The Relationship Between Software Bug Type
and Number of Factors Involved in Failures
Zachary Ratliff
Computer Security Division
Security Components & Mechanisms
6 August 2015
Background
Why do we want to determine this relationship?
• Help us better understand detection differences between
different types of software bugs
• Determine if complex software bugs fall within range for
using conventional covering arrays as seen in previous
studies
This is the first study looking at this relationship
Zachary Ratliff
(Computer Security / Security Components & Mechanisms)
The Relationship Between Bug Type and Number of Factors
Involved in Failures
6 August 2015 1
Trend of Software Interaction Strength
• The majority of faults are
induced by a single factor or
the joint combinatorial
effect of two factors.
• Progressively fewer faults
are induced by 3 or more
factors.
N-wise covering array
Counting Factors
Format String bug when:
n = %x%x%x%x & privs = true
• Two factors must be present to trigger the fault
• Could be detected with a 2-way covering array
Covering Arrays
• Each row is a single test
• (10 choose 3) × 2³ = 960 possible 3-way combinations
• All 3-way combinations generated with 13 tests
3-Way Covering Array (10 binary parameters)
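The two slides above (the 2-factor format-string fault and the 3-way covering array over 10 binary parameters) as one added worked example; this is example code, not code from the deck or from NIST's ACTS tool. It assumes a constructed three-parameter model for the format-string case (n, privs, and an unrelated mode parameter) and uses a simple greedy covering-array construction:

```python
from itertools import combinations, product

# Constructed parameter models for this example (not data from the deck).
# The deck's 2-factor fault: format-string bug when n = "%x%x%x%x" AND privs = true.
FORMAT_STRING_DOMAINS = (
    ("12", "%x%x%x%x"),          # n: a benign value vs. the format-specifier string
    (True, False),               # privs
    ("read", "write", "admin"),  # an unrelated third parameter (assumed)
)
# The deck's covering-array slide: 10 binary parameters, C(10,3) * 2^3 = 960 3-tuples.
TEN_BINARY_DOMAINS = tuple((0, 1) for _ in range(10))


def all_t_tuples(domains, t):
    """Every t-way value combination, keyed as (parameter indices, values)."""
    tuples = set()
    for idx in combinations(range(len(domains)), t):
        for vals in product(*(domains[i] for i in idx)):
            tuples.add((idx, vals))
    return tuples


def tuples_in_row(row, t):
    """The t-way combinations that one test row exercises."""
    return {(idx, tuple(row[i] for i in idx))
            for idx in combinations(range(len(row)), t)}


def t_way_coverage(tests, domains, t):
    """(covered, total): how many of the t-way combinations the test set exercises."""
    want = all_t_tuples(domains, t)
    have = set()
    for row in tests:
        have |= tuples_in_row(row, t)
    return len(have & want), len(want)


def greedy_covering_array(domains, t):
    """One-row-at-a-time greedy construction: each new row is the candidate that
    covers the most still-uncovered t-tuples, until nothing is left uncovered.
    Textbook version that enumerates every candidate row (fine for small inputs);
    it is not the algorithm used by ACTS and gives no size guarantee."""
    uncovered = all_t_tuples(domains, t)
    candidates = [(row, tuples_in_row(row, t)) for row in product(*domains)]
    tests = []
    while uncovered:
        best_row, best_tuples = max(candidates, key=lambda c: len(c[1] & uncovered))
        tests.append(best_row)
        uncovered -= best_tuples
    return tests


def format_string_fault(row):
    """Model of the deck's two-factor fault: both n and privs must take the
    triggering value. This is only a predicate over the row; nothing is formatted."""
    n, privs, _mode = row
    return n == "%x%x%x%x" and privs is True


def fault_exposed_by(tests):
    """True if at least one test row satisfies the fault condition."""
    return any(format_string_fault(row) for row in tests)


def demo():
    """Build 1-way, 2-way and 3-way arrays and report what each guarantees."""
    one_way = greedy_covering_array(FORMAT_STRING_DOMAINS, 1)
    two_way = greedy_covering_array(FORMAT_STRING_DOMAINS, 2)
    three_way = greedy_covering_array(TEN_BINARY_DOMAINS, 3)
    return {
        # 1-way: every value appears, but the (n, privs) pair need not; the fault can be missed
        "one_way_tests": len(one_way),
        "one_way_exposes_fault": fault_exposed_by(one_way),
        # 2-way: every pair appears, so the 2-factor fault is necessarily exercised
        "two_way_tests": len(two_way),
        "two_way_exposes_fault": fault_exposed_by(two_way),
        "two_way_coverage": t_way_coverage(two_way, FORMAT_STRING_DOMAINS, 2),
        # 3-way over 10 binary parameters: all 960 3-tuples in far fewer than 1024 rows
        "three_way_tests": len(three_way),
        "three_way_coverage": t_way_coverage(three_way, TEN_BINARY_DOMAINS, 3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The greedy builder will not reach the 13-row array shown on the slide, but it still covers all 960 3-way combinations with a small fraction of the 1024 exhaustive rows, and the 2-way array is guaranteed to contain the row that exercises the two-factor fault.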
Applications of Combinatorial Testing
Lockheed Martin joint work with NIST applied basic
combinatorial testing to 8 different pilot projects
• Could save up to 20% of testing costs if used early
enough on a program
• Could increase test coverage by 20% to 50%
Classifications of Software Bugs
• Bohrbug (BOH)
• Non Age-Related Mandelbug (NAM)
• Age-related bug (ARB)
• Unknown (UNK)
Research at Duke University looking at different aspects of
failures
Bohrbug
• Only direct factors
• Less complicated to reproduce
Mandelbug
• At least one indirect factor
• May have direct factors
• More complex error propagation
• Includes age-related bugs
Direct versus Indirect Factors
Direct
• User input causes buffer
overflow
• Wrong output when a negative
number is passed to a function
Indirect
• The internal clock is out of sync
with real time causing a
calculation to be incorrect
• Program crashes only when run on an x86 Windows 7 operating system
MySQL Data
242 total bugs:
BOH 125 (51.65%)
NAM 67 (27.69%)
ARB 15 (6.20%)
UNK 35 (14.46%)
We could not determine the
factors present in approximately
25% of the bugs analyzed
Coverage Analysis
Cumulative percentage of bugs triggered by interaction strength 1 to 5:
Interaction strength:   1     2     3     4     5
Bohrbugs:              41%   84%   97%  100%    -
Mandelbugs:            31%   69%   90%   97%  100%
• MySQL software bugs followed the same trend as software in
previous studies
• Determined that Mandelbugs had a significantly higher
average interaction strength
MySQL Interaction Strength
(Chart: coverage (%) from 0 to 100 against interaction strength 1 to 5, series SQL-Bohrbugs and SQL-Mandelbugs)
Discovery of MySQL Software Bugs
• Are bugs with higher interaction strengths found later
in the software life-cycle?
Considerations:
- Increase of users
- Better testing practices
Bug Discovery
What it means for Software Testers
• Finding Mandelbugs during software testing can be very expensive and time consuming
• In the past, testers failed to locate complex bugs early in the software lifecycle
The interaction strength of a software bug correlates with the time period of the bug's discovery
• Complex software bugs, i.e. Mandelbugs, fall within range for conventional covering arrays used in combinatorial testing
• A confidence level similar to that of exhaustive testing can be achieved when using combinatorial testing for complex software bugs
This is contingent on indirect factors being present at the time of testing
- More studies are needed to further firm up our conclusions
- Currently working on analyzing NASA software bugs
Combinatorial Testing Tools
• ACTS – Automated Combinatorial Testing for Software
http://csrc.nist.gov/groups/SNS/acts/index.html
• ComTest – Combinatorial Testing Plugin for the Eclipse IDE
https://github.com/comtest/comtestnist
Special Thanks
• Rick Kuhn, National Institute of Standards and Technology
• Raghu Kacker, National Institute of Standards and Technology
• Kishor Trivedi, Duke University
• Michael Grottke, University of Erlangen-Nuremberg
• Zheng Zheng, Beijing University of Aeronautics and Astronautics
• Allen Nikora, NASA / Jet Propulsion Laboratory
• SURF Program, National Institute of Standards and Technology
References
1. Covering arrays: D.R. Kuhn, R.N. Kacker, Y. Lei, J. Hunter, "Combinatorial Software Testing", IEEE Computer Society, August 2009
2. Distribution of faults: D.R. Kuhn, D.R. Wallace, A.M. Gallo, Jr., "Software Fault Interactions and Implications for Software Testing", IEEE Transactions on Software Engineering, June 2004
3. Lockheed Martin / NIST study: J. Hagar, T. Wissink, D.R. Kuhn, R.N. Kacker, "Introducing Combinatorial Testing in a Large Organization", IEEE Computer, April 2015
4. Software Bug Classifications / Indirect vs. Direct Factors: M. Grottke, A.P. Nikora, K.S. Trivedi, "An Empirical Investigation of Fault Types in Space Mission System Software", IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), June/July 2010