Fuzzing for CPS Mutation Testing

Lionel Briand
Lionel BriandProfessor, Canada Research Chair (Tier 1), ERC Advanced grant recipient em EECS, U. of Ottawa and SnT Centre, U. of Luxembourg
Fuzzing for CPS Mutation Testing Jaekwon Lee1,2, Enrico Viganò1, Oscar Cornejo1, Fabrizio Pastore1, Lionel Briand1,2 1 University of Luxembourg, 2 University of Ottawa ASE 2023 - September 14th, 2023
2 Mutation Testing SUT SUT SUT SUT Test suite Test suite Test suite Test suite SUT Test suite FAIL PASS FAIL FAIL PASS SUT Test suite PASS New test 1 New test 2 New test 3 FAIL FAIL FAIL Improve with automatically generated test cases SUT
3 Our focus: C/C++ software deployed on CPS
4 State-of-the-art Tool for C: SEMu § Based on symbolic execution (KLEE) § Excellent for testing command line utilities § Inapplicable to CPS (limitations of KLEE) § Unable to test functions with floating point parameters § Unable to test functions communicating over network § Dependency on LLVM
5 Grey-box Fuzzing § Can be an ideal solution for mutation testing § Generates test cases by exercising the compiled software § Not affected by the limitations of symbolic execution
6 Evolutionary Process in Grey-box Fuzzing SUT SUT New behaviour observed? (number of times branches are covered) Seed files Queue Test and collect coverage Select from queue Randomly modify file . . Test Crash SUT SUT Crashing inputs Yes: add to queue No: discard The grey-box fuzzing process demonstrated useful to generate diverse inputs that expose different faults
7 Grey-box fuzzing may Facilitate Mutation Testing § When an input leads to a program state that differs for the original and the mutated function, differences in code coverage might be observed § Additional modifications of such input may help propagating the infection and kill the mutant
8 Fuzzed Input 1 Fuzzed Input 2 Fuzzed Input 3 x=1,y=1,z=5 x=2,y=1,z=5 x=2,y=1,z=0 int max( int x, int y, int z){ int t; if (x >= y) t = x; branch 1: 1 1 1 else t = y; branch 2: 0 0 0 if (t >= z) return t; branch 3: 0 0 1 return z; branch 4: 1 1 0 } return 5 return 5 return 2 int mut_max( int x, int y, int z){ int t; if (x <= y) t = x; branch 5: 1 0 0 else t = y; branch 6: 0 1 1 if (t >= z) return t; branch 7: 0 0 1 return z; branch 8: 1 1 0 } return 5 return 5 return 1
9 Fuzzed Input 1 Fuzzed Input 2 Fuzzed Input 3 x=1,y=1,z=5 x=4,y=1,z=5 x=4,y=1,z=0 int max( int x, int y, int z){ int t; if (x >= y) t = x; branch 1: 1 1 1 else t = y; branch 2: 0 0 0 if (t >= z) return t; branch 3: 0 0 1 return z; branch 4: 1 1 0 } return 5 return 5 return 2 int mut_max( int x, int y, int z){ int t; if (x <= y) t = x; branch 5: 1 0 0 else t = y; branch 6: 0 1 1 if (t >= z) return t; branch 7: 0 0 1 return z; branch 8: 1 1 0 } return 5 return 5 return 1 infected state
10 DDCM payload data Sun sensor data S-band antenna data Fuzzing is not for System-level CPS Testing
11 We aim to generate test cases at unit level, but it is not supported by grey-box fuzzers
12 MutatiOn Testing wIth Fuzzing (MOTIF) 1. Generate fuzzing driver Live Mutant SUT source Fuzzing driver int main(...){ double x = load(..); double y = load(..); int z = load(..); double m_x = load(..); double m_y = load(..); int m_z = load(..); ret = max(x,y,z); mut_ret = mut_max(m_x,m_y,m_z); if( ! match ( ret, mut_ret ) ){ abort(); } 0100100001110110000 1100101101110110000 0101101101110110000 if( ! match (x, m_x ){ abort() }; if( ! match (y, m_y) { abort() }; if( ! match (z, m_z) { abort() };
13 1. Generate fuzzing driver Live mutant SUT source 4. Mutation testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Generate test case Test case MutatiOn Testing wIth Fuzzing (MOTIF)
14 1. Generate fuzzing driver Live Mutant SUT source 4. Mutation testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Engineer compare outputs with specifications Bug found Generate test case Test case New regression test MutatiOn Testing wIth Fuzzing (MOTIF) Assign fuzzer inputs to input variables Inspect results
15 Empirical Evaluation RQ1. How does MOTIF compare to mutation testing based on symbolic execution? RQ2. How does MOTIF perform with software that cannot be tested with symbolic execution? RQ3. How does MOTIF’s seeding strategy contribute to its results?
16 Case Study Subjects Software deployed on space CPS from ESA project: § MLFS: the Mathematical Library for Flight Software § LIBU: a utility library from one of our industry partner § ASN1lib: a serialization/deserialization library generated with the ASN1SCC compiler
17 RQ1. MOTIF vs Symb. Execution § We created SEMuP: a modified MOTIF pipeline that instead of using AFL++ relies on KLEE/SEMu to generate test case § We considered subjects where symbolic execution is applicable (e.g., no floating-point var): § ASN1Lib § 27 source files of LIBU § 1,499 mutants not killed by existing test suites § Executed both approaches for 10,000 seconds for each mutant § Repeated 10 times
18 RQ1 Results Plots with datapoints belonging to each of the 10 runs 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP ASN1Lib LIBU 10.5 46.8 MOTIF kills 86.08% and 73.79% mutants (avg). It outperforms symbolic execution.
19 RQ1 Results Plots with datapoints belonging to each of the 10 runs 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP ASN1Lib 10.5 46.8 MOTIF kills 252 mutants not killed by SEMuP. SEMuP kills 103 mutants not killed by MOTIF. Complementarity MOTIF kills 74 mutants not killed by SEMuP. SEMuP kills 1 mutants not killed by MOTIF. LIBU
11 1. Generate fuzzing driver Live Mutant SUT source 4. Mutation Testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Engineer compare outputs with specifications Bug found Generate test case Test case New regression test MutatiOn Testing wIth Fuzzing (MOTIF) https://github.com/SNTSVV/MOTIF 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MLFS LIBU Results RQ2 RQ1 https://faqas.uni.lu
Fuzzing for CPS Mutation Testing Jaekwon Lee1,2, Enrico Viganò1, Oscar Cornejo1, Fabrizio Pastore1, Lionel Briand1,2 1 University of Luxembourg, 2 University of Ottawa ASE 2023 - September 14th, 2023
22 Backup Slides
23 RQ2 Executed MOTIF on subjects where symbolic execution is not applicable 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MLFS LIBU § Percentage of killed mutants is lower than for the other cases but MOTIF is still effective § Especially considering that MLFS is a math library with MC/DC test suite § Live mutants are hard to kill § Some of the mutants can be killed only with inputs belonging to a narrow portion of a large input domain § Numbers in a small range § Input strings that match a string stored in a global variable.
24 RQ3: Seed Inputs vs Fuzzing § We focus on the proportion of mutants killed with seed inputs in the experiments for RQ1 and RQ2 § Mutants killed by seeds: § RQ1 experiments: § LIBU: one mutant (less than 1% of all the mutants killed) § ASN1Lib: 280 mutants (24.15%) § RQ2 experiments: § MLFS: 76 mutants (5.43%) § LIBU: 26 mutants (21.66%)
1 de 24

Fuzzing for CPS Mutation Testing

Baixar para ler offline
Software

Presentation at ASE 2023

Lionel Briand
Lionel BriandProfessor, Canada Research Chair (Tier 1), ERC Advanced grant recipient em EECS, U. of Ottawa and SnT Centre, U. of Luxembourg

Recomendados

Mutation-Testing mit PIT por
Mutation-Testing mit PITMutation-Testing mit PIT
Mutation-Testing mit PITSebastian Dietrich
112 visualizações10 slides
Cgc2 por
Cgc2Cgc2
Cgc2Chong-Kuan Chen
398 visualizações109 slides
Unit and integration Testing por
Unit and integration TestingUnit and integration Testing
Unit and integration TestingDavid Berliner
23.9K visualizações57 slides
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft... por
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...Susumu Tokumoto
582 visualizações19 slides
Must.kill.mutants. TopConf Tallinn 2016 por
Must.kill.mutants. TopConf Tallinn 2016Must.kill.mutants. TopConf Tallinn 2016
Must.kill.mutants. TopConf Tallinn 2016Gerald Muecke
553 visualizações64 slides
2016 10-04: tdd++: tdd made easier por
2016 10-04: tdd++: tdd made easier2016 10-04: tdd++: tdd made easier
2016 10-04: tdd++: tdd made easierChristian Hujer
394 visualizações111 slides

Mais conteúdo relacionado

Similar a Fuzzing for CPS Mutation Testing

Fighting Fear-Driven-Development With PHPUnit por
Fighting Fear-Driven-Development With PHPUnitFighting Fear-Driven-Development With PHPUnit
Fighting Fear-Driven-Development With PHPUnitJames Fuller
4.1K visualizações56 slides
DSR Testing (Part 1) por
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)Steve Upton
1.1K visualizações188 slides
Mateusz Bryła - Mutation testing por
Mateusz Bryła - Mutation testingMateusz Bryła - Mutation testing
Mateusz Bryła - Mutation testingkraqa
1.1K visualizações27 slides
MUTANTS KILLER - PIT: state of the art of mutation testing system por
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system Tarin Gamberini
3.1K visualizações56 slides
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and... por
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
2.5K visualizações99 slides
Review of an open source unit test tool- Cucumber_Presentation por
Review of an open source unit test tool- Cucumber_PresentationReview of an open source unit test tool- Cucumber_Presentation
Review of an open source unit test tool- Cucumber_PresentationJabeen Shazia Posses H1 B Visa (Jazz)
283 visualizações21 slides

Similar a Fuzzing for CPS Mutation Testing(20)

Fighting Fear-Driven-Development With PHPUnit por James Fuller
Fighting Fear-Driven-Development With PHPUnitFighting Fear-Driven-Development With PHPUnit
Fighting Fear-Driven-Development With PHPUnit
James Fuller4.1K visualizações
DSR Testing (Part 1) por Steve Upton
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)
Steve Upton1.1K visualizações
Mateusz Bryła - Mutation testing por kraqa
Mateusz Bryła - Mutation testingMateusz Bryła - Mutation testing
Mateusz Bryła - Mutation testing
kraqa1.1K visualizações
MUTANTS KILLER - PIT: state of the art of mutation testing system por Tarin Gamberini
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system
Tarin Gamberini3.1K visualizações
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and... por Maksim Shudrak
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak2.5K visualizações
Review of an open source unit test tool- Cucumber_Presentation por Jabeen Shazia Posses H1 B Visa (Jazz)
Review of an open source unit test tool- Cucumber_PresentationReview of an open source unit test tool- Cucumber_Presentation
Review of an open source unit test tool- Cucumber_Presentation
Jabeen Shazia Posses H1 B Visa (Jazz)283 visualizações
Automated Program Repair Keynote talk por Abhik Roychoudhury
Automated Program Repair Keynote talkAutomated Program Repair Keynote talk
Automated Program Repair Keynote talk
Abhik Roychoudhury5.7K visualizações
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve... por Felipe Prado
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado111 visualizações
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012. por Wolfgang Grieskamp
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Wolfgang Grieskamp2.5K visualizações
The why and how of moving to php 7.x por Wim Godden
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
Wim Godden486 visualizações
The why and how of moving to php 7.x por Wim Godden
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
Wim Godden1.2K visualizações
"egg" - A stealth fine grained code analyzer por FFRI, Inc.
"egg" - A stealth fine grained code analyzer"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer
FFRI, Inc.874 visualizações
Google test training por Thierry Gayet
Google test trainingGoogle test training
Google test training
Thierry Gayet1.4K visualizações
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki... por Puppet
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
Puppet2.9K visualizações
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu... por NETWAYS
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
NETWAYS306 visualizações
Testes? Mas isso não aumenta o tempo de projecto? Não quero... por Comunidade NetPonto
Testes? Mas isso não aumenta o tempo de projecto? Não quero...Testes? Mas isso não aumenta o tempo de projecto? Não quero...
Testes? Mas isso não aumenta o tempo de projecto? Não quero...
Comunidade NetPonto2K visualizações
Unit testing - A&BP CC por JWORKS powered by Ordina
Unit testing - A&BP CCUnit testing - A&BP CC
Unit testing - A&BP CC
JWORKS powered by Ordina722 visualizações
Unit testing php-unit - phing - selenium_v2 por Tricode (part of Dept)
Unit testing php-unit - phing - selenium_v2Unit testing php-unit - phing - selenium_v2
Unit testing php-unit - phing - selenium_v2
Tricode (part of Dept)2.5K visualizações
Software Engineering - RS3 por Atakan Aral
Software Engineering - RS3Software Engineering - RS3
Software Engineering - RS3
Atakan Aral558 visualizações
Hack@macs 2014 test driven development & pair programing por unihack
Hack@macs 2014 test driven development & pair programingHack@macs 2014 test driven development & pair programing
Hack@macs 2014 test driven development & pair programing
unihack459 visualizações

Mais de Lionel Briand

Metamorphic Testing for Web System Security por
Metamorphic Testing for Web System SecurityMetamorphic Testing for Web System Security
Metamorphic Testing for Web System SecurityLionel Briand
15 visualizações27 slides
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-... por
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Lionel Briand
7 visualizações24 slides
Data-driven Mutation Analysis for Cyber-Physical Systems por
Data-driven Mutation Analysis for Cyber-Physical SystemsData-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical SystemsLionel Briand
19 visualizações28 slides
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems por
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsLionel Briand
18 visualizações21 slides
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu... por
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...Lionel Briand
44 visualizações17 slides
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ... por
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Lionel Briand
23 visualizações19 slides

Mais de Lionel Briand(20)

Metamorphic Testing for Web System Security por Lionel Briand
Metamorphic Testing for Web System SecurityMetamorphic Testing for Web System Security
Metamorphic Testing for Web System Security
Lionel Briand15 visualizações
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-... por Lionel Briand
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Lionel Briand7 visualizações
Data-driven Mutation Analysis for Cyber-Physical Systems por Lionel Briand
Data-driven Mutation Analysis for Cyber-Physical SystemsData-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical Systems
Lionel Briand19 visualizações
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems por Lionel Briand
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Lionel Briand18 visualizações
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu... por Lionel Briand
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
Lionel Briand44 visualizações
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ... por Lionel Briand
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Lionel Briand23 visualizações
PRINS: Scalable Model Inference for Component-based System Logs por Lionel Briand
PRINS: Scalable Model Inference for Component-based System LogsPRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System Logs
Lionel Briand24 visualizações
Revisiting the Notion of Diversity in Software Testing por Lionel Briand
Revisiting the Notion of Diversity in Software TestingRevisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software Testing
Lionel Briand227 visualizações
Applications of Search-based Software Testing to Trustworthy Artificial Intel... por Lionel Briand
Applications of Search-based Software Testing to Trustworthy Artificial Intel...Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Lionel Briand320 visualizações
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety por Lionel Briand
Autonomous Systems: How to Address the Dilemma between Autonomy and SafetyAutonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
Lionel Briand343 visualizações
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ... por Lionel Briand
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Lionel Briand1.5K visualizações
Reinforcement Learning for Test Case Prioritization por Lionel Briand
Reinforcement Learning for Test Case PrioritizationReinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case Prioritization
Lionel Briand474 visualizações
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ... por Lionel Briand
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Lionel Briand196 visualizações
On Systematically Building a Controlled Natural Language for Functional Requi... por Lionel Briand
On Systematically Building a Controlled Natural Language for Functional Requi...On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...
Lionel Briand216 visualizações
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and... por Lionel Briand
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Lionel Briand370 visualizações
Guidelines for Assessing the Accuracy of Log Message Template Identification ... por Lionel Briand
Guidelines for Assessing the Accuracy of Log Message Template Identification ...Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Lionel Briand151 visualizações
A Theoretical Framework for Understanding the Relationship between Log Parsin... por Lionel Briand
A Theoretical Framework for Understanding the Relationship between Log Parsin...A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...
Lionel Briand400 visualizações
Requirements in Cyber-Physical Systems: Specifications and Applications por Lionel Briand
Requirements in Cyber-Physical Systems: Specifications and ApplicationsRequirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and Applications
Lionel Briand876 visualizações
Practical Constraint Solving for Generating System Test Data por Lionel Briand
Practical Constraint Solving for Generating System Test DataPractical Constraint Solving for Generating System Test Data
Practical Constraint Solving for Generating System Test Data
Lionel Briand450 visualizações
Automating System Test Case Classification and Prioritization for Use Case-Dr... por Lionel Briand
Automating System Test Case Classification and Prioritization for Use Case-Dr...Automating System Test Case Classification and Prioritization for Use Case-Dr...
Automating System Test Case Classification and Prioritization for Use Case-Dr...
Lionel Briand373 visualizações

Último

Quality Engineer: A Day in the Life por
Quality Engineer: A Day in the LifeQuality Engineer: A Day in the Life
Quality Engineer: A Day in the LifeJohn Valentino
10 visualizações18 slides
How Workforce Management Software Empowers SMEs | TraQSuite por
How Workforce Management Software Empowers SMEs | TraQSuiteHow Workforce Management Software Empowers SMEs | TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuiteTraQSuite
7 visualizações3 slides
Automated Testing of Microsoft Power BI Reports por
Automated Testing of Microsoft Power BI ReportsAutomated Testing of Microsoft Power BI Reports
Automated Testing of Microsoft Power BI ReportsRTTS
11 visualizações20 slides
EV Charging App Case por
EV Charging App Case EV Charging App Case
EV Charging App Case iCoderz Solutions
10 visualizações1 slide
Quality Assurance por
Quality Assurance Quality Assurance
Quality Assurance interworksoftware2
8 visualizações6 slides
Streamlining Your Business Operations with Enterprise Application Integration... por
Streamlining Your Business Operations with Enterprise Application Integration...Streamlining Your Business Operations with Enterprise Application Integration...
Streamlining Your Business Operations with Enterprise Application Integration...Flexsin
5 visualizações12 slides

Último(20)

Quality Engineer: A Day in the Life por John Valentino
Quality Engineer: A Day in the LifeQuality Engineer: A Day in the Life
Quality Engineer: A Day in the Life
John Valentino10 visualizações
How Workforce Management Software Empowers SMEs | TraQSuite por TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuiteHow Workforce Management Software Empowers SMEs | TraQSuite
How Workforce Management Software Empowers SMEs | TraQSuite
TraQSuite7 visualizações
Automated Testing of Microsoft Power BI Reports por RTTS
Automated Testing of Microsoft Power BI ReportsAutomated Testing of Microsoft Power BI Reports
Automated Testing of Microsoft Power BI Reports
RTTS11 visualizações
EV Charging App Case por iCoderz Solutions
EV Charging App Case EV Charging App Case
EV Charging App Case
iCoderz Solutions10 visualizações
Quality Assurance por interworksoftware2
Quality Assurance Quality Assurance
Quality Assurance
interworksoftware28 visualizações
Streamlining Your Business Operations with Enterprise Application Integration... por Flexsin
Streamlining Your Business Operations with Enterprise Application Integration...Streamlining Your Business Operations with Enterprise Application Integration...
Streamlining Your Business Operations with Enterprise Application Integration...
Flexsin 5 visualizações
tecnologia18.docx por nosi6702
tecnologia18.docxtecnologia18.docx
tecnologia18.docx
nosi67026 visualizações
Page Object Model por artembondar5
Page Object ModelPage Object Model
Page Object Model
artembondar57 visualizações
Transport Management System - Shipment & Container Tracking por Freightoscope
Transport Management System - Shipment & Container TrackingTransport Management System - Shipment & Container Tracking
Transport Management System - Shipment & Container Tracking
Freightoscope 6 visualizações
Flask-Python por Triloki Gupta
Flask-PythonFlask-Python
Flask-Python
Triloki Gupta10 visualizações
Chat GPTs por Gene Leybzon
Chat GPTsChat GPTs
Chat GPTs
Gene Leybzon13 visualizações
predicting-m3-devopsconMunich-2023.pptx por Tier1 app
predicting-m3-devopsconMunich-2023.pptxpredicting-m3-devopsconMunich-2023.pptx
predicting-m3-devopsconMunich-2023.pptx
Tier1 app10 visualizações
How to build dyanmic dashboards and ensure they always work por Wiiisdom
How to build dyanmic dashboards and ensure they always workHow to build dyanmic dashboards and ensure they always work
How to build dyanmic dashboards and ensure they always work
Wiiisdom16 visualizações
FOSSLight Community Day 2023-11-30 por Shane Coughlan
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
Shane Coughlan8 visualizações
Ports-and-Adapters Architecture for Embedded HMI por Burkhard Stubert
Ports-and-Adapters Architecture for Embedded HMIPorts-and-Adapters Architecture for Embedded HMI
Ports-and-Adapters Architecture for Embedded HMI
Burkhard Stubert35 visualizações
Top-5-production-devconMunich-2023-v2.pptx por Tier1 app
Top-5-production-devconMunich-2023-v2.pptxTop-5-production-devconMunich-2023-v2.pptx
Top-5-production-devconMunich-2023-v2.pptx
Tier1 app9 visualizações
Winter Projects GDSC IITK por SahilSingh368445
Winter Projects GDSC IITKWinter Projects GDSC IITK
Winter Projects GDSC IITK
SahilSingh368445416 visualizações
What is API por artembondar5
What is APIWhat is API
What is API
artembondar515 visualizações
predicting-m3-devopsconMunich-2023-v2.pptx por Tier1 app
predicting-m3-devopsconMunich-2023-v2.pptxpredicting-m3-devopsconMunich-2023-v2.pptx
predicting-m3-devopsconMunich-2023-v2.pptx
Tier1 app14 visualizações
Playwright Retries por artembondar5
Playwright RetriesPlaywright Retries
Playwright Retries
artembondar57 visualizações

Fuzzing for CPS Mutation Testing

  • 1. Fuzzing for CPS Mutation Testing Jaekwon Lee1,2, Enrico Viganò1, Oscar Cornejo1, Fabrizio Pastore1, Lionel Briand1,2 1 University of Luxembourg, 2 University of Ottawa ASE 2023 - September 14th, 2023
  • 2. 2 Mutation Testing SUT SUT SUT SUT Test suite Test suite Test suite Test suite SUT Test suite FAIL PASS FAIL FAIL PASS SUT Test suite PASS New test 1 New test 2 New test 3 FAIL FAIL FAIL Improve with automatically generated test cases SUT
  • 3. 3 Our focus: C/C++ software deployed on CPS
  • 4. 4 State-of-the-art Tool for C: SEMu § Based on symbolic execution (KLEE) § Excellent for testing command line utilities § Inapplicable to CPS (limitations of KLEE) § Unable to test functions with floating point parameters § Unable to test functions communicating over network § Dependency on LLVM
  • 5. 5 Grey-box Fuzzing § Can be an ideal solution for mutation testing § Generates test cases by exercising the compiled software § Not affected by the limitations of symbolic execution
  • 6. 6 Evolutionary Process in Grey-box Fuzzing SUT SUT New behaviour observed? (number of times branches are covered) Seed files Queue Test and collect coverage Select from queue Randomly modify file . . Test Crash SUT SUT Crashing inputs Yes: add to queue No: discard The grey-box fuzzing process demonstrated useful to generate diverse inputs that expose different faults
  • 7. 7 Grey-box fuzzing may Facilitate Mutation Testing § When an input leads to a program state that differs for the original and the mutated function, differences in code coverage might be observed § Additional modifications of such input may help propagating the infection and kill the mutant
  • 8. 8 Fuzzed Input 1 Fuzzed Input 2 Fuzzed Input 3 x=1,y=1,z=5 x=2,y=1,z=5 x=2,y=1,z=0 int max( int x, int y, int z){ int t; if (x >= y) t = x; branch 1: 1 1 1 else t = y; branch 2: 0 0 0 if (t >= z) return t; branch 3: 0 0 1 return z; branch 4: 1 1 0 } return 5 return 5 return 2 int mut_max( int x, int y, int z){ int t; if (x <= y) t = x; branch 5: 1 0 0 else t = y; branch 6: 0 1 1 if (t >= z) return t; branch 7: 0 0 1 return z; branch 8: 1 1 0 } return 5 return 5 return 1
  • 9. 9 Fuzzed Input 1 Fuzzed Input 2 Fuzzed Input 3 x=1,y=1,z=5 x=4,y=1,z=5 x=4,y=1,z=0 int max( int x, int y, int z){ int t; if (x >= y) t = x; branch 1: 1 1 1 else t = y; branch 2: 0 0 0 if (t >= z) return t; branch 3: 0 0 1 return z; branch 4: 1 1 0 } return 5 return 5 return 2 int mut_max( int x, int y, int z){ int t; if (x <= y) t = x; branch 5: 1 0 0 else t = y; branch 6: 0 1 1 if (t >= z) return t; branch 7: 0 0 1 return z; branch 8: 1 1 0 } return 5 return 5 return 1 infected state
  • 10. 10 DDCM payload data Sun sensor data S-band antenna data Fuzzing is not for System-level CPS Testing
  • 11. 11 We aim to generate test cases at unit level, but it is not supported by grey-box fuzzers
  • 12. 12 MutatiOn Testing wIth Fuzzing (MOTIF) 1. Generate fuzzing driver Live Mutant SUT source Fuzzing driver int main(...){ double x = load(..); double y = load(..); int z = load(..); double m_x = load(..); double m_y = load(..); int m_z = load(..); ret = max(x,y,z); mut_ret = mut_max(m_x,m_y,m_z); if( ! match ( ret, mut_ret ) ){ abort(); } 0100100001110110000 1100101101110110000 0101101101110110000 if( ! match (x, m_x ){ abort() }; if( ! match (y, m_y) { abort() }; if( ! match (z, m_z) { abort() };
  • 13. 13 1. Generate fuzzing driver Live mutant SUT source 4. Mutation testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Generate test case Test case MutatiOn Testing wIth Fuzzing (MOTIF)
  • 14. 14 1. Generate fuzzing driver Live Mutant SUT source 4. Mutation testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Engineer compare outputs with specifications Bug found Generate test case Test case New regression test MutatiOn Testing wIth Fuzzing (MOTIF) Assign fuzzer inputs to input variables Inspect results
  • 15. 15 Empirical Evaluation RQ1. How does MOTIF compare to mutation testing based on symbolic execution? RQ2. How does MOTIF perform with software that cannot be tested with symbolic execution? RQ3. How does MOTIF’s seeding strategy contribute to its results?
  • 16. 16 Case Study Subjects Software deployed on space CPS from ESA project: § MLFS: the Mathematical Library for Flight Software § LIBU: a utility library from one of our industry partner § ASN1lib: a serialization/deserialization library generated with the ASN1SCC compiler
  • 17. 17 RQ1. MOTIF vs Symb. Execution § We created SEMuP: a modified MOTIF pipeline that instead of using AFL++ relies on KLEE/SEMu to generate test case § We considered subjects where symbolic execution is applicable (e.g., no floating-point var): § ASN1Lib § 27 source files of LIBU § 1,499 mutants not killed by existing test suites § Executed both approaches for 10,000 seconds for each mutant § Repeated 10 times
  • 18. 18 RQ1 Results Plots with datapoints belonging to each of the 10 runs 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP ASN1Lib LIBU 10.5 46.8 MOTIF kills 86.08% and 73.79% mutants (avg). It outperforms symbolic execution.
  • 19. 19 RQ1 Results Plots with datapoints belonging to each of the 10 runs 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP ASN1Lib 10.5 46.8 MOTIF kills 252 mutants not killed by SEMuP. SEMuP kills 103 mutants not killed by MOTIF. Complementarity MOTIF kills 74 mutants not killed by SEMuP. SEMuP kills 1 mutants not killed by MOTIF. LIBU
  • 20. 11 1. Generate fuzzing driver Live Mutant SUT source 4. Mutation Testing 2. Generate seed inputs 3. Compile Fuzzing driver Seed file Seed file Seed file Executable fuzzing driver Execute fuzzer (AFL++) Executable fuzzing driver Fuzzed file Post-processing Crashing file File killing mutant File killing mutant Crashing file Crashing file 5. Inspection Engineer compare outputs with specifications Bug found Generate test case Test case New regression test MutatiOn Testing wIth Fuzzing (MOTIF) https://github.com/SNTSVV/MOTIF 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MOTIF SEMuP 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MLFS LIBU Results RQ2 RQ1 https://faqas.uni.lu
  • 21. Fuzzing for CPS Mutation Testing Jaekwon Lee1,2, Enrico Viganò1, Oscar Cornejo1, Fabrizio Pastore1, Lionel Briand1,2 1 University of Luxembourg, 2 University of Ottawa ASE 2023 - September 14th, 2023
  • 23. 23 RQ2 Executed MOTIF on subjects where symbolic execution is not applicable 0% 25% 50% 75% 100% 0 2,000 4,000 6,000 8,000 10,000 Execution time (seconds) Killed mutants MLFS LIBU § Percentage of killed mutants is lower than for the other cases but MOTIF is still effective § Especially considering that MLFS is a math library with MC/DC test suite § Live mutants are hard to kill § Some of the mutants can be killed only with inputs belonging to a narrow portion of a large input domain § Numbers in a small range § Input strings that match a string stored in a global variable.
  • 24. 24 RQ3: Seed Inputs vs Fuzzing § We focus on the proportion of mutants killed with seed inputs in the experiments for RQ1 and RQ2 § Mutants killed by seeds: § RQ1 experiments: § LIBU: one mutant (less than 1% of all the mutants killed) § ASN1Lib: 280 mutants (24.15%) § RQ2 experiments: § MLFS: 76 mutants (5.43%) § LIBU: 26 mutants (21.66%)