savings(), deposit(867)}path = { t1 t4 t6 t8 t18 }
Assumption: Unexpected input the machine remains in current state and generates null output
Example - Inopportune inputs
Some results
34
Sequence size x Number of Fitness Function evaluations
t3 t18
Work in progress Definition of other test criteria:
For the moment only test purpose coverage Transition coverage based on dependency analysis
Evaluation of the approach Cost – effectiveness use of benchmark models Scalability Use in real world applications
Web-services from an industry Teleduc
Open points and opportunities (1)
36
Development of a framework to support MOST How to guide users in adjusting the EA for his/her
problem?
Use of model transformation to easy dependency analysis One of the challenges in EFSM is the problem of
how to determine control dependency, as state machines may not have a final state Transform the model to improve its “analysability” Transform to a control flow graph [J.Li, E.Wong 2002]
use of MDA approaches
Open points and opportunities (2)
37
Comparison with the use of other meta-heuristics for EFSM-based testing: Given that each heuristic has its own strengths and limitations,
some might be more useful for some problems than others Random testing (e.g, hit-or-jump) Multi-objective Genetic Algorithms Multi-objective Ant Colony …
More long term … Use of more than two objectives Use of other approaches:
Memetic algorithms (MA): form of hybrid GA + individual learning procedures to perform local refinements
Hyper-heuristics: use of machine-learning techniques to automate the process of selecting, combining, adapting several heuristics to efficiently solve a problem
38
Part II – Result Analysis
39
Robustness testing
Model-based testing
Test execution environm
ent
Fault injectio
n
Test results analysi
s
Activity DiagramState Diagram
Exhaustive searchHeuristic-based search
External faults:Accidental faultsMalicious faults
Interface faultsCommunication faults
Property-orientedBioinformatics algorithms
Robustness testing characterization
40
Specified Inputs PossibleBehavior Outputs
Should work
Undefined
Should return error
ValidComponent under test
Success
FailureInvalid
Inspired on (Kropp, Koopman, Siewiorek 1998)
How to identify robustness failures? (1) Comparison with a “golden run”
Component under test
Valid inputs
Outputs(golden run)
Component under test
Invalid inputs
Outputs
= FailureSuccess Yes No
What if the “golden run” is
faulty?
How to identify robustness failures? (2)
CRASH scale of the Ballista approach: Catastrophic: system crashes or reboots Restart: task execution hangs Abort: abnormal termination of task execution Silent: no exception reported when it should be Hindering: incorrect error code or delayed response
However …
Use of the CRASH scale: A system can fail without aborting or delaying
responses or sending error messages For example:
in an Elevator service, if there is a requestUP(floorID), then the Elevator should moveUp( ), stopAt(floorID) and opendoor( ) or else it stays in the same floor
In case of a request to a valid floor, if the Elevator opendoor( ) before stopAt(floorID), failure
A passive approach for robustness testing
44
Systemunder Test
Environment
Inputs
Outputs
Execution Traces
Inputs
OutputsClient
Points of Observation (PO)
Trace AnalyserSpecification(model or properties)
Verdict PassFailInconclusive
Analysis
Observation
Passive testing
45
A monitoring approach The steps:
Add observation mechanisms (PO) to the System under Test (SUT)
Execute the SUT and collect execution traces Filter the execution trace to keep only the events
of interest Analyse the filtered trace
46
•Execution trace is compared with a specification, given as a finite state machine (FSM)•Only control aspects are considered
Invariant analysis
• For EFSM-based specifications: consider the data aspects
• Intervals to represent possible variable values
• Predicates to represent assertions on variable values
Interval determina
tion• Invariant = property the SUT
must satisfy• Useful when no complete
specification of acceptable behavior may be available
Trace acceptatio
n
Passive Testing Approaches
47
A previous invariant analysis approach
Textual specification
Behavior model
I1 = RcvInvoke(TID = N)/?, *, TR-Invoke.res/{Ack (TID = N)}I2= RcvInvoke(TID = N) / TR.Invoke.ind, *, TR-Invoke.res / {Ack (TID = N) }
Invariants in the form of regular expressions
verification
[Bayse, Cavalli, Nuñez, Zahidi 2005]
Our proposal (Gizelle S. Lemos)
48
An approach for analyzing results of robustness testing:
1. Monitoring system execution in the presence of faults, collecting execution trace
2. Definition of the properties the system should verify even in the presence of faults
3. Verify whether the system model satisfies the required properties, if the model exists
4. Checking whether the execution trace satisfies the required properties
How to obtain the properties? What kind of properties to analyze? How to express the properties? How to analyze the trace?
Aspects to consider
How to obtain the properties?
50
Specification stating what a system should or should not do
Robustness specification should take into account Invalid and inopportune inputs:
exceptions, erroneous data, valid data at the wrong moment, missing events, late events
Outputs corresponding to the abnormal inputs: exception handlers, error messages, restart mechanism, …
For the moment, only safety properties are being considered: Something bad never happens during execution If something bad happens a robustness failure
is identified
What kind of properties?
How to express the properties
52
The (execution) trace is modeled as a sequence of events
The property (invariant) is also modeled as a sequence of events, much smaller than the trace
Properties can be represented by regular expressions Ex.: ((moveUp | moveDown), stopAtFloor,
opendoor )*
How to analyse the trace?
53
The trace satisfies the property if the property is a subsequence of the trace The events in the property may not be
consecutive in the trace, because of interleaving with other events that are not of interest for the property
Ex.: … moveUp(1, 4), requestDown(2, 1), …, stopAtFloor( 1, 4), movedown(2, 1), opendoor(1, 4)
How to analyse the trace?
54
Because of occurrence of unexpected events, some events in the trace may be different from those in the property, but also acceptable Events can be replaced by others
Ex.: in response to an incorrect input, a call to an exception handler is acceptable, but abort or hang is not
Events can also be deleted Ex.: in a fail stop behavior, the system stops
and no longer emits any output
The problem
55
In robustness testing we may not always know the exact behavior a system should have, but we know that some behaviors are more acceptable than others
Pattern matching
What algorithm to use?
56
In the literature longest common subsequence (LCS) problem: How to find the longest subsequence common to both
the trace and the property? Existing invariant analysis approaches use exact
pattern matching algorithms, which are adequate for conformance testing
For robustness testing inexact pattern matching algorithms are more appropriate Dynamic programming can be used when the number
of sequences is constant Match is solved in O(MxN) time, where M and N are the sizes
of both sequences
Dynamic programming is used for the alignment of two DNA sequences It is possible to take into account semantic
aspects, not allowable in pattern matching algorithms Use of a scoring system
It is possible to detect insertions, deletions or replacements of one or more inputs or outputs in the sequence
It is possible to obtain some statistics, as for example, number of matches and mismatches
The selected pattern matching algorithm
Alignment classification
58
Global: Useful when the sequences present almost the
same size: Stretch the sequences using gaps so that they have the
same size Semi global:
Sequences may not have the same size: Prefix or suffix are ignored use of gaps
Local: Useful for sequences of different sizes The focus is to find regions of high similarity
Example
59
Example
60
61
The DP algorithm Objective
Obtain the optimal alignment between two sequences The optimal alignment between sequences is the
one that maximizes the score
Where ma is the number of matches mi is the number of mismatches g is the number of gaps w is the weight for matches and mismatches gp is penalty assigned to gap occurrence
Scoring function
Schematic view of the approach
PassVerdict: Fail
Inconclusive
63
Filtered execution trace
Execution trace after encoding
Aligning the trace with an invariant
64
RcvInvoke / TR-Invoke.ind,*,RcvAck / { TR-Result.cnf,NULL }
14,30,22,28
An invariant
The invariant after encoding
Alignment example
What can be wrong?
65
False positives: Mark as violations some sequences that may be
correct
False negatives: Accept some sequences that are incorrect
Causes: Incorrect property used Inadequate scoring system Inadequate algorithm
On-going work
Assessment of the approach using: Benchmark programs
Number of false positives and false negatives
Simple regular expressions will not be enough Need other alignment algorithms (e.g. regular
expression constrained sequence alignment) Ex.: [requestUp] (moveUp, stopAtFloor, opendoor )*
Open points and opportunities
67
Use of the approach in real-world applications Web services robustness testing
Analysis of various properties Need to use multiple sequence alignment
algorithms
68
Some publications
69
Model-based testing
70
Martins, E., Sabião, S. B., and Ambrosio, A. M. ConData: A tool for automating specification-based test case generation for communication systems. Software Quality Control, 8(4):303–320, 1999.
ROCHA, Camila R.; MARTINS, Eliane. A strategy to improve component testability without source code. In Proc. Testing Component-based Systems Workshop (Net.ObjectDays Workshop), Erfurt (Germany), 2004.
Eliane Martins, Vanessa G. Vieira. Regression test selection for testable Classes. 5th. European Dependable Computing Conference, EDCC 2005, Budapest, Hungary, 20-22 April 2005, ”. Lecture Notes in Computer Science. Publisher: Springer-Verlag. Volume 3463/2005, pp453-470.
Ana Maria Ambrosio; Eliane Martins; Nandamudi L. Vijaykumar; Solon V. Carvalho. A Conformance Testing Process for Space Applications Software Services. AIAA (American Institute of Aeronautics and Astronautics) Journal of Aerospace Computing, Information, and Communication (1542-9423) 2006 vol. 3 no. 4, pages (146-158).
Ivan Perez, Eliane Martins, Júlio Esslinger Viégas. Uso de Modelos da UML em Testes de Componentes. VIII Workshop de Testes e Tolerância a Falhas (Em conjunto com o XXV SBRC - Simpósio Brasileiro de Computadores), Belém, PA, 29 de Maio de 2007.
T. Yano, E.Martins, F.L.Sousa. Generating Feasible Test Paths from an Executable Model Using a Multi-Objective Approach. In Proceedings of the 3rd International Workshop on Search-Based Software Testing, joint with IEEE International Conference on Software Testing, Verification and Validation (ICST), 2010. Paris
Trace Analysis
71
Martins, Eliane; Morais, Anderson Nunes Paiva; Cavalli, Ana. Generating Attack Scenarios for the Validation of Security Protocol Implementations, The 2nd Brazilian Workshop on Systematic and Automated Software Testing (SBES 2008 -SAST), Brazil, October 2008.
Cavalli, Ana ; Martins, E. ; Morais, Anderson Nunes de Paiva . Use of invariant properties to evaluate the results of fault-injection-based robustness testing of protocol implementations. In: 4th Workshop on Advances in Model Based Testing (A-MOST 2008), joint with 1st. IEEE International Conference on Software Testing, Verification and Validation (ICST), 2008, Lillehammer. Proceedings of the A-MOST, 2008.
F. Bessayah, A. Cavalli, E. Martins. A Formal Approach for Specification and Verification of Fault Injection Process. In Proceedings of The ACM International Conference on Interactive Sciences (ICIS'09),Seoul, Korea. November 24-26, 2009.
. G. S. Lemos, E. Martins, Robustness Testing Oracle using a Sequence Alignment Algorithm. First International Workshop on Software Test Output Validation (STOV), Co-located with ISSTA 2010, Trento, Italy.
Fault injection (1)
72
Eliane Martins, Regina O. Moraes. Validating an ODBMS Component using a High-Level Software Fault Injection Tool. 1st. Latin American Symposium on Dependable Computing (LADC), S.Paulo, Brasil, 21-24/10/2003.
Regina O. Moraes, Eliane Martins. Fault Injection Approach Based on Architectural Dependencies. Lecture Notes in Computer Science. Publisher: Springer-Verlag. Volume 3549 / 2005. Editors: Rogério de Lemos, Cristina Gacek, Alexander Romanovsky.
Regina Lúcia O. de Moraes, Eliane Martins, Elaine C. Catapani Poleti, Naaliel Vicente Mendes. Using Stratified Sampling for Fault Injection. 2nd. Latin-American Symposium on Dependable Computing (2nd LADC), Salvador, Bahia, Brazil, Oct/2005.
Regina Moraes, João Durães, Eliane Martins and Henrique Madeira. A Field Data Study on the Use of Software Metrics to Define Representative Fault Distribution. Workshop on Empirical Evaluation of Dependability and Security (WEEDS), collocated with The IEEE-IFIP International Conference on Dependable Systems and Networks (DSN-2006), Filadélfia, EUA, junho/2006.
R. Moraes, R. Barbosa, J. Durães, N. Mendes, E. Martins, H. Madeira. Do injected component interface faults represent software bugs?. 6th. European Dependable Computing Conference (EDCC) 2006. Coimbra, Portugal, Outbro/2006.
R. Moraes, J. Durães, E. Martins, H. Madeira. Experimental Risk Assessment and Comparison Using Software Fault Injection. DSN 2007. Edimburgo. Escócia. Junho/2007
Fault injection (2)
73
Morais, Anderson; Martins, Eliane; Cavalli, Ana; Jimenez , Willy. Security Protocol Testing Using Attack Trees. In: The 2009 International Symposium on Trusted Computing and Communications (EUC 2009 - TRUSTCOM), Vancouver, 29-31 August 2009.
Anderson Morais, Ana Cavalli, Eliane Martins, Attack scripts generation for security validation, Sécurité des Systèmes d’Information et les Environnements Collaboratifs (SEC-SY), joint with INFORSID 2010, 25 May 2010, Marseille, France.
F. Bessayah, A. Cavalli, W. Maja, E. Martins, A.W. Valenti. A Fault Injection Tool for Testing Web Services Composition. In Testing: Academic and Industrial Conference - Practice and Research Techniques (TAIC PART’10). Windsor,UK. To be published.
Example
74
Generated with Plavis: http://www2.dem.inpe.br/plavisFSM/main.php
Cruise control system (obtained in March/2010: http://sir.unl.edu/php/index.php)
Transition tree for the Cruise Control System
75
Inactive/Idle
Inactive/Idle
Standby/Running
Standby/Running
Cruising/Running
Cruising/Running
Standby/Running
Inactive/Idle
Standby/Running
Cruising/Running
Standby/Running
Inactive/Idle
Cruising/Running
Active/Running
Active/Running
Active/RunningengineOn
accelerator
brake
on
engineOff
brake
on
accelerator
engineOff
off
on
resume
accelerator
brake
engineOff
Inactive/Idle
Inactive/Idle
Inactive/Idle
Inactive/Idle
Inactive/Idle
Inactive/Idle
resume
accelerator
brake
on
off
engineOff
Active/Running
Active/Running
Active/Running
off
resume
engineOn
Cruising/Running
Cruising/Running
resume
engineOn
Standby/Running
Standby/Running
engineOn
off
Example of test cases generated by Plavis (1)
76
UIO method1 Seq: accelerator off engineOn brake on resume engineOff2 Seq: engineOn on accelerator3 Seq: engineOn resume brake4 Seq: engineOn on brake brake5 Seq: engineOn on engineOff engineOn6 Seq: engineOn on accelerator off brake7 Seq: engineOn accelerator brake8 Seq: brake engineOn9 Seq: engineOn engineOff engineOn1 0 Seq: engineOff engineOn
...Total: 29 test cases
Example of test cases generated by Plavis (2)
77
Switch-cover method
Total: 483 test cases
1 Seq: engineOn on off on accelerator resume accelerator engineOff
2 Seq: engineOn on accelerator resume brake on brake engineOff
3 Seq: engineOn on off on brake resume off brake engineOff4 Seq: engineOn on accelerator on off resume off engineOn engineOff
5 Seq: engineOn on off resume off on engineOff6 Seq: engineOn on brake resume accelerator on brake brake engineOff
...