Toward a scalable method for quantifying aspects of fault tolerance, software assurance, and computer security

Philip Koopman
DOI: 10.1109/CSDA.1998.798360 (https://doi.org/10.1109/CSDA.1998.798360)
Published in: Proceedings Computer Security, Dependability, and Assurance: From Needs to Solutions (Cat. No.98EX358)
Publication date: 1998-07-09
Citations: 23

Abstract

Quantitative assessment tools are urgently needed in the areas of fault tolerance, software assurance, and computer security. The assessment methods typically employed, in various combinations, are fault injection, formal verification, and testing. However, these methods are expensive because they are labor-intensive, with costs scaling at least linearly with the number of software modules tested. Additionally, they are subject to human lapses and oversights because they require two different representations for each system, and then base results on a direct or an indirect comparison of those representations. The Ballista project has found that robustness testing forms a niche in which scalable quantitative assessment can be achieved at low cost. This scalability stems from two techniques: associating state-setting information with test cases based on data types, and using one generic, but narrow, behavioral specification for all modules. Given that this approach has succeeded in comparing the robustness of various operating systems, it is natural to ask whether it can be made more generally applicable. It appears that Ballista-like testing can be used in the fault tolerance area to measure the generic robustness of a variety of API implementations, and in particular to identify reproducible ways to crash and hang software. In software assurance, it can be used as a quality check on exception handling, and in particular as a means to augment black box testing. Applying it to computer security appears more problematic, but might be possible if there is a way to orthogonally decompose various aspects of security-relevant system state into analogs of Ballista data types. While Ballista-like testing is no substitute for traditional methods, it can serve to provide a useful quality assurance check that augments existing practice at relatively low cost. Alternatively, it can serve to quantify the extent of potential problems, enabling better informed decisions by both developers and customers.