CN1752945A - Test case generation method for a secure database management system - Google Patents


Info

Publication number: CN1752945A
Authority: CN (China)
Application number: CN 200510086761
Other languages: Chinese (zh)
Inventors: 张敏, 冯登国, 徐震, 吕双双, 陈驰, 黄亮
Original assignee: Institute of Software of CAS
Current assignee: Institute of Software of CAS (as listed by Google Patents, not legally verified)
Legal status: Pending (as listed by Google Patents; not a legal conclusion)


Abstract

The invention proposes, for the first time, a systematic and practicable method for generating test cases for a secure database management system. It comprises the following steps: 1) generate a test specification for each operation in the system from the formal specification describing the operation's function and from the safety axioms the operation must satisfy; 2) generate test templates by equivalence-transforming the test specification under a set of rewriting rules into disjunctive normal form, so that the test specification of an operation is equivalently expressed as a set of test templates; 3) perform type division, a heuristic equivalence transformation of the types present in the system that further subdivides the test space represented by each test template; 4) generate test vectors by checking and instantiating each test subdomain. The method takes the security model of the system under test (SUT) as its basis, and the resulting tests are complete, systematic, repeatable and internally consistent.

Description

Test case generation method for a secure database management system
Technical field
The invention belongs to the field of computer software testing and evaluation. It concerns in particular the testing and evaluation of secure database management systems (Secure DataBase Management Systems, SDBMS for short), and more precisely a test case generation method for high-assurance SDBMS based on the SDBMS security policy model.
Background technology
Software testing is an effective means of checking the consistency between a software implementation and its functional specification and of assuring software quality. When security information products are evaluated against a security evaluation standard, comprehensive and systematic third-party testing of the security functions of the secure system by the evaluator is a key link in the evaluation. For a number of reasons, however, independent security function testing does not yet occupy an important place in the security evaluation of database management systems (DBMS) in China. The key problem is how to organise and design the test cases: there is currently no systematic method for quickly generating a test case suite for a specific information security product or system (including an SDBMS).
Because of restrictions such as software copyright, third-party independent testing is mostly specification-based. The system specification is derived from the system requirements and defines the behaviour of the system completely. Specification-based testing can determine the relation between inputs and outputs and thus effectively guarantees the comprehensiveness of functional testing. A formal specification is a more precise form of system specification that better eliminates ambiguity in the requirements; at the same time it provides a standard form of expression that is convenient for automated processing. Generating test cases automatically from a formal security specification greatly reduces the testing workload. One existing approach models the functional specification, divides the test space according to a set of rewriting rules, and generates test cases automatically.
Applying this approach directly to the testing and evaluation of an SDBMS raises specific problems. The rewriting rules (or heuristics) for the formal functional specification are purely syntactic and have nothing to do with semantics, so the generated test cases lack focus and have difficulty finding concrete problems in the system. In addition, while the input variable space of each SDBMS operation is limited, the internal state space of the system is enormous, almost unbounded. The approach is therefore only suitable for small-scale systems and cannot be applied directly to SDBMS evaluation.
More importantly, for most security information products including SDBMS, the system specification does not truly reflect the real behaviour of the system, because each operation, besides accomplishing its intended function, must at the same time satisfy the security policy. A security policy describes the objects that a security information product (or system) protects and all the protective measures it takes. Security policies exist at different levels of abstraction, such as the Security Target of the system and the security policy model of the system. A high-assurance SDBMS has a formalised security policy model.
Another approach is to model the informal Security Target and build a precise formal security function model. Its problem is that, because the evaluator performs a manual modelling step, the model and the final test results depend heavily on the modeller's correct understanding of the informal Security Target provided by the developer. In addition, the security policy in a Security Target has a rather coarse granularity, so the evaluator has to map the subjects and objects of the security policy one by one onto the objects of the real system.
Summary of the invention
In view of the above problems, the object of the present invention is to provide a test case generation method based on the SDBMS security policy model. The basic prerequisites of this testing method are:
1. An SDBMS security policy model:
The correctness of this model has been proved with a formal tool. A typical formal SDBMS security policy model has the following elements: (1) a state set (STATES), which describes the legal states of the system; (2) a set of safety axioms (AXIOMS): the safety axioms are a group of properties defined in the model, and a system state S is secure if and only if it satisfies these properties; (3) an operation set (OPS): transitions of the system state are realised by system operations, each of which is controlled and is allowed to execute only if it produces a secure state, that is, a state satisfying all the properties of the model; (4) a set of safety theorems (THEOREMS): provable security properties that the abstract security model satisfies.
2. A copy of the SDBMS product under test:
The product is implemented according to the above SDBMS security policy model, and the developer has confirmed that the two are consistent.
3. The high-level specification of the SDBMS under test and the physical interface definition document of the product.
The test case generation method based on the SDBMS security model provided by the invention rests on the following design: the formal security policy model is the basis for generating SDBMS security function test cases. The basic idea of test case generation is to determine the test state space and to divide the test space (comprising the input state space and the intermediate state space). According to the uniformity hypothesis of testing theory, all inputs and states within one partition should behave identically, so one or a few instances are chosen from each partition for testing.
The method contains two kinds of test space division strategies. One is subdomain division: the test space is divided into test subdomains, and each subdomain is described by an abstract test template. The other is type division: the values of the type of a variable are divided, and a test template is instantiated into concrete test cases.
Specifically, the method comprises the following four steps:
Step 1: generate the test specification. Since the prerequisite for generating test cases is an exact and complete formal test specification, step 1 generates the test specification from the formal specification describing the function of the operation, the safety axioms the operation must satisfy, and so on.
Step 2: generate test templates. Step 2 rewrites the test specification and thereby divides the test space defined by the test specification into subdomains. The subdomains are mutually disjoint, and each test subdomain corresponds to one test template.
Step 3: type division. Step 3 provides a division different from that of step 2, type division, which further divides the test space on the basis of the test subdomains.
Step 4: generate test vectors. Combining the two divisions above, step 4 checks and instantiates each test subdomain, generates the corresponding test vector, and so constitutes a complete test case.
Below the four steps are illustrated on an SDBMS model described in the Z language. The same ideas apply naturally to SDBMS models described in other formal languages; Z is used here only to explain the content of the invention and does not limit it in any way.
Step 1: generate test specification
The test specification of an operation reflects the behaviour of that operation in the SDBMS comprehensively and exactly. Specifically, the test specification of an operation op in the operation set of the SDBMS security model consists of the following three parts:
(1) The basic definition of operation op in the SDBMS model:
The declaration part of the basic definition of op comprises the operation's input variable set ins, its output variable set outs, and the set of intermediate state variables before and after the operation, Δstate. The predicates of the basic definition fall semantically into two classes: the pre-constraint under which op takes place, labelled P, and the change of system state that the operation causes, labelled Q. Their meaning is: op executes if and only if the pre-constraint P is satisfied, and after correct execution the resulting change of system state satisfies Q. For example, the basic definition of op written as a Z schema is:
[Z schema of operation op; figures A20051008676100051, A20051008676100053 and A20051008676100054 not reproduced]
The formal definition of an operation must satisfy a consistency requirement and a completeness requirement. Consistency means that the pre-constraint of the operation is satisfiable; completeness means that no part of the domain is left over on which the result of the operation is undefined. If the basic definition of op is supplemented with a description of what happens when the pre-constraint is not satisfied, by defining non_op as above together with the outcomes Success and Fail, an operation of the following form is constructed:
[Z schema of op_full, combining op with Success and non_op with Fail; figure A20051008676100061 not reproduced]
Since pre op_full = true, op_full is a consistent and complete operation.
(2) The safety axiom (set) in the SDBMS model that relates to the operation:
Most operations in the SDBMS security policy model must satisfy specific safety axioms. For example, an SDBMS security policy model may require that insert and delete operations on data objects satisfy the static and dynamic constraints of a role-based access control model. The set of safety axioms that op must satisfy is denoted by the function axioms(op). Safety axioms are usually expressed as predicate constraints; they are directly related to the security policy of the system and reflect the security properties the system is required to have. Distinguishing the security property constraints from the semantic constraints of the operation itself makes the structure of the SDBMS security policy model clearer.
After adding the safety axiom constraints, the basic definition and the complementary definition of op are adjusted to op' and non_op' respectively:
[Z schemas of op' and non_op'; figure A20051008676100063 not reproduced]
Similarly, the complete operation after adding the axiom constraints is written op_full' (schema not reproduced).
(3) The fixed constraints on the intermediate state variables of the system:
Besides the pre-condition P, op must in fact also satisfy some constraints that are not directly related to the operation. These constrain the relations between the intermediate variables of the system; only a state satisfying these fixed constraints can be a legal system state. The state before op executes therefore implies these constraints. Denoting the fixed constraints by the symbol TCB, the operation specification should actually be:
[Z schema; figure A20051008676100065 not reproduced]
The basic definition and the complementary definition of op are further adjusted to op'' and non_op'':
[Z schemas of op'' and non_op''; figure A20051008676100071 not reproduced]
and the complete operation is written:
[Z schema of op_full''; figure A20051008676100073 not reproduced]
Because every state of the system must satisfy the TCB constraints, a state satisfying ¬TCB is unreachable in the real system. If the SDBMS security model contains a corresponding initialisation theorem and it has been proved, then, taking the completeness requirement of the operation into account, the complete definition of op remains equivalent to op_full'.
In summary, for an operation op in the SDBMS security policy model, the three parts above compose its test specification op_test, which, depending on whether the initialisation theorem has been verified, is finally written as:
op_test ≙ op_full''   or   op_test ≙ op_full'
Step 2: generate test templates
The test specification of an operation describes its behaviour exactly and at the same time defines the test space of the operation. Before test cases can be generated for the operation, this test space must first be divided into a series of mutually disjoint test subdomains. The predicate part of the test specification is equivalence-transformed under specific rewriting rules and simplified into disjunctive normal form (DNF), so that the test specification op_test of op is equivalently expressed as a set of test templates.
The rewriting rules used in the equivalence transformation cannot be enumerated one by one; the main ones include:
(1) the existential quantifier elimination rule (one-point rule);
(2) the universal quantifier elimination rule;
(3) the distributive law.
[The three rules are given as figures A20051008676100078 and A20051008676100081, not reproduced.]
The rewritten test specification is expressed as a disjunction of n test templates:
$op\_test = \bigvee_{i=1}^{n} op\_template_i$
where the i-th test template op_template_i is a simple conjunction. By the semantics of what they represent, its conjuncts fall into three classes:
$op\_template_i = p_i \wedge q_i \wedge r_i$
Here p_i is the constraint of the i-th template, a conjunction of one or more predicates; q_i is the state change after the operation has executed in the i-th template; and r_i is the set of output results of the i-th template.
The generated test template set {op_template_i} (1 ≤ i ≤ n) satisfies the following two properties:
① $\forall i, j : 1..n \cdot i \neq j \Rightarrow p_i \wedge p_j = \text{false}$
② $\bigvee_{i=1}^{n} p_i = \text{true}$
Property ① says that the constraints of the test templates have no intersection: the generated templates divide the test space into a set of mutually disjoint test subdomains, each template representing one subdomain. Property ② says that the template set is complete and covers the whole test space of the operation under test; that is, the pre-condition of the operation is a tautology, pre op_test = true.
It should be pointed out that the order and number of rule applications may vary, so the DNF obtained from a given test specification by equivalence transformation is not unique. The equivalence transformation may also introduce some indirect input variables for the operation.
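The construction of op_full in Step 1 (the success branch conjoined with the safety axiom, plus the complementary ¬(P ∧ axiom) ∧ Fail branch) and the Step 2 rewriting into disjoint, complete templates, as an added worked example in Python; it is not code from the patent. The propositional names user_exists, user_adm, already_granted and axiom are assumed stand-ins for the predicates of GrantPermToUser in the embodiment. The rules implemented are De Morgan, distribution of ∧ over ∨, and the orthogonalisation A ∨ B ⇒ A ∨ (¬A ∧ B) needed for property ①; the quantifier elimination rules, which the page names but does not reproduce, are not modelled.

```python
"""Step 2 worked example: rewrite a test specification into a disjunction of
mutually disjoint, complete test templates (a DNF whose terms are the p_i).
Added illustration, not code from the patent."""
from itertools import product

# Formula AST: ('var', name) | ('not', f) | ('and', f, g)
def Var(name):
    return ('var', name)

def Not(f):
    return ('not', f)

def And(*fs):
    out = fs[0]
    for g in fs[1:]:
        out = ('and', out, g)
    return out

def nnf(f, neg=False):
    """Push negations down to the literals (negation normal form, De Morgan)."""
    tag = f[0]
    if tag == 'var':
        return ('lit', f[1], not neg)            # ('lit', name, polarity)
    if tag == 'not':
        return nnf(f[1], not neg)
    a, b = nnf(f[1], neg), nnf(f[2], neg)
    return (('and' if (tag == 'and') != neg else 'or'), a, b)

def contradictory(term):
    return any((n, not p) in term for (n, p) in term)

def dnf(f):
    """Distribute ∧ over ∨. A term is a frozenset of (name, polarity) literals."""
    if f[0] == 'lit':
        return [frozenset([(f[1], f[2])])]
    if f[0] == 'or':
        return dnf(f[1]) + dnf(f[2])
    return [s | t for s, t in product(dnf(f[1]), dnf(f[2]))
            if not contradictory(s | t)]

def subtract(t, r):
    """Pairwise disjoint terms for t ∧ ¬r, where r = l1 ∧ ... ∧ lk:
    t ∧ ¬r = (t ∧ ¬l1) ∨ (t ∧ l1 ∧ ¬l2) ∨ ...  Literals of r already in t are
    skipped; the result is empty when r ⊆ t (then t ∧ ¬r = false)."""
    if any((n, not p) in t for (n, p) in r):
        return [t]                                # t already disjoint from r
    pieces, kept = [], set(t)
    for (n, p) in sorted(r):
        if (n, p) in t:
            continue
        pieces.append(frozenset(kept | {(n, not p)}))
        kept.add((n, p))
    return pieces

def templates(spec):
    """spec: list of (constraint formula, expected result r_i).
    Returns [(p_i, r_i)] with the p_i mutually disjoint (property ①)."""
    out = []
    for formula, result in spec:
        for term in dnf(nnf(formula)):
            pieces = [term]
            for prev, _ in out:                   # orthogonalise against earlier p_j
                pieces = [q for p in pieces for q in subtract(p, prev)]
            out.extend((p, result) for p in pieces)
    return out

def disjoint(s, t):
    return any((n, not p) in t for (n, p) in s)

def pairwise_disjoint(tmpls):
    return all(disjoint(s, t) for i, (s, _) in enumerate(tmpls) for t, _ in tmpls[i + 1:])

def complete(tmpls):
    """Property ②: the p_i cover every valuation, i.e. pre op_test = true."""
    names = sorted({n for t, _ in tmpls for n, _ in t})
    for vals in product([False, True], repeat=len(names)):
        env = dict(zip(names, vals))
        if not any(all(env[n] == p for n, p in t) for t, _ in tmpls):
            return False
    return True

# Constructed specification modelled on GrantPermToUser: pre-constraint P with the
# safety axiom conjoined, plus the complementary branch ¬(P ∧ axiom) ∧ Fail.
P = And(Var('user_exists'), Not(Var('user_adm')), Not(Var('already_granted')))
GRANT_SPEC = [(And(P, Var('axiom')), 'ok'),
              (Not(And(P, Var('axiom'))), 'fail')]

if __name__ == '__main__':
    for p, r in templates(GRANT_SPEC):
        print(sorted(p), '->', r)
```

Running it prints five templates: one success template and four mutually exclusive failure templates, one per violated conjunct. A plain DNF of ¬(P ∧ axiom) gives four overlapping terms (¬user_exists, user_adm, already_granted, ¬axiom), which is why property ① needs the orthogonalisation step and not only the distributive law.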
Step 3: type division
In most cases the number of test templates generated in step 2 is very limited. Step 3 applies a heuristic equivalence transformation, type division, to each test template in order to subdivide the test space further. First the notion of type division is clarified.
Let A be a non-empty type. If a family of subsets π of A (π ⊆ ℙ(A)) satisfies the following conditions:
(1) no element of π is empty;
(2) any two elements of π are disjoint;
(3) the union of all elements of π equals A;
then π is called a division of type A, and the elements of π are called divided blocks. The union of all elements of π is called the π division expression of type A.
Divisions on the SDBMS security policy model fall into the following four situations.
Situation 1: preset value division.
If type T contains a series of special preset values s_1, s_2, ..., s_n, then the preset value division π of T is
$\pi = \{\{s_1\}, \{s_2\}, \ldots, \{s_n\}, \{\, t : T \mid t \neq s_1 \wedge t \neq s_2 \wedge \cdots \wedge t \neq s_n \,\}\}$
and according to π the type T can be expressed as
$T = \{s_1\} \vee \{s_2\} \vee \cdots \vee \{s_n\} \vee \{\, t : T \mid t \neq s_1 \wedge t \neq s_2 \wedge \cdots \wedge t \neq s_n \,\}$.
The special values in a type are preset by the system and have a special meaning compared with the other values of the type, so they should be tested separately. Since these values have no intersection, each special value forms its own subclass in the division of the type space, which satisfies the definition of a division.
Situation 2: function value division.
If there is a function f : T → V from type T to type V, and V is a finite set with ran(f) = {v_1, v_2, ..., v_n}, then the function value division π of T is
$\pi = \{\{\, t : T \mid f(t) = v_1 \,\}, \{\, t : T \mid f(t) = v_2 \,\}, \ldots, \{\, t : T \mid f(t) = v_n \,\}\}$.
If V is an infinite set but has an important division π_0 = {s_1, s_2, ..., s_n}, then T has the extended function value division
$\pi' = \{\{\, t : T \mid f(t) \in s_1 \,\}, \{\, t : T \mid f(t) \in s_2 \,\}, \ldots, \{\, t : T \mid f(t) \in s_n \,\}\}$.
Functions may exist on every type in the SDBMS model. A group of variables with the same function value is a class of values sharing some property, and different function values may correspond to different behaviour in the model, so the variables of a type can be divided into different subclasses according to the function value and tested.
Situation 3: set division.
If there are several data sets on type T, denoted ts_1, ts_2, ..., ts_n, that is, ts_i ∈ ℙ(T) for every 1 ≤ i ≤ n, then the set division of T can be expressed by the following recursion:
1) the base case T_test(1) [figure A20051008676100091, not reproduced];
2) for any 1 < i ≤ n, T_test(i) [figure A20051008676100092, not reproduced];
3) type T is finally expressed as T = T_test(n).
Similar to functions, each data set on a type in the SDBMS model represents a class of values sharing some property, and set division considers the combinations of these properties to the greatest extent. Since most data sets are part of the system state, set division is usually applied only to input variables.
Situation 4: data division.
This situation concerns common data types such as the integer type, the natural number type, the boolean type and so on. The special values of these data types are intrinsic special values of the type; for example, the data division of the boolean type is {true, false}. The form of data division is roughly the same as that of preset value division; the main difference is that data division applies to types whose members are already known, whereas preset value division applies to types whose number and content of members are uncertain.
In principle, if a function exists on a type, function division should be adopted; if a set exists, set division should be adopted; and so on. If several of these divisions exist on the same type at once, their comprehensive division must be computed, and the computation depends on the relation between the divisions. If every divided block of division A intersects every divided block of division B, the two divisions are said to be orthogonal; the comprehensive division of two orthogonal divisions on the same type is the collection of all intersections of a block of A with a block of B. If every divided block of A is contained in some divided block of B, the two are said to overlap; the comprehensive division of two overlapping divisions is then the finer division A, since each block of A is already its own intersection with the block of B that contains it. There is also a class between orthogonal and overlapping, in which some blocks intersect and some are nested; the comprehensive division is then computed by combining the two methods.
It is conceivable that, if many orthogonal divisions exist on a type and each contains a large number of divided blocks, a combinatorial explosion of the test space division is likely. Some principle must therefore be applied to select among the divisions. Two selection principles for orthogonal divisions are given here:
(1) The preferential m-choose-n principle (m ≥ n). If there are m orthogonal divisions π_i (1 ≤ i ≤ m) on type T, arranged in non-increasing order of importance, the preferential m-choose-n principle computes the comprehensive division of the first n of them.
Type T divided by the different divisions is expressed as T_test_i (1 ≤ i ≤ m), of length |π_i|. After arranging in non-increasing order of importance, the first n divisions are π_i (1 ≤ i ≤ n). The comprehensive division P of T under the preferential m-choose-n principle consists of the intersections of one block from each of these n divisions, that is, blocks of the form partition_1 ∩ partition_2 ∩ ... ∩ partition_n with partition_i ∈ π_i [figures A20051008676100101 and A20051008676100103 not reproduced]. The length of the comprehensive division is at most
$num = \prod_{1 \le i \le n} |\pi_i|$.
(2) The orthogonal m-choose-n principle (m ≥ n). If there are m orthogonal divisions π_i (1 ≤ i ≤ m) on type T, the comprehensive division computed by the orthogonal m-choose-n principle contains the divided blocks of the comprehensive division of any n of them.
Type T divided by the different divisions is expressed as T_test_i (1 ≤ i ≤ m), of length |π_i|. After arranging in non-increasing order of length, the first n divisions are denoted π_i (1 ≤ i ≤ n). Let P be the comprehensive division of T under the orthogonal m-choose-n principle and P' the comprehensive division of any n of the divisions. For any divided block p'_i ∈ P' there is at least one divided block p_j ∈ P such that p_j ⊆ p'_i.
The comprehensive division of T under either m-choose-n selection principle is expressed in disjunctive normal form; its length is
$num = \prod_{1 \le i \le n} |\pi_i|$
and its blocks are of the form partition_1 ∩ ... ∩ partition_n (partition_i ∈ π_i) [figure A20051008676100112 not reproduced].
The comprehensive division so computed can be applied directly to the division of input variables, and indirectly to the division of the internal state space, since after all the internal state consists of the set of internal variables and their values.
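The four divisions and the orthogonal comprehensive division with its bound num = Π|π_i|, as an added worked example in Python; it is not the patent's own code. Blocks are represented as predicates, matching the page's set comprehensions {t : T | ...}. The sample type is the set of object privileges listed in the embodiment; the owner-class function, the sets of Drop and Create privileges (ts_1, ts_2) and the preset value ConnectDatabase are constructed assumptions, and the reading of the recursive set division T_test(i), whose definition survives only as a figure, is an assumption stated in the code.

```python
"""Step 3 worked example: preset value, function value, set and data divisions
as predicate blocks, their orthogonal comprehensive division, and the two
m-choose-n selection principles. Added illustration, not the patent's code."""
from itertools import product
from math import prod

def preset_partition(presets):
    """Situation 1: one block {s_i} per preset value plus the remainder block."""
    blocks = [(f"t={s}", (lambda t, s=s: t == s)) for s in presets]
    blocks.append(("t∉presets", lambda t: t not in presets))
    return blocks

def function_partition(f, ran_f):
    """Situation 2: one block {t : T | f(t) = v} per v in ran(f)."""
    return [(f"f(t)={v}", (lambda t, v=v: f(t) == v)) for v in ran_f]

def set_partition(sets):
    """Situation 3. The page's recursion T_test(i) is given only as a figure; it is
    read here (assumption) as refining every block of T_test(i-1) by membership
    in ts_i, so that the blocks combine the set properties maximally."""
    blocks = [("T", lambda t: True)]
    for i, ts in enumerate(sets, 1):
        nxt = []
        for label, p in blocks:
            nxt.append((f"{label}∧t∈ts{i}", lambda t, p=p, ts=ts: p(t) and t in ts))
            nxt.append((f"{label}∧t∉ts{i}", lambda t, p=p, ts=ts: p(t) and t not in ts))
        blocks = nxt
    return blocks

def data_partition_int():
    """Situation 4: intrinsic special values of the integer type."""
    return [("t<0", lambda t: t < 0), ("t=0", lambda t: t == 0), ("t>0", lambda t: t > 0)]

def combine(partitions, domain):
    """Comprehensive division of orthogonal partitions: one block per choice of one
    block from each partition, intersected. Returns (label, representative) for
    every block with a member in `domain`; empty intersections are dropped, so
    len(result) <= bound(partitions)."""
    out = []
    for combo in product(*partitions):
        members = [t for t in domain if all(p(t) for _, p in combo)]
        if members:
            out.append(("∧".join(label for label, _ in combo), members[0]))
    return out

def bound(partitions):
    """num = Π |π_i|, the maximum length of the comprehensive division."""
    return prod(len(p) for p in partitions)

def choose_priority(partitions, n):
    """Preferential m-choose-n: partitions are listed in non-increasing order of
    importance; keep the first n."""
    return partitions[:n]

def choose_orthogonal(partitions, n):
    """Orthogonal m-choose-n: keep the n partitions with the most blocks."""
    return sorted(partitions, key=len, reverse=True)[:n]

# Constructed sample type: the object privileges of the embodiment, with a function
# mapping each privilege to the owner-privilege class it belongs to.
OWNER_CLASS = {
    **{p: "db" for p in ("ConnectDatabase", "CreateDomain", "CreateTable", "CreateView")},
    **{p: "dm" for p in ("CreateonDomain", "DroponDomain", "UseDomain", "DropDomain")},
    **{p: "tb" for p in ("CreateRule", "DropRule", "SelectTable", "Insert", "Delete", "DropTable")},
    **{p: "vi" for p in ("SelectView", "DropView")},
}
PRIVS = sorted(OWNER_CLASS)
DROP_PRIVS = {p for p in PRIVS if p.startswith("Drop")}      # constructed data set ts_1
CREATE_PRIVS = {p for p in PRIVS if p.startswith("Create")}  # constructed data set ts_2

# Listed in assumed order of importance (most important first).
PARTITIONS = [
    preset_partition(["ConnectDatabase"]),                            # 2 blocks
    set_partition([DROP_PRIVS, CREATE_PRIVS]),                        # 4 blocks
    function_partition(OWNER_CLASS.get, ("db", "dm", "tb", "vi")),   # 4 blocks
]

if __name__ == "__main__":
    print("bound", bound(PARTITIONS), "non-empty", len(combine(PARTITIONS, PRIVS)))
    for label, rep in combine(choose_orthogonal(PARTITIONS, 2), PRIVS):
        print(label, "->", rep)
```

With all three divisions the bound is 32 but only 10 intersections are non-empty on the privilege set, which is the combinatorial growth the selection principles are meant to contain: the preferential principle with n = 2 keeps the preset and set divisions (4 non-empty blocks), the orthogonal principle keeps the two four-block divisions (10 non-empty blocks).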
Step 4: generate test vectors
The division of the test space of an operation under test in the SDBMS model is in fact the combination of the subdomain division of step 2 and the type division of step 3. A complete test vector is the basis for evaluating the SDBMS product under test. Specifically, a test vector is a group of vectors, namely the four-tuple consisting of the input vector, the current state vector, the output vector and the state change vector: (IN, pre_STATE, OUT, post_STATE).
The input vector consists of the input variable set of op and a value for each variable. The input values depend on the concrete test template and on the type divided block; they are the instantiation of the test space division. Besides the input vector, the result of executing op also depends on the values of the internal state variables of the system at test time; only under a known system state can the output vector and state change vector produced by a given input vector be determined. For a given internal state, the relation between a type divided block and a test template may take three forms: the block satisfies the template completely, so that any member of the block can serve as the instantiated input of the division; the block does not satisfy the template at all, so that no member of the block satisfies it; or the block satisfies the template partially, some members satisfying it and some not, in which case whether the template is satisfied depends on the concrete input.
Although all internal state variables can ultimately be reduced to sets of simple type, sets of compound type, function types and the like, and could thus also be divided by the type division method, there are two problems. First, because the number of internal state variables is too large, such a division leads to a state explosion. Second, there is the controllability problem of states: not every legal state is reachable, and even for a reachable state, computing a path to it is an NP problem. Therefore some special known states are chosen as the preset states for testing, for example the initial state and the state sets related to indirect input types (which must be the post-states of operations already tested). Concrete methods of state generation, selection and traversal are amply documented in the prior art and understood by those skilled in the art, so they are not explained further in this specification.
For a test template
$op\_template_k = p_k \wedge q_k \wedge r_k$
if an input vector IN = (INs, VALs) and a system state pre_STATE are given, the value of the logical expression $(p_k \wedge pre\_STATE)[VALs/INs]$ can be computed. If it is true, the expected output of this test case is r_k and the state change is q_k, and the generated test vector is (IN, pre_STATE, r_k, q_k); otherwise no test case is generated. Since pre op_test = true, for any state and any input vector, whether the operation succeeds or fails, there is always a test template that makes this expression true and thus generates a corresponding test vector.
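The instantiation of templates into test vectors and the three-way relation between a divided block and a template under a fixed preset state, as an added worked example in Python; it is not code from the patent. The state model (user-exists, user-adm and an access matrix of (grantee, object, privilege, grantor) entries) and the five templates are constructed simplifications of the GrantPermToUser schema in the embodiment, not the LOIS model itself; the object, privilege and grantor are fixed so that only the division of u? is exercised.

```python
"""Step 4 worked example: evaluate (p_k ∧ pre_STATE)[VALs/INs] for every template,
emit (IN, pre_STATE, r_k, post_STATE), and classify block/template relations.
Added illustration; the state model and templates are constructed simplifications."""
from dataclasses import dataclass

@dataclass(frozen=True)
class State:
    users: frozenset          # user-exists
    admins: frozenset         # users for which user-adm holds
    access_matrix: frozenset  # entries (grantee, object, privilege, grantor)

def holds(s, user, obj, priv):
    """True if `user` has been granted `priv` on `obj` in the access matrix."""
    return any(e[:3] == (user, obj, priv) for e in s.access_matrix)

def unchanged(IN, s):
    return s

def grant(IN, s):
    """q_k of the success template: access-matrix' = access-matrix ∪ {(u?, o?, p?, grantor)}."""
    entry = (IN["u?"], IN["o?"], IN["p?"], IN["grantor"])
    return State(s.users, s.admins, s.access_matrix | {entry})

def p_user_missing(IN, s):
    return IN["u?"] not in s.users

def p_user_admin(IN, s):
    return IN["u?"] in s.users and IN["u?"] in s.admins

def p_grantor_unauthorised(IN, s):
    return (IN["u?"] in s.users and IN["u?"] not in s.admins
            and not holds(s, IN["grantor"], IN["o?"], IN["p?"]))

def p_already_granted(IN, s):
    return (IN["u?"] in s.users and IN["u?"] not in s.admins
            and holds(s, IN["grantor"], IN["o?"], IN["p?"])
            and holds(s, IN["u?"], IN["o?"], IN["p?"]))

def p_grant_ok(IN, s):
    return (IN["u?"] in s.users and IN["u?"] not in s.admins
            and holds(s, IN["grantor"], IN["o?"], IN["p?"])
            and not holds(s, IN["u?"], IN["o?"], IN["p?"]))

# (name, p_k, q_k, r_k): the p_k are mutually disjoint and cover every (IN, state).
TEMPLATES = [
    ("grant_ok", p_grant_ok, grant, "ok"),
    ("user_missing", p_user_missing, unchanged, "fail"),
    ("user_is_admin", p_user_admin, unchanged, "fail"),
    ("grantor_unauthorised", p_grantor_unauthorised, unchanged, "fail"),
    ("already_granted", p_already_granted, unchanged, "fail"),
]

def make_vector(IN, s):
    """Exactly one template must hold because pre op_test = true.
    Returns (template name, IN, pre_STATE, r_k, post_STATE)."""
    hits = [t for t in TEMPLATES if t[1](IN, s)]
    if len(hits) != 1:
        raise ValueError(f"templates not disjoint/complete for {IN}: {[h[0] for h in hits]}")
    name, _, q, r = hits[0]
    return (name, IN, s, r, q(IN, s))

def classify_block(block, template, s, base):
    """Relation between a divided block of u? and a template under state s:
    'full' (every member satisfies p_k), 'none' (no member does), or 'partial'."""
    hits = sum(template[1]({**base, "u?": u}, s) for u in block)
    return "full" if hits == len(block) else "none" if hits == 0 else "partial"

def generate(blocks, s, base):
    """One test vector per (block, applicable template). A block that only partially
    satisfies a template therefore yields one vector per outcome instead of a single,
    possibly misleading, representative."""
    vectors = []
    for members in blocks.values():
        by_template = {}
        for u in members:
            v = make_vector({**base, "u?": u}, s)
            by_template.setdefault(v[0], v)
        vectors.extend(by_template.values())
    return vectors

# Constructed preset state and a division of u? by (exists, is admin).
S0 = State(users=frozenset({"alice", "bob", "carol"}), admins=frozenset({"carol"}),
           access_matrix=frozenset({("alice", "tbl1", "Insert", "sys")}))
BASE = {"o?": "tbl1", "p?": "Insert", "grantor": "alice"}
BLOCKS = {"existing non-admin": ["alice", "bob"], "admin": ["carol"], "nonexistent": ["dave"]}

if __name__ == "__main__":
    for name, IN, _, r, post in generate(BLOCKS, S0, BASE):
        print(name, IN["u?"], "->", r, sorted(post.access_matrix))
```

Under S0 the block of existing non-administrators only partially satisfies the success template (alice already holds the privilege, bob does not), so picking a single representative would silently lose either the success path or the already-granted refusal; generating one vector per applicable template keeps both.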
The technical effect of the invention is that it proposes, for the first time, a systematic and practicable method for generating test cases for a secure database management system, which helps to test the security functions of such systems scientifically, comprehensively and accurately. The method takes the security model of the system under test (SUT) as its basis, and the resulting tests are complete, systematic, repeatable and internally consistent. Compared with the existing manual, ad hoc way of evaluation, it better discovers defects in the system implementation and greatly improves test quality. Used together with a formal method tool, it reduces repetitive labour in the test process, lowers the cost of generating a large number of test cases, and helps to automate testing.
Embodiment
The LOIS secure database management system, developed by the State Key Laboratory of Information Security of the Institute of Software, Chinese Academy of Sciences, is taken below as an example to describe in detail the test case generation method for a secure database management system provided by the invention.
Discretionary authorisation in the SDBMS model of this system has two modes: granting directly to a user, and granting to a role first and then having the user activate the role. The direct authorisation operation GrantPermToUser is a management operation; it requires that the user being authorised exists and has not already been granted this privilege. It depends on several other operations, such as creating a user, creating a security label, creating a data object and connecting, so those operations should have been tested before this one is tested. The system also restricts that no type of user may grant privileges to the system administrator, the security administrator or the audit administrator. This operation changes the access control matrix in the system state; its specific description is as follows:
[Z schema of GrantPermToUser; figure A20051008676100131 not reproduced]
After being supplemented for completeness, the operation specification is:
[Z schema of GrantPermToUser_full; figure A20051008676100132 not reproduced]
Operation GrantPermToUser must satisfy the axiom GrantPermToUser_axiom: either the grantor was once granted this privilege and is allowed to propagate it, or the grantor is the owner of the object privilege. The object privileges are classified as follows:
dbOwnerPrivs == {ConnectDatabase, CreateDomain, CreateTable, CreateView}
dmOwnerPrivs == {CreateonDomain, DroponDomain, UseDomain, DropDomain}
tbOwnerPrivs == {CreateRule, DropRule, SelectTable, Insert, Delete, DropTable}
viOwnerPrivs == {SelectView, DropView}
The formal description of the axiom GrantPermToUser_axiom is:
Transition · GrantPermToUser
cur-trans-class(T) = osi-class(o?)
(∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∨ (owner(database-osi(session-database(trans-session(T)))) = trans-user(T)
   ∧ p? ∈ dbOwnerPrivs)
[remaining disjuncts of the axiom given as figures A20051008676100134 and A20051008676100136, not reproduced]
Through after the step 1, the complete expression formula of test specification test_GrantPermToUser of operation GrantPermToUser is:
test_GrantPermToUser ≙ GrantPermToUser_full′
((¬GrantPermToUser ¬GrantPermToUser_axiom) ∧ Fail)
The test specification is transformed into disjunctive normal form by applying the rewriting rules. The part in which the operation succeeds has 8 test templates, namely:
(Transition · cur-trans-class(T) = osi-class(o?)
∧ (∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ ((owner(database-osi(session-database(trans-session(T))))
= trans-user(T))
∧ p? ∈ dbOwnerPrivs)
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ (∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ d : DOMAINS · domain-osi(d) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ dmOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ (∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ t : MREAL-IDS · real-osi(t) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ tbOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ (∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ t : MVIEW-IDS · view-osi(t) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ viOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ ¬(∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ ((owner(database-osi(session-database(trans-session(T))))
= trans-user(T))
∧ p? ∈ dbOwnerPrivs)
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ ¬(∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ d : DOMAINS · domain-osi(d) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ dmOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ ¬(∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ t : MREAL-IDS · real-osi(t) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ tbOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
∨ (Transition · cur-trans-class(T) = osi-class(o?)
∧ ¬(∃ g : USERS · (trans-user(T), o?, p?, g, true) ∈ access-matrix)
∧ (∃ t : MVIEW-IDS · view-osi(t) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ viOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok)
In the above example, after the 4th test template has been completed, it can be expressed in the form:
test_template4 ≙ [signature | cur-trans-class(T) = osi-class(o?)
∧ (∃ t : MREAL-IDS · real-osi(t) = o?)
∧ owner(o?) = trans-user(T)
∧ p? ∈ tbOwnerPrivs
∧ u? ∈ user-exists
∧ ¬user-adm(u?)
∧ o? ∈ osi-exists
∧ (u?, o?, p?, trans-user(T), a?) ∉ access-matrix
∧ access-matrix′ = access-matrix ∪ {(u?, o?, p?, trans-user(T), a?)}
∧ re! = ok]
The predicates in a test template can be further simplified and expressed in canonical form. Below, owner(o?) = trans-user(T) is taken as an example to explain the refinement process.
(owner(o?)=trans-user(T))∧TCB
Figure A20051008676100174
Figure A20051008676100175
⇔ (∃ u1 : USERS · owner(o?) = u1
∧ trans-user(T) = u1
∧ dom owner ∈ osi_exist
∧ dom tran-user ∈ tran_exist
∧ ran owner ∈ user_exist
∧ ran tran-user ∈ user_exist
u1 ∈ USERS
∧ o? ∈ osi_exist
∧ u1 ∈ user_exist
∧ T ∈ tran_exist
∧ owner(o?) = u1
∧ trans-user(T) = u1
u1 ∈ user_exist
∧ o? ∈ osi_exist
∧ T ∈ tran_exist
Figure A20051008676100177
Figure A20051008676100178
The functions owner, trans-user, osi-class, cur-trans-class, user-admin, etc. in template 4 can all be refined again by the same approach. The canonical form generated from test template 4 after all functions have been refined is as follows:
Figure A20051008676100181
According to the requirement of step 2, this template can be expressed as:
Figure A20051008676100182
The constraints that the operation input must satisfy can be distinguished by their semantics and expression form:
∧ t ∈ real_exist ∧ clss ∈ CLASSES ∧ p? ∈ tbOwnerPrivs
Figure A20051008676100184
∧ u? ∈ user_exist ∧ u? ≠ sysadmin ∧ u? ≠ audadmin ∧ u? ≠ secadmin
Figure A20051008676100185
(u?, o?, p?, u1, a?) ∉ access-matrix
The state change caused by the operation is:
q4 ≙ access-matrix′ = access-matrix ∪ {(u?, o?, p?, u1, a?)}
The output result produced by the operation is:
r4 ≙ re! = ok
Here the direct input variables are o?, p?, u? and a?, belonging to types OSI, PRIVILEGES, USERS and BOOLEAN respectively. The indirect input variables are T, u1, t and clss, belonging to types TRANSACTIONS, USERS, TUPLES and CLASSES respectively. The direct output variable is re!; the indirect output variable is access-matrix.
After the operation template has been determined, the next step is to determine the partition to apply on the type of each input variable. The input variable u? denotes the authorized user and belongs to type USERS. This type has three particular values, namely the system administrator sysadmin, the audit administrator audadmin and the security administrator secadmin. Therefore the particular-value partition on type USERS is π0 = {u = sysadm, u = secadm, u = audadm, u ≠ sysadm ∧ u ≠ secadm ∧ u ≠ audadm}. The number of blocks is 4.
Type USERS has four functions defined on it, namely:
user-adm : USERS ⇸ BOOLEAN, codomain {true, false}
user-status : USERS ⇸ BOOLEAN, codomain {true, false}
user-kind : USERS ⇸ SKIND, codomain {Sys, Sec, Aud, Common}
user-class : USERS ⇸ CLASSES, codomain particular values {SysHigh, SysLow, Trusted}.
The function-value partitions of the four functions on type USERS are respectively:
π1 = {user_adm(u) = true, user_adm(u) = false}, π2 = {user_status(u) = true, user_status(u) = false},
π3 = {user_kind(u) = Sys, user_kind(u) = Sec, user_kind(u) = Aud, user_kind(u) = Common},
π4 = {user_class(u) = SysHigh, user_class(u) = SysLow, user_class(u) = Trusted,
user_class(u) ≠ SysHigh ∧ user_class(u) ≠ SysLow ∧ user_class(u) ≠ Trusted}.
Their numbers of blocks are 2, 2, 4 and 4 respectively.
Type USERS also has a set user_exists defined on it; its set partition is π5 = {u ∈ user_exists, u ∉ user_exists}, and the number of blocks is 2.
Because function user-admin is subject to the constraints user-admin(sysadmin) = true, user-admin(audadmin) = true and user-admin(secadmin) = true in the above partition, and
u ∈ user-exists ∧ u ≠ sysadm ∧ u ≠ secadm ∧ u ≠ audadm ⇒ user-admin(u) = false, partitions π0 and π1 are in a subordinate relation, and their combined partition is equivalent to π0.
Because function user-status is subject to the constraints user-status(sysadmin) = true, user-status(audadmin) = true and user-status(secadmin) = true, partitions π0 and π2 are partly in a subordinate relation and partly in an orthogonal relation; their combined partition number is 3 + 1 × 2 = 5. Similarly, partitions π0 and π3 are partly subordinate and partly orthogonal, and the combined partition number of (π0, π1, π2, π3) is 3 + 2 × 4 = 11. Partition π4 is orthogonal to π0, π2 and π3, so the combined partition number of (π0, π1, π2, π3, π4) is 11 × 4 = 44.
Because the domains of the above functions are restricted by dom user-status = user-exists, dom user-adm = user-exists, dom user-kind = user-exists and dom user-class = user-exists, there is a subordinate relation between π1, π2, π3, π4 and π5, and the combined partition number is 44 + 1 = 45.
Similarly, the combined partition number on type PRIVILEGES is 16, the combined partition number on type OSI is 4, and the data partition number on type BOOLEAN is 2.
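As an added illustration, not taken from the patent, the following Python enumerates the block combinations of π0 to π5 under the constraints stated above (subordinate blocks collapse, orthogonal blocks multiply, infeasible combinations are dropped) and reproduces the counts 4, 5, 11, 44 and 45; the fixed user-kind of each administrator (Sys, Sec, Aud) is an assumption drawn from the "similarly" remark, not a constraint the text spells out.

```python
from itertools import product

# Blocks of the partitions on type USERS as named in the embodiment:
# pi0 particular values, pi1..pi4 function values, pi5 set membership.
PARTITIONS = {
    "pi0": ["sysadm", "secadm", "audadm", "other"],
    "pi1": [True, False],                                   # user_adm(u)
    "pi2": [True, False],                                   # user_status(u)
    "pi3": ["Sys", "Sec", "Aud", "Common"],                 # user_kind(u)
    "pi4": ["SysHigh", "SysLow", "Trusted", "OtherClass"],  # user_class(u)
    "pi5": [True, False],                                   # u in user_exists
}

# Assumption: each administrator has a fixed kind, just as it has a fixed
# user-adm and user-status value (the text only says "similarly").
ADMIN_KIND = {"sysadm": "Sys", "secadm": "Sec", "audadm": "Aud"}

def canonical(block):
    """Apply the embodiment's constraints to one combination of blocks.
    Returns None when the combination is an empty sub-domain, otherwise
    the block with choices the constraints make indistinguishable merged."""
    if block.get("pi5") is False:
        # dom f = user_exists for every function: outside user_exists no
        # function value is observable, so all such combinations are one block.
        return {"pi5": False}
    who = block.get("pi0")
    if who in ADMIN_KIND:
        # user-adm(admin) = true, user-status(admin) = true, user-kind fixed.
        if block.get("pi1") is False or block.get("pi2") is False:
            return None
        if "pi3" in block and block["pi3"] != ADMIN_KIND[who]:
            return None
    elif who == "other" and block.get("pi1") is True:
        # u in user-exists and u not an administrator => user-admin(u) = false
        return None
    return block

def combined_blocks(names):
    """Combined partition of the named partitions: the Cartesian product of
    their blocks, filtered and merged by canonical()."""
    result = set()
    for values in product(*(PARTITIONS[n] for n in names)):
        c = canonical(dict(zip(names, values)))
        if c is not None:
            result.add(tuple(sorted(c.items())))
    return result

def combined_count(names):
    return len(combined_blocks(names))

if __name__ == "__main__":
    for names in (["pi0", "pi1"], ["pi0", "pi2"], ["pi0", "pi1", "pi2", "pi3"],
                  ["pi0", "pi1", "pi2", "pi3", "pi4"], list(PARTITIONS)):
        print(names, combined_count(names))
```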
The combined partitions on the several types constitute the input vector set. Because the partition on type PRIVILEGES is related to the partition on type OSI, the number of input vectors of operation test_GrantPermToUser is 45 × 16 × 2 = 1440. In step 4, for a certain preset state pre_STATEi and input vector IN = (u? = alice, p? = Insert, o? = 10481112, a? = true), a tool is used to compute the value of the predicate (test_GrantPermToUser ∧ pre_STATEi)[u?/alice, o?/10481112, p?/Insert, a?/true]. Its value is 'true', so a test vector is generated, in which the output vector is OUT = (re! = ok) and the state-change vector is post_STATE ≙ access-matrix′ = access-matrix ∪ {(u?, o?, p?, u1, a?)}. The final test vector is (IN, pre_STATEi, OUT, post_STATE).
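As an added example, not part of the patent, the following Python instantiates test template 4 against a constructed pre-state: it evaluates the template predicate for the input vector (u? = alice, p? = Insert, o? = 10481112, a? = true) and emits (IN, pre_STATE, OUT, post_STATE) only when the predicate holds, returning nothing when the input falls outside the sub-domain. The transaction T1, the owner bob and the reduction of the model functions to dictionaries and sets are assumptions of this example.

```python
from dataclasses import dataclass

# Object privileges of tables, as classified in the embodiment.
TB_OWNER_PRIVS = {"CreateRule", "DropRule", "SelectTable", "Insert", "Delete", "DropTable"}

@dataclass
class State:
    """Constructed pre-state pre_STATEi: the model functions referred to by
    test template 4, reduced to plain dictionaries and sets."""
    user_exists: set
    user_adm: dict          # user-adm : USERS -> BOOLEAN
    trans_user: dict        # trans-user : TRANSACTIONS -> USERS
    cur_trans_class: dict   # cur-trans-class : TRANSACTIONS -> CLASSES
    osi_exists: set
    osi_class: dict         # osi-class : OSI -> CLASSES
    owner: dict             # owner : OSI -> USERS
    real_osi: set           # objects that are real tables (range of real-osi)
    access_matrix: set      # tuples (u, o, p, grantor, grant-option)

def template4_holds(s, T, u, o, p, a):
    """Evaluate the predicate of test template 4 on pre-state s for the
    direct inputs u?, o?, p?, a? and the indirect input T."""
    grantor = s.trans_user.get(T)                      # trans-user(T)
    return (
        grantor is not None
        and s.cur_trans_class.get(T) == s.osi_class.get(o)
        and o in s.real_osi                            # exists t : real-osi(t) = o?
        and s.owner.get(o) == grantor                  # owner(o?) = trans-user(T)
        and p in TB_OWNER_PRIVS                        # p? in tbOwnerPrivs
        and u in s.user_exists                         # u? in user-exists
        and not s.user_adm.get(u, False)               # not user-adm(u?)
        and o in s.osi_exists                          # o? in osi-exists
        and (u, o, p, grantor, a) not in s.access_matrix
    )

def generate_test_vector(s, T, u, o, p, a):
    """Step 4: when the instantiated predicate is true, return the test
    vector (IN, pre_STATE, OUT, post_STATE); otherwise the input does not
    lie in this sub-domain and None is returned."""
    if not template4_holds(s, T, u, o, p, a):
        return None
    grantor = s.trans_user[T]
    return {
        "IN": {"u?": u, "p?": p, "o?": o, "a?": a},
        "pre_STATE": s,
        "OUT": {"re!": "ok"},
        "post_STATE": {"access-matrix": s.access_matrix | {(u, o, p, grantor, a)}},
    }

def sample_state():
    """Constructed pre-state: bob owns table 10481112 and runs transaction
    T1 at class SysLow; alice is an ordinary, non-administrator user."""
    return State(
        user_exists={"alice", "bob", "sysadmin", "secadmin", "audadmin"},
        user_adm={"sysadmin": True, "secadmin": True, "audadmin": True,
                  "alice": False, "bob": False},
        trans_user={"T1": "bob"},
        cur_trans_class={"T1": "SysLow"},
        osi_exists={10481112},
        osi_class={10481112: "SysLow"},
        owner={10481112: "bob"},
        real_osi={10481112},
        access_matrix=set(),
    )
```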
The method provided by the present invention has been described above through a specific embodiment; those skilled in the art will understand that modifications or equivalent substitutions can be made to the present invention without departing from its spirit and essence.

Claims (6)

1. A test case generation method for a secure database management system, comprising the following steps:
1) generating a test specification: according to the formal specification describing the operating functions of the system and the safety axiom requirements of the operations, generate the test specification of each operation in the system;
2) generating test templates: apply equivalence transformations to the test specification according to certain rewriting rules and express it in disjunctive normal form, so that the test specification of the operation is equivalently represented as a group of test templates;
3) type partitioning: apply heuristic equivalence transformations to the types existing in the system, further subdividing the test space represented by each test template;
4) generating test vectors: check each test subdomain, instantiate it, and generate the corresponding test vector.
2. The method of claim 1, characterized in that the test specification comprises:
the definition of the operation in the system security model;
the set of safety axioms in the system security model that are related to the operation;
the fixed constraints existing on the relevant intermediate state variables of the system.
3. The method of claim 1, characterized in that the set of test templates generated in step 2) divides the test space of the operation into a group of mutually disjoint test subdomains, each test template represents one test subdomain, and the set of test templates is complete, covering the entire test space of the tested operation.
4. The method of claim 1, characterized in that the kinds of type partition comprise one or more of the following partition modes: particular-value partition, function-value partition, set partition and data partition, and the partition on a given type is the combined partition computed from the above partitions.
5. The method of claim 4, characterized in that, in the type partitioning process, if there are several orthogonal partitions on a given type, a certain selection principle can be applied to these partitions to reduce the number of generated test cases.
6. The method of claim 1, characterized in that the test vector comprises: an input vector, a current state vector, an output vector and a state-change vector.
CN 200510086761 2005-11-02 2005-11-02 Test example generation method of safety data base management system Pending CN1752945A (en)


Publications (1)

Publication Number Publication Date
CN1752945A true CN1752945A (en) 2006-03-29

Family

ID=36679804



Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100583057C (en) * 2008-04-22 2010-01-20 中国科学院软件研究所 Credible password module test case creation method and its test system
CN101833507A (en) * 2010-05-04 2010-09-15 王轶辰 Method for testing software based on testing framework
CN101833507B (en) * 2010-05-04 2011-12-07 王轶辰 Method for testing software based on testing framework
CN101930398A (en) * 2010-07-02 2010-12-29 中国人民解放军总参谋部第五十四研究所 Software vulnerability analysis method of variant multi-dimensional input based on Fuzzing technology
WO2012109771A1 (en) * 2011-02-18 2012-08-23 Hewlett-Packard Development Company, L. P. Generating test data
CN103348329A (en) * 2011-02-18 2013-10-09 惠普发展公司,有限责任合伙企业 Generating test data
US10255152B2 (en) 2011-02-18 2019-04-09 Entit Software Llc Generating test data
CN104011750A (en) * 2011-12-28 2014-08-27 西门子公司 Processing a technical system
CN103365772A (en) * 2012-04-06 2013-10-23 株式会社日立制作所 Device and method for software testing automatic evaluation
CN103365772B (en) * 2012-04-06 2016-08-03 株式会社日立制作所 Software test automatic evaluation device and method
CN109697161A (en) * 2017-10-24 2019-04-30 中兴通讯股份有限公司 A kind of test method of storing process, storage medium and database server


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication