ICSE MET 17 Keynote. Metamorphic Testing: Beyond Testing Numerical Computations

Size: px

Start display at page:

Download "ICSE MET 17 Keynote. Metamorphic Testing: Beyond Testing Numerical Computations"

Theresa Simmons
6 years ago
Views:

1 ICSE MET 17 Keynote Metamorphic Testing: Beyond Testing Numerical Computations Dr. Zhi Quan (George) Zhou Associate Professor University of Wollongong Australia 1

2 Why this topic? Observation: MT is often illustrated using mathematical functions, e.g. sin(x) = sin (x+360) sin(-x) = -sin(x) This is because mathematical functions have well known properties that everyone understands. Z.Q. (George) Zhou, University of Wollongong 2

3 Why this topic? Misunderstanding: Is MT just for numerical programs? Z.Q. (George) Zhou, University of Wollongong 3

4 Why this topic? The fact: Source: Segura et al., A survey on metamorphic testing, TSE 2016 Z.Q. (George) Zhou, University of Wollongong 4

5 Presentation outline MT in security testing A motivating example: the Heartbleed bug Detecting obfuscator bugs MT for online search MT beyond verification Z.Q. (George) Zhou, University of Wollongong 5

6 Presentation outline MT in security testing A motivating example: the Heartbleed bug Detecting obfuscator bugs MT for online search MT beyond verification Z.Q. (George) Zhou, University of Wollongong 6

7 MT in Security Testing A motivating example: the Heartbleed bug Under the Heartbeat protocol, the client sends a message and the message length to the server, and the server sends back the same message. Z.Q. (George) Zhou, University of Wollongong 7

8 MT in Security Testing A motivating example: the Heartbleed bug Server, if you are still there, send me banana (6 letters) Z.Q. (George) Zhou, University of Wollongong 8

9 MT in Security Testing A motivating example: the Heartbleed bug banana Z.Q. (George) Zhou, University of Wollongong 9

10 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 10

11 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 11

12 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 12

13 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 13

14 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 14

15 MT in Security Testing A motivating example: the Heartbleed bug The specification (RFC 6520) (TLS and DTLS Heartbeat Extension) Z.Q. (George) Zhou, University of Wollongong 15

16 The bug: Z.Q. (George) Zhou, University of Wollongong 16

17 MT in Security Testing A motivating example: the Heartbleed bug Server, if you are still there, send me banana (600 letters) Z.Q. (George) Zhou, University of Wollongong 17

18 MT in Security Testing 600 characters in server buffer starting from b. A They motivating can be anything. example: the Heartbleed bug banana. User George set password to abcdefg. Server master key is set to Z.Q. (George) Zhou, University of Wollongong 18

19 MT in Security Testing A motivating example: the Heartbleed bug Difficulty in detecting the bug No crash No hang Undetectable with fuzz testing alone. Z.Q. (George) Zhou, University of Wollongong 19

20 MT in Security Testing A motivating example: the Heartbleed bug How MT can help? To identify MRs, the tester will ask: What if I change some of the parameter values? Z.Q. (George) Zhou, University of Wollongong 20

21 What if I change type to a different value? Z.Q. (George) Zhou, University of Wollongong 21

22 What if I change payload_length to a different value? This MR will generate failure test cases! Z.Q. (George) Zhou, University of Wollongong 22

23 What if I change two ore more parameters? MT can guide the tester to think beyond the normal range of input values (negative testing). Z.Q. (George) Zhou, University of Wollongong 23

24 MT in Security Testing Related work: MT in penetration test COMPSAC'17 Z.Q. (George) Zhou, University of Wollongong 24

25 Presentation outline MT in security testing A motivating example: the Heartbleed bug Detecting obfuscator bugs MT for online search MT beyond verification Z.Q. (George) Zhou, University of Wollongong 25

26 Detecting obfuscator bugs A pilot study Critical security infrastructure Transform an original program into an equivalent program less readable to prevent attackers from analyzing and understanding the original code. Z.Q. (George) Zhou, University of Wollongong 26

27 Detecting obfuscator bugs A pilot study As important as compilers But difficult to test A surprising observation: Compiler testing: a lot of research Obfuscator testing: almost nothing Our work: first to report real bugs. Z.Q. (George) Zhou, University of Wollongong 27

28 Detecting obfuscator bugs Obfuscators under test Cobfusc open source Linux utility that makes a C source file unreadable, but compilable. Z.Q. (George) Zhou, University of Wollongong 28

29 Detecting obfuscator bugs Obfuscators under test Z.Q. (George) Zhou, University of Wollongong 29

30 Detecting obfuscator bugs Obfuscators under test Stunnix CXX-Obfus commercial C/C++ obfuscator users include many Fortune 500 companies Z.Q. (George) Zhou, University of Wollongong 30

31 Detecting obfuscator bugs Obfuscators under test Z.Q. (George) Zhou, University of Wollongong 31

32 Detecting obfuscator bugs Obfuscators under test Tigress C obfuscator developed at the University of Arizona that supports novel defenses against both static and dynamic reverse engineering. Z.Q. (George) Zhou, University of Wollongong 32

33 Detecting obfuscator bugs Obfuscators under test Obfuscator-LLVM open source tool in LLVM compilation suite. Given a C source program, Obfuscator-LLVM outputs obfuscated and compiled binary code LLVM users include Adobe Systems, Apple, Intel, and Sony. Z.Q. (George) Zhou, University of Wollongong 33

34 Detecting obfuscator bugs Obfuscators under test Z.Q. (George) Zhou, University of Wollongong 34

35 Detecting obfuscator bugs The metamorphic relations (MRs) MR 1 Same outputs for the same inputs Q O(Q) C(O(Q)) P O(P) C(O(P)) obfuscator compiler Z.Q. (George) Zhou, University of Wollongong 35

36 Detecting obfuscator bugs The metamorphic relations (MRs) Q MR 1 How do we generate equivalent (P, Q)? MR 1.1 : by a separate tool MR 1.2 : by the obfuscator. C(O(Q)) P O(P) C(O(P)) obfuscator compiler Z.Q. (George) Zhou, University of Wollongong 36

37 Detecting obfuscator bugs The metamorphic relations (MRs) MR 2 For the same input program, the obfuscator should generate (behaviourally) equivalent programs regardless of when the obfuscator is run. P O(P) C(O(P)) obfuscator compiler P O(P) C(O(P)) obfuscator compiler Z.Q. (George) Zhou, University of Wollongong 37

38 Detecting obfuscator bugs The metamorphic relations (MRs) MR 3 Looks at obfuscated source code without compiling it. P O(P) C(O(P)) obfuscator compiler Checks whether obfuscation rules have been applied consistently each time the obfuscator runs. Z.Q. (George) Zhou, University of Wollongong 38

39 Detecting obfuscator bugs Tigress Z.Q. (George) Zhou, University of Wollongong 39

40 Detecting obfuscator bugs Tigress either true or false, i.e. 1 or 0. Z.Q. (George) Zhou, University of Wollongong 40

41 Detecting obfuscator bugs Tigress either or i.e., true. Z.Q. (George) Zhou, University of Wollongong 41

42 Detecting obfuscator bugs Tigress true else branch is unreachable true else branch is unreachable Z.Q. (George) Zhou, University of Wollongong 42

43 Any MT test case (i, j) will Detecting obfuscator bugs Tigress detect a failure because i-10 i+10. true i = i - 10 else branch is unreachable true i = i + 10 else branch is unreachable Z.Q. (George) Zhou, University of Wollongong 43

44 true i = i - 10 else branch is unreachable true Conventional testing without MT can detect the i = i + 10 else branch is unreachable failure only when i<=j (hence not guaranteed). Z.Q. (George) Zhou, University of Wollongong 44

45 In comparison, MT guarantees detection of the failure in this example, because O(P 1 ) and O(P 2 ) always output different values for i. true i = i - 10 else branch is unreachable true i = i + 10 else branch is unreachable Z.Q. (George) Zhou, University of Wollongong 45

46 Detecting obfuscator bugs Cobfusc MR 1.2 P O(P) C(O(P)) obfuscator compiler P: O(O(O(P))): Can t be compiled. Z.Q. (George) Zhou, University of Wollongong 46

47 Detecting obfuscator bugs Obfuscator-LLVM MR 2 : When an obfuscator runs at different times for the same program, the behaviour of the output programs should be equivalent.

48 Detecting obfuscator bugs Obfuscator-LLVM

49 Detecting obfuscator bugs Obfuscator-LLVM

50 Detecting obfuscator bugs Stunnix CXX-Obfus MR 3 : checking that obfuscated source files based on the same input source file are consistent. Z.Q. (George) Zhou, University of Wollongong 50

51 Detecting obfuscator bugs Stunnix CXX-Obfus Z.Q. (George) Zhou, University of Wollongong 51

52 Detecting obfuscator bugs Stunnix CXX-Obfus Z.Q. (George) Zhou, University of Wollongong 52

53 Relevant publication Metamorphic testing for cybersecurity, Computer, Z.Q. (George) Zhou, University of Wollongong 53

54 Presentation outline MT in security testing A motivating example: the Heartbleed bug Detecting obfuscator bugs MT for online search MT beyond verification Z.Q. (George) Zhou, University of Wollongong 54

MT for Online Search Related publications Automated functional testing of web search engines in the absence of an oracle, The University of Hong Kong, Tech. Rep.

55 MT for Online Search Related publications Automated functional testing of web search engines in the absence of an oracle, The University of Hong Kong, Tech. Rep. TR , 2007 Automated functional testing of online search services, Software Testing, Verification and Reliability, Metamorphic testing for software quality assessment: A study of search engines, IEEE Transactions on Software Engineering, 2016 Ongoing projects to report more interesting findings Z.Q. (George) Zhou, University of Wollongong 55

56 MT for Online Search Significance Post-industrial society / knowledge society / information society Key: to find the information. Z.Q. (George) Zhou, University of Wollongong 56

57 MT for Online Search Significance Online search / information retrieval The main activity to discover information cf. browsing Very difficult to test. Z.Q. (George) Zhou, University of Wollongong 57

58 MT for Online Search Applications Z.Q. (George) Zhou, University of Wollongong

59 MT for Online Search Applications Z.Q. (George) Zhou, University of Wollongong 59

60 MT for Online Search Applications Z.Q. (George) Zhou, University of Wollongong 60

61 MT for Online Search Applications Z.Q. (George) Zhou, University of Wollongong 61

62 MT for Online Search Applications Z.Q. (George) Zhou, University of Wollongong 62

63 MT for Online Search Applications

64 MT for Online Search Applications Location based service / local search Source of image:

65 MT for Online Search Traditional evaluation methods Precision Recall C / B expensive C / A impossible Difficulties: (1) the sheer volume of online data (2) how to decide relevance? (3) how to assess ranking quality? C B A 65

66 MT for Online Search How to identify MRs? A top-down approach Z.Q. (George) Zhou, University of Wollongong 66

67 MT for Online Search MR examples First identify some General MRs, e.g.: If A implies B then * results for A results for B, and * results for A results for B. A general MR can generate many concrete MRs. Z.Q. (George) Zhou, University of Wollongong 67

68 a general MR: If A implies B then results for A results for B. a concrete MR: filtering by location Example: Z.Q. (George) Zhou, University of Wollongong 68

69 a general MR: If A implies B then results for A results for B. a concrete MR: filtering by location failure Z.Q. (George) Zhou, University of Wollongong 69

70 a general MR: If A implies B then results for A results for B. concrete MRs: using logical operations such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) Z.Q. (George) Zhou, University of Wollongong 70

71 a general MR: If A implies B then results for A results for B. concrete MRs: using logical operators such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) A 1, A 2 can be any search criteria, e.g. query terms and filters Z.Q. (George) Zhou, University of Wollongong 71

72 a general MR: If A implies B then results for A results for B. concrete MRs: using logical operators such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) A 1, A 2 can be any search criteria, e.g. query terms and filters Z.Q. (George) Zhou, University of Wollongong 72

73 a general MR: If A implies B then results for A results for B. concrete MRs: using logical operators such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) A 1, A 2 can be any search criteria, e.g. query terms and filters Z.Q. (George) Zhou, University of Wollongong 73

74 concrete MRs: using logical operators such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) A 1, A 2 can be any search criteria, e.g. query terms and filters. Z.Q. (George) Zhou, University of Wollongong 74

75 concrete MRs: using logical operators such as AND, OR, EXCLUDE: results for (A 1 AND A 2 ) results for A 1 results for (A 1 - A 2 ) results for A 1 results for (A 1 ) results for (A 1 OR A 2 ) A 1, A 2 can be any search criteria, e.g. query terms and filters. Z.Q. (George) Zhou, University of Wollongong 75

76 MT for Online Search Z.Q. (George) Zhou, University of Wollongong 76

77 MT for Online Search Validity must be carefully considered Because online search may only return approximate results. We cannot use simple mathematics such as: If A=1, B=2 then A+B=3. Z.Q. (George) Zhou, University of Wollongong 77

78 MT for Online Search Validity must be carefully considered Dynamic nature of online data? All tests must be repeatable. Z.Q. (George) Zhou, University of Wollongong 78

79 MT for Online Search Validity must be carefully considered Relationship between users information needs and logical consistency (MRs)? Users perceived quality of ranking decreases if they find strong inconsistencies in search results. Z.Q. (George) Zhou, University of Wollongong 79

80 MT for Online Search Ranking quality Most users are more concerned about the first few items. Z.Q. (George) Zhou, University of Wollongong 80

81 MT for Online MR: An Search example of Web search engines Ranking quality filter Z.Q. (George) Zhou, University of Wollongong 81

82 MT for Online Search Ranking quality Studied different file types HTML, PDF, TXT Sensitive / vulnerable to hyperlink structure / topology of Web components Needs improvement for less structured files How about multimedia search? Further research topic Any bias in search results? Z.Q. (George) Zhou, University of Wollongong 82

83 Useful for detecting security vulnerabilities Undetectable with traditional approaches.

84 Presentation outline MT in security testing A motivating example: the Heartbleed bug Detecting obfuscator bugs MT for online search MT beyond verification Z.Q. (George) Zhou, University of Wollongong 84

85 MT beyond verification Software testing can be performed for different purposes, with verification and validation being the core tasks. Testing is also used for other types of quality assessment beyond V&V, such as usability and scalability. Z.Q. (George) Zhou, University of Wollongong 85

86 MT beyond verification Meeting the challenges lack of specifications lack of oracles when verifying, validating, and assessing large and complex software systems. User-oriented approach Z.Q. (George) Zhou, University of Wollongong 86

87 Figure adapted from: Mauro Pezzè and Michal Young, Software Testing and Analysis: Process, Principles and Techniques

88 x x x x x x x Note: User manuals are not specifications --- an adequate guide to building a product that will fulfill its goals.

89 Difficulties in user validation A large body of software systems come without specifications, or with incomplete specifications, e.g.: online systems open source development poor software evolution web services Z.Q. (George) Zhou, University of Wollongong 89

90 Difficulties in user validation The lack of knowledge about the software design and specifications, coupled with the oracle problem, makes user validation extremely difficult. It is hard for users to decide if, and to what degree, the systems are appropriate for their needs. Z.Q. (George) Zhou, University of Wollongong 90

91 Difficulties in user validation The lack of knowledge about the software design and specifications, coupled with the oracle problem, makes user validation extremely difficult. It is hard Solution: for users define to decide MRs if, and from to the what degree, the user s systems perspective. are appropriate for their needs. Beyond traditional verification and fault detection. Z.Q. (George) Zhou, University of Wollongong 91

92 MT beyond verification From verification to validation

93 MT beyond verification From verification to validation Z.Q. (George) Zhou, University of Wollongong 93

94 MT beyond verification From V&V to quality assessment A crucial deficiency in Bing s functional completeness, which refers to the degree to which the set of functions covers all the specified tasks and user objectives. Z.Q. (George) Zhou, University of Wollongong 94

95 MT beyond verification From V&V to quality assessment Z.Q. (George) Zhou, University of Wollongong 95

96 MT beyond verification From V&V to quality assessment Functional completeness Z.Q. (George) Zhou, University of Wollongong 96

97 MT beyond verification From V&V to quality assessment Functional correctness Z.Q. (George) Zhou, University of Wollongong 97

98 Functional correctness: more examples Search for a paper in the ACM digital library: In black and white: an integrated approach to class-level testing of object-oriented programs Z.Q. (George) Zhou, University of Wollongong 98

99 Functional correctness: more examples Z.Q. (George) Zhou, University of Wollongong 99

100 Functional correctness: more examples Oracle on the fly: Shoot first and then point to the target. filter Z.Q. (George) Zhou, University of Wollongong 100

101 Functional correctness: more examples Z.Q. (George) Zhou, University of Wollongong 101

102 Z.Q. (George) Zhou, University of Wollongong 102

103 MT beyond verification Measuring software performance Performance efficiency: MT revealed scalability problems of the SUTs. Z.Q. (George) Zhou, University of Wollongong 103

104 MT beyond verification Measuring software performance: scalability steeper performance degradation when searching large domains. Z.Q. (George) Zhou, University of Wollongong 104

105 MT beyond verification Measuring software performance: scalability performance degradation when searching large domains. Z.Q. (George) Zhou, University of Wollongong 105

106 MT beyond verification Reliability: degree to which a system performs specified functions under specified conditions for a specified period of time. Measuring reliability We performed MT under different operational profiles and quantified the test results on an hourly basis. Z.Q. (George) Zhou, University of Wollongong 106

107 MT beyond verification Measuring reliability Z.Q. (George) Zhou, University of Wollongong 107

108 MT beyond verification Measuring reliability Z.Q. (George) Zhou, University of Wollongong 108

109 MT beyond verification Measuring reliability Z.Q. (George) Zhou, University of Wollongong 109

110 MT beyond verification Measuring reliability Z.Q. (George) Zhou, University of Wollongong 110

111 MT beyond verification Measuring reliability Z.Q. (George) Zhou, University of Wollongong 111

112 MT beyond verification Measuring usability Operability: easy to operate and control. A lot of search operators were tested in MT. Z.Q. (George) Zhou, University of Wollongong 112

113 MT beyond verification Measuring usability User error protection: e.g. even if users didn't issue their queries by following the optimal order. Z.Q. (George) Zhou, University of Wollongong 113

114 MT beyond verification Quality in Use Model Quality in Use Model: characterizes the impact that the product has on its stakeholders. Effectiveness: accuracy and completeness with which users achieve specified goals. Z.Q. (George) Zhou, University of Wollongong 114

115 MT beyond verification Quality in Use Model Context completeness: A system "can be used... in all the specified contexts of use." We tested with different operational profiles e.g. different languages, query types, and domains to search. Z.Q. (George) Zhou, University of Wollongong 115

116 Ongoing Research Location-based search GPS navigation software ecommerce websites Z.Q. (George) Zhou, University of Wollongong 116

117 Questions are welcome Z.Q. (George) Zhou, University of Wollongong 117

Bridge Course On Software Testing

Bridge Course On Software Testing G. PULLAIAH COLLEGE OF ENGINEERING AND TECHNOLOGY Accredited by NAAC with A Grade of UGC, Approved by AICTE, New Delhi Permanently Affiliated to JNTUA, Ananthapuramu (Recognized by UGC under 2(f) and 12(B)