Modeling, Analysis and Testing of Safety Issues - An Event-Based Approach and Case Study

IEICE Trans. Inf. & Syst.

Muftuoglu²,

Belli

et al. 2015

Self Cite

SUMMARYGraphical User Interfaces (GUIs) are critical for the security, safety and reliability of software systems. Injection attacks, for instance via SQL, succeed due to insufficient input validation and can be avoided if contract-based approaches, such as Design by Contract, are followed in the software development lifecycle of GUIs. This paper proposes a model-based testing approach for detecting GUI data contract violations, which may result in serious failures such as system crash. A contract-based model of GUI data specifications is used to develop test scenarios and to serve as test oracle. The technique introduced uses multi terminal binary decision diagrams, which are designed as an integral part of decision tableaugmented event sequence graphs, to implement a GUI testing process. A case study, which validates the presented approach on a port scanner written in Java programming language, is presented.

Section: Related Workmentioning

confidence: 99%

Model-Based Contract Testing of Graphical User Interfaces

IEICE Trans. Inf. & Syst.

Muftuoglu²,

Belli

et al. 2015

Self Cite

“…Because input validation errors may lead to malfunctions of the entire system as well as to vulnerabilities for attacks [18], various specification-based and implementation-based test techniques exist to validate user interfaces [16]. Event sequence graphs [3] can be used for analysis and validation of UI requirements prior to implementation and testing of the code [19].…”

Section: Related Workmentioning

confidence: 99%

“…The outputs considerably differ from the ones in Table 4. In erroneous cases (1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19), the software outputs the right error message and aborts sending the packets.…”

Section: F F F F F F T T T T T T T T T T T T T T T T T T 2 Min <= 655mentioning

confidence: 99%

Event-Based Input Validation Using Design-by-Contract Patterns

2009 20th International Symposium on Software Reliability Engineering

Müftüoğlu

Belli

et al. 2009

This paper proposes an approach for validation of numerical inputs based on graphical user interfaces (GUI) that are modeled and specified by event sequence graphs (ESG). For considering complex structures of input data, ESGs are augmented by decision tables and patterns of design by contract (DbC IntroductionInput validation testing chooses test data that attempt to show the presence or absence of specific faults pertaining to input tolerance [16]. This paper focuses on numerical input validation testing of graphical user interfaces (GUI). Our approach for input validation suggests to specify user interface requirements and to convert this specification into a model from which valid and invalid test cases can be generated [3]. For specification of user-system interactions we choose an event-based formal model, where the inputs and events are merged and assigned to the vertices of an event transition diagram, called event sequence graph (ESG); arcs visualize the sequence relation of the events. An ESG is a simple albeit powerful formalism for capturing the behavior of interactive systems. However, modeling complex boundary restrictions on input data as well as dependencies among them inflates the ESG model of a system under consideration (SUC). To overcome this problem, we refine the nodes of the underlying ESG by decision tables, which visualize Boolean algebraic constraints on input data [4]. Decision table augmented ESG is supplemented with design by contract (DbC) patterns so that decision table rules for numerical input validation are refined to pre-condition rules. Based on these concepts, test data are generated. Equivalence class partitioning and boundary value approaches support the test case generation process [1,2]. This paper is an extension of our preliminary work [26], where we introduced algorithms for detection and correction of boundary overflow vulnerabilities through static analysis. The novelty of the present paper stems from following:(i) Theoretical background is extended by incorporating ESGs.(ii) Concept of DbC patterns have also been formalized. Especially pre-condition pattern of DbC plays an important role in refining decision tables for input validation. The formalism we introduce in Section 3.3 enables to considerably improve test case generation algorithm.(iii) The tool we introduced in our preliminary work is improved. Our tool now adds an exception handling mechanism, which we built on DbC concept, instead of a simple if statement wherever necessary.(iv) For validation of the approach we tested three open source port scanners, developed in C++, in a local 20th International Symposium on Software Reliability Engineering 978-0-7695-3878-5/09 $26.00

“…Among them, code coverage rate helps to detect possible input errors and, by using correction algorithms, the illegal inputs can be enforced to set them in defined boundaries. Event sequence graphs [3] can be used for analysis and validation of UI requirements prior to implementation and testing of the code [4]. An ESG is a simple albeit powerful formalism for capturing the behavior of a variety of interactive systems that include real-time, embedded systems, and graphical user interfaces [3].…”

Section: Related Workmentioning

confidence: 99%

GUI-Based Testing of Boundary Overflow Vulnerability

2009 33rd Annual IEEE International Computer Software and Applications Conference

Müftüoğlu

Kaya

et al. 2009

Boundary overflows are caused by violation of constraints, mostly limiting the range of internal values of a program, and can be provoked by an intruder to gain control of or access to stored data. In order to countermeasure this well-known vulnerability issue, this paper focuses on input validation of graphical user interfaces (GUI). The approach proposed generates test cases for numerical inputs based on GUI specification through decision tables. If boundary overflow error (s) are detected, the source code will be analyzed to localize and correct the encountered error(s) automatically.