Research Article An Approach of Vulnerability Testing for Third...

Hindawi Publishing CorporationThe Scientific World JournalVolume 2013 Article ID 609254 11 pageshttpdxdoiorg1011552013609254

Research ArticleAn Approach of Vulnerability Testing for Third-PartyComponent Based on Condition and Parameter Mutation

Jinfu Chen1 Jiamei Chen1 Yongzhao Zhan1 Weihe Chen1 and Rubing Huang2

1 School of Computer Science and Tele Engineering Jiangsu University Zhenjiang 212013 China2 School of Computer Science and Tech Huazhong University of Science and Technology Wuhan 430074 China

Correspondence should be addressed to Jinfu Chen jinfuchenujseducn

Received 6 June 2013 Accepted 10 July 2013

Academic Editors J Pavon and J H Sossa

Copyright copy 2013 Jinfu Chen et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

The research on component vulnerability testing is critical In this paper an approach of vulnerability testing is proposed based oncondition mutation and parameter mutation in order to effectively detect the explicit vulnerabilities of third-party components Tostart with the Pre-condition Mutation Algorithm (PCMA) is presented to generate mutants set of the pre-condition and test casesare generated based on these mutants Then the Single Parameter Mutated Values (SPMV) procedure is addressed to generateparameter values based on mutation operators of parameter specification These values are then taken as the input of the TestCase Generation Algorithm based on the Parameter Constraint (TCGPC) which is addressed to generate test case set violating theparameter constraint The explicit vulnerabilities can be detected by the vulnerability detecting algorithm based on the test casesof condition and parameter mutation The experiments show that our approach can detect explicit vulnerability faults of third-party components Furthermore the proposed approach can detect more vulnerability faults than other related approaches such ascondition coverage methods fuzzy testing method and boundary value method

1 Introduction

With the development of component technologies the num-ber of the applications of the third-party components isincreasing in some safety-critical software such as medicalsoftware and bank software Over the past 30 years theresearch mainly has focused on functionality testing whichdoes its best to find faults in developing and implemen-tation of components However vulnerability testing ofcomponents which detects component flaws threateningthe security of the computer system by violating securityrequirements including memory leak and buffer overflowhas been ignored in the current component developmentespecially in the development of third party componentsSince source codes of third party components are unavailableand third party components are highly independent white-box testing technologies cannot be successfully appliedwhich leads to the challenges and difficulties for testing thevulnerability of third party components In addition currentresearch on component security testing is rare which mainlyfocuses on security characterization security assessment

component deployment and wrapper testing method secu-rity testing based on fault injection formal methods Jabeenand Jaffar-Ur Rehman [1] proposed security requirementspecification for enhancing testability of component securitywhich provided specifications from the perspectives such asresources allocation environment deployment and methodinvocation However it did not figure out specific testingapproach Bertolino and Polini [2] addressed a frameworkfor component deployment testing which added a spy classin the tested component to collect and compare runningstate of the tested component and the resources allocationIn case of related running status and environment variablesviolating security requirement specification we can con-clude that security vulnerabilities exist Haddox et al [3]presented a wrapper testing method which wrapped testedcomponent Extra input and output interfaces are addedfor testing the component in the wrapper and the data areallowed to flow into and out the component at the publicwrapping interface level The wrapper method can analyzethird party components based on requirement specificationin the theory However a theory model was given in the

2 The Scientific World Journal

approach proposed by Bertolino and M Haddox whosefeasibility is not verified by some effective experiments Inaddition Chen et al [4] addressed a software security testingapproach based on fault injection which to some extentcould detect explicit security vulnerabilities of componentsBut its testing process is complex and the testing efficiencyis not very ideal without considering the effect of inter-face parameter constraint and method precondition Thedrawbacks of proposed methods are mainly lacking specificeffective experimental approaches to verify the efficiency ofthe proposed methods In order to address these drawbacksa testing approach is presented based on testing methodsequences Testing method sequences have higher statementand branch coverage quality which lead to better testingefficiency [5] Therefore considering the characteristics ofexplicit exceptions and the notion of specification muta-tion [6ndash8] this paper proposes an approach using condi-tion mutation and parameter mutation based on methodsequences Since security vulnerabilities of most software areoften caused by errors in judgment statements and condi-tional expressions condition mutation method is presentedFirstly the precondition is extracted from the requirementspecification and then test cases are generated which satisfyand violate the precondition expression Based on these testcases whether security vulnerabilities exist or not is judgedaccording to the postcondition expression In the parametermutation method the corresponding mutation operators arefirstly selected according to a parameter type to generate testvalues Then the test cases are generated based on value andrelation constraint extracted from the requirement specifica-tion Finally the security exceptions will be detected by usingcomponent vulnerability detecting algorithmThis paper notonly proposes a component vulnerability testing approachbut also figures out the framework of the vulnerability testingapproach Some experiments are conducted to verify thefeasibility of proposed approach

The remainder of this paper is organized as follows Thevulnerability testing framework is described in the next sec-tion Condition mutation testing algorithm is presented inSection 3 and parameter mutation testing algorithm is addre-ssed in Section 4 Some experiments are conducted to verifyour approach in Section 5 In the end the conclusions aredrawn in Section 6

2 Vulnerability Testing Framework

In this section a vulnerability testing framework will bedescribed A testing approach of condition and parametermutation was presented based on component requirementspecification which is the main part of the frameworkThe vulnerability testing framework proposed in this paperis shown in Figure 1 In order to accurately describe theframework several definitions are firstly given as follows

Definition 1 Precondition (Prc) is a series of constraint cond-itions which must be true before the method can be invoked

Definition 2 Postcondition (Poc) is the condition whichshould be true after a method is invoked and decides the

Tested method sequences

Generating methodconditions

Parameter specificationmutation

Precondition mutation

Test result setof condition

mutation

Security vulnerabilitiesdetecting algorithm for

condition mutation

Testing report of component security vulnerabilities


parameter mutation

Test result setof parameter

mutation

Figure 1 The framework of vulnerability testing

Table 1 RRF operator

Before mutation lt le gt ge = =

After mutation gt = gt lt = lt lt gt =

correctness of the operations performed Postcondition canbe expressed with such information as return value theoutput result parameter value and environment variables

Definition 3 Conditionmutation operator namely relationaloperator reference fault operator (RRF) can convert therelational operator in a simple relational expression to reverseoperator The detailed information is shown in Table 1

Definition 4 Requirement specification (RSF) of componentsecurity is described by XML format according to someschema which is provided by developers or obtained throughanalyzing function description and IDL information by com-ponent users Referring to requirement specification in theliterature [9] method precondition method postconditionvalue and relation constraint for method parameters areadded to RSF

Definition 5 Method sequences are feasible execution seque-nces that can be generated by data mining technology [10]

Based on the above definitions vulnerability testingframework is described as follows On the one hand theprecondition and postcondition of eachmethod are extractedfrom RSF and test data that meet precondition are generatedThen RRF mutation operator is applied to mutate precon-dition to generate precondition mutants and test data thatviolate precondition are generated as method input basedon precondition mutants Finally method sequences areexecuted to detect whether vulnerabilities exist in the com-ponent by vulnerabilities detecting algorithm for conditionmutation On the other hand parameter mutation generatestest data that easily trigger component exceptions throughusing related mutation operators according to the parametertypeThen combinational testingmethod is applied to reducethe number of test cases and test cases are selected by valueand relation constrains In the end the method sequences

The Scientific World Journal 3

are run and whether vulnerabilities exist will be judged bycorresponding vulnerabilities detecting algorithm

3 Condition Mutation Testing Algorithm

In this section condition mutation testing algorithm isaddressed Component security vulnerabilities are oftencaused by wrong judgment statements and condition expres-sions Incorrect relational operators usually lead the methodto execute a different branch so that the method returns mis-taken result Condition mutation aims to test the relationalexpression in method precondition Test cases that meet andviolate precondition statement are generated Combinedwithpostcondition test cases are input into method sequence toverify whether the vulnerabilities exist in judgment state-ment Some related definitions are firstly given as followsbefore specific algorithms are described

Definition 6 Precondition (Prc) consists of relational expres-sions and logical operators In boolean logic a boolean for-mula can be represented in the disjunctive normal form(DNF) whichmeans that a boolean formula is in DNF if it is adisjunction of cubes each of which is a conjunction of literals[11] Therefore Prc can be represented in DNF namelyExp11ampampExp

12 ampampExp

1119904 sdot sdot sdot Exp

1198981ampampExp

1198982 ampamp

Exp119898119905 A relational expression Exp

119894119895is regarded as a literal

in boolean logic and Exp11ampampExp

12 ampampExp

1119904is a cube

which is a conjunction of 119904 relational expressions

Method precondition and postcondition (see Definitions1 and 2) are the expressions connecting parameters environ-ment variables (properties) with relational operators logicoperators and arithmetic operators For example a bankingwithdrawmethod void withdraw (int119886) 119886 is the withdrawingamount 119887 is new balance after the method is invoked and1198871 is the balance before the method is invoked and thenpostcondition should be 119886 + 119887 == 1198871

Definition 7 Constraint equation set Prc is short for the pre-condition in DNF Prc = Exp

11ampampExp

12 ampampExp

1119904 sdot sdot sdot

Exp1198981ampampExp

1198982 ampampExp

119898119905 the corresponding 119898 constr-

aint equation sets are expressed as follows

Exp11

Exp12

Exp1119904

Exp1198981

Exp1198982

Exp119898119905

(1)

The relational expression Exp119894119895 119891(1199091 1199092 119909

119899) loz 0 loz is a

relational operator and 119909119894is a variable of the relational expre-

ssion so a constraint equation set is expressed as follows

1198911(1199091 1199092 119909

119899) 0

119891119896(1199091 1199092 119909

119899) 0

(2)

Definition 8 If an equation includes only one variable thenthe equation is simple otherwise it is complex

The subalgorithms on condition mutation are presentedas follows

(1) Test Case Generation Approach Based on ConstraintEquation Set (TCES) A precondition can be expressed as aconstraint equation set or several equation sets and TCES isdesigned for solving these sets to assign certain value to eachvariable in the set Finally the solutions of equation sets aremergedThe solution procedure of the relational equation setis described as follows [12]

Step 1 Define the initial domain for a variable 119909119894according

to the simple equation of 119909119894 and the initial domain of other

variables that do not appear in simple equations is (minusinfin+infin)After definition all simple equations are removed from theset

Step 2 Variable 119909119888is selected as current variable that appears

most frequently in complex equations or whose domain is thenarrowest Randomly select a value from the domain of 119909

119888

and assign the value to 119909119888

Step 3 Substitute the value of 119909119888into complex equations

Step 4 If simple equations appear in the set after 119909119888is

assigned then according to these simple equations redefinethe domain of variables that appear in simple ones If thesubset of two domains is empty backtrack algorithm will becalled

Step 5 Repeat the above process until all variables areassigned

There are several shortcomings in the above five stepsThe backtrack algorithm in this approach is very time-consuming and it restricts the efficiency of the algorithm ifthe equation set has no solution Thus a criterion is designedfor judging whether an equation set has solutions to avoidmany backtracks to insoluble equation set The criterion isshown as follows In each equation variables are moved tothe left of the relational operator and constants are movedto the right Then the algorithm can detect whether there isa group of equations whose left expression sum is equal tozero but right expression sum is not equal to zero If the abovesituation appears the equation set is insoluble

It is supposed that there are 119898 equation sets these equa-tion sets totally include V variables and each set averagely has119896 equations The order of the average complexity of TCES is119874(119898 sdot V sdot 119896) Precondition mutation algorithm is illustrated asin Algorithm 1

(2) Precondition Mutation Algorithm (PCMA) PCMAalgorithm is designed to generate all expressions that makeprecondition false Prc is supposed to have 119898 subitemsFirstlyMSA(119864

0) procedure is applied to obtain all mutants of

the first subitem and theses mutants are traversed if one ofthem for example 119905 and the mutant 119904 fromMSA(119864

119894) do not

own mutually exclusive relation expressions by IsExclusiveprocedure then 119905ampamp119904 is merged into 119879 After traverse isfinished the above procedure is repeated with 119879 and 119864

2up

to 119864119898 For analyzing the complexity of PCMA MSA(119864

119894) is

supposed averagely to have 119896mutants and then the order ofthe complexity of algorithm is 119874(119898 sdot 119896

2)


Stipulation119864 = Exp11ampamp11986411990911990112 ampamp1198641199091199011119904 1198641199091199011198981ampamp1198641199091199011198982 ampamp119864119909119901119898119905119864119894= 119864119909119901

1198941ampamp119864119909119901

119894119895 ampamp119864119909119901

119894119899 119864119894119895= 119864119909119901

119894119895 119879 is the mutant set of pre-conditions

Input119864Output T(01) 119878 =MSA(119864

0)

(02) 119879 = Φ(03) for(119894 = 1 119894 lt 119898 ++i)(04) (05) 119879 = Φ(06) for(each 119909 in 119878)(07) for(each 119910 inMSA(119864

119894)

(08) if (IsExclusive(x ampamp y)(09) 119879 = 119879 cup (x ampamp y )(10) 119878 = 119879(11) (12) return 119879

Algorithm 1 PCMA

Stipulation119864119894= Expi1ampamp119864119909119901119894119895ampamp ampamp119864119909119901119894119899

(01)119872119878119860 (119864119894)

(02) (03) RRF(119864119909119901

119894119896) = Mutants obtained after RRF operator is used to mutate 119864119909119901

119894119896

(04) 1198791198941= 119864119909119901

1198941 RRF(119864119909119901

1198941) 119879119894119895= 119864119909119901

119894119895 RRF(119864119909119901

119894119895) 119879119894119899= 119864119909119901

119894119899 RRF(119864119909119901

119894119899)

(05) 119878 = (1205901ampamp120590119895ampamp ampamp120590

119899) | 1205901isin 1198791198941 120590119895isin 119879119894119895 120590119899isin 119879119894119899

(06) 119878 = 119878 minus 119864119894

(07) return 119878(08)

Procedure 1 MSA(Mutation Sub-item Approach)

(01) 119868119904119864119909119888119897119906119904119894119907119890 (119864119894 119864119895)

(02) (03) if (exist(119864

119894119904 119864119895119905) ampamp (119864

119894119904cap 119864119895119905 = Φ))

(04) return true(05) else(06) return false(07)

Procedure 2 119868119904119864119909119888119897119906119904119894119907119890()

MSA(119864119894) procedure uses RRF operator to generate

mutants thatmake119864119894false IsExclusive procedure is designed

for judging whether two subterms have mutually exclu-sive relation expression Two procedures are respectivelydescribed as Procedure 1 (MSA) and Procedure 2 (IsExclu-sive)

MSA() procedure is designed to obtain all mutants ofsubitem 119864

119894 It is supposed that 119864

119894has 119899 relation expressions

Each expression generates several mutants using RRF oper-ator For example the expression is 119886 gt 119887 and its mutantset is 119886 = 119887 119886 lt 119887 The expression and correspondingmutants are seen as one term of ldquoCartesian ANDrdquo that issimilar to ldquoCartesian Productrdquo whose operator is replaced

by logic AND The final result removes 119864119894 MSA() at most

generates 3119899-1 mutantsThis procedure is defined to judge whether 119864

119894and 119864

119895are

mutually exclusive If 119864119894119904being from 119864

119894and 119864

119895119905being from

119864119895are mutually exclusive then true is returned For instance

119864119894= 119886 gt 0ampamp 119887 gt 10 119864

119895= 119886 lt 10ampamp 119887 = 3 119887 gt 10 in

119864119894 and 119887 = 3 in 119864

119895are mutually exclusive therefore 119864

119894and

119864119895are mutually exclusive Vulnerability detecting algorithms

based on condition mutation are described as follows

(3) Security Vulnerabilities Detection Algorithm Basedon Condition Mutation The SVDACM algorithm is shownas Algorithm 2 This algorithm can successively test eachmethod in the method sequence If the method has a precon-dition the TCES algorithm is invoked to generate legal datafor running themethod In case of any exception is thrown orthe postcondition is violated after the tested method is runthen security vulnerabilities exist In the meantime PCMAalgorithm is invoked to mutate the precondition and thentest cases are generated based on TCES algorithm to violateprecondition If the method is successfully run then thetested component is insecure In addition if the method hasno precondition test cases are generated by boundary valueand fuzzy testing approach combined with postcondition todetect whether the method is correct


Input method sequences Paths pre-conditions Pres post-conditions PostsOutput condition testing report CR(01) for (each Path in Paths)(02) for (eachmethod in Path)(03)

(04) if (method has pre-condition(Prc))(05)

(06) call TCES to generate test cases that meet Prc(07) runmethod(08) if (method throws exceptions)(09)

(10) catch the exceptions(11) The information including exceptions test cases method and pre-condition are recorded into CR(12)

(13) if (post-condition is violated)(14) The information including test cases method and pre-condition are recorded into CR(15) call PCMA to obtain mutated constraint equation set S(16) call TCES to solve S(17) runmethod(18) if (method is run successfully and actual result is different from expected result)(19) The information including test cases method and mutated condition are recorded into CR(20)

(21) else(22)

(23) some fuzzed values and boundary values are generated to runmethod(24) if (post-condition is violated)(25) The information including test cases method and post-condition information are recorded into CR(26)

(27)

(28) return CR

Algorithm 2 SVDACM

For analyzing the time complexity of SVDACM it issupposed that the method number of sequences is 119901 theaverage number of each sequence is 119902 precondition has119898 subitems every subitem includes 119896 expressions and Vvariables are included Since the order of the time of TCESis 119874(119898 sdot V sdot 119896) and that of PCMA is 119874(119898 sdot 3

2119896) the order of

the time complexity of SVDACM is 119874(119901 sdot 119902 sdot (119898 sdot V sdot 119896 + 119898sdot32119896))

4 Parameter Mutation Testing Algorithm

The purpose of parameter mutation is to generate the dataset that can easily trigger underlying errors in the componentmethod Firstly a series of values is generated through usingall related mutation operators according to the parametertype For numeric parameter values assigned to the param-eter which meet value constraint are selected so as to beinput into the tested method For a parameter of anothertype values which violate value constraint are selectedCombinational testing method is used to reduce the numberof test cases Final test cases which violate relation constraintare selected to trigger security exception If any exception istriggered in the methods or the postcondition is violated itis demonstrated that the method is insecure and exceptionalTest cases and method information are saved to further findout the location of security exception in the tested method

Several definitions are given as follows related to specificalgorithms

Definition 9 Value constraintmeans that the parameter valueis restricted in the certain scope For example index is theindex of an array and then value constraint of index is indexge0 For another example 119886 is denoted as an edge variable ofa triangle and then the constraint of 119886 is 119886 gt 0

Definition 10 Relation constraint means that constraint mayexist between parameters which is described as the expres-sion that is prone to be mistaken or be omitted For instancea method whose function is to judge the type of a triangle has3 parameters that is 119886 119887 119888 for three edges of a triangle andthen a programmer possibly makes a mistake or omits thejudgment statement of nontriangle Thus relation constraintof the method is such expression as 119886 + 119887 gt 119888ampamp 119886 + 119888 gt

119887ampamp 119887 + 119888 gt 119886

Definition 11 18 mutation operators related to parametersare proposed based on the literature [4] according to eightparameter types namely integer char float Boolean stringpointer array and structure They are shown in Table 2

In Table 2 AIV operator is designed for an array to gener-ate irregular values For example the sequence of elements of


Table 2 Mutation operators of parameters of different types

ID Operator Brief description Cases

01 PSN Set the value of a nullableparameter to be Null

Set the value of a parameter whose value can be Null such as String a = Null objectb = Null

02 IPOInsert Parameter Operator

into the value assigned to theparameter

Insert absolute value symbol or unary operator(++minusminusminussim) into the value assignedto the parameter

03 PFB Parameter Flip Bit Flip the value or flip the value of a bit04 IIV Integer Irregular Value 0 plusmn (1 28 minus 1 28 28 + 1 216 minus 1 216 216 + 1 232 minus 1 232 232 + 1 264 minus 1 264 264 + 1)

05 FIV Float Irregular Value 0 plusmn (1 340282311986438 340282311986438 + 1 340282311986438 minus 1 179769313486232119864308179769313486232119864

308+ 1 179769313486232119864308 minus 1)

06 CIV Char Irregular Value lsquoArsquo lsquoZrsquo null lsquoarsquo lsquozrsquo lsquo rsquo lsquo rsquo lsquo(rsquo lsquo[rsquo lsquonrsquo lsquo0rsquo lsquosrsquo lsquodrsquo07 BIV Boolean Irregular Value Correct Incorrect Tru Fal minus1 108 RSV Random String Value Escape character stringldquoenrdxsrdquo ldquoxffxfex00x01x42xb5nnnnh9ccrdquo

09 LSV Long String Value Generate String(int n) such asldquoAAA (256)rdquo ldquoAAA (1024)rdquo ldquoAAA (15000)rdquo

10 FSV Format the Value of String ldquon n (256 chars)rdquo ldquos s (1024 chars)rdquo11 DSV the Value of Directory String ldquordquo ldquordquo ldquordquo ldquoAAA rdquo

12 USV URL and Value of File PathString

ldquohttpdddddddeeeeerrtttttrdquo ldquoCsytem32Notepadexerdquo ldquoHABCkillviruseserdquoldquoDAAexeexerdquo

13 CSV the Value of Command String ldquocmdexec dirrdquo ldquodel lowastlowast srdquo14 SSI SQL String Injection ldquoa or 1 = 1rdquo ldquodeleterdquo ldquodrop table usersrdquo15 CSS Cross Site Scripting ldquoltscriptgtalert(document location)ltscriptgtrdquo16 PIV Pointer Irregular Value Null minus1 the pointer pointing to freed memory or to the end of the allocated memory

17 AIV Array Irregular Value

Change the order of array elements into ascending descending or disorder orderchange the value of array element to plusmn (maximum minus 1 maximum + 1 maximumminimum minimum + 1 and minimum minus 1) set the index of the array to (the lengthof array) plusmn 1

18 SIV Structure Irregular Value Set members of a structure to boundary values Set every member to irregular valuesaccording to the memberrsquos type

the array is changed into ascending order descending orderand disorderThe value of the element located into particularposition is changed just as a[0] which stores the length of thearray assigned to a negative numberThe value of the elementis set to certain value such as119898119894119899119894119898119906119898plusmn1119898119886119909119894119898119906119898plusmn1 andnormal valueThe length of the array is changed SIV operatoris designed for a structure type parameter which is used tomutate simple members of a structure If the parameter typeis integer these operators including PSN IPO PFB and IIVare used to generate mutation integer values If the parametertype is char these operators including PSN IPO PFB andCIV are used to generate irregular values and change thevalue of a char parameter into mutated values SimilarlyPSN and FIV operators are used to mutate a parameter oftype float and PSN and BIV operators are used to mutate aparameter of type Boolean PSN RSV LSV FSV DSV USVCSV SSI andCSS operators are applied for a string parameterto generate random string and other strings which can triggersecurity exceptions PSN and PIV operators are conductedto make pointer parameter point to freed memory and theend of the allocated memory to trigger security exceptionsFor an array parameter PSN and AIV operators are used togenerate mutated values PSN and SIV operators are applied

for a structure parameter to generate irregular values andspecial values which can trigger explicit exceptions for everymember of the structure

The test case generation algorithms based parameterconstraint are described as follows

(1) Test Case Generation Based on Parameter Constraint(TCGPC) Data set is generated by calling single parametermutated values (SPMV) procedure corresponding parametertype Since the size of this set is very large combinationaltesting method is applied to reduce the size of test case setTest cases which do not meet relation constraint are selectedto trigger security exceptions TCGPC algorithm is describedas in Algorithm 3

The main steps of TCGPC algorithm are illustrated asfollows Firstly parameter values are generated by callingSPMV procedure corresponding parameter type for eachparameter of the tested method Then if the parameter typeis numeric values which meet value constraint are selectedOtherwise values which do notmeet value constraint are alsoselected If the tested method includes only one parameterthen the corresponding result set is returned If the numberof parameters is two then pairwising testing is applied If


Stipulation n is denoted as the number of parameters type[119899] is an array of n parameter types ps[119894][119895] is the jth value of theith parameter valCS is defined as value constraint sets relCS is denoted as relation constraint setsInput type[119899] n ps[119894][119895] valCS relCSOutput Test case set ts(01) for 119894 = 0 to 119899 minus 1(02) the value set of the ith parameter ps[119894] = SPMV(type[119894])(03) for (each p in ps[119894])(04) if(the type of p is numeric type ampamp p does not meet valCS[119894])(05) 119901119904 = 119901119904[119894] minus 119901(06) else if(the type of p is other type ampamp pmeets valCS[119894])(07) 119901119904 = 119901119904[119894] minus 119901(08)

(09)

(10) if(119899 == 1) return ps[0](11) else if(119899 == 2)(12) using pair-wise combinational testing method to generate test cases ts(13) else if(n gt= 3)(14) using 3-tuple combinational testing method to generate test cases ts(15) for (each t in ts)(16) if(t meets relCS)(17) 119905119904 = 119905119904 minus t(18)

(19) return ts

Algorithm 3 TCGPC

(01) object[] SPMV(T type)(02) (03) swich(type)(04)

(05) case integer PSN IPO PFB and IIV are used to test values ts break(06) case char PSN IPO PFB and CIV are used to test values ts break(07) case float PSN and FIV are used to test values ts break(08) case Boolean PSN and BIV are used to test values ts break(09) case string PSN RSV LSV FSV DSV USV CSV SSI and CSS are used to test values ts break(10) case pointer PSN and PIV are used to test values ts break(11) case array PSN and AIV are used to test values ts break(12) case structure PSN and SIV are used to test values ts break(13)

(14) return ts(15)

Procedure 3 SPMV()

the tested method includes no less than 3 parameters then3-tuple combinational testing method is used for generatingcombinational test cases Finally test cases which do notmeetrelation constraint are selected to trigger errors For analyzingthe time complexity of TCGPC algorithm it is supposed thatthe tested method has 119899 (119899 ge 3) parameters and the numberof the 119894th parameter value is denoted as V[119894] these V[119894] areobtained after SPMV procedure is called In addition 119889 isdenoted as V[0] (V[0] ge V[1] ge sdot sdot sdot ge V[119899 minus 1]) Theorder of the time complexity before combinational testingis 119874(119899 sdot 119889) Referring to the literature [13] the order of thetime complexity of combinational testing is 119874(119889119899+3 sdot 1198992 + 1198894 sdot1198992sdot log(119899)) and then the order of the time complexity after

combinational testing is 119874(1198623119899sdot 1198893) Thus the order of the

time complexity of TCGPC is 119874(1198623119899sdot 1198893+ 119889119899+3

sdot 1198992+ 1198894sdot 1198992sdot

log(119899))

(2) Single Parameter Mutated Values (SPMV) This pro-cedure uses all related operators according to the parametertype to generate test cases It is shown as in Procedure3 SPMV procedure generates parameter values for eighttypes of parameters using corresponding operators that arelisted in Table 2 Vulnerability detecting algorithms based onparameter mutation are described as follows

(3) Security Vulnerability Detecting Algorithm Based onParameter Mutation The SVDAPM algorithm is shownas Algorithm 4 SVDAPM will scan each method of eachsequence If a method includes at least one parameter TCES


Input Paths is defined as method sequences setOutput Parameter Mutation Report (PMR)(01) for(each Path in Paths)(02) for(each Method in Path)(03)

(04) if(Method has parameters)(05)

(06) call TCGPC to generate test cases TS(07) for(each test in TS)(08)

(09) test is substituted intoMethod and runMethod(10) if(actual result is different from exception result)(11) Method parameters and test information are recorded into PMR(12)

(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM

algorithm is invoked to obtain test cases which are inputtedinto the method then the tested method is run If the actualresult is different from exception result then it is shown thatthe test case is effective Furthermore the testing result willbe written into PMR It is assumed that there are 119901 sequencesand each sequence includes 119898 methods and then the orderof the time complexity of SVDAPM algorithm is119874(119901sdot119898sdot(1198623

119899sdot

1198893+ 119889119899+3

sdot 1198992+ 1198894sdot 1198992sdot log(119899))

5 Experiments and Analyses

In order to verify the feasibility of the proposed approach andcorresponding algorithms some experiments are respec-tively conducted based on condition and parametermutationapproach The experiments are performed in C languagebased on common environment such as Windows XP VisualStudio NET 2008 development environment PC with 2GBmemory 293GHz CPU and 500GB compatible hard diskThe complete testing process is described as follows (1)Analyze the interface information of the third party com-ponent based on type library to obtain component interfaceinformation (2) security requirement specification is definedaccording to component description and IDL information(3) the precondition and postcondition of the tested methodare extracted from specification and method sequences aremutated (4) value and relation constraints are extracted fromspecification and method sequences are mutated (5) vul-nerability detecting algorithms are called and vulnerabilitytesting report is generated The testing process is shown inFigure 2

51 Experiment and Analysis of Condition Mutation TestingIn order to verify the feasibility of condition mutationapproach two components which exist in explicit vulnera-bilities that is TestCondiDll1dll and TestCondiDll2dll aretested in the experiment The detail information of two com-ponents is shown inTable 3 TestCondiDll1dll has 6methodsand the number of code line is 63 TestCondiDll2dll is

Tested component

Interface analysis

XML file of component interfaceinformation

Security requirement specification

Generate method sequences

Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng

Obtain the testing report

Figure 2The testing process of condition and parameter mutation

composed of 7 methods which includes 70 code lines AnRRF fault is injected into each method and thus the firstcomponent has 6 faults injected and the second one has 7faults injected

The experimental result of TestCondiDll1 is shown inTable 4 which lists some information including methodname precondition of the method mutated Prc using RRFoperator type-number of test cases that meet Prc(type-number of detecting the fault) and type-number of test casesthat violate Prc (type-number of detecting the fault) Forexample subtract method has 5 types of test cases that meetPrc which are 119886 gt 119887ampamp 119887 gt 119888 and 119886 gt 119887ampamp 119887 = 119888 119886 gt

119887ampamp 119887 lt 119888 119886 lt 119887ampamp 119887 gt 119888 119886 = 119887ampamp 119887 gt 119888 among which119886 lt 119887ampamp 119887 gt 119888 can detect the fault 119886 = 119887ampamp 119887 = 119888 119886 =

119887ampamp 119887 lt 119888 119886 lt 119887ampamp 119887 = 119888 119886 lt 119887ampamp 119887 lt 119888 are 4 types


Table 3 The information of two tested component

ID Component name Method number Code line number Number of faults injected01 TestCondiDll1dll 6 63 602 TestCondiDll2dll 7 70 7

Table 4 Testing result for TestCondiDll1 using condition mutation

Method name Pre-condition(Prc) Mutated Prc(Prc1015840)Type-number ofTest cases that

meet Prc

Type-number ofTest cases thatviolate Prc

JudgeTriangle 50 gt 119886 gt 0ampamp50 gt 119887 gt0ampamp50 gt 119888 gt 0

50 gt 119886 ge 0ampamp50 ge 119887 gt 0ampamp119888 gt50

1 (1) 124 (4)

GetLargest (119886 gt 100 119887 lt 100)ampamp119888 gt 0 (119886 lt 100 119887 le 100)ampamp119888 gt 0 5 (1) 22 (3)Withdraw 0 lt 119886 lt 100 119886 ge 100 1 (1) 4 (2)Subtract 119886 gt 119887 119887 gt 119888 119886 ge 119887 119887 lt 119888 5 (1) 4 (3)

Multiply (0 lt 119886 lt 400 100 lt 119887 lt800)ampamp100 gt 119888 gt 0

(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)

And 0 lt 119886 lt 400 100 lt 119887 lt 800 0 lt 119886 lt 400 119887 gt 800 9 (4) 16 (4)

of test cases that violate Prc among which 119886 = 119887ampamp 119887 =

119888 119886 = 119887ampamp 119887 lt 119888 119886 lt 119887ampamp 119887 lt 119888 can distinguish Prcand Prc1015840 It is shown from the table that type-number of testcases is related to the number of relational expressions andopening (closing) interval of a variable The more relationalexpressions are the larger the number of types is In additionthere are more types if a variable has opening interval ratherthan closing interval It is also shown that conditionmutationcan effectively detect faults caused by RRF operator

In addition to verify and analyze the testing capabilityabout detecting component explicit exception conditionmutation approach is compared with decision coveragecondition coverage and multiple condition coverage bytesting six methods of TestCondiDll1 The comparison resultis shown in Table 5 Two test cases are obtained whichrespectively make Prc be true and false in decision coverageapproach Test cases are generated by making each relationalexpression of Prc be true and false in condition coverageapproachMultiple condition coverage requires test cases thatcover all the conditions in a decision By analyzing Table 5we can see that the number of test cases that are generatedby other 3 methods is the subset of that of the conditionmutation However other 3 methods uncertainly can findall faults injected Condition mutation approach generatesmost test cases but it can find all faults caused by RRFoperator It is obvious that the conditionmutation approach iseffective

52 Experiment and Analysis of Parameter Mutation TestingThe experiment is conducted for verifying the feasibility ofparameter mutation TestParamdll is tested in the experi-ment TestParamdll has 7methods 85 code lines and 7 faultsinjected The detail information is shown in Table 6

The experimental result is shown in Table 7 for TestPa-ramdll component Table 7 shows some testing informationsuch as name of a method value constraint of correspondingparameter relation constraint of parameters time generating

Table 5 The comparison with related testing approaches

Testing approaches Number oftest cases

Number of faultsfound

Condition mutation 316 6Decision coverage 12 0sim6Condition coverage 12 0sim6Multiple condition coverage 34 0sim6

Table 6 The information of TestParamdll

ID Componentname

Methodnumber

Code linenumber

Number offaults

injected03 TestParamdll 7 85 7

cases number of all cases number of cases that find faultsand detecting rate It is obvious that our approach is effective

In order to obverse the validity of parameter mutationparametermutation is comparedwith boundary value testingand fuzzy testing method Boundary value testing meansthat test cases are designed by using variable values at theirextreme points such as maximum (max) maxminus1 minimum(min) min+1 and nominal value (nom) [14] Fuzzy testingis a security testing method which injects random inputvalue into the parameters of a function in order to obtainan unexpected behavior and identify potential vulnerabilities[15 16] The comparison result is shown in Figure 3 fromwhich we can see that the more test cases generated are themore effective cases areThe detecting efficiency of boundaryvalue method is the lowest that of fuzzy testing method isin the middle and that of parameter mutation is the highestWith the number of test cases increasing the advantage ofparameter mutation tends to be more obvious


Table 7 The testing result of parameter mutation

Method name Value constraint Relationalconstraint

Time forgenerating test

cases

Number of alltest cases

Number oftest cases thatfind faults

detectingrate

JudgeTriangle(int a int b int c) 119886 gt 0 119887 gt 0119888 gt 0

119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113

Add(int a int b) 119886 gt minus10119887 gt minus10

119886 ge 119887 62ms 60 15 25

Query(String s) mdash mdash 422ms 9 1 1111

GetCharacterCount(String s) mdash mdashAn infinite loopis caused by data

overflow9 1 1111

IsAcuteTriangle(int a int b intc)

119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633

CIsLargest(int a int b int c) 119886 gt 0 119887 gt 0119888 gt 0

119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821

IsQuotient(int a int b int c) 119887 = 0 119886 ge 0119888 ge 0

119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults

Number of test cases

Parameter mutationBoundary value testingFuzz

Figure 3The comparison with fuzzy testing method and boundaryvalue method

6 Conclusions and Future Work

Since some detailed design information and source codes areunavailable in the third party component it brings a largenumber of difficulties into component vulnerability testingIn this paper the approach of vulnerability testing-basedcondition and parameter mutation is proposed accordingto the characteristics of explicit exceptions The advantagesand disadvantages of proposed approach are summarized asfollows

(1) Condition mutation approach addresses TCES algo-rithm to generate test cases that meet precondition andmutation PCMA algorithm to get several mutants By com-bining these mutants with TCES test cases that violateprecondition are generated and then component vulnera-bilities can be detected by SVDACM algorithm Parametermutation approach adopts TCGPC algorithm to generate

test data through using all related operators correspondingparameter type In addition test cases set becomes smallerwhen combinational testing method is used Some testcases that violate relation constraint are selected SVDAPMalgorithm is applied to detect component vulnerabilities fromthe perspective of the parameter fault

(2) Component security specification that is used in ourapproach is comprehensive which not only records com-ponent information of methods and properties but alsoincludes some detailed information such as method pre-condition method postcondition and parameter constraintCondition and parameter mutation algorithms (PCMA andSPMV) are presented to generate mutated precondition andparameter value based on security testing framework Vul-nerabilities detecting algorithms (SVDACM and SVDAPM)are addressed to detect whether the component is secureor not In the end the experiments show that the pro-posed approach can detect some explicit exceptions andthe proposed approach is feasible Furthermore the experi-ments also show that condition mutation method can detectmore vulnerability faults than decision coverage conditioncoverage and multiple condition coverage methods Theparameter mutation method is also compared with fuzzytesting and boundary value methods and the comparisonresult shows that the effectiveness of parameter mutationmethod is higher than the other two methods

(3) However the proposed approach could not obtaingood testing result if themethod of tested component did nothave this information such as precondition postconditionand parameter constraints In addition the approach inthis paper is designed for detecting explicit exceptions as aresult implicit exceptions of component cannot be effectivelydetected In the future state mutation approach for methodsequences will be explored in detail according to character-istics of implicit security vulnerabilities It is promising thatsome meaningful changes are made into method sequencesto generate insecure or unreachablemethod sequencesThese


insecure sequences are executed and then the executed resultis observed by judging whether they are successfully run todetect implicit exceptions of the tested component

Acknowledgments

This work is in part supported by the National Natural Scie-nce Foundation of China (NSFC) under Grant no 61202110no 61063013 and no 61170126 Natural Science Foundationof Jiangsu Province under Grant no BK2012284 and theResearch Fund for the Doctoral Program of Higher Educa-tion of China under Grant no 20103227120005

References

[1] F Jabeen and M Jaffar-Ur Rehman ldquoA framework for objectoriented component testingrdquo in Proceedings of the IEEE Inter-national Conference on Emerging Technologies (ICET rsquo05) pp451ndash460 September 2005

[2] A Bertolino and A Polini ldquoA framework for componentdeployment testingrdquo in Proceedings of the 25th InternationalConference on Software Engineering pp 221ndash231 May 2003

[3] J M Haddox G M Kapfhammer and C C Michael ldquoAnapproach for understanding and testing third party softwarecomponentsrdquo in Proceedings of the Annual Reliability andMain-tainability Symposium (RAMS rsquo02) pp 293ndash299 January 2002

[4] J Chen Y Lu and X Xie ldquoComponent security testingapproach by using interface fault injectionrdquo Journal of ChineseComputer Systems vol 31 no 6 pp 1090ndash1096 2010

[5] C-J Hsu and C-Y Huang ldquoAn adaptive reliability analysisusing path testing for complex component-based software sys-temsrdquo IEEE Transactions on Reliability vol 60 no 1 pp 158ndash170 2011

[6] Y Jia and M Harman ldquoAn analysis and survey of the devel-opment of mutation testingrdquo IEEE Transactions on SoftwareEngineering vol 37 no 5 pp 649ndash678 2011

[7] V Okun Specification Mutation For Test Generation and Analy-sis University of Maryland Baltimore 2004

[8] P E Black V Okun and Y Yesha ldquoMutation operators forspecificationsrdquo in Proceedings of the 15th IEEE InternationalConference on Automated Software Engineering (ASE rsquo00) pp81ndash88 2000

[9] J-F Chen Y-S Lu W Zhang and X-D Xie ldquoA fault injectionmodel-oriented testing strategy for component securityrdquo Jour-nal of Central South University of Technology vol 16 no 2 pp258ndash264 2009

[10] S Kumar S-C Khoo A Roychoudhury and D Lo ldquoMiningmessage sequence graphsrdquo in Proceedings of the 33rd Interna-tional Conference on Software Engineering (ICSE rsquo11) pp 91ndash100May 2011

[11] L Zhang ldquoSolving QBF with combined conjunctive and dis-junctive normal formrdquo in Proceedings of the 21st NationalConference on Artificial Intelligence (AAAI rsquo06) pp 143ndash149AAAI Press Cambridge Mass USA July 2006

[12] X Xu and K Hu ldquoTest case generation strategy based on con-straint satisfaction searching algorithmrdquoComputer Engineeringvol 34 no 18 pp 75ndash84 2008

[13] L Shi C-H Nie and B-W Xu ldquoPairwise test data generationbased on solution space treerdquoChinese Journal of Computers vol29 no 6 pp 849ndash857 2006

[14] W Feng ldquoA generalization of boundary value analysis for inputparameters with functional dependencyrdquo in Proceedings of the9th IEEEACIS International Conference on Computer and Infor-mation Science (ICIS rsquo10) pp 776ndash781 August 2010

[15] S Bekrar C Bekrar R Groz and LMounier ldquoFinding softwarevulnerabilities by smart fuzzingrdquo in Proceedings of the 4th IEEEInternational Conference on Software Testing Verification andValidation (ICST rsquo11) pp 427ndash430 March 2011

[16] J Wan Research on Automatic Test Case Generation For Com-plex Data Types in Component Testing Huazhong University ofScience and Technology 2009

Submit your manuscripts athttpwwwhindawicom

Computer Games Technology

International Journal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Distributed Sensor Networks


Advances in

FuzzySystems

Hindawi Publishing Corporationhttpwwwhindawicom

Volume 2014


ReconfigurableComputing

Hindawi Publishing Corporation httpwwwhindawicom Volume 2014


Applied Computational Intelligence and Soft Computing

thinspAdvancesthinspinthinsp

Artificial Intelligence

HindawithinspPublishingthinspCorporationhttpwwwhindawicom Volumethinsp2014

Advances inSoftware EngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Electrical and Computer Engineering

Journal of

Journal of

Computer Networks and Communications


Hindawi Publishing Corporation

httpwwwhindawicom Volume 2014

Advances in

Multimedia


Biomedical Imaging


ArtificialNeural Systems

Advances in


RoboticsJournal of



Computational Intelligence and Neuroscience

Industrial EngineeringJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Human-ComputerInteraction

Advances in

Computer EngineeringAdvances in



approach proposed by Bertolino and M Haddox whosefeasibility is not verified by some effective experiments Inaddition Chen et al [4] addressed a software security testingapproach based on fault injection which to some extentcould detect explicit security vulnerabilities of componentsBut its testing process is complex and the testing efficiencyis not very ideal without considering the effect of inter-face parameter constraint and method precondition Thedrawbacks of proposed methods are mainly lacking specificeffective experimental approaches to verify the efficiency ofthe proposed methods In order to address these drawbacksa testing approach is presented based on testing methodsequences Testing method sequences have higher statementand branch coverage quality which lead to better testingefficiency [5] Therefore considering the characteristics ofexplicit exceptions and the notion of specification muta-tion [6ndash8] this paper proposes an approach using condi-tion mutation and parameter mutation based on methodsequences Since security vulnerabilities of most software areoften caused by errors in judgment statements and condi-tional expressions condition mutation method is presentedFirstly the precondition is extracted from the requirementspecification and then test cases are generated which satisfyand violate the precondition expression Based on these testcases whether security vulnerabilities exist or not is judgedaccording to the postcondition expression In the parametermutation method the corresponding mutation operators arefirstly selected according to a parameter type to generate testvalues Then the test cases are generated based on value andrelation constraint extracted from the requirement specifica-tion Finally the security exceptions will be detected by usingcomponent vulnerability detecting algorithmThis paper notonly proposes a component vulnerability testing approachbut also figures out the framework of the vulnerability testingapproach Some experiments are conducted to verify thefeasibility of proposed approach

The remainder of this paper is organized as follows Thevulnerability testing framework is described in the next sec-tion Condition mutation testing algorithm is presented inSection 3 and parameter mutation testing algorithm is addre-ssed in Section 4 Some experiments are conducted to verifyour approach in Section 5 In the end the conclusions aredrawn in Section 6

2 Vulnerability Testing Framework

In this section a vulnerability testing framework will bedescribed A testing approach of condition and parametermutation was presented based on component requirementspecification which is the main part of the frameworkThe vulnerability testing framework proposed in this paperis shown in Figure 1 In order to accurately describe theframework several definitions are firstly given as follows

Definition 1 Precondition (Prc) is a series of constraint cond-itions which must be true before the method can be invoked

Definition 2 Postcondition (Poc) is the condition whichshould be true after a method is invoked and decides the

Tested method sequences

Generating methodconditions

Parameter specificationmutation

Precondition mutation

Test result setof condition

mutation


condition mutation

Testing report of component security vulnerabilities


parameter mutation

Test result setof parameter

mutation

Figure 1 The framework of vulnerability testing

Table 1 RRF operator

Before mutation lt le gt ge = =

After mutation gt = gt lt = lt lt gt =

correctness of the operations performed Postcondition canbe expressed with such information as return value theoutput result parameter value and environment variables

Definition 3 Conditionmutation operator namely relationaloperator reference fault operator (RRF) can convert therelational operator in a simple relational expression to reverseoperator The detailed information is shown in Table 1

Definition 4 Requirement specification (RSF) of componentsecurity is described by XML format according to someschema which is provided by developers or obtained throughanalyzing function description and IDL information by com-ponent users Referring to requirement specification in theliterature [9] method precondition method postconditionvalue and relation constraint for method parameters areadded to RSF

Definition 5 Method sequences are feasible execution seque-nces that can be generated by data mining technology [10]

Based on the above definitions vulnerability testingframework is described as follows On the one hand theprecondition and postcondition of eachmethod are extractedfrom RSF and test data that meet precondition are generatedThen RRF mutation operator is applied to mutate precon-dition to generate precondition mutants and test data thatviolate precondition are generated as method input basedon precondition mutants Finally method sequences areexecuted to detect whether vulnerabilities exist in the com-ponent by vulnerabilities detecting algorithm for conditionmutation On the other hand parameter mutation generatestest data that easily trigger component exceptions throughusing related mutation operators according to the parametertypeThen combinational testingmethod is applied to reducethe number of test cases and test cases are selected by valueand relation constrains In the end the method sequences






12 ampampExp


1198981ampampExp

1198982 ampamp




12 ampampExp

1119904is a cube




11ampampExp

12 ampampExp


Exp1198981ampampExp

1198982 ampampExp



Exp11

Exp12

Exp1119904

Exp1198981

Exp1198982

Exp119898119905

(1)





1198911(1199091 1199092 119909

119899) 0

119891119896(1199091 1199092 119909

119899) 0

(2)









119888











119894) do not


2up


119894) is


2)



1198941ampamp119864119909119901

119894119895 ampamp119864119909119901

119894119899 119864119894119895= 119864119909119901



0)


119894)


Algorithm 1 PCMA


(01)119872119878119860 (119864119894)

(02) (03) RRF(119864119909119901


119894119896

(04) 1198791198941= 119864119909119901

1198941 RRF(119864119909119901

1198941) 119879119894119895= 119864119909119901

119894119895 RRF(119864119909119901

119894119895) 119879119894119899= 119864119909119901

119894119899 RRF(119864119909119901

119894119899)


119899) | 1205901isin 1198791198941 120590119895isin 119879119894119895 120590119899isin 119879119894119899

(06) 119878 = 119878 minus 119864119894

(07) return 119878(08)


(01) 119868119904119864119909119888119897119906119904119894119907119890 (119864119894 119864119895)

(02) (03) if (exist(119864

119894119904 119864119895119905) ampamp (119864

119894119904cap 119864119895119905 = Φ))


Procedure 2 119868119904119864119909119888119897119906119904119894119907119890()










119894and 119864

119895are


119894and 119864



119864119894= 119886 gt 0ampamp 119887 gt 10 119864

119895= 119886 lt 10ampamp 119887 = 3 119887 gt 10 in

119864119894 and 119887 = 3 in 119864


119894and










(21) else(22)


(27)

(28) return CR

Algorithm 2 SVDACM









119887ampamp 119887 + 119888 gt 119886













308+ 1 179769313486232119864308 minus 1)

















(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in








12 ampampExp


1198981ampampExp

1198982 ampamp




12 ampampExp

1119904is a cube




11ampampExp

12 ampampExp


Exp1198981ampampExp

1198982 ampampExp



Exp11

Exp12

Exp1119904

Exp1198981

Exp1198982

Exp119898119905

(1)





1198911(1199091 1199092 119909

119899) 0

119891119896(1199091 1199092 119909

119899) 0

(2)









119888











119894) do not


2up


119894) is


2)



1198941ampamp119864119909119901

119894119895 ampamp119864119909119901

119894119899 119864119894119895= 119864119909119901



0)


119894)


Algorithm 1 PCMA


(01)119872119878119860 (119864119894)

(02) (03) RRF(119864119909119901


119894119896

(04) 1198791198941= 119864119909119901

1198941 RRF(119864119909119901

1198941) 119879119894119895= 119864119909119901

119894119895 RRF(119864119909119901

119894119895) 119879119894119899= 119864119909119901

119894119899 RRF(119864119909119901

119894119899)


119899) | 1205901isin 1198791198941 120590119895isin 119879119894119895 120590119899isin 119879119894119899

(06) 119878 = 119878 minus 119864119894

(07) return 119878(08)


(01) 119868119904119864119909119888119897119906119904119894119907119890 (119864119894 119864119895)

(02) (03) if (exist(119864

119894119904 119864119895119905) ampamp (119864

119894119904cap 119864119895119905 = Φ))


Procedure 2 119868119904119864119909119888119897119906119904119894119907119890()










119894and 119864

119895are


119894and 119864



119864119894= 119886 gt 0ampamp 119887 gt 10 119864

119895= 119886 lt 10ampamp 119887 = 3 119887 gt 10 in

119864119894 and 119887 = 3 in 119864


119894and










(21) else(22)


(27)

(28) return CR

Algorithm 2 SVDACM









119887ampamp 119887 + 119888 gt 119886













308+ 1 179769313486232119864308 minus 1)

















(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





1198941ampamp119864119909119901

119894119895 ampamp119864119909119901

119894119899 119864119894119895= 119864119909119901



0)


119894)


Algorithm 1 PCMA


(01)119872119878119860 (119864119894)

(02) (03) RRF(119864119909119901


119894119896

(04) 1198791198941= 119864119909119901

1198941 RRF(119864119909119901

1198941) 119879119894119895= 119864119909119901

119894119895 RRF(119864119909119901

119894119895) 119879119894119899= 119864119909119901

119894119899 RRF(119864119909119901

119894119899)


119899) | 1205901isin 1198791198941 120590119895isin 119879119894119895 120590119899isin 119879119894119899

(06) 119878 = 119878 minus 119864119894

(07) return 119878(08)


(01) 119868119904119864119909119888119897119906119904119894119907119890 (119864119894 119864119895)

(02) (03) if (exist(119864

119894119904 119864119895119905) ampamp (119864

119894119904cap 119864119895119905 = Φ))


Procedure 2 119868119904119864119909119888119897119906119904119894119907119890()










119894and 119864

119895are


119894and 119864



119864119894= 119886 gt 0ampamp 119887 gt 10 119864

119895= 119886 lt 10ampamp 119887 = 3 119887 gt 10 in

119864119894 and 119887 = 3 in 119864


119894and










(21) else(22)


(27)

(28) return CR

Algorithm 2 SVDACM









119887ampamp 119887 + 119888 gt 119886













308+ 1 179769313486232119864308 minus 1)

















(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in









(21) else(22)


(27)

(28) return CR

Algorithm 2 SVDACM









119887ampamp 119887 + 119888 gt 119886













308+ 1 179769313486232119864308 minus 1)

















(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in













308+ 1 179769313486232119864308 minus 1)

















(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





(09)


(19) return ts

Algorithm 3 TCGPC



(14) return ts(15)

Procedure 3 SPMV()




sdot 1198992+ 1198894sdot 1198992sdot

log(119899))








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in








(13)

(14)

(15) return PMR

Algorithm 4 SVDAPM


119899sdot

1198893+ 119889119899+3





Tested component

Interface analysis




Para

met

ers m

utat

ion

testi

ng

Con

ditio

n m

utat

ion

testi

ng












meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in








meet Prc




1 (1) 124 (4)



(0 lt 119886 le 400 119887 = 800)ampamp100 gt119888 gt 0

9 (3) 116 (4)












ID Componentname

Methodnumber

Code linenumber

Number offaults








cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in







cases



detectingrate


119886 + 119887 gt 119888119886 + 119888 gt 119887119887 + 119888 gt 119886

218ms 663 339 5113


119886 ge 119887 62ms 60 15 25



overflow9 1 1111


119886 gt 0 119887 gt 0119888 gt 0

119886 lowast 119886 + 119887 lowast 119887 ==

119888 lowast 11988863ms 964 543 5633


119888 ge 119886 ampamp 119888 ge 119887 157ms 615 112 1821


119888 lowast 119887 == 119886 250ms 981 327 3333

050

100150200250300350400

0 100 200 300 400 500 600 700Num

ber o

f te

st ca

ses t

hat fi

nd fa

ults












Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in





Acknowledgments


References
























Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in










Advances in

FuzzySystems


Volume 2014












Journal of

Journal of





Advances in

Multimedia


Biomedical Imaging



Advances in


RoboticsJournal of










Advances in



Research Article An Approach of Vulnerability Testing for Third...

Documents

Transcript of Research Article An Approach of Vulnerability Testing for Third...