Relational Test Tables: A Practical Specification Language for Evolution and Security

TL;DR

This paper introduces relational test tables, a new specification language extension for expressing and verifying relational properties like security and equivalence in programs, making such verification more accessible to practitioners.

Contribution

It presents relational test tables as a practical extension of generalised test tables, enabling specification and verification of relational properties including asynchronous behaviors.

Findings

Successfully specified and verified relational properties in automated product systems

Supported asynchronous program runs through stuttering in test tables

Demonstrated practical applicability of the approach

Abstract

A wide range of interesting program properties are intrinsically relational, i.e., they relate two or more program traces. Two prominent relational properties are secure information flow and conditional program equivalence. By showing the absence of illegal information flow, confidentiality and integrity properties can be proved. Equivalence proofs allow using an existing (trusted) software release as specification for new revisions. Currently, the verification of relational properties is hardly accessible to practitioners due to the lack of appropriate relational specification languages. In previous work, we introduced the concept of generalised test tables: a table-based specification language for functional (non-relational) properties of reactive systems. In this paper, we present relational test tables -- a canonical extension of generalised test tables for the specification of relational properties, which refer to two or more program runs or traces. Regression test tables support asynchronous program runs via stuttering. We show the applicability of relational test tables, using them for the specification and verification of two examples from the domain of automated product systems.