Test generation methodology based on symbolic execution for the Common Criteria higher levels

In the field of security software, the Common Criteria (CC) constitute an ISO standard for the evaluation of products and systems from Information Technologies. The international recognition of the Common Criteria justifies the investment undertaken by the manufacturers to obtain the certification of their products. The evaluation criteria are defined according to the Evaluation Assurance Level (EAL). There are seven EALs: EAL1 to EAL7, in an increasing order of security demand. For the upper levels of evaluation, the use of formal methods is mandatory. In that case, supplies intended to realize evaluation activities must contain components associated to modelling, proof and test. This contribution proposes a methodology and a tool (AGATHA [1,2]) which allow to cover the requirements associated to test generation for the upper levels of the Common Criteria. In that case, the criterion used to stop the test generation activity is defined as follows: the generated test case set covers all functions of the reference model. Each function must be covered “complete” way (although the term complete remains ambiguous in CC definitions). The strategy presented in this paper provides a formal meaning to this criterion and associated test generation techniques.