Towards a Property-based Testing Environment with Applications to Security-Critical Software

We consider an approach to testing that combines white-box and black-box techniques. Black-box testing is used for testing a program's e ects against its speci cation. White-box testing is essential if subtle implementation errors are to be identi ed, e.g., errors due to race conditions. Full white-box testing is a large task. However, for many properties, only a small portion of the program is relevant | hence property-based testing has the potential to substantially simplify much of the testing work. The portion of a program that relates to a given property can be identi ed through slicing. We describe the ongoing development of a Tester's Assistant, which in the long term, will include a speci cation-driven slicer for C programs, a test data generator, a coverage analyzer, and an execution monitor. The slicer and execution monitor are described in this paper, and applications to Unix security are indicated. Security is an important application of property-based testing because of the subtle undetected security errors in delivered operating systems. It is also a promising application because of the (unexpectedly) concise speci cations that capture most security requirements, and because of the operating system support for execution monitoring. The work reported here is being supported in part by ARPA under contract USNN00014-94-1-0065 and by the Lawrence Livermore National Laboratory under work order LLNL-IUTB234584.