CN1752945A

CN1752945A - Method for Generating Test Cases of Security Database Management System

Info

Publication number: CN1752945A
Application number: CN 200510086761
Authority: CN
Inventors: 张敏; 冯登国; 徐震; 吕双双; 陈驰; 黄亮
Original assignee: Institute of Software of CAS
Current assignee: Institute of Software of CAS
Priority date: 2005-11-02
Filing date: 2005-11-02
Publication date: 2006-03-29

Abstract

本发明首次提出了一种用于生成安全数据库管理系统测试用例的系统化、可操作的方法，包含如下步骤：1)生成测试规约，依据描述系统操作功能的形式化规约与操作的安全公理要求生成系统中各个操作的测试规约；2)生成测试模板，按照一定的重写规则对测试规约进行等价变换，将其表示成析取范式形式，从而将操作的测试规约等价表示为一组测试模板；3)类型划分，对系统中存在的类型进行启发式等价变换，进一步细分每个测试模板所代表的测试空间；4)生成测试向量，检验各测试子域，并将其实例化，生成相应的测试向量。该方法以被测系统的安全模型为依据，测试的结果具有完备性、科学性、可重复性和内在一致性。The present invention proposes for the first time a systematic and operable method for generating test cases of a security database management system, which includes the following steps: 1) generating a test protocol, based on the formalized protocol describing the system operation function and the security axiom requirements of the operation Generate test specifications for each operation in the system; 2) Generate test templates, perform equivalent transformations on test specifications according to certain rewriting rules, and express them in the form of disjunctive normal form, so that the test specifications of operations can be equivalently represented as a set Test template; 3) type division, perform heuristic equivalent transformation on the types existing in the system, and further subdivide the test space represented by each test template; 4) generate test vectors, test each test sub-domain, and instance to generate corresponding test vectors. This method is based on the security model of the system under test, and the test results are complete, scientific, repeatable and internally consistent.

Description

Method for Generating Test Cases of Security Database Management System

技术领域technical field

本发明属于计算机软件的测试与评估领域，主要涉及安全数据库管理系统(SecureDataBase Management System，简称SDBMS)的测试与评估，更确切地是基于SDBMS安全策略模型的高安全等级安全数据库管理系统测试用例生成方法。The invention belongs to the field of testing and evaluation of computer software, and mainly relates to the testing and evaluation of a secure database management system (SecureDataBase Management System, referred to as SDBMS), more precisely, the generation of test cases for a high-security database management system based on the SDBMS security strategy model method.

背景技术Background technique

软件测试是检验软件实现与其功能规约之间的一致性、并保证软件质量的一种有效手段。在基于安全评估标准实现信息安全产品评估的过程中，评估方对安全系统的安全功能实施全面、系统的第三方测试是评估中一个不可缺少的重要环节。但由于多种原因，目前独立的安全功能测试在我国安全数据库管理系统评估中并没有占据重要的地位。其关键问题在于如何实现测试用例的组织与设计，目前缺乏一种系统的方法快速生成针对特定信息安全产品/系统(包括SDBMS)的测试用例集。Software testing is an effective means to check the consistency between software implementation and its functional specifications, and to ensure software quality. In the process of evaluating information security products based on security evaluation standards, it is an indispensable and important link in the evaluation that the evaluator conducts comprehensive and systematic third-party testing of the security functions of the security system. However, due to many reasons, the independent security function test does not occupy an important position in the evaluation of our country's security database management system. The key problem is how to implement the organization and design of test cases. At present, there is a lack of a systematic method to quickly generate test case sets for specific information security products/systems (including SDBMS).

由于软件著作权利等限制，第三方独立测试大多采用基于规约的测试。系统规约来源于系统需求，它完整地定义了系统的行为。基于规约的测试可以确定输入输出之间的影响关系，有效保证软件功能测试的全面性。形式化规约是系统规约的一种更为精确的表达形式，能更好地消除系统需求中的二义性。同时，形式化规约提供一种规范的表达形式，因而便于对其进行自动化处理。依据形式化安全规约自动生成测试用例将大大的减少测试工作量。目前存在的一种做法是，通过功能规约建模，按照一定的重写规则划分测试空间，自动生成测试用例。Due to restrictions such as software copyright rights, third-party independent testing mostly uses protocol-based testing. The system specification is derived from the system requirements, which completely defines the behavior of the system. Protocol-based testing can determine the impact relationship between input and output, effectively ensuring the comprehensiveness of software functional testing. Formal specification is a more precise expression form of system specification, which can better eliminate the ambiguity in system requirements. At the same time, the formal specification provides a canonical form of expression, thus facilitating its automatic processing. Automatically generating test cases according to the formal safety specification will greatly reduce the testing workload. A current practice is to divide the test space according to certain rewriting rules through functional specification modeling, and automatically generate test cases.

然而，上述方法在针对SDBMS系统的测试评估中直接应用会导致一些特殊问题：上述形式化功能规约重写规则(或是启发式)纯粹只与语法相关，与语义无关，因此产生的测试用例缺乏针对性，难于发现具体系统中的问题。另外，SDBMS系统中每个操作的输入变量空间有限，但系统内部状态空间十分庞大，几乎是无限的。上述方法只适用于较小规模的系统，也不能直接应用于SDBMS系统的测评。However, the direct application of the above methods in the test and evaluation of SDBMS systems will lead to some special problems: the above-mentioned formal functional specification rewriting rules (or heuristics) are purely related to syntax and have nothing to do with semantics, so the generated test cases lack Targeted, it is difficult to find problems in specific systems. In addition, the input variable space of each operation in the SDBMS system is limited, but the internal state space of the system is very large, almost infinite. The above method is only suitable for smaller-scale systems, and cannot be directly applied to the evaluation of SDBMS systems.

更为重要的是，对于包括SDBMS在内的大多数信息安全产品，系统规约并不能真实地反映现实系统的行为。因为系统中的操作除了要完成其预定的功能外，同时必须满足安全策略要求。安全策略描述一个信息安全产品(或系统)所要保护的对象，以及采取的所有保护措施。存在不同抽象层次的安全策略，如系统的安全目标，与系统的安全策略模型等。高安全等级SDBMS中存在形式化的安全策略模型。More importantly, for most information security products including SDBMS, the system specification cannot truly reflect the behavior of the real system. Because the operations in the system must meet the security policy requirements in addition to completing their intended functions. A security policy describes the objects to be protected by an information security product (or system) and all protective measures taken. There are security policies at different levels of abstraction, such as the system's security goals, and the system's security policy model. There is a formal security policy model in the high security level SDBMS.

另一种做法是通过对非形式化的安全目标建模，建立精确的形式化安全功能模型。这种做法存在的问题是：因为存在测评人员的人工建模过程，所以模型与最终的测试结果严重依赖于建模人员对开发者提供的非形式化的安全目标的正确理解。另外，安全目标中的安全策略粒度比较粗，需要测评人员将安全策略中的主客体与实际系统对象一一对应。Another approach is to build precise formal safety function models by modeling informal safety goals. The problem with this approach is that because of the manual modeling process of the evaluators, the model and the final test results are heavily dependent on the correct understanding of the informal security goals provided by the developers. In addition, the granularity of the security policy in the security target is relatively coarse, requiring the evaluators to correspond the subjects and objects in the security policy with the actual system objects one by one.

发明内容Contents of the invention

针对上述问题，本发明的目的在于提供一种基于SDBMS安全策略模型的测试用例生成方法。该测试方法的基本前提要求包括：In view of the above problems, the object of the present invention is to provide a test case generation method based on the SDBMS security policy model. Basic prerequisites for this test method include:

1.一个SDBMS安全策略模型：1. An SDBMS security policy model:

该模型的正确性经形式化工具证明。一个典型的形式化SDBMS安全策略模型中具备以下要素：(1)状态集(STATES)，描述系统合法状态；(2)安全公理集(ANXIOMS)，安全公理是模型中定义的一组性质，某个系统状态S是安全的当且仅当它满足这些性质；(3)操作集(OPS)，系统状态的转换由系统操作实现，每个操作都是受控的，只有在其产生一个安全状态时，才允许其执行，即它满足模型中的所有性质；(4)安全定理集(THEOREMS)，可以证明的抽象安全模型所满足的一些安全性质。The correctness of the model is proved by formal tools. A typical formalized SDBMS security policy model has the following elements: (1) state set (STATES), which describes the legal state of the system; (2) security axiom set (ANXIOMS), security axioms are a set of properties defined in the model, a certain A system state S is safe if and only if it satisfies these properties; (3) operation set (OPS), the transition of the system state is realized by the system operation, and each operation is controlled, only when it produces a safe state Only when it is allowed to execute, that is, it satisfies all the properties in the model; (4) Security theorem set (THEOREMS), which can prove some security properties satisfied by the abstract security model.

2.待测SDBMS产品一套：2. A set of SDBMS products to be tested:

该产品依据前述SDBMS安全策略模型实现，两者经开发者确认保持一致。The product is implemented based on the aforementioned SDBMS security policy model, and the two have been confirmed to be consistent by the developer.

3.待测SDBMS的高层规约，以及该产品的具体接口定义文档。3. The high-level specification of the SDBMS to be tested, and the specific interface definition document of the product.

本发明所提供的基于SDBMS安全模型的测试用例生成方法是基于以下的构思：形式化安全策略模型是生成SDBMS安全功能测试用例的基础，生成测试用例方法的基本思想是确定测试状态空间，并对测试空间(包括输入状态空间以及中间状态空间)进行划分。因为根据测试理论中的统一假设(unified hypothesis)思想，每个划分中的所有输入与状态的表现应该相同。因此在每个划分中选取其中的一个或几个实例进行测试。The test case generation method based on the SDBMS security model provided by the present invention is based on the following ideas: the formalized security policy model is the basis for generating SDBMS security function test cases, and the basic idea of the test case generation method is to determine the test state space, and The test space (including the input state space and the intermediate state space) is divided. Because according to the unified hypothesis (unified hypothesis) idea in test theory, all inputs and states in each partition should behave the same. Therefore, one or several examples are selected for testing in each division.

本方法中包括两类测试空间的划分策略：一类是子域划分。将测试空间划分成测试子域。每个子域由一个抽象的测试模板描述；另一类是类型划分。将变量所属的类型值划分，测试模板被实例化为具体的测试用例。This method includes two types of test space division strategies: one is sub-domain division. Divide the test space into test subdomains. Each subdomain is described by an abstract test template; the other is type division. The type value of the variable is divided, and the test template is instantiated into a specific test case.

具体来说，该方法包括以下四个步骤：Specifically, the method includes the following four steps:

步骤一：生成测试规约。因为生成测试用例的前提是精确、完整的形式化测试规约，所以在步骤一中必须依据描述操作功能的形式化规约与操作的安全公理要求等生成测试规约。Step 1: Generate test specification. Because the premise of generating test cases is an accurate and complete formal test specification, so in the first step, the test specification must be generated according to the formal specification describing the operation function and the safety axiom requirements of the operation.

步骤二：生成测试模板。步骤二通过测试规约重写对测试规约所限定的测试空间进行子域划分。子域间互不相交，并且每个测试子域对应一个测试模板。Step 2: Generate a test template. Step 2 divides the test space defined by the test protocol into sub-domains by rewriting the test protocol. The subdomains are disjoint, and each test subdomain corresponds to a test template.

步骤三：类型划分。步骤三提供与步骤二不同的划分方式——类型划分。类型划分在测试子域的基础上进一步划分测试空间。Step 3: Type division. Step 3 provides a division method different from Step 2—type division. Type partitioning further divides the test space on the basis of test sub-domains.

步骤四：生成测试向量。综合上述两种划分方式，步骤四中检验各测试子域，并将其实例化，生成相应的测试向量，构成一个完整的测试用例。Step 4: Generate test vectors. Combining the above two division methods, in step 4, each test sub-domain is checked and instantiated to generate corresponding test vectors to form a complete test case.

下面以Z语言描述的SDBMS模型为例说明上述四个步骤的内容，该步骤思想可以自然地应用于其他形式化语言描述的SDBMS模型，此处Z语言仅用于说明本发明内容，对本发明不构成任何限制。The following uses the SDBMS model described in Z language as an example to illustrate the contents of the above four steps. The idea of this step can be naturally applied to SDBMS models described in other formal languages. constitute any restrictions.

步骤一：生成测试规约Step 1: Generate a test specification

SDBMS系统中一个操作的测试规约全面、准确地反映了该操作的行为。具体来说，SDBMS安全模型操作集中某个成员操作op的测试规约由以下三部分构成：The test specification of an operation in the SDBMS system fully and accurately reflects the behavior of the operation. Specifically, the test specification for a member operation op in the SDBMS security model operation set consists of the following three parts:

(1)操作op在SDBMS模型中的基础定义：(1) The basic definition of the operation op in the SDBMS model:

操作op在SDBMS模型中的基础定义的声明部分包括操作的输入变量集合ins，输出变量集合outs，以及操作前后的中间状态变量集合Δstate。操作基础定义中的谓词部分可按语义分为两类：一类是操作op发生的预条件约束，标记为P；另一类是该操作所导致系统状态变化，标记为Q。它们的含义是：当且仅当预条件约束P满足时，操作op执行，正确执行后导致系统的状态变化满足Q。例如，以Z语言shcema形式表示的操作op的基础定义为：The declaration part of the basic definition of the operation op in the SDBMS model includes the input variable set ins of the operation, the output variable set outs, and the intermediate state variable set Δstate before and after the operation. The predicate part in the basic definition of operation can be divided into two categories according to semantics: one is the precondition constraint of operation op, marked as P; the other is the change of system state caused by the operation, marked as Q. Their meanings are: if and only if the precondition constraint P is satisfied, the operation op is executed, and the state change of the system will satisfy Q after the correct execution. For example, the basic definition of the operation op expressed in Z language shcema form is:

操作的形式化定义必须满足一致性要求与完整性要求。一致性要求指操作的预条件约束是可满足的；完整性要求指不存在任何遗留的定义域，它的操作结果没有定义。若在操作基础定义上补充操作约束不满足时的描述，增添如上述定义操作non_op，Success，与Fail。则构成如下形式的操作：The formal definition of the operation must meet the requirements of consistency and completeness. The consistency requirement means that the precondition constraints of the operation are satisfyable; the completeness requirement means that there is no remaining definition domain, and its operation result is not defined. If the description of when the operation constraint is not satisfied is supplemented on the basic operation definition, add the operations non_op, Success, and Fail as defined above. Then constitute an operation of the following form:

因为pre op_full＝true，操作op_full为一个一致且完整的操作。Because pre op_full=true, the operation op_full is a consistent and complete operation.

(2)SDBMS模型中与操作相关的安全公理(集)：(2) Operation-related security axioms (sets) in the SDBMS model:

SDBMS安全策略模型中的大多数操作都必须满足特定的安全公理(集)。例如某个SDBMS安全策略模型要求数据对象上的插入、删除操作应该满足基于角色的访问控制模型中的静态约束与动态约束。操作op必须满足的安全公理集表示为函数axioms(op)。安全公理通常表现为谓词约束，它与系统定义的安全策略直接相关，反映系统所要求的安全性质。本方法将安全性质约束与操作自身语义约束区分，使得SDBMS安全策略模型结构更清晰。Most operations in the SDBMS security policy model must satisfy certain security axioms (sets). For example, a certain SDBMS security policy model requires that the insert and delete operations on data objects should satisfy the static constraints and dynamic constraints in the role-based access control model. The set of security axioms that an operation op must satisfy is expressed as a function axioms(op). Security axioms are usually expressed as predicate constraints, which are directly related to the security policies defined by the system and reflect the security properties required by the system. This method distinguishes the security property constraints from the semantic constraints of the operation itself, making the structure of the SDBMS security policy model clearer.

加入安全公理约束后的操作op的基础定义及补充定义分别调整为op′与non_op′：The basic definition and supplementary definition of the operation op after adding the security axiom constraints are adjusted to op′ and non_op′ respectively:

类似的，加入安全公理约束后完整的操作表示为：Similarly, the complete operation after adding the security axiom constraint is expressed as:

(3)系统相关中间状态变量中存在的固定约束：(3) Fixed constraints existing in system-related intermediate state variables:

实际上，操作op除了受预条件P约束外，还必须满足一些与操作非直接相关的约束。这些约束限制系统中间变量之间的关系，只有满足这些固定约束的状态才可能是一个合法的系统状态。因此操作op发生的前状态隐含着这些约束。若以符号TCB表示这些固定约束，则操作规约实际上应该是：

操作op的基础定义及补充定义可进一步调整为op″与non_op″：In fact, in addition to being constrained by the precondition P, the operation op must also satisfy some constraints not directly related to the operation. These constraints limit the relationship between the intermediate variables of the system, and only a state that satisfies these fixed constraints can be a legal system state. These constraints are thus implied by the state before the operation op occurred. If these fixed constraints are represented by the symbol TCB, the operation specification should actually be:

The basic definition and supplementary definition of the operation op can be further adjusted to op" and non_op":

完整的操作表示为：The complete operation is expressed as:

因为系统任何状态都必须满足TCB约束，状态

TCB在实际系统中是不可达的。若SDBMS安全模型中存在类似的初始化定理并予以证明，则考虑到操作的完整性要求，操作op的完整定义仍然等价于op_full′。Because any state of the system must satisfy the TCB constraint, the state

TCB is not reachable in practical systems. If a similar initialization theorem exists in the SDBMS security model and is proved, then considering the integrity requirements of the operation, the complete definition of the operation op is still equivalent to op_full'.

综上所述，对于SDBMS安全策略模型中的操作op，根据是否存在经证明的初始化定理，上述三部分组成其测试规约op_test可以最终表示为如下形式：To sum up, for the operation op in the SDBMS security policy model, according to whether there is a proven initialization theorem, the test specification op_test composed of the above three parts can be finally expressed as the following form:

$op_test \hat{=} op_{full}^{''}$ 或 $op_test \hat{=} op_{full}^{'}$ $op_test \hat{=} op_{full}^{''}$ or $op_test \hat{=} op_{full}^{'}$

步骤二：生成测试模板Step 2: Generate a test template

操作的测试规约准确地描述了操作的行为特征，同时也限定了该操作的测试空间。但在生成针对该操作的测试用例前，必须先将该测试空间划分，成为一系列互不相交的测试子域空间。我们按照特定的重写规则对测试规约中的谓词约束部分进行等价变换，将其化简成析取范式(DNF)形式，从而将操作op的测试规约op_test等价表示为一组测试模板。The test specification of an operation accurately describes the behavioral characteristics of the operation, and also limits the test space of the operation. But before generating test cases for this operation, the test space must be divided into a series of disjoint test sub-domain spaces. According to specific rewriting rules, we perform equivalent transformation on the predicate constraint part in the test specification, and simplify it into the form of disjunctive normal form (DNF), so that the test specification op_test of the operation op is equivalently expressed as a set of test templates.

等价变换所使用的重写规则无法一一列举，其中主要的几个规则包括：The rewriting rules used by the equivalent transformation cannot be listed one by one, and the main rules include:

(1)存在量词消除规则(单点规则)：(1) There are quantifier elimination rules (single-point rules):

(2)全称量词消除规则：(2) full quantifier elimination rule:

(3)分配律规则：(3) Distributive rules:

重写后的测试规约表示为n个测试模板的析取式：

其中第i个测试模版op_templatei为单纯合取式，表示为按照所代表的语义分为三类：p_i表示第i个测试模版的约束，它是一个谓词或多个谓词的合取式，

q_i表示操作执行后第f个测试模版的状态变化，

r_i为第i个测试模版的输出结果集，

The rewritten test specification is expressed as a disjunction of n test templates:

Among them, the i-th test template op_templatei is a simple conjunction, expressed as According to the represented semantics, it is divided into three categories: p _i represents the constraint of the i-th test template, which is a predicate or a conjunction of multiple predicates,

q _i represents the state change of the fth test template after the operation is executed,

r _i is the output result set of the i-th test template,

生成的测试模板集合{op_template_i}，(1≤i≤n)满足下述两点性质：The generated test template set {op_template _i }, (1≤i≤n) satisfies the following two properties:

①i，j：1..n·i≠j|pi∧p_j＝false。①i, j: 1..n·i≠j|pi∧p _j = false.

性质①说明测试模板集合每个测试模板的约束之间无交集，生成的测试模板将测试空间划分成互不相交的一组测试子域，每个测试模板代表一个测试子域。性质②说明测试模版集合是完整的，覆盖了被测操作的所有测试空间。即该操作的预条件为永真式，pre op_test＝true。Property ① It shows that there is no intersection between the constraints of each test template in the test template set, and the generated test template divides the test space into a group of disjoint test sub-domains, and each test template represents a test sub-domain. Property ② shows that the set of test templates is complete, covering all the test space of the operation under test. That is to say, the precondition of this operation is eternal truth, pre op_test=true.

需要指出的是，上述规则应用次序与数目可能不同，给定的测试规约经过等价变换后得到的析取范式(DNF)不是唯一的。并且等价变换可能会为操作引入一些间接输入变量。It should be pointed out that the application order and number of the above rules may be different, and the disjunctive normal form (DNF) obtained after equivalent transformation of a given test specification is not unique. And the equivalence transformation may introduce some indirect input variables to the operation.

步骤三：类型划分Step 3: Type division

大多数情况下，步骤二中生成的测试模板的数目非常有限，步骤三通过类型划分对每个测试模板进行启发式等价变换，进一步细分测试空间。首先澄清一下与类型划分概念。In most cases, the number of test templates generated in step 2 is very limited, and step 3 performs heuristic equivalent transformation on each test template by type division to further subdivide the test space. First, clarify the concept of division and type.

设A是一个非空类型，如果存在一个A的子集族π(πP(A))满足以下条件：Let A be a non-empty type, if there exists a subset family π(πP(A)) of A that satisfies the following conditions:

(1) (1)

(2)π中任意两个元素不交(2) Any two elements in π do not intersect

(3)π中所有元素的并集等于A(3) The union of all elements in π is equal to A

则称π为类型A的一个划分，且称π中的元素为划分块。π中所有元素的并集称为类型A的π划分表示。Then π is called a partition of type A, and the elements in π are called partition blocks. The union of all elements in π is called a π-partitioned representation of type A.

SDBMS安全策略模型上的划分归结为下述四种情况。The division on the SDBMS security policy model comes down to the following four situations.

情况1：预设值划分：Case 1: Preset value division:

若类型T中存在一系列特殊预设值s₁，s₂，…s_n，则类型T的预设值划分将类型划分π为：π＝{{s₁)，{s₂}，…，{s_n}，{t：T|t≠s₁∧t≠s₂∧…∧t≠s_n}}，根据划分π，类型T可表示为T＝{s₁}∨{s₂}∨…{s_n}∨{t：T|t≠s₁∧t≠s₂∧…∧t≠s_n}。If there is a series of special preset values s ₁ , s ₂ , ... s _n in type T, then the preset value division of type T divides the type into π: π={{s ₁ ), {s ₂ }, ..., {s _n }, {t: T|t≠s ₁ ∧t≠s ₂ ∧…∧t≠s _n }}, according to the division π, the type T can be expressed as T={s ₁ }∨{s ₂ } ∨…{s _n }∨{t: T|t≠s ₁ ∧t≠s ₂ ∧…∧t≠s _n }.

类型中的特殊值是系统预设，与该类型中的其他值相比存在较为特殊的意义，应该单独测试。并且由于这些值不存在交集，所以类型中每个特殊值都是类型空间划分中的一个子集，满足划分的定义要求。Special values in a type are system defaults, have special meaning compared to other values in that type, and should be tested individually. And because there is no intersection of these values, each special value in the type is a subset of the type space partition, which satisfies the definition requirements of the partition.

情况2：函数值划分：Case 2: Function value division:

若存在由类型T到类型V上的函数f：T→V，且类型V为有限集，ran(f)＝{v₁，v₂，…v_n)。则类型T的函数值划分π为：π＝{{t：T|f(t)＝v₁}，{t：T|f(t)＝v₂}，…，{t：T|f(t)＝v_n}}。若类型V虽为无限集，但存在重要的划分π₀＝{{s₁}，{s₂}，…，{s_n}}，则类型T存在扩展的函数值划分：π′＝{{t：T|f(t)∈s₁)，{t：T|f(t)∈s₂}，…，{t：T|f(t)∈s_n}}。If there is a function f from type T to type V: T→V, and type V is a finite set, ran(f)={v ₁ , v ₂ ,...v _n ). Then the function value of type T is divided into π as: π={{t: T|f(t)=v ₁ }, {t: T|f(t)=v ₂ }, ..., {t: T |f(t)=v _n }}. If the type V is an infinite set, but there is an important partition π ₀ ={{s ₁ },{s ₂ },...,{s _n }}, then the type T has an extended function value partition: π′={{ t: T|f(t)∈s ₁ ), {t: T|f(t)∈s ₂ }, ..., {t: T|f(t)∈s _n }}.

SDBMS模型中每个类型上都可能存在一些函数，函数值相同的一组变量代表具备某种相同性质的一类值，而不同的函数值在模型中可能对应不同的行为，因此可以根据不同的函数取值将类型中的变量划分为不同的子集进行测试。There may be some functions on each type in the SDBMS model. A group of variables with the same function value represents a class of values with the same property, and different function values may correspond to different behaviors in the model, so it can be based on different Function evaluation divides the variables in the type into different subsets for testing.

情况3：集合划分：Case 3: Set partitioning:

若类型T上存在多个数据集合，分别表示为ts₁，ts₂，…ts_n，即对于任何1≤i≤n，满足ts_i＝ρ(T)。则类型T的集合划分可以如下递归表示：If there are multiple data sets on type T, they are expressed as ts ₁ , ts ₂ , . . . ts _n respectively, that is, for any 1≤i≤n, ts _i =ρ(T). Then the set division of type T can be expressed recursively as follows:

1)

1)

2)对于任何1＜i≤n：

2) For any 1<i≤n:

3)类型T最终可以表示为：T＝T_test(n)。3) The type T can finally be expressed as: T=T_test(n).

与函数类似，SDBMS模型中类型上每个数据集合代表具备某种相同性质的一类值，集合划分最大限度的考虑了这些性质的组合情况。由于大多数数据集合是构成系统状态的一部分，通常集合划分只适用于输入变量。Similar to functions, each data set in the SDBMS model represents a class of values with the same properties, and the combination of these properties is considered to the greatest extent in the division of sets. Since most data sets form part of the system state, set partitioning is usually only applied to input variables.

情况4：数据划分：Case 4: Data partitioning:

这种情况涉及一些常见的数据类型，如整数类型，自然数类型，布尔型等等。这些数据类型的特殊取值是与类型相关的固有特殊值，例如，布尔类型上存在的数据划分为{true，false}。数据划分形式上与预设值划分十分近似，主要的区别在于数据划分应用于成员己知的类型，而预设值划分应用于成员数目与内容不确定的类型。This situation involves some common data types, such as integer types, natural number types, Boolean types, and so on. The special values of these data types are inherently special values related to the type, for example, the data that exists on the Boolean type is divided into {true, false}. Data division is very similar to default value division in form, the main difference is that data division is applied to types whose members are known, while default value division is applied to types whose number of members and content are uncertain.

理论上说，若某类型上存在函数则应该采用函数划分；若存在集合则应该采用集合划分；依此类推。若同一个类型同时存在上述多种划分，则需要计算它们的综合划分。综合划分的计算取决于这些划分之间的关系。若划分A中的任一划分块与划分B中的任一划分块相交，称两个划分正交类关系；同一个类型上的正交类关系的两个划分的综合划分结果为所有分属A、B的划分块之间的交集的并集。若划分A中的任一划分块都属于划分B中的某个划分块，称两者间存在重叠类关系。重叠类关系的两个划分的综合划分等价于B的划分。还有一类介于正交类与重叠类之间，即部分划分块相交，部分划分块重叠。该类关系综合划分计算也是两种的综合。Theoretically, if there is a function on a certain type, function division should be used; if there is a set, set division should be used; and so on. If the above-mentioned multiple divisions exist at the same time for the same type, their comprehensive division needs to be calculated. The calculation of composite partitions depends on the relationship between these partitions. If any partition block in partition A intersects with any partition block in partition B, it is said that the two partitions are in an orthogonal class relationship; The union of the intersection between the division blocks of A and B. If any partition block in partition A belongs to a certain partition block in partition B, it is said that there is an overlapping class relationship between the two. The composite partition of the two partitions of overlapping class relations is equivalent to the partition of B. There is another class between the orthogonal class and the overlapping class, that is, some partition blocks intersect and some partition blocks overlap. The comprehensive division calculation of this type of relationship is also a combination of the two.

可以想象若某个类型上存在的正交类划分较多，且每个划分中包含大量的划分块，则很有可能出现测试空间划分的组合爆炸。因此需要对划分应用某些原则进行取舍。此处我们给出了两种正交类划分取舍原则：It is conceivable that if there are many orthogonal class divisions on a certain type, and each division contains a large number of division blocks, it is very likely that the combination explosion of the test space division will occur. Therefore, some trade-offs need to be made for the application of partitioning principles. Here we give two orthogonal class division and trade-off principles:

(1)优先m-选-n原则(m≥n)。若类型T上存在m个正交划分π_i(1≤i≤m)，将其按照重要性非降次序排列，优先m-选-n原则计算其中前n个划分的综合划分。(1) Prioritize m-select-n principle (m≥n). If there are m orthogonal partitions π _i (1≤i≤m) on the type T, arrange them in non-decreasing order of importance, and calculate the comprehensive partition of the first n partitions based on the m-select-n principle.

类型T按不同的划分可分为表示为T_test_i(1≤i≤m)，其长度为|π_i|。按照重要性非降次序排列后，前n个划分为π_i(1≤i≤n)。类型T上优先m-选-n原则的综合划分P为：The type T can be divided into T_test _i (1≤i≤m) according to different divisions, and its length is | _πi |. After sorting in non-decreasing order of importance, the first n are divided into π _i (1≤i≤n). The comprehensive division P of the priority m-select-n principle on type T is:

综合划分的长度最大为： $num = \underset{1 \leq i \leq n}{Π} (| π_{i} |),$ 其内容为：The maximum length of the comprehensive division is: $num = \underset{1 \leq i \leq no}{Π} (| π_{i} |),$ Its content is:

(partion_i∈π_i)

(partition _i ∈ π _i )

(2)正交m-选-n原则(m≥n)。若类型T上存在m个正交划分π_i(1≤i≤m)，正交m-选-n原则计算的综合划分包含其中任何n个划分的综合划分的划分块。(2) Orthogonal m-select-n principle (m≥n). If there are m orthogonal partitions π _i (1≤i≤m) on the type T, the comprehensive partition calculated by the orthogonal m-select-n principle includes the partition blocks of the comprehensive partition of any n partitions.

类型T按不同的划分可分为表示为T_test_i(1≤i≤m)，其长度为|π_i|。按照划分长度非递增顺序排列后，前n个的划分记为πi(1≤i≤n)。令P表示类型T上正交m-选-n原则的综合划分。P′表示类型T上任何n个划分的综合划分，P′中的任何一个划分块p′_i(p′_i∈P′)，在综合划分P中至少存在一个划分块p_i(p_i∈P)，满足：p_jp′_i。The type T can be divided into T_test _i (1≤i≤m) according to different divisions, and its length is | _πi |. After being arranged in non-increasing order according to the division length, the first n divisions are recorded as πi (1≤i≤n). Let P denote a synthetic partition of the orthogonal m-select-n principle on type T. P′ represents the comprehensive partition of any n partitions on type T, any partition block p′ _i (p′ _i ∈ P′) in P′, and there is at least one partition block p _i (p _i ∈ P′) in the comprehensive partition P P), satisfying: p _j p′ _i .

将类型T上正交划分的m-选-n取舍原则的综合划分表示成析取范式。综合划分的长度为 $num = \underset{1 \leq i \leq n}{Π} (| π_{i} |) .$ 其内容为：The comprehensive partition of the m-choose-n-choose principle for orthogonal partitions on type T is expressed as a disjunctive normal form. The length of the composite division is $num = \underset{1 \leq i \leq no}{Π} (| π_{i} |) .$ Its content is:

(partioni∈π_i)

( _{partioni∈πi} )

计算出的综合划分既可以直接应用于对输入变量的划分，也可以间接的应用于内部状态空间的划分。因为归根结底，内部状态是由内部变量集合及其所对应的取值构成。The calculated comprehensive partition can be directly applied to the partition of the input variables, and can also be indirectly applied to the partition of the internal state space. Because in the final analysis, the internal state is composed of a set of internal variables and their corresponding values.

步骤四：生成测试向量Step 4: Generate test vectors

实际上SDBMS模型中的被测操作的测试空间划分是步骤二所述的子域划分与步骤三所述的类型划分的综合。一个完整的测试向量是待测SDBMS产品测评的依据。具体的说，测试向量是一组向量之和，即由输入向量、当前状态向量、输出向量、与状态变化向量构成的四元组：(IN，pre_STATE，OUT，post_STATE)。In fact, the test space division of the tested operation in the SDBMS model is a combination of the sub-domain division described in step two and the type division described in step three. A complete test vector is the basis for evaluating the SDBMS product to be tested. Specifically, the test vector is the sum of a set of vectors, that is, a quadruple composed of input vector, current state vector, output vector, and state change vector: (IN, pre_STATE, OUT, post_STATE).

输入向量由操作op的输入变量集与每个变量取值构成，输入变量取值依赖于具体的测试模板与类型划分块，它是测试空间划分的实例化。除输入向量之外，操作op的执行结果还取决于与测试时系统内部状态变量的值，只有在已知系统状态下才能确定某输入向量所产生的输出向量与状态变化向量的值。对于某个内部状态，某个类型划分块与测试模板之间的关系可能是三种：划分块完全满足测试模板，即划分块中任选一个成员都可以作为划分实例化输入；划分块完全不满足测试模板，即划分块中的任何一个成员都无法满足测试模板；或划分块部分满足测试模板。即划分块中的部分成员可满足测试模板，部分无法满足。此时结果是否满足测试模板依赖于具体的输入。The input vector is composed of the input variable set of the operation op and the value of each variable. The value of the input variable depends on the specific test template and type division block, which is the instantiation of the test space division. In addition to the input vector, the execution result of the operation op also depends on the value of the internal state variables of the system during the test. Only when the system state is known can the values of the output vector and state change vector generated by an input vector be determined. For a certain internal state, the relationship between a certain type of division block and the test template may be three types: the division block completely satisfies the test template, that is, any member of the division block can be used as the input of the division instantiation; the division block is not at all Satisfy the test template, that is, none of the members in the division block can satisfy the test template; or the division block partially satisfies the test template. That is, some members in the division block can satisfy the test template, and some cannot. At this time, whether the result satisfies the test template depends on the specific input.

虽然所有的内部状态变量最终可归结为单类型集合，复合类型集合，与类型函数等几种，也可以通过类型划分方法对其进行划分，但存在两个问题：一是由于内部状态变量的数目过大，这种划分将导致状态爆炸。二是状态的可控性问题，并不是任何合法的状态都是可达的。即使是可达状态，计算出路径也是一个NP问题。因此，我们选取某些特殊已知状态为测试预设状态，例如包括初始状态，以及与间接输入类型相关的状态集(必须是某己测操作的后状态)。具体的状态生成、选择及遍历方法在现有技术文献中已有大量详细的记载，本领域的一般技术人员都能够了解，因此本说明书中就不再具体解释。Although all internal state variables can be classified into single-type collections, compound-type collections, and type functions, they can also be divided by type division methods, but there are two problems: one is that the number of internal state variables Too large, this division will lead to state explosion. The second is the controllability of the state, not any legal state is reachable. Even for reachable states, computing the path is an NP problem. Therefore, we select some special known states as test preset states, for example, including the initial state, and a set of states related to indirect input types (must be the post-state of a tested operation). Specific state generation, selection, and traversal methods have been well documented in prior art documents, and those skilled in the art can understand them, so they will not be explained in detail in this specification.

对于测试模板

若给定某输入向量IN＝(INs，VALs)，与系统状态pre_STATE，可以计算出逻辑变量(p_k∧pre_STATE)[VALs/INs]的值，若其为真，则该测试用例的预期输出结果为r_k，状态变化为q_k；生成的测试向量为：(IN，pre_STATE，r_k，q_k)。否则不生成测试用例。因为pre op_test＝true，所以对于任何一个状态与输入向量，不论是操作成功或是失败的，必然有一个测试模板使该逻辑变量为真，从而生成相应的测试向量。For test template

Given a certain input vector IN=(INs, VALs) and the system state pre_STATE, the value of the logic variable (p _k ∧ pre_STATE)[VALs/INs] can be calculated, and if it is true, the expected output of the test case The result is r _k , the state change is q _k ; the generated test vector is: (IN, pre_STATE, r _k , q _k ). Otherwise no test cases are generated. Because pre op_test=true, for any state and input vector, whether the operation succeeds or fails, there must be a test template to make the logic variable true, so as to generate the corresponding test vector.

本发明的技术效果在于，本发明首次提出了一种用于生成安全数据库管理系统测试用例的系统化、可操作的方法，有助于对该类系统的安全功能进行科学、全面、准确的测试。该方法以被测系统的安全模型为依据，测试的结果具有完备性、科学性、可重复性和内在一致性。与现行的手工随机测评方式相比，其能更好地发现系统实现的缺陷，大幅度提高了测试质量。该方法结合形式化辅助工具使用，能够减少测试过程中的重复劳动，降低生成大量测试用例所付出的代价，有利于实现测试自动化。The technical effect of the present invention is that the present invention proposes a systematic and operable method for generating test cases of a security database management system for the first time, which is helpful for scientific, comprehensive and accurate testing of the security functions of such systems . This method is based on the security model of the system under test, and the test results are complete, scientific, repeatable and internally consistent. Compared with the current manual random evaluation method, it can better find the defects of system implementation and greatly improve the test quality. This method combined with formal auxiliary tools can reduce duplication of labor in the testing process, reduce the cost of generating a large number of test cases, and is conducive to the realization of test automation.

具体实施方式Detailed ways

下面以中国科学院软件研究所信息安全国家重点实验室研发的LOIS安全数据库管理系统为例，详细说明本发明提供的安全数据库管理系统测试用例生成方法。Taking the LOIS security database management system developed by the State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences as an example, the test case generation method for the security database management system provided by the present invention will be described in detail below.

该系统的SDBMS模型中自主授权相关的操作有两种模式：一种是直接授权给用户，另一种是先授权给角色，再由用户激活角色。直接授权操作GrantPermToUser是管理操作，要求被授权的用户存在，未被授予过该权限。它依赖于多个操作，如创建用户的操作、创建安全标签的操作、创建数据对象的操作、连接操作等。在执行对该操作的测试之前，应该确保已经执行过对以上操作的测试。并且系统中限定任何类型用户不能向系统管理员、安全管理员和审计管理员授权。该操作改变了系统状态中的访问控制矩阵，其具体描述如下：There are two modes of autonomous authorization related operations in the SDBMS model of the system: one is to authorize users directly, and the other is to authorize roles first, and then activate roles by users. The direct authorization operation GrantPermToUser is an administrative operation that requires the existence of an authorized user who has not been granted this permission. It depends on multiple operations, such as creating a user, creating a security label, creating a data object, connecting, etc. Before performing a test for this operation, you should ensure that you have performed a test for the above operation. And any type of users in the system cannot authorize system administrators, security administrators and audit administrators. This operation changes the access control matrix in the system state, which is described in detail as follows:

补充完整性后操作规约为：The operating statute after supplementing completeness is:

操作GrantPermToUser应满足公理GrantPermToUser_axiom，即授权者曾经被授予该权限，并且被允许传播该权限：或者授权者是该对象特权的属主。所有对象特权的分类如下：The operation GrantPermToUser should satisfy the axiom GrantPermToUser_axiom, that is, the grantor has been granted the permission and is allowed to propagate the permission: or the grantor is the owner of the object privilege. All object privileges are categorized as follows:

dbOwnerPrivs＝＝{ConnectDatabase，CreateDomain，CreateTable，CreateView}dbOwnerPrivs=={ConnectDatabase, CreateDomain, CreateTable, CreateView}

dmOwnerPrivs＝＝{CreateonDomain，DroponDomain，UseDomain，DropDomain}dmOwnerPrivs=={CreateonDomain, DroponDomain, UseDomain, DropDomain}

tbOwnerPrivs＝＝{CreateRule，DropRule，SelectTable，Insert，Delete，DropTable}tbOwnerPrivs=={CreateRule, DropRule, SelectTable, Insert, Delete, DropTable}

viOwnerPrivs＝＝{SelectView，DropView}viOwnerPrivs=={SelectView, DropView}

公理GrantPermToUser_axiom的形式化描述为：The formal description of the axiom GrantPermToUser_axiom is:

Transition·GrantPermToUserTransition·GrantPermToUser

cur-trans-class(T)＝osi-class(o？)cur-trans-class(T)=osi-class(o?)

∧ $(&Exists; g : USERS \cdot (trans - user (T, o ?, p ?, g, true) &Element; access - matrix))$ ∧ $(&Exists; g : USERS &Center Dot; (trans - user (T, o ?, p ?, g, true) &Element; access - matrix))$

∨(owner(database-osi(session-database(trans-session(T))))＝trans-user(T)∨(owner(database-osi(session-database(trans-session(T))))=trans-user(T)

∧p？∈dbOwnerPrivs)∧p? ∈dbOwnerPrivs)

经过步骤一后，操作GrantPermToUser的测试规约test_GrantPermToUser完整的表达式为：After step 1, the complete expression of the test specification test_GrantPermToUser that operates GrantPermToUser is:

$test test__GrantPermToUser GrantPermToUser \overset{^^}{= =} GrantPermToUser GrantPermToUser__{full full}^{' '}$

((﹁GrantPermToUser﹁GrantPermToUser_axiom)∧Fail))((GrantPermToUser﹃GrantPermToUser_axiom)∧Fail))

对测试规约应用重写规则并变换成析取范式形式。其中操作成功部分共有8个测试模版，分别为：Apply rewriting rules to the test specification and transform into Disjunctive Normal Form form. Among them, there are 8 test templates in the successful operation part, which are:

(Transition·cur-trans-class(T)＝osi-class(o？)(Transition·cur-trans-class(T)=osi-class(o?)

∧ $(&Exists; g : USERS \cdot (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$ ∧ $(&Exists; g : USERS &Center Dot; (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$

∧((owner(database-osi(session-database(trans-session(T))))∧((owner(database-osi(session-database(trans-session(T))))

＝trans-user(T))=trans-user(T))

∧p？∈dbOwnerPrivs)∧p? ∈dbOwnerPrivs)

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧ $(u ?, o ?, p ?, trans - user (T), a ?) &NotElement; access - matrix$ ∧ $(u ?, o ?, p ?, trans - user (T), a ?) &NotElement; access - matrix$

∧access-matrix′＝access-matrix∪{(u？，o？，p？，trans-user(T)，a？)}∧access-matrix'=access-matrix∪{(u?, o?, p?, trans-user(T), a?)}

∧re！＝ok)∧re! = ok)

∨(Transition·cur-trans-class(T)＝osi-class(o？)∨(Transition·cur-trans-class(T)=osi-class(o?)

∧ $(&Exists; d : DOMAINS \cdot domain - osi (d) = o ?)$ ∧ $(&Exists; d : DOMAINS &Center Dot; domain - osi (d) = o ?)$

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈dmOwnerPrivs∧p? ∈ dmOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧re! = ok)

∧ $(&Exists; t : MREAL - IDS \cdot real - osi (t) = o ?)$ ∧ $(&Exists; t : MREAL - IDS \cdot real - osi (t) = o ?)$

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈tbOwnerPrivs∧p? ∈ tbOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧re! = ok)

∧ $(&Exists; g : USERS \cdot (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$ ∧ $(&Exists; g : USERS \cdot (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$

∧ $(&Exists; t : MVIEW - IDS \cdot view - osi (t) = o ?)$ ∧ $(&Exists; t : MVIEW - IDS &Center Dot; view - osi (t) = o ?)$

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈viOwnerPrivs∧p? ∈viOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧ re! = ok)

$&Not; &Not; ((&Exists; &Exists; g g : : USERS USERS \cdot \cdot ((trans trans - - user user ((T T)),, o o ? ?,, p p ? ?,, g g,, true true)) &Element; &Element; access access - - matrix matrix))$

＝trans-user(T))=trans-user(T))

∧p？∈dbOwnerPrivs)∧p? ∈dbOwnerPrivs)

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧re! = ok)

∧ $&Not; (&Exists; g : USERS \cdot (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$ ∧ $&Not; (&Exists; g : USERS &Center Dot; (trans - user (T), o ?, p ?, g, true) &Element; access - matrix)$

∧ $(&Exists; d : DOMAINS \cdot domain - osi (d) = o ?)$ ∧ $(&Exists; d : DOMAINS \cdot domain - osi (d) = o ?)$

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈dmOwnerPrivs∧p? ∈ dmOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧ re! = ok)

∧(Transition·cur-trans-class(T)＝osi-class(o？)∧(Transition·cur-trans-class(T)=osi-class(o?)

∧owner(o？)∈trans-user(T)∧owner(o?)∈trans-user(T)

∧p？∈tbOwnerPrivs∧p? ∈ tbOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧ $(u ? . o ?, p ?, trans - user (T), a ?) &NotElement; access - matrix$ ∧ $(u ? . o ?, p ?, trans - user (T), a ?) &NotElement; access - matrix$

∧re！＝ok)∧re! = ok)

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈viOwnerPrivs∧p? ∈viOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧re！＝ok)∧re! = ok)

上例中第四个测试模版补充完整后，可以表示为如下形式：After the fourth test template in the above example is completed, it can be expressed as follows:

$test test__template template 44 \overset{^^}{= =} [[signature signature | | cur cur - - trans trans - - class class ((T T)) = = osi osi - - class class ((o o ? ?))$

∧owner(o？)＝trans-user(T)∧owner(o?)=trans-user(T)

∧p？∈tbOwnerPrivs∧p? ∈ tbOwnerPrivs

∧u？∈user-exists∧u? ∈ user-exists

∧﹁user-adm(u？)∧ “user-adm(u?)

∧o？∈osi-exists∧o? ∈ osi-exists

∧ $(u ?, o ?, p ?, trans - user (T,) a ?) &NotElement; access - matrix$ ∧ $(u ?, o ?, p ?, trans - user (T,) a ?) &NotElement; access - matrix$

∧re！＝ok]∧re! = ok]

可以对测试模版中的谓词进一步化简，表示成标准形式。下面以owner(o？)＝trans-user(T)为例，解释细化过程。The predicates in the test template can be further simplified and expressed in standard form. Next, take owner(o?)=trans-user(T) as an example to explain the refinement process.

(owner(o？)＝trans-user(T))∧TCB(owner(o?)=trans-user(T))∧TCB

$&DoubleLeftRightArrow; &DoubleLeftRightArrow; ((&Exists; &Exists; u u 11 : : USERS USERS \cdot \cdot owner owner ((o o ? ?)) = = u u 11$

∧trans-user(T)＝u1∧trans-user(T)=u1

∧dom owner∈osi_exist∧dom owner ∈ osi_exist

∧dom tran-user∈tran_exist∧dom tran-user ∈ tran_exist

∧ran owner∈user_exist∧ ran owner ∈ user_exist

∧ran tran-user∈user_exist∧ran tran-user ∈ user_exist

u1∈USERSu1∈USERS

∧o？∈osi_exist∧o? ∈ osi_exist

∧u1∈user_exist∧u1 ∈ user_exist

∧T∈tran_exist∧T∈tran_exist

∧owner(o？)＝u1∧owner(o?)=u1

∧trans-user(T)＝u1∧trans-user(T)=u1

u1∈user_existu1 ∈ user_exist

∧o？∈osi_exist∧o? ∈ osi_exist

∧T∈tran_exist∧T∈tran_exist

模板4中的函数owner、trans-user、osi-class、cur-trans-class、user-admin等均可以以类似方法再细化。将测试模版4生成的所有函数细化后得到的标准形式如下：The functions owner, trans-user, osi-class, cur-trans-class, user-admin, etc. in template 4 can be refined in a similar way. The standard form obtained after refining all the functions generated by test template 4 is as follows:

依据步骤二要求，该模板可以表示为：

按语义及表达形式可以区分出操作输入应满足的约束为：According to the requirements of step 2, the template can be expressed as:

According to the semantics and expression forms, the constraints that the operation input should satisfy can be distinguished as:

∧t∈real_exist∧clss∈CLASSES∧p？∈tbOwnerPrivs∧t∈real_exist∧clss∈CLASSES∧p? ∈ tbOwnerPrivs

∧u？∈user_exist∧u？≠sysadmin∧u？≠audadmin∧u？≠secadmin∧u? ∈user_exist∧u? ≠sysadmin∧u? ≠audadmin∧u? ≠secadmin

∧ $(u ?, o ?, p ?, u 1, a ?) &NotElement; access - matrix$ ∧ $(u ?, o ?, p ?, u 1, a ?) &NotElement; access - matrix$

操作导致的状态变化为：The state change caused by the operation is:

${q q}_{44} \overset{^^}{= =} access access - - {matrix matrix}^{' '} = = access access - - matrix matrix \cup \cup {{((u u ? ?,, o o ? ?,, p p ? ?,, u u 11,, a a ? ?))}}$

操作导致的输出结果为：The output resulting from the operation is:

${r r}_{44} \overset{^^}{= =} re re!! = = ok ok$

其中，直接输入变量为：o？，p？，u？，a？，分别属于类型OSI，PRIVILEGES，USERS，与BOOLEAN。间接输入变量为：T，u1，t，clss，分别属于类型TRANSACTIONS，USERS，TUPLES与CLASSES。直接输出变量：re！，间接输出变量：access-matrix。Among them, the direct input variable is: o? , p? , u? , a? , belonging to types OSI, PRIVILEGES, USERS, and BOOLEAN, respectively. The indirect input variables are: T, u1, t, clss, belonging to the types TRANSACTIONS, USERS, TUPLES and CLASSES respectively. Output variables directly: re! , indirect output variable: access-matrix.

在操作模板确定后，接下来针对输入变量类型确定应用类型上的划分。其中输入变量u？表示被授权的用户，属于类型USERS。该类型上存在三个特殊值，分别为：系统管理员sysadmin，审计管理员audadmin，与安全管理员secadmin。因此类型USERS上的特殊值划分为：π₀＝{u＝sysadm，u＝secadm，u＝audadm，u≠sysadm∧u≠Sec adm∧u≠audadm}。划分块数目为4。After the operation template is determined, the division of the application type is then determined for the input variable type. where the input variable u? Indicates authorized users, of type USERS. There are three special values for this type: system administrator sysadmin, audit administrator audadmin, and security administrator secadmin. The special value division on type USERS is thus: π ₀ ={u=sysadm, u=secadm, u=audadm, u≠sysadm∧u≠Sec adm∧u≠audadm}. The number of divided blocks is four.

类型USERS上存在四个函数，分别为：There are four functions on the type USERS, namely:

user-adm：USERS-|→BOOLEAN，值域为{true，false}user-adm: USERS-|→BOOLEAN, the value field is {true, false}

user-status：USERS-|→BOOLEAN，值域为{true，false}user-status: USERS-|→BOOLEAN, the value range is {true, false}

user-kind：USERS-|→SKIND，值域为{Sys，See，Aud，Common}user-kind: USERS-|→SKIND, the value range is {Sys, See, Aud, Common}

user-class：USERS-|→CLASSES，值域特殊值为{SysHigh，SysLow，Trusted}。user-class: USERS-|→CLASSES, the special value of the value field is {SysHigh, SysLow, Trusted}.

类型USERS上的四个函数划分分别为：The four function divisions on type USERS are:

π₁＝(user-adm(u)：true，user_adm(u)＝false}，π₂＝{user_status(u)＝true，user-status(u)＝false}，π ₁ =(user-adm(u):true, user_adm(u)=false}, π ₂ ={user_status(u)=true, user-status(u)=false},

π₃＝{user_kind(u)＝sys，user_kind(u)＝Sec，user_kind(u)＝Aud，user_kind(u)＝Common}，π ₃ = {user_kind(u)=sys, user_kind(u)=Sec, user_kind(u)=Aud, user_kind(u)=Common},

π₄＝{user_class(u)＝SysHigh，user_class(u)＝SysLow，user_class(u)＝Trusted，π ₄ = {user_class(u)=SysHigh, user_class(u)=SysLow, user_class(u)=Trusted,

user_class(u)≠SysHigh∧user_class(u)≠SysLow∧user_class(u)≠Trusted}。user_class(u)≠SysHigh∧user_class(u)≠SysLow∧user_class(u)≠Trusted}.

它们的划分块数目分别为2，2，4，4。The numbers of their divided blocks are 2, 2, 4, 4 respectively.

类型USERS上存在一个集合user_exists，其集合划分为 $π_{5} = {u &Element; user_exists, u &NotElement; user_exists},$ 类型划分数目为2。There is a collection user_exists on type USERS, and its collection is divided into $π_{5} = {u &Element; user_exists, u &NotElement; user_exists},$ The number of type divisions is 2.

由于上述划分中函数user-admin存在如下约束：user-admin(sysadmin)＝true，user-admin(audadmin)＝true，user-admin(secadmin)＝true。且Because the function user-admin in the above division has the following constraints: user-admin (sysadmin) = true, user-admin (audadmin) = true, user-admin (secadmin) = true. and

u∈user-existsou≠sysadm∧u≠secadm∧u≠audadmuser-admin(u)＝false，所以划分π₀与π₁是从属关系。两者的综合划分等价于π₀。u∈user-exists ou≠sysadm∧u≠secadm∧u≠audadmuser-admin(u)=false, so dividing π ₀ and π ₁ is a subordination relationship. The comprehensive division of the two is equivalent to π ₀ .

因为函数user-status存在如下约束：user-status(sysadmin)＝true，user-status(audadmin)＝true，user-status(secadmin)＝true。所以划分π₀与划分π₂之间存在部分从属关系，部分正交关系。其综合划分数目为3+1×2＝5。类似的，划分π₀与划分π₃之间存在部分从属关系，部分正交关系。(π₀，π₁，π₂，π₃)的综合划分数目为3+2×4＝11。划分π₄与π₀，π₂，π₃均是正交关系，(π₀，π₁，π₂，π₃，π₄)的综合划分数目为11×4＝44。Because the function user-status has the following constraints: user-status (sysadmin) = true, user-status (audadmin) = true, user-status (secadmin) = true. Therefore, there is a partial subordination relationship and a partial orthogonal relationship between the division of π ₀ and the division of π ₂ . The number of comprehensive divisions is 3+1×2=5. Similarly, there is a partial dependency relationship and a partial orthogonal relationship between the division of π ₀ and the division of π ₃ . The number of comprehensive divisions of (π ₀ , π ₁ , π ₂ , π ₃ ) is 3+2×4=11. The division of π ₄ and π ₀ , π ₂ , and π ₃ are all orthogonal relations, and the number of comprehensive divisions of (π ₀ , π ₁ , π ₂ , π ₃ , π ₄ ) is 11×4=44.

由于上述函数的定义域上存在如下限制：domuser-status＝user-exists，dom user-adm＝user-exists。dom user-kind＝user-exists，dom user-class＝user-exists。π₁，π₂，π₃，π₄与π₅之间存在从属关系，其综合划分数目为44+1＝45。Due to the following restrictions on the definition domain of the above function: domuser-status=user-exists, dom user-adm=user-exists. dom user-kind=user-exists, dom user-class=user-exists. There is a subordinate relationship among π ₁ , π ₂ , π ₃ , π ₄ and π ₅ , and the number of their comprehensive divisions is 44+1=45.

类似的，类型PRIVILEGES上的综合划分数目为16，类型OSI上的综合划分数目为4，类型BOOLEAN上的数据划分数目为2。Similarly, the number of integrated divisions on type PRIVILEGES is 16, the number of integrated divisions on type OSI is 4, and the number of data divisions on type BOOLEAN is 2.

多个类型上的综合划分构成了输入向量集。因为类型PRIVILEGES上的划分与类型OSI上的划分相关，操作test_GrantPermToUser的输入向量数目为45×16×2＝1440。在步骤四中，对于某预设状态pre_STATEi与输入向量IN＝(u？＝alice，p？＝Insert，o？＝10481112，a？＝true)，利用工具计算出谓词(fest_GrantPermToUser∧pre-STATEi)[u？/alice，o？/1048l112，p？/Insert，a？/true]的值。其值为‘true’，所以生成测试向量。其中输出向量OUT＝(re！＝ok)，状态变化向量 $post_STATE \hat{=} access - {matrix}^{'} = access - matrix \cup {(u ?, o ?, p ?, u 1, a ?)} .$ 最终测试向量为(IN，pre_STATEi，OUT，post_STATE)。Comprehensive partitioning over multiple types forms the set of input vectors. Since partitions on type PRIVILEGES are related to partitions on type OSI, the number of input vectors for the operation test_GrantPermToUser is 45*16*2=1440. In step 4, for a preset state pre_STATEi and input vector IN=(u?=alice, p?=Insert, o?=10481112, a?=true), use the tool to calculate the predicate (fest_GrantPermToUser∧pre-STATEi) [u? / alice, o? /1048l112, p? /Insert, a? /true] value. Its value is 'true', so test vectors are generated. Where the output vector OUT=(re!=ok), the state change vector $post_STATE \hat{=} access - {matrix}^{'} = access - matrix \cup {(u ?, o ?, p ?, u 1, a ?)} .$ The final test vector is (IN, pre_STATEi, OUT, post_STATE).

以上通过具体的实施例描述了本发明所提供的方法，本领域的技术人员应当理解，在不脱离本发明的精神和实质的范围内，可以对本发明进行修改或等同替换。The method provided by the present invention has been described above through specific embodiments. Those skilled in the art should understand that the present invention can be modified or equivalently replaced within the scope of not departing from the spirit and essence of the present invention.

Claims

1, a kind of test example generation method of safety data base management system comprises following steps:

1) generates test specification, according to the test specification of each operation in the safe axiom requirement generation system of the formalization stipulations of descriptive system operating function and operation;

2) generate test template, test specification is carried out equivalence transformation, it is expressed as the disjunctive normal form form, thereby be one group of test template the test specification equivalent representation of operation according to certain rewriting rule;

3) type is divided, and the type that exists in the system is carried out heuristic equivalence transformation, further segments the test space of each test template representative;

4) generate test vector, subdomain is respectively tested in check, and with the exampleization, generates corresponding test vector.

2, the method for claim 1 is characterized in that, described test specification comprises:

Operate in the definition in the security of system model;

In the security of system model with the relevant safe axiom collection of operation;

The fixed constraint that exists in the relevant intermediateness variable of system.

3, the method for claim 1, it is characterized in that, the set of the test template that generates described step 2) is divided into mutually disjoint one group of test subdomain with the test space of operation, each test template is represented a test subdomain, and described test template set is complete, has covered all test spaces of tested operation.

4, the method for claim 1, it is characterized in that, described type division kind comprises one or more in the following dividing mode: preset value is divided, functional value is divided, set is divided, the data division, and the division on certain type is the comprehensive division of calculating according to above-mentioned division.

5, method as claimed in claim 4 is characterized in that, in described type partition process, if having a plurality of orthogonal division on certain type, then can divide these and use certain choice principle, reduces the test case number that is generated.

6, the method for claim 1 is characterized in that, described test vector comprises: input vector, current state vector, output vector, state variation vector.