Fuzzing for CPS Mutation Testing

Lionel Briand, Professor, Canada Research Chair (Tier 1), ERC Advanced grant recipient at EECS, U. of Ottawa and SnT Centre, U. of Luxembourg
Fuzzing for CPS Mutation Testing
Jaekwon Lee (1,2), Enrico Viganò (1), Oscar Cornejo (1), Fabrizio Pastore (1), Lionel Briand (1,2)
(1) University of Luxembourg, (2) University of Ottawa
ASE 2023 - September 14th, 2023
2
Mutation Testing
[Diagram: several SUT versions, each run against the test suite, with outcomes FAIL, PASS, FAIL, FAIL, PASS. For a SUT version on which the test suite yields PASS: New test 1, New test 2 and New test 3, each yielding FAIL.]
Improve with automatically generated test cases
3
Our focus:
C/C++ software deployed on CPS
4
State-of-the-art Tool for C: SEMu
• Based on symbolic execution (KLEE)
• Excellent for testing command line utilities
• Inapplicable to CPS (limitations of KLEE)
• Unable to test functions with floating point parameters
• Unable to test functions communicating over network
• Dependency on LLVM
5
Grey-box Fuzzing
• Can be an ideal solution for mutation testing
• Generates test cases by exercising the compiled software
• Not affected by the limitations of symbolic execution
6
Evolutionary Process in Grey-box Fuzzing
[Diagram: Seed files -> Queue -> Select from queue -> Randomly modify file -> Test and collect coverage (SUT) -> New behaviour observed? (number of times branches are covered) -> Yes: add to queue / No: discard. A Test that ends in a Crash goes to Crashing inputs.]
The grey-box fuzzing process has proven useful for generating diverse inputs that expose different faults
7
Grey-box Fuzzing may Facilitate Mutation Testing
• When an input leads to a program state that differs for the original and the mutated function, differences in code coverage might be observed
• Additional modifications of such an input may help propagate the infection and kill the mutant
8
Fuzzed Input 1: x=1,y=1,z=5
Fuzzed Input 2: x=2,y=1,z=5
Fuzzed Input 3: x=2,y=1,z=0

/* values in each comment: Fuzzed Input 1, 2, 3 */
int max(int x, int y, int z) {
    int t;
    if (x >= y)
        t = x;        /* branch 1:  1  1  1 */
    else
        t = y;        /* branch 2:  0  0  0 */
    if (t >= z)
        return t;     /* branch 3:  0  0  1 */
    return z;         /* branch 4:  1  1  0 */
}                     /* return:    5  5  2 */

int mut_max(int x, int y, int z) {
    int t;
    if (x <= y)
        t = x;        /* branch 5:  1  0  0 */
    else
        t = y;        /* branch 6:  0  1  1 */
    if (t >= z)
        return t;     /* branch 7:  0  0  1 */
    return z;         /* branch 8:  1  1  0 */
}                     /* return:    5  5  1 */
9
Fuzzed Input 1: x=1,y=1,z=5
Fuzzed Input 2: x=4,y=1,z=5
Fuzzed Input 3: x=4,y=1,z=0

/* values in each comment: Fuzzed Input 1, 2, 3 */
int max(int x, int y, int z) {
    int t;
    if (x >= y)
        t = x;        /* branch 1:  1  1  1 */
    else
        t = y;        /* branch 2:  0  0  0 */
    if (t >= z)
        return t;     /* branch 3:  0  0  1 */
    return z;         /* branch 4:  1  1  0 */
}                     /* return:    5  5  2 */

int mut_max(int x, int y, int z) {
    int t;
    if (x <= y)
        t = x;        /* branch 5:  1  0  0 */
    else
        t = y;        /* branch 6:  0  1  1 */
    if (t >= z)
        return t;     /* branch 7:  0  0  1 */
    return z;         /* branch 8:  1  1  0 */
}                     /* return:    5  5  1 */

[Annotation on the slide: infected state]
10
Fuzzing is not for System-level CPS Testing
[Figure labels: DDCM payload data, Sun sensor data, S-band antenna data]
11
We aim to generate test cases at unit level, but this is not supported by grey-box fuzzers
12
MutatiOn Testing wIth Fuzzing (MOTIF)
1. Generate fuzzing driver
[Diagram: Live Mutant, SUT source -> Fuzzing driver; the fuzzed file is drawn as bit strings]
Fuzzing driver:

int main(...){
    /* inputs for the original function */
    double x = load(..);
    double y = load(..);
    int z = load(..);
    /* inputs for the mutated function */
    double m_x = load(..);
    double m_y = load(..);
    int m_z = load(..);
    ret = max(x,y,z);
    mut_ret = mut_max(m_x,m_y,m_z);
    /* any mismatch aborts, so the fuzzer records a crashing file */
    if( ! match(ret, mut_ret) ){ abort(); }
    if( ! match(x, m_x) ){ abort(); }
    if( ! match(y, m_y) ){ abort(); }
    if( ! match(z, m_z) ){ abort(); }
}
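The infected-state reasoning of slides 8 and 9 and the driver of slide 12, combined in one runnable program (an added example, not code from the slides or from the MOTIF repository). It feeds the same decoded bytes to max and mut_max, counts the slides' branches 1 to 8, and classifies each input as SAME, INFECTED or KILLED. Assumptions: the input layout (three native-endian 32-bit ints), the names run_input, run_xyz, struct outcome and reset_seen, and the seen[] array standing in for the fuzzer's coverage map.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hit counters for branches 1-8 as numbered on the slides (index 0 unused). */
static unsigned cov[9];
/* Branches hit by any earlier input: assumed stand-in for the fuzzer's map. */
static unsigned char seen[9];

static int max(int x, int y, int z) {
    int t;
    if (x >= y) { cov[1]++; t = x; } else { cov[2]++; t = y; }
    if (t >= z) { cov[3]++; return t; }
    cov[4]++;
    return z;
}

/* Live mutant from the slides: ">=" became "<=" in the first condition. */
static int mut_max(int x, int y, int z) {
    int t;
    if (x <= y) { cov[5]++; t = x; } else { cov[6]++; t = y; }
    if (t >= z) { cov[7]++; return t; }
    cov[8]++;
    return z;
}

enum verdict { TOO_SHORT = -1, SAME = 0, INFECTED = 1, KILLED = 2 };

struct outcome {
    enum verdict verdict;
    int new_coverage;  /* 1 if this input hit a branch no earlier input hit */
    int ret, mut_ret;
};

static void reset_seen(void) { memset(seen, 0, sizeof seen); }

/* Assumed file layout: three native-endian 32-bit ints x, y, z. */
static struct outcome run_input(const unsigned char *buf, size_t len) {
    struct outcome o = { TOO_SHORT, 0, 0, 0 };
    int32_t in[3], m_in[3];

    if (len < sizeof in)
        return o;                      /* fuzzers routinely produce short files */
    memcpy(in, buf, sizeof in);        /* inputs for the original */
    memcpy(m_in, buf, sizeof m_in);    /* identical inputs for the mutant */

    memset(cov, 0, sizeof cov);
    o.ret = max(in[0], in[1], in[2]);
    o.mut_ret = mut_max(m_in[0], m_in[1], m_in[2]);

    /* Grey-box feedback: would the fuzzer keep this input in its queue? */
    for (int b = 1; b <= 8; b++)
        if (cov[b] && !seen[b]) { seen[b] = 1; o.new_coverage = 1; }

    if (o.ret != o.mut_ret) {
        o.verdict = KILLED;            /* a real driver calls abort() here */
        return o;
    }
    /* Same output: compare branch i of max with branch i+4 of mut_max. */
    o.verdict = SAME;
    for (int b = 1; b <= 4; b++)
        if (cov[b] != cov[b + 4]) o.verdict = INFECTED;
    return o;
}

/* Helper: serialise (x, y, z) the way a fuzzed file would carry them. */
static struct outcome run_xyz(int32_t x, int32_t y, int32_t z) {
    int32_t v[3] = { x, y, z };
    unsigned char buf[sizeof v];
    memcpy(buf, v, sizeof v);
    return run_input(buf, sizeof buf);
}

int main(void) {
    /* Constructed sample: the three fuzzed inputs of slide 8. */
    static const int32_t inputs[3][3] = { {1, 1, 5}, {2, 1, 5}, {2, 1, 0} };
    static const char *names[] = { "same", "infected", "killed" };

    reset_seen();
    for (int i = 0; i < 3; i++) {
        struct outcome o = run_xyz(inputs[i][0], inputs[i][1], inputs[i][2]);
        printf("input %d: max=%d mut_max=%d new_coverage=%d -> %s\n",
               i + 1, o.ret, o.mut_ret, o.new_coverage, names[o.verdict]);
    }
    return 0;
}
```

Input 2 is the case the slides highlight: both outputs are 5, but branch 6 is new, so a coverage-guided fuzzer keeps the input, and changing z to 0 then kills the mutant.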
13
MutatiOn Testing wIth Fuzzing (MOTIF)
[Workflow diagram]
1. Generate fuzzing driver: Live mutant, SUT source -> Fuzzing driver
2. Generate seed inputs: Seed files
3. Compile: Executable fuzzing driver
4. Mutation testing: Execute fuzzer (AFL++) on the executable fuzzing driver -> Fuzzed file, Crashing files; Post-processing -> Files killing mutant
5. Inspection: Generate test case -> Test case
14
MutatiOn Testing wIth Fuzzing (MOTIF)
[Workflow diagram]
1. Generate fuzzing driver: Live Mutant, SUT source -> Fuzzing driver
2. Generate seed inputs: Seed files
3. Compile: Executable fuzzing driver
4. Mutation testing: Execute fuzzer (AFL++) on the executable fuzzing driver -> Fuzzed file, Crashing files; Post-processing -> Files killing mutant
5. Inspection: Generate test case -> Test case; Engineer compares outputs with specifications -> Bug found / New regression test
Callouts on the diagram: Assign fuzzer inputs to input variables; Inspect results
15
Empirical Evaluation
RQ1. How does MOTIF compare to mutation testing based on
symbolic execution?
RQ2. How does MOTIF perform with software that cannot be tested
with symbolic execution?
RQ3. How does MOTIF’s seeding strategy contribute to its results?
16
Case Study Subjects
Software deployed on space CPS from an ESA project:
• MLFS: the Mathematical Library for Flight Software
• LIBU: a utility library from one of our industry partners
• ASN1Lib: a serialization/deserialization library generated with the ASN1SCC compiler
17
RQ1. MOTIF vs Symb. Execution
• We created SEMuP: a modified MOTIF pipeline that relies on KLEE/SEMu instead of AFL++ to generate test cases
• We considered subjects where symbolic execution is applicable (e.g., no floating-point var):
    • ASN1Lib
    • 27 source files of LIBU
• 1,499 mutants not killed by existing test suites
• Executed both approaches for 10,000 seconds for each mutant
• Repeated 10 times
18
RQ1 Results
Plots with datapoints belonging to each of the 10 runs
[Two plots, ASN1Lib and LIBU: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds), MOTIF vs. SEMuP. Values annotated on the plots: 10.5 and 46.8.]
MOTIF kills 86.08% and 73.79% of the mutants (avg). It outperforms symbolic execution.
19
RQ1 Results
Plots with datapoints belonging to each of the 10 runs
[Two plots: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds), MOTIF vs. SEMuP. Values annotated on the plots: 10.5 and 46.8.]
Complementarity
ASN1Lib
MOTIF kills 252 mutants not killed by SEMuP.
SEMuP kills 103 mutants not killed by MOTIF.
MOTIF kills 74 mutants not killed by SEMuP.
SEMuP kills 1 mutant not killed by MOTIF.
LIBU
11
MutatiOn Testing wIth Fuzzing (MOTIF)
https://github.com/SNTSVV/MOTIF
[Summary slide: the MOTIF workflow diagram (steps 1 to 5, as on slide 14) and the Results plots for RQ1 (MOTIF vs. SEMuP) and RQ2 (MLFS, LIBU): killed mutants (0% to 100%) against execution time (0 to 10,000 seconds)]
https://faqas.uni.lu
22
Backup Slides
23
RQ2
Executed MOTIF on subjects where symbolic execution is not applicable
[Plot, MLFS and LIBU: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds)]
• Percentage of killed mutants is lower than for the other cases but MOTIF is still effective
• Especially considering that MLFS is a math library with MC/DC test suite
• Live mutants are hard to kill
• Some of the mutants can be killed only with inputs belonging to a narrow portion of a large input domain
    • Numbers in a small range
    • Input strings that match a string stored in a global variable.
24
RQ3: Seed Inputs vs Fuzzing
• We focus on the proportion of mutants killed with seed inputs in the experiments for RQ1 and RQ2
• Mutants killed by seeds:
    • RQ1 experiments:
        • LIBU: one mutant (less than 1% of all the mutants killed)
        • ASN1Lib: 280 mutants (24.15%)
    • RQ2 experiments:
        • MLFS: 76 mutants (5.43%)
        • LIBU: 26 mutants (21.66%)
1 of 24

Recommended

Mutation-Testing mit PIT by
Mutation-Testing mit PITMutation-Testing mit PIT
Mutation-Testing mit PITSebastian Dietrich
111 views10 slides
Cgc2 by
Cgc2Cgc2
Cgc2Chong-Kuan Chen
398 views109 slides
Unit and integration Testing by
Unit and integration TestingUnit and integration Testing
Unit and integration TestingDavid Berliner
23.9K views57 slides
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft... by
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...
Semi-automatic Incompatibility Localization for Re-engineered Industrial Soft...Susumu Tokumoto
582 views19 slides
Must.kill.mutants. TopConf Tallinn 2016 by
Must.kill.mutants. TopConf Tallinn 2016Must.kill.mutants. TopConf Tallinn 2016
Must.kill.mutants. TopConf Tallinn 2016Gerald Muecke
553 views64 slides
2016 10-04: tdd++: tdd made easier by
2016 10-04: tdd++: tdd made easier2016 10-04: tdd++: tdd made easier
2016 10-04: tdd++: tdd made easierChristian Hujer
394 views111 slides

More Related Content

Similar to Fuzzing for CPS Mutation Testing

Fighting Fear-Driven-Development With PHPUnit by
Fighting Fear-Driven-Development With PHPUnitFighting Fear-Driven-Development With PHPUnit
Fighting Fear-Driven-Development With PHPUnitJames Fuller
4.1K views56 slides
DSR Testing (Part 1) by
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)Steve Upton
1.1K views188 slides
Mateusz Bryła - Mutation testing by
Mateusz Bryła - Mutation testingMateusz Bryła - Mutation testing
Mateusz Bryła - Mutation testingkraqa
1.1K views27 slides
MUTANTS KILLER - PIT: state of the art of mutation testing system by
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system Tarin Gamberini
3.1K views56 slides
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and... by
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Maksim Shudrak
2.5K views99 slides
Review of an open source unit test tool- Cucumber_Presentation by
Review of an open source unit test tool- Cucumber_PresentationReview of an open source unit test tool- Cucumber_Presentation
Review of an open source unit test tool- Cucumber_PresentationJabeen Shazia Posses H1 B Visa (Jazz)
283 views21 slides

Similar to Fuzzing for CPS Mutation Testing(20)

Fighting Fear-Driven-Development With PHPUnit by James Fuller
Fighting Fear-Driven-Development With PHPUnitFighting Fear-Driven-Development With PHPUnit
Fighting Fear-Driven-Development With PHPUnit
James Fuller4.1K views
DSR Testing (Part 1) by Steve Upton
DSR Testing (Part 1)DSR Testing (Part 1)
DSR Testing (Part 1)
Steve Upton1.1K views
Mateusz Bryła - Mutation testing by kraqa
Mateusz Bryła - Mutation testingMateusz Bryła - Mutation testing
Mateusz Bryła - Mutation testing
kraqa1.1K views
MUTANTS KILLER - PIT: state of the art of mutation testing system by Tarin Gamberini
MUTANTS KILLER - PIT: state of the art of mutation testing system MUTANTS KILLER - PIT: state of the art of mutation testing system
MUTANTS KILLER - PIT: state of the art of mutation testing system
Tarin Gamberini3.1K views
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and... by Maksim Shudrak
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...
Maksim Shudrak2.5K views
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve... by Felipe Prado
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
Felipe Prado111 views
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012. by Wolfgang Grieskamp
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Model-Based Testing: Theory and Practice. Keynote @ MoTiP (ISSRE) 2012.
Wolfgang Grieskamp2.5K views
The why and how of moving to php 7.x by Wim Godden
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
Wim Godden486 views
The why and how of moving to php 7.x by Wim Godden
The why and how of moving to php 7.xThe why and how of moving to php 7.x
The why and how of moving to php 7.x
Wim Godden1.2K views
"egg" - A stealth fine grained code analyzer by FFRI, Inc.
"egg" - A stealth fine grained code analyzer"egg" - A stealth fine grained code analyzer
"egg" - A stealth fine grained code analyzer
FFRI, Inc.873 views
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu... by NETWAYS
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
Puppet Camp Duesseldorf 2014: Toni Schmidbauer - Continuously deliver your pu...
NETWAYS306 views
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki... by Puppet
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
Puppet Camp Düsseldorf 2014: Continuously Deliver Your Puppet Code with Jenki...
Puppet2.9K views
Testes? Mas isso não aumenta o tempo de projecto? Não quero... by Comunidade NetPonto
Testes? Mas isso não aumenta o tempo de projecto? Não quero...Testes? Mas isso não aumenta o tempo de projecto? Não quero...
Testes? Mas isso não aumenta o tempo de projecto? Não quero...
Software Engineering - RS3 by Atakan Aral
Software Engineering - RS3Software Engineering - RS3
Software Engineering - RS3
Atakan Aral558 views
Hack@macs 2014 test driven development & pair programing by unihack
Hack@macs 2014 test driven development & pair programingHack@macs 2014 test driven development & pair programing
Hack@macs 2014 test driven development & pair programing
unihack459 views

More from Lionel Briand

Metamorphic Testing for Web System Security by
Metamorphic Testing for Web System SecurityMetamorphic Testing for Web System Security
Metamorphic Testing for Web System SecurityLionel Briand
15 views27 slides
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-... by
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Lionel Briand
7 views24 slides
Data-driven Mutation Analysis for Cyber-Physical Systems by
Data-driven Mutation Analysis for Cyber-Physical SystemsData-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical SystemsLionel Briand
19 views28 slides
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems by
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsLionel Briand
18 views21 slides
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu... by
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...Lionel Briand
43 views17 slides
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ... by
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Lionel Briand
23 views19 slides

More from Lionel Briand(20)

Metamorphic Testing for Web System Security by Lionel Briand
Metamorphic Testing for Web System SecurityMetamorphic Testing for Web System Security
Metamorphic Testing for Web System Security
Lionel Briand15 views
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-... by Lionel Briand
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Simulator-based Explanation and Debugging of Hazard-triggering Events in DNN-...
Lionel Briand7 views
Data-driven Mutation Analysis for Cyber-Physical Systems by Lionel Briand
Data-driven Mutation Analysis for Cyber-Physical SystemsData-driven Mutation Analysis for Cyber-Physical Systems
Data-driven Mutation Analysis for Cyber-Physical Systems
Lionel Briand19 views
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems by Lionel Briand
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled SystemsMany-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Many-Objective Reinforcement Learning for Online Testing of DNN-Enabled Systems
Lionel Briand18 views
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu... by Lionel Briand
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
ATM: Black-box Test Case Minimization based on Test Code Similarity and Evolu...
Lionel Briand43 views
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ... by Lionel Briand
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Black-box Safety Analysis and Retraining of DNNs based on Feature Extraction ...
Lionel Briand23 views
PRINS: Scalable Model Inference for Component-based System Logs by Lionel Briand
PRINS: Scalable Model Inference for Component-based System LogsPRINS: Scalable Model Inference for Component-based System Logs
PRINS: Scalable Model Inference for Component-based System Logs
Lionel Briand24 views
Revisiting the Notion of Diversity in Software Testing by Lionel Briand
Revisiting the Notion of Diversity in Software TestingRevisiting the Notion of Diversity in Software Testing
Revisiting the Notion of Diversity in Software Testing
Lionel Briand226 views
Applications of Search-based Software Testing to Trustworthy Artificial Intel... by Lionel Briand
Applications of Search-based Software Testing to Trustworthy Artificial Intel...Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Applications of Search-based Software Testing to Trustworthy Artificial Intel...
Lionel Briand309 views
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety by Lionel Briand
Autonomous Systems: How to Address the Dilemma between Autonomy and SafetyAutonomous Systems: How to Address the Dilemma between Autonomy and Safety
Autonomous Systems: How to Address the Dilemma between Autonomy and Safety
Lionel Briand343 views
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ... by Lionel Briand
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Mathematicians, Social Scientists, or Engineers? The Split Minds of Software ...
Lionel Briand1.5K views
Reinforcement Learning for Test Case Prioritization by Lionel Briand
Reinforcement Learning for Test Case PrioritizationReinforcement Learning for Test Case Prioritization
Reinforcement Learning for Test Case Prioritization
Lionel Briand472 views
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ... by Lionel Briand
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Mutation Analysis for Cyber-Physical Systems: Scalable Solutions and Results ...
Lionel Briand196 views
On Systematically Building a Controlled Natural Language for Functional Requi... by Lionel Briand
On Systematically Building a Controlled Natural Language for Functional Requi...On Systematically Building a Controlled Natural Language for Functional Requi...
On Systematically Building a Controlled Natural Language for Functional Requi...
Lionel Briand216 views
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and... by Lionel Briand
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Efficient Online Testing for DNN-Enabled Systems using Surrogate-Assisted and...
Lionel Briand370 views
Guidelines for Assessing the Accuracy of Log Message Template Identification ... by Lionel Briand
Guidelines for Assessing the Accuracy of Log Message Template Identification ...Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Guidelines for Assessing the Accuracy of Log Message Template Identification ...
Lionel Briand151 views
A Theoretical Framework for Understanding the Relationship between Log Parsin... by Lionel Briand
A Theoretical Framework for Understanding the Relationship between Log Parsin...A Theoretical Framework for Understanding the Relationship between Log Parsin...
A Theoretical Framework for Understanding the Relationship between Log Parsin...
Lionel Briand400 views
Requirements in Cyber-Physical Systems: Specifications and Applications by Lionel Briand
Requirements in Cyber-Physical Systems: Specifications and ApplicationsRequirements in Cyber-Physical Systems: Specifications and Applications
Requirements in Cyber-Physical Systems: Specifications and Applications
Lionel Briand875 views
Practical Constraint Solving for Generating System Test Data by Lionel Briand
Practical Constraint Solving for Generating System Test DataPractical Constraint Solving for Generating System Test Data
Practical Constraint Solving for Generating System Test Data
Lionel Briand450 views
Automating System Test Case Classification and Prioritization for Use Case-Dr... by Lionel Briand
Automating System Test Case Classification and Prioritization for Use Case-Dr...Automating System Test Case Classification and Prioritization for Use Case-Dr...
Automating System Test Case Classification and Prioritization for Use Case-Dr...
Lionel Briand373 views

Recently uploaded

Generic or specific? Making sensible software design decisions by
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsBert Jan Schrijver
6 views60 slides
Navigating container technology for enhanced security by Niklas Saari by
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas SaariMetosin Oy
8 views34 slides
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... by
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...Deltares
7 views40 slides
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)... by
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...Deltares
9 views34 slides
Keep by
KeepKeep
KeepGeniusee
73 views10 slides
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the... by
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...Deltares
6 views22 slides

Recently uploaded(20)

Generic or specific? Making sensible software design decisions by Bert Jan Schrijver
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
Navigating container technology for enhanced security by Niklas Saari by Metosin Oy
Navigating container technology for enhanced security by Niklas SaariNavigating container technology for enhanced security by Niklas Saari
Navigating container technology for enhanced security by Niklas Saari
Metosin Oy8 views
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... by Deltares
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
Deltares7 views
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)... by Deltares
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...
DSD-INT 2023 Modelling litter in the Yarra and Maribyrnong Rivers (Australia)...
Deltares9 views
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the... by Deltares
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...
DSD-INT 2023 Leveraging the results of a 3D hydrodynamic model to improve the...
Deltares6 views
DSD-INT 2023 3D hydrodynamic modelling of microplastic transport in lakes - J... by Deltares
DSD-INT 2023 3D hydrodynamic modelling of microplastic transport in lakes - J...DSD-INT 2023 3D hydrodynamic modelling of microplastic transport in lakes - J...
DSD-INT 2023 3D hydrodynamic modelling of microplastic transport in lakes - J...
Deltares9 views
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -... by Deltares
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...
Deltares6 views
Advanced API Mocking Techniques by Dimpy Adhikary
Advanced API Mocking TechniquesAdvanced API Mocking Techniques
Advanced API Mocking Techniques
Dimpy Adhikary19 views
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t... by Deltares
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...
Deltares9 views
DSD-INT 2023 European Digital Twin Ocean and Delft3D FM - Dols by Deltares
DSD-INT 2023 European Digital Twin Ocean and Delft3D FM - DolsDSD-INT 2023 European Digital Twin Ocean and Delft3D FM - Dols
DSD-INT 2023 European Digital Twin Ocean and Delft3D FM - Dols
Deltares7 views
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx by animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm13 views
What Can Employee Monitoring Software Do?​ by wAnywhere
What Can Employee Monitoring Software Do?​What Can Employee Monitoring Software Do?​
What Can Employee Monitoring Software Do?​
wAnywhere21 views
DSD-INT 2023 Machine learning in hydraulic engineering - Exploring unseen fut... by Deltares
DSD-INT 2023 Machine learning in hydraulic engineering - Exploring unseen fut...DSD-INT 2023 Machine learning in hydraulic engineering - Exploring unseen fut...
DSD-INT 2023 Machine learning in hydraulic engineering - Exploring unseen fut...
Deltares6 views
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra... by Marc Müller
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra....NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...
.NET Developer Conference 2023 - .NET Microservices mit Dapr – zu viel Abstra...
Marc Müller38 views
360 graden fabriek by info33492
360 graden fabriek360 graden fabriek
360 graden fabriek
info3349224 views
DSD-INT 2023 The Danube Hazardous Substances Model - Kovacs by Deltares
DSD-INT 2023 The Danube Hazardous Substances Model - KovacsDSD-INT 2023 The Danube Hazardous Substances Model - Kovacs
DSD-INT 2023 The Danube Hazardous Substances Model - Kovacs
Deltares7 views
SUGCON ANZ Presentation V2.1 Final.pptx by Jack Spektor
SUGCON ANZ Presentation V2.1 Final.pptxSUGCON ANZ Presentation V2.1 Final.pptx
SUGCON ANZ Presentation V2.1 Final.pptx
Jack Spektor22 views

Fuzzing for CPS Mutation Testing

  • 1. Fuzzing for CPS Mutation Testing Jaekwon Lee1,2, Enrico Viganò1, Oscar Cornejo1, Fabrizio Pastore1, Lionel Briand1,2 1 University of Luxembourg, 2 University of Ottawa ASE 2023 - September 14th, 2023
  • 2. 2 Mutation Testing SUT SUT SUT SUT Test suite Test suite Test suite Test suite SUT Test suite FAIL PASS FAIL FAIL PASS SUT Test suite PASS New test 1 New test 2 New test 3 FAIL FAIL FAIL Improve with automatically generated test cases SUT
  • 3. 3 Our focus: C/C++ software deployed on CPS
  • 4. 4 State-of-the-art Tool for C: SEMu § Based on symbolic execution (KLEE) § Excellent for testing command line utilities § Inapplicable to CPS (limitations of KLEE) § Unable to test functions with floating point parameters § Unable to test functions communicating over network § Dependency on LLVM
  • 5. 5 Grey-box Fuzzing § Can be an ideal solution for mutation testing § Generates test cases by exercising the compiled software § Not affected by the limitations of symbolic execution
  • 6. 6 Evolutionary Process in Grey-box Fuzzing SUT SUT New behaviour observed? (number of times branches are covered) Seed files Queue Test and collect coverage Select from queue Randomly modify file . . Test Crash SUT SUT Crashing inputs Yes: add to queue No: discard The grey-box fuzzing process demonstrated useful to generate diverse inputs that expose different faults
  • 7. 7 Grey-box fuzzing may Facilitate Mutation Testing § When an input leads to a program state that differs for the original and the mutated function, differences in code coverage might be observed § Additional modifications of such input may help propagating the infection and kill the mutant
  • 8. 8 Fuzzed Input 1 Fuzzed Input 2 Fuzzed Input 3 x=1,y=1,z=5 x=2,y=1,z=5 x=2,y=1,z=0 int max( int x, int y, int z){ int t; if (x >= y) t = x; branch 1: 1 1 1 else t = y; branch 2: 0 0 0 if (t >= z) return t; branch 3: 0 0 1 return z; branch 4: 1 1 0 } return 5 return 5 return 2 int mut_max( int x, int y, int z){ int t; if (x <= y) t = x; branch 5: 1 0 0 else t = y; branch 6: 0 1 1 if (t >= z) return t; branch 7: 0 0 1 return z; branch 8: 1 1 0 } return 5 return 5 return 1
  • 9. Fuzzed Input 1: x=1,y=1,z=5   Fuzzed Input 2: x=4,y=1,z=5   Fuzzed Input 3: x=4,y=1,z=0
      (the three values after each branch and each return are for Fuzzed Input 1, 2, 3)

      int max(int x, int y, int z) {
          int t;
          if (x >= y)
              t = x;        /* branch 1: 1 1 1 */
          else
              t = y;        /* branch 2: 0 0 0 */
          if (t >= z)
              return t;     /* branch 3: 0 0 1 */
          return z;         /* branch 4: 1 1 0 */
      }
      /* return 5, return 5, return 2 */

      int mut_max(int x, int y, int z) {
          int t;
          if (x <= y)
              t = x;        /* branch 5: 1 0 0 */
          else
              t = y;        /* branch 6: 0 1 1 */
          if (t >= z)
              return t;     /* branch 7: 0 0 1 */
          return z;         /* branch 8: 1 1 0 */
      }
      /* return 5, return 5, return 1 */
      [Annotation on the slide: infected state]
  • 10. Fuzzing is not for System-level CPS Testing
      [Figure labels: DDCM payload data, Sun sensor data, S-band antenna data]
  • 11. We aim to generate test cases at unit level, but this is not supported by grey-box fuzzers
  • 12. MutatiOn Testing wIth Fuzzing (MOTIF)
      1. Generate fuzzing driver
      [Diagram labels: Live Mutant, SUT source, Fuzzing driver; bit strings shown beside the driver: 0100100001110110000 1100101101110110000 0101101101110110000]

      int main(...){
          /* inputs for the original function */
          double x = load(..);
          double y = load(..);
          int z = load(..);
          /* separate copies of the inputs for the mutant */
          double m_x = load(..);
          double m_y = load(..);
          int m_z = load(..);
          ret = max(x,y,z);
          mut_ret = mut_max(m_x,m_y,m_z);
          /* abort (crash) when the original and the mutant disagree */
          if( ! match(ret, mut_ret) ){ abort(); }
          if( ! match(x, m_x) ){ abort(); }
          if( ! match(y, m_y) ){ abort(); }
          if( ! match(z, m_z) ){ abort(); }
      }
  • 13. MutatiOn Testing wIth Fuzzing (MOTIF)
      [Workflow diagram]
      1. Generate fuzzing driver: live mutant, SUT source, fuzzing driver
      2. Generate seed inputs: seed files
      3. Compile: executable fuzzing driver
      4. Mutation testing: execute fuzzer (AFL++) on the executable fuzzing driver; fuzzed file; post-processing; crashing files; files killing mutant
      5. Inspection: generate test case; test case
  • 14. MutatiOn Testing wIth Fuzzing (MOTIF)
      [Workflow diagram]
      1. Generate fuzzing driver: live mutant, SUT source, fuzzing driver
      2. Generate seed inputs: seed files
      3. Compile: executable fuzzing driver
      4. Mutation testing: execute fuzzer (AFL++) on the executable fuzzing driver; fuzzed file; post-processing; crashing files; files killing mutant
      5. Inspection: generate test case; test case; engineer compares outputs with specifications; bug found; new regression test
      [Annotations: Assign fuzzer inputs to input variables; Inspect results]
  • 15. Empirical Evaluation
      RQ1. How does MOTIF compare to mutation testing based on symbolic execution?
      RQ2. How does MOTIF perform with software that cannot be tested with symbolic execution?
      RQ3. How does MOTIF’s seeding strategy contribute to its results?
  • 16. Case Study Subjects
      Software deployed on space CPS from ESA project:
      § MLFS: the Mathematical Library for Flight Software
      § LIBU: a utility library from one of our industry partners
      § ASN1lib: a serialization/deserialization library generated with the ASN1SCC compiler
  • 17. RQ1. MOTIF vs Symb. Execution
      § We created SEMuP: a modified MOTIF pipeline that, instead of using AFL++, relies on KLEE/SEMu to generate test cases
      § We considered subjects where symbolic execution is applicable (e.g., no floating-point var):
          § ASN1Lib
          § 27 source files of LIBU
      § 1,499 mutants not killed by existing test suites
      § Executed both approaches for 10,000 seconds for each mutant
      § Repeated 10 times
  • 18. RQ1 Results
      Plots with datapoints belonging to each of the 10 runs
      [Two plots, ASN1Lib and LIBU: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds), MOTIF vs SEMuP; plot annotations: 10.5, 46.8]
      MOTIF kills 86.08% and 73.79% mutants (avg). It outperforms symbolic execution.
  • 19. RQ1 Results
      Plots with datapoints belonging to each of the 10 runs
      [Two plots, ASN1Lib and LIBU: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds), MOTIF vs SEMuP; plot annotations: 10.5, 46.8]
      Complementarity
      § MOTIF kills 252 mutants not killed by SEMuP. SEMuP kills 103 mutants not killed by MOTIF.
      § MOTIF kills 74 mutants not killed by SEMuP. SEMuP kills 1 mutant not killed by MOTIF.
  • 20. Summary: MutatiOn Testing wIth Fuzzing (MOTIF)
      https://github.com/SNTSVV/MOTIF
      https://faqas.uni.lu
      [Workflow diagram repeated from slide 14. Results plots repeated for RQ1 (MOTIF vs SEMuP) and RQ2 (MLFS, LIBU): killed mutants (0% to 100%) against execution time (0 to 10,000 seconds).]
  • 23. RQ2
      Executed MOTIF on subjects where symbolic execution is not applicable
      [Plot, MLFS and LIBU: killed mutants (0% to 100%) against execution time (0 to 10,000 seconds)]
      § Percentage of killed mutants is lower than for the other cases but MOTIF is still effective
          § Especially considering that MLFS is a math library with MC/DC test suite
      § Live mutants are hard to kill
      § Some of the mutants can be killed only with inputs belonging to a narrow portion of a large input domain
          § Numbers in a small range
          § Input strings that match a string stored in a global variable.
  • 24. RQ3: Seed Inputs vs Fuzzing
      § We focus on the proportion of mutants killed with seed inputs in the experiments for RQ1 and RQ2
      § Mutants killed by seeds:
          § RQ1 experiments:
              § LIBU: one mutant (less than 1% of all the mutants killed)
              § ASN1Lib: 280 mutants (24.15%)
          § RQ2 experiments:
              § MLFS: 76 mutants (5.43%)
              § LIBU: 26 mutants (21.66%)
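The coverage comparison on slide 8 and the driver sketched on slide 12, combined into one runnable C file. This is an added example, not code from the slides or from the MOTIF repository; `HIT`, `coverage_of`, `is_new` and `drive` are names made up here, the branch counters are hand-written instead of compiler-inserted, and the input file is assumed to hold three native `int` values.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit i is set when branch i (slide 8 numbering) runs; hand-written stand-in
   for compiler-inserted coverage instrumentation (assumption of this example). */
static unsigned cov;
#define HIT(i) (cov |= 1u << (i))

static int max(int x, int y, int z) {
    int t;
    if (x >= y) { HIT(1); t = x; } else { HIT(2); t = y; }
    if (t >= z) { HIT(3); return t; }
    HIT(4); return z;
}

/* Mutant from slide 8: ">=" in the first condition replaced by "<=". */
static int mut_max(int x, int y, int z) {
    int t;
    if (x <= y) { HIT(5); t = x; } else { HIT(6); t = y; }
    if (t >= z) { HIT(7); return t; }
    HIT(8); return z;
}

/* Branch bitmap for one input, original and mutant run side by side. */
unsigned coverage_of(int x, int y, int z) {
    cov = 0;
    max(x, y, z);
    mut_max(x, y, z);
    return cov;
}

/* Grey-box rule: keep the input if it reaches a branch not seen before. */
int is_new(unsigned seen, unsigned bitmap) { return (bitmap & ~seen) != 0; }

/* Driver body: -1 = input too short, 1 = mutant killed, 0 = outputs match. */
int drive(const unsigned char *buf, size_t len) {
    int in[3];
    if (len < sizeof in) return -1;
    memcpy(in, buf, sizeof in);   /* x, y, z decoded from the fuzzer's bytes */
    return max(in[0], in[1], in[2]) != mut_max(in[0], in[1], in[2]);
}

int main(int argc, char **argv) {
    unsigned char buf[64];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : stdin;
    if (!f) return 1;
    if (drive(buf, fread(buf, 1, sizeof buf, f)) == 1) abort(); /* killed */
    return 0;
}
```

On the original's branches alone (bits 1 to 4), Fuzzed Input 2 looks identical to Fuzzed Input 1 and would be discarded; it is the mutant's branch 6 that marks it as new and keeps it in the queue. A further change of z to 0 then makes the outputs differ, and the driver aborts.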