Academic Press is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, USA
525 B Street, Suite 1800, San Diego, CA 92101-4495, USA
The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, UK
125 London Wall, London, EC2Y 5AS, UK

First edition 2016

Copyright © 2016 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-805158-0
ISSN: 0065-2458

For information on all Academic Press publications
visit our web site at http://store.elsevier.com/

PREFACE

This volume of Advances in Computers is the 101st in this series. This series, which has been continuously published since 1960, presents in each volume four to seven chapters describing new developments in software, hardware, or uses of computers. This 101st volume is the second in a miniseries of volumes based on the theme “Advances in Software Testing.” The need for such a thematic miniseries came up when I was teaching my graduate class “Fundamentals of Software Testing,” in which students were asked to study and report on recent (years 2010–15) advances in various topics surrounding software testing. They failed to find up-to-date survey papers on almost all topics. In this miniseries, I have invited leaders in their respective fields of software testing to write about recent advances. In the first volume in the miniseries (Volume 99), we focused on combinatorial testing, constraint-based testing, automated fault localization, automatic black-box testing, and testing access control. Volume 101 focuses on five important topics.

In Chapter 1, entitled “Security Testing: A Survey,” Felderer et al. provide an overview of recent security testing techniques. They first summarize the required background of testing and security engineering. Then, they discuss the basics and recent developments of security testing techniques applied during secure software development, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing. They illustrate security testing techniques by adopting them for an example three-tiered web-based business application.

In Chapter 2, entitled “Recent Advances in Model-Based Testing,” Utting et al. provide an overview of the field of model-based testing (MBT), particularly the recent advances in the last decade. They give a summary of the MBT process, the modeling languages currently used by various communities who practice MBT, the technologies used to generate tests from models, and best practices, such as traceability between models and tests. They also briefly describe several findings from a recent survey of MBT users in industry, outline the increasingly popular use of MBT for security testing, and discuss future challenges for MBT.

In Chapter 3, “On Testing Embedded Software,” Banerjee et al. describe the unique challenges associated with testing embedded software, which is specialized software intended to run on embedded devices. As embedded devices have expanded their reach into major aspects of human lives, from small handheld devices (such as smartphones) to advanced automotive systems (such as antilock braking systems), the complexity of embedded software has also grown, creating new challenges for testing. In particular, embedded software is required to satisfy several nonfunctional constraints, in addition to functionality-related constraints. Such nonfunctional constraints may include (but are not limited to) timing/energy consumption-related constraints or reliability requirements. Additionally, embedded systems are often required to operate in interaction with the physical environment, obtaining their inputs from environmental factors (such as temperature or air pressure). The need to interact with a dynamic, often nondeterministic physical environment further increases the challenges associated with testing embedded software. The authors discuss advances in software testing methodologies in the context of embedded software. They introduce key challenges in testing nonfunctional properties of software by means of realistic examples. They also present an easy-to-follow classification of existing research work on this topic.

The importance of test automation in web engineering comes from the widespread use of web applications and the associated demand for code quality. Test automation is considered crucial for delivering the quality levels expected by users, since it can save a lot of time in testing and it helps developers to release web applications with fewer defects. The main advantage of test automation comes from fast, unattended execution of a set of tests after some changes have been made to a web application. Moreover, modern web applications adopt a multitier architecture where the implementation is scattered across different layers and runs on different machines. For this reason, end-to-end testing techniques are required to test the overall behavior of web applications. In recent years, several approaches have been proposed for automated end-to-end web testing, and the choice among them depends on a number of factors, including the tools used for web testing and the costs associated with their adoption.

In Chapter 4, “Advances in Web Application Testing, 2010–14,” Sampath and Sprenkle provide background on web applications and the challenges in testing these distributed, dynamic applications made up of heterogeneous components. They then focus on the recent advances in web application testing that were published between 2010 and 2014, including work on test-case generation, oracles, testing evaluation, and regression testing. Through this targeted survey, they identify trends in web application testing and open problems that still need to be addressed. In Chapter 5, entitled “Approaches and Tools for Automated End-to-End Web Testing,” Leotta et al. provide a comprehensive overview of automated end-to-end web testing approaches and summarize the findings of a long-term research project aimed at empirically investigating their strengths and weaknesses.

I hope that you find these articles of interest. If you have any suggestions of topics for future chapters, or if you wish to be considered as an author for a chapter, I can be reached at atif@cs.umd.edu.

PROF. ATIF M. MEMON, PH.D.
College Park, MD, USA

CHAPTER ONE

Security Testing: A Survey

Michael Felderer*, Matthias Büchler†, Martin Johns‡,
Achim D. Brucker‡, Ruth Breu*, Alexander Pretschner†
*University of Innsbruck, Innsbruck, Austria
†Technische Universität München, Munich, Germany
‡SAP, Karlsruhe, Germany

Contents
1. Introduction
2. Software Testing
3. Security Engineering
   3.1 Basic Concepts
   3.2 Secure Software Development Life Cycle
4. Security Testing
   4.1 Basic Concepts
   4.2 Security Testing in the Secure Software Development Life Cycle
5. Security Testing Techniques
   5.1 Model-Based Security Testing
   5.2 Code-Based Testing and Static Analysis
   5.3 Penetration Testing and Dynamic Analysis
   5.4 Security Regression Testing
6. Application of Security Testing Techniques
   6.1 Selection Criteria for Security Testing Approaches
   6.2 A Three-Tiered Business Application
7. Summary
Acknowledgments
References
About the Authors

Abstract

Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of current security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarizes the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development life cycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing, are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

Advances in Computers, Volume 101, ISSN 0065-2458, http://dx.doi.org/10.1016/bs.adcom.2015.11.003. © 2016 Elsevier Inc. All rights reserved.

1. INTRODUCTION

Modern IT systems based on concepts like cloud computing, location-based services, or social networking are permanently connected to other systems and handle sensitive data. These interconnected systems are subject to security attacks that may result in security incidents with high severity affecting the technical infrastructure or its environment. Exploited security vulnerabilities can cause drastic costs, e.g., due to downtimes or the modification of data. A high proportion of all software security incidents is caused by attackers who exploit known vulnerabilities [1]. An important, effective, and widely applied measure to improve the security of software is the use of security testing techniques, which identify vulnerabilities and ensure security functionality.

Software testing is concerned with the evaluation of software products and related artifacts to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose, and to detect defects. Security testing verifies and validates software system requirements related to security properties like confidentiality, integrity, availability, authentication, authorization, and nonrepudiation. Sometimes security properties come as classical functional requirements, e.g., “user accounts are disabled after three unsuccessful login attempts,” which approximates one part of an authorization property and is aligned with the software quality standard ISO/IEC 9126 [2], which defines security as a functional quality characteristic. However, it seems desirable that security testing directly targets the above security properties, as opposed to taking the detour of functional tests of security mechanisms. This view is supported by the ISO/IEC 25010 [3] standard, which revises ISO/IEC 9126 and introduces Security as a new quality characteristic that is no longer included in the characteristic Functionality.

Web application security vulnerabilities such as Cross-Site Scripting or SQL Injection, which can adequately be addressed by security testing techniques, are acknowledged problems [4] with thousands of vulnerabilities reported each year [5]. Furthermore, surveys as published by the National Institute of Standards and Technology [6] show the high cost of insecure software due to inadequate testing, even on an economic level. Therefore, support for security testing, which is still often considered a “black art,” is essential to increase its effectiveness and efficiency in practice. This chapter intends to contribute to the growing need for information on security testing techniques by providing an overview of current security testing techniques. This is of high value both for researchers to evaluate and refine existing techniques and for practitioners to apply and disseminate them.

In this chapter, security testing techniques (and the discussion thereof) are classified according to their test basis within the secure software development life cycle into four different types: (1) model-based security testing is grounded on requirements and design models created during the analysis and design phase, (2) code-based testing and static analysis on source and byte code created during development, (3) penetration testing and dynamic analysis on running systems, either in a test or production environment, as well as (4) security regression testing performed during maintenance.

This chapter provides a comprehensive survey on security testing and is structured as follows. Section 2 provides an overview of the underlying concepts of software testing. Section 3 discusses the basic concepts of security engineering and the secure software development life cycle. Section 4 provides an overview of security testing and its integration in the secure software development life cycle. Section 5 discusses the security testing techniques model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing in detail. Section 6 discusses the application of security testing techniques to three-tiered business applications. Finally, Section 7 summarizes this chapter.

2. SOFTWARE TESTING

According to the classic definition in software engineering [7], software testing consists of the dynamic verification that a program provides expected behaviors on a finite set of test cases, a so-called test suite, suitably selected from the usually infinite execution domain. This dynamic notion of testing, so-called dynamic testing, evaluates software by observing its execution [8]. The executed system is called the system under test (SUT). More general notions of testing [9] consist of all life cycle activities, both static and dynamic, concerned with the evaluation of software products and related artifacts to determine that they satisfy specified requirements, to demonstrate that they are fit for purpose, and to detect defects. This definition also takes static testing into account, which checks software development artifacts (e.g., requirements, design, or code) without execution of these artifacts. The most prominent static testing approaches are (manual) reviews and (automated) static analysis, which are often combined with dynamic testing, especially in the context of security. For security testing, the general notion of testing comprising static and dynamic testing is therefore frequently applied [10–12], and thus also in this chapter testing comprises static and dynamic testing.

After running a test case, the observed and intended behaviors of an SUT are compared with each other, which then results in a verdict. Verdicts can be either pass (behaviors conform), fail (behaviors do not conform), or inconclusive (not known whether behaviors conform) [13]. A test oracle is a mechanism for determining the verdict. The observed behavior may be checked against user or customer needs (commonly referred to as testing for validation), against a specification (testing for verification).

A failure is an undesired behavior. Failures are typically observed (by resulting in verdict fail) during the execution of the system being tested. A fault is the cause of the failure. It is a static defect in the software, usually caused by human error in the specification, design, or coding process. During testing, it is the execution of faults in the software that causes failures. Differing from active execution of test cases, passive testing only monitors running systems without interaction.

Testing can be classified utilizing the three dimensions objective, scope, and accessibility [14, 15] shown in Fig. 1. Test objectives are the reason or purpose for designing and executing a test. The reason is either to check the functional behavior of the system or its nonfunctional properties. Functional testing is concerned with assessing the functional behavior of an SUT, whereas nonfunctional testing aims at assessing nonfunctional requirements with regard to quality characteristics like security, safety, reliability, or performance. The test scope describes the granularity of the SUT and can be classified into component, integration, and system testing. It also determines the test basis, i.e., the artifacts from which test cases are derived. Component testing (also referred to as unit testing) checks the smallest testable component (e.g., a class in an object-oriented implementation or a single electronic control unit) in isolation. Integration testing combines components with each other and tests those as a subsystem, that is, not yet a complete system. System testing checks the complete system, including all subsystems. A specific type of system testing is acceptance testing, where it is checked whether a solution works for the user of a system. Regression testing is a selective retesting to verify that modifications have not caused side effects and that the SUT still complies with the specified requirements [16].

Figure 1. Testing dimensions objective, scope, and accessibility. (Axes in the figure: Objective: functional, nonfunctional; Scope: component, integration, system; Accessibility: white-box, black-box.)

In terms of accessibility of test design artifacts, we can classify testing methods into white- and black-box testing. In white-box testing, test cases are derived based on information about how the software has been designed or coded [7]. In black-box testing, test cases rely only on the input/output behavior of the software. This classification is especially relevant for security testing, as black-box testing, where no or only basic information about the system under test is provided, makes it possible to mimic external attacks by hackers. In classical software testing, a related classification of test design techniques [17] distinguishes between structure-based testing techniques (i.e., deriving test cases from internal descriptions like implementation code), specification-based testing techniques (i.e., deriving test cases from external descriptions of software like specifications), and experience-based testing techniques (i.e., deriving test cases based on the knowledge, skills, and background of testers).

The process of testing comprises the core activities test planning, design, implementation, execution, and evaluation [9]. According to Refs. [18] and [9], test planning is the activity of establishing or updating a test plan. A test plan includes the test objectives, test scope, and test methods as well as the resources and schedule of intended test activities. It identifies, amongst others, features to be tested and exit criteria defining conditions for when to stop testing. Coverage criteria aligned with the tested feature types and the applied test design techniques are typical exit criteria. Once the test plan has been established, test control begins. It is an ongoing activity in which the actual progress is compared against the plan, which often results in concrete measures. During the test design phase, the general testing objectives defined in the test plan are transformed into tangible test conditions and abstract test cases. For test derivation, specific test design techniques can be applied, which can, according to ISO/IEC/IEEE 29119 [17], be classified into specification-based, structure-based, and experience-based techniques. Test implementation comprises tasks to make the abstract test cases executable. This includes tasks like preparing test harnesses and test data, providing logging support, or writing test scripts, which are necessary to enable the automated execution of test cases. In the test execution phase, the test cases are then executed and all relevant details of the execution are logged and monitored. In manual test execution, testing is guided by a human, and in automated testing by a specialized application. Finally, in the test evaluation phase, the exit criteria are evaluated and the logged test results are summarized in a test report.

In model-based testing (MBT), manually selected algorithms automatically and systematically generate test cases from a set of models of the system under test or its environment [19]. Whereas test automation replaces manual test execution with automated test scripts, MBT replaces manual test design with automated test design and test generation.

3. SECURITY ENGINEERING

In this section, we cover basic concepts of security engineering as well as an overview of the secure software development life cycle.

3.1 Basic Concepts

Security testing validates software system requirements related to security properties of assets that include confidentiality, integrity, availability, authentication, authorization, and nonrepudiation. These security properties can be defined as follows [20]:
• Confidentiality is the assurance that information is not disclosed to unauthorized individuals, processes, or devices.
• Integrity is provided when data is unchanged
from its source and has not been accidentally or maliciously modified, altered, or destroyed.

Subject Index

WCET. See Worst-case execution time (WCET)
Wearable fall-detection application, 123, 123f
Web applications. See also First tier
  application architecture, 156–157, 156f
  HTML document, 157–158
  HTTP request, 157, 157f
  regression testing
    cases creation for code, 175–176
    empirical studies, 178
    maintaining/repairing, 176–178
    prioritization approaches, 171–175
    test suite reduction, 175
  testing
    adequacy criteria, 160–161, 169–170
    cases, 159–160
    concolic test case generation, 165–166
    cross-browser, cross-platform compatibility, 159
    distributed architecture, 158
    dynamic behavior, 159
    fast development cycle, 158
    fault severity, 171
    input generation, 167–168
    large and complex code base, 159
    maintenance of applications, 161
    model-based test case generation, 162–164
    multiple languages, 158
    multiple outputs, 158
    mutation testing, 170–171
    oracle comparators, 160
    oracles, 168–169
    process, 159, 159f
    regenerating test suites, 167
    requirements, 166
    search-based approach, 166–167
    Selenese, 160
    statistical test case generation, 164–165
    word cloud, 178–181, 179f
Web application under test (WAUT), 199
Web Atomic Section Project (WASP), 162
Web elements
  changing their state, 218, 218f
  with complex interaction, 218–219, 219f
WEBMATE, 163
White-box abstraction, 131
  application layer variable-operating system interactions, 143–144, 144f
  cache thrashing, 142, 142f
  CPU and memory subsystems, 142
  general-purpose graphics processing units, 143
  hardware/software layers-tasks interactions, 143, 144f
  interrupt latency, 141, 141f
  multiple task dependencies, 143–145, 145f
  test oracles, 145–146
White-box testing,
Word cloud, 178–181, 179f
Worst case energy consumption (WCEC), 129
Worst-case execution time (WCET), 129

CONTENTS OF VOLUMES IN THIS SERIES

Volume 60
Licensing and Certification of Software Professionals. DONALD J. BAGERT
Cognitive Hacking. GEORGE CYBENKO, ANNARITA GIANI, AND PAUL THOMPSON
The Digital Detective: An Introduction to Digital Forensics. WARREN HARRISON
Survivability: Synergizing Security and Reliability. CRISPIN COWAN
Smart Cards. KATHERINE M. SHELFER, CHRIS CORUM, J. DREW PROCACCINO, AND JOSEPH DIDIER
Shotgun Sequence Assembly. MIHAI POP
Advances in Large Vocabulary Continuous Speech Recognition. GEOFFREY ZWEIG AND MICHAEL PICHENY

Volume 61
Evaluating Software Architectures. ROSEANNE TESORIERO TVEDT, PATRICIA COSTA, AND MIKAEL LINDVALL
Efficient Architectural Design of High Performance Microprocessors. LIEVEN EECKHOUT AND KOEN DE BOSSCHERE
Security Issues and Solutions in Distributed Heterogeneous Mobile Database Systems. A. R. HURSON, J. PLOSKONKA, Y. JIAO, AND H. HARIDAS
Disruptive Technologies and Their Affect on Global Telecommunications. STAN MCCLELLAN, STEPHEN LOW, AND WAI-TIAN TAN
Ions, Atoms, and Bits: An Architectural Approach to Quantum Computing. DEAN COPSEY, MARK OSKIN, AND FREDERIC T. CHONG

Volume 62
An Introduction to Agile Methods. DAVID COHEN, MIKAEL LINDVALL, AND PATRICIA COSTA
The Timeboxing Process Model for Iterative Software Development. PANKAJ JALOTE, AVEEJEET PALIT, AND PRIYA KURIEN
A Survey of Empirical Results on Program Slicing. DAVID BINKLEY AND MARK HARMAN
Challenges in Design and Software Infrastructure for Ubiquitous Computing Applications. GURUDUTH BANAVAR AND ABRAHAM BERNSTEIN
Introduction to MBASE (Model-Based (System) Architecting and Software Engineering). DAVID KLAPPHOLZ AND DANIEL PORT
Software Quality Estimation with Case-Based Reasoning. TAGHI M. KHOSHGOFTAAR AND NAEEM SELIYA
Data Management Technology for Decision Support Systems. SURAJIT CHAUDHURI, UMESHWAR DAYAL, AND VENKATESH GANTI

Volume 63
Techniques to Improve Performance Beyond Pipelining: Superpipelining, Superscalar, and VLIW. JEAN-LUC GAUDIOT, JUNG-YUP KANG, AND WON WOO RO
Networks on Chip (NoC): Interconnects of Next Generation Systems on Chip. THEOCHARIS THEOCHARIDES, GREGORY M. LINK, NARAYANAN VIJAYKRISHNAN, AND MARY JANE IRWIN
Characterizing Resource Allocation Heuristics for Heterogeneous Computing Systems. SHOUKAT ALI, TRACY D. BRAUN, HOWARD JAY SIEGEL, ANTHONY A. MACIEJEWSKI, NOAH BECK, LADISLAU BÖLÖNI, MUTHUCUMARU MAHESWARAN, ALBERT I. REUTHER, JAMES P. ROBERTSON, MITCHELL D. THEYS, AND BIN YAO
Power Analysis and Optimization Techniques for Energy Efficient Computer Systems. WISSAM CHEDID, CHANSU YU, AND BEN LEE
Flexible and Adaptive Services in Pervasive Computing. BYUNG Y. SUNG, MOHAN KUMAR, AND BEHROOZ SHIRAZI
Search and Retrieval of Compressed Text. AMAR MUKHERJEE, NAN ZHANG, TAO TAO, RAVI VIJAYA SATYA, AND WEIFENG SUN

Volume 64
Automatic Evaluation of Web Search Services. ABDUR CHOWDHURY
Web Services. SANG SHIN
A Protocol Layer Survey of Network Security. JOHN V. HARRISON AND HAL BERGHEL
E-Service: The Revenue Expansion Path to E-Commerce Profitability. ROLAND T. RUST, P. K. KANNAN, AND ANUPAMA D. RAMACHANDRAN
Pervasive Computing: A Vision to Realize. DEBASHIS SAHA
Open Source Software Development: Structural Tension in the American Experiment. COSKUN BAYRAK AND CHAD DAVIS
Disability and Technology: Building Barriers or Creating Opportunities? PETER GREGOR, DAVID SLOAN, AND ALAN F. NEWELL

Volume 65
The State of Artificial Intelligence. ADRIAN A. HOPGOOD
Software Model Checking with SPIN. GERARD J. HOLZMANN
Early Cognitive Computer Vision. JAN-MARK GEUSEBROEK
Verification and Validation and Artificial Intelligence. TIM MENZIES AND CHARLES PECHEUR
Indexing, Learning and Content-Based Retrieval for Special Purpose Image Databases. MARK J. HUISKES AND ERIC J. PAUWELS
Defect Analysis: Basic Techniques for Management and Learning. DAVID N. CARD
Function Points. CHRISTOPHER J. LOKAN
The Role of Mathematics in Computer Science and Software Engineering Education. PETER B. HENDERSON

Volume 66
Calculating Software Process Improvements Return on Investment. RINI VAN SOLINGEN AND DAVID F. RICO
Quality Problem in Software Measurement Data. PIERRE REBOURS AND TAGHI M. KHOSHGOFTAAR
Requirements Management for Dependable Software Systems. WILLIAM G. BAIL
Mechanics of Managing Software Risk. WILLIAM G. BAIL
The PERFECT Approach to Experience-Based Process Evolution. BRIAN A. NEJMEH AND WILLIAM E. RIDDLE
The Opportunities, Challenges, and Risks of High Performance Computing in Computational Science and Engineering. DOUGLASS E. POST, RICHARD P. KENDALL, AND ROBERT F. LUCAS

Volume 67
Broadcasting a Means to Disseminate Public Data in a Wireless Environment—Issues and Solutions. A. R. HURSON, Y. JIAO, AND B. A. SHIRAZI
Programming Models and Synchronization Techniques for Disconnected Business Applications. AVRAHAM LEFF AND JAMES T. RAYFIELD
Academic Electronic Journals: Past, Present, and Future. ANAT HOVAV AND PAUL GRAY
Web Testing for Reliability Improvement. JEFF TIAN AND LI MA
Wireless Insecurities. MICHAEL STHULTZ, JACOB UECKER, AND HAL BERGHEL
The State of the Art in Digital Forensics. DARIO FORTE

Volume 68
Exposing Phylogenetic Relationships by Genome Rearrangement. YING CHIH LIN AND CHUAN YI TANG
Models and Methods in Comparative Genomics. GUILLAUME BOURQUE AND LOUXIN ZHANG
Translocation Distance: Algorithms and Complexity. LUSHENG WANG
Computational Grand Challenges in Assembling the Tree of Life: Problems and Solutions. DAVID A. BADER, USMAN ROSHAN, AND ALEXANDROS STAMATAKIS
Local Structure Comparison of Proteins. JUN HUAN, JAN PRINS, AND WEI WANG
Peptide Identification via Tandem Mass Spectrometry. XUE WU, NATHAN EDWARDS, AND CHAU-WEN TSENG

Volume 69
The Architecture of Efficient Multi-Core Processors: A Holistic Approach. RAKESH KUMAR AND DEAN M. TULLSEN
Designing Computational Clusters for Performance and Power. KIRK W. CAMERON, RONG GE, AND XIZHOU FENG
Compiler-Assisted Leakage Energy Reduction for Cache Memories. WEI ZHANG
Mobile Games: Challenges and Opportunities. PAUL COULTON, WILL BAMFORD, FADI CHEHIMI, REUBEN EDWARDS, PAUL GILBERTSON, AND OMER RASHID
Free/Open Source Software Development: Recent Research Results and Methods. WALT SCACCHI

Volume 70
Designing Networked Handheld Devices to Enhance School Learning. JEREMY ROSCHELLE, CHARLES PATTON, AND DEBORAH TATAR
Interactive Explanatory and Descriptive Natural-Language Based Dialogue for Intelligent Information Filtering. JOHN ATKINSON AND ANITA FERREIRA
A Tour of Language Customization Concepts. COLIN ATKINSON AND THOMAS KÜHNE
Advances in Business Transformation Technologies. JUHNYOUNG LEE
Phish Phactors: Offensive and Defensive Strategies. HAL BERGHEL, JAMES CARPINTER, AND JU-YEON JO
Reflections on System Trustworthiness. PETER G. NEUMANN

Volume 71
Programming Nanotechnology: Learning from Nature. BOONSERM KAEWKAMNERDPONG, PETER J. BENTLEY, AND NAVNEET BHALLA
Nanobiotechnology: An Engineer’s Foray into Biology. YI ZHAO AND XIN ZHANG
Toward Nanometer-Scale Sensing Systems: Natural and Artificial Noses as Models for Ultra-Small, Ultra-Dense Sensing Systems. BRIGITTE M. ROLFE
Simulation of Nanoscale Electronic Systems. UMBERTO RAVAIOLI
Identifying Nanotechnology in Society. CHARLES TAHAN
The Convergence of Nanotechnology, Policy, and Ethics. ERIK FISHER

Volume 72
DARPA’s HPCS Program: History, Models, Tools, Languages. JACK DONGARRA, ROBERT GRAYBILL, WILLIAM HARROD, ROBERT LUCAS, EWING LUSK, PIOTR LUSZCZEK, JANICE MCMAHON, ALLAN SNAVELY, JEFFERY VETTER, KATHERINE YELICK, SADAF ALAM, ROY CAMPBELL, LAURA CARRINGTON, TZU-YI CHEN, OMID KHALILI, JEREMY MEREDITH, AND MUSTAFA TIKIR
Productivity in High-Performance Computing. THOMAS STERLING AND CHIRAG DEKATE
Performance Prediction and Ranking of Supercomputers. TZU-YI CHEN, OMID KHALILI, ROY L. CAMPBELL, JR., LAURA CARRINGTON, MUSTAFA M. TIKIR, AND ALLAN SNAVELY
Sampled Processor Simulation: A Survey. LIEVEN EECKHOUT
Distributed Sparse Matrices for Very High Level Languages. JOHN R. GILBERT, STEVE REINHARDT, AND VIRAL B. SHAH
Bibliographic Snapshots of High-Performance/High-Productivity Computing. MYRON GINSBERG

Volume 73
History of Computers, Electronic Commerce, and Agile Methods. DAVID F. RICO, HASAN H. SAYANI, AND RALPH F. FIELD
Testing with Software Designs. ALIREZA MAHDIAN AND ANNELIESE A. ANDREWS
Balancing Transparency, Efficiency, and Security in Pervasive Systems. MARK WENSTROM, ELOISA BENTIVEGNA, AND ALI R. HURSON
Computing with RFID: Drivers, Technology and Implications. GEORGE ROUSSOS
Medical Robotics and Computer-Integrated Interventional Medicine. RUSSELL H. TAYLOR AND PETER KAZANZIDES

Volume 74
Data Hiding Tactics for Windows and Unix File Systems. HAL BERGHEL, DAVID HOELZER, AND MICHAEL STHULTZ
Multimedia and Sensor Security. ANNA HAĆ
Email Spam Filtering. ENRIQUE PUERTAS SANZ, JOSÉ MARÍA GÓMEZ HIDALGO, AND JOSÉ CARLOS CORTIZO PÉREZ
The Use of Simulation Techniques for Hybrid Software Cost Estimation and Risk Analysis. MICHAEL KLÄS, ADAM TRENDOWICZ, AXEL WICKENKAMP, JÜRGEN MÜNCH, NAHOMI KIKUCHI, AND YASUSHI ISHIGAI
An Environment for Conducting Families of Software Engineering Experiments. LORIN HOCHSTEIN, TAIGA NAKAMURA, FORREST SHULL, NICO ZAZWORKA, VICTOR R. BASILI, AND MARVIN V. ZELKOWITZ
Global Software Development: Origins, Practices, and Directions. JAMES J. CUSICK, ALPANA PRASAD, AND WILLIAM M. TEPFENHART

Volume 75
The UK HPC Integration Market: Commodity-Based Clusters. CHRISTINE A. KITCHEN AND MARTYN F. GUEST
Elements of High-Performance Reconfigurable Computing. TOM VANCOURT AND MARTIN C. HERBORDT
Models and Metrics for Energy-Efficient Computing. PARTHASARATHY RANGANATHAN, SUZANNE RIVOIRE, AND JUSTIN MOORE
The Emerging Landscape of Computer Performance Evaluation. JOANN M. PAUL, MWAFFAQ OTOOM, MARC SOMERS, SEAN PIEPER, AND MICHAEL J. SCHULTE
Advances in Web Testing. CYNTRICA EATON AND ATIF M. MEMON

Volume 76
Information Sharing and Social Computing: Why, What, and Where? ODED NOV
Social Network Sites: Users and Uses. MIKE THELWALL
Highly Interactive Scalable Online Worlds. GRAHAM MORGAN
The Future of Social Web Sites: Sharing Data and Trusted Applications with Semantics. SHEILA KINSELLA, ALEXANDRE PASSANT, JOHN G. BRESLIN, STEFAN DECKER, AND AJIT JAOKAR
Semantic Web Services Architecture with Lightweight Descriptions of Services. TOMAS VITVAR, JACEK KOPECKY, JANA VISKOVA, ADRIAN MOCAN, MICK KERRIGAN, AND DIETER FENSEL
Issues and Approaches for Web 2.0 Client Access to Enterprise Data. AVRAHAM LEFF AND JAMES T. RAYFIELD
Web Content Filtering. JOSÉ MARÍA GÓMEZ HIDALGO, ENRIQUE PUERTAS SANZ, FRANCISCO CARRERO GARCÍA, AND MANUEL DE BUENAGA RODRÍGUEZ

Volume 77
Photo Fakery and Forensics. HANY FARID
Advances in Computer Displays. JASON LEIGH, ANDREW JOHNSON, AND LUC RENAMBOT
Playing with All Senses: Human-Computer Interface Devices for Games. JÖRN LOVISCACH
A Status Report on the P Versus NP Question. ERIC ALLENDER
Dynamically Typed Languages. LAURENCE TRATT
Factors Influencing Software Development Productivity—State-of-the-Art and Industrial Experiences. ADAM TRENDOWICZ AND JÜRGEN MÜNCH
Evaluating the Modifiability of Software Architectural Designs. M. OMOLADE SALIU, GÜNTHER RUHE, MIKAEL LINDVALL, AND CHRISTOPHER ACKERMANN
The Common Law and Its Impact on the Internet. ROBERT AALBERTS, DAVID HAMES, PERCY POON, AND PAUL D. THISTLE

Volume 78
Search Engine Optimization—Black and White Hat Approaches. ROSS A. MALAGA
Web Searching and Browsing: A Multilingual Perspective. WINGYAN CHUNG
Features for Content-Based Audio Retrieval. DALIBOR MITROVIĆ, MATTHIAS ZEPPELZAUER, AND CHRISTIAN BREITENEDER
Multimedia Services over Wireless Metropolitan Area Networks. KOSTAS PENTIKOUSIS, JARNO PINOLA, ESA PIRI, PEDRO NEVES, AND SUSANA SARGENTO
An Overview of Web Effort Estimation. EMILIA MENDES
Communication Media Selection for Remote Interaction of Ad Hoc Groups. FABIO CALEFATO AND FILIPPO LANUBILE

Volume 79
Applications in Data-Intensive Computing. ANUJ R. SHAH, JOSHUA N. ADKINS, DOUGLAS J. BAXTER, WILLIAM R. CANNON, DANIEL G. CHAVARRIA-MIRANDA, SUTANAY CHOUDHURY, IAN GORTON, DEBORAH K. GRACIO, TODD D. HALTER, NAVDEEP D. JAITLY, JOHN R. JOHNSON, RICHARD T. KOUZES, MATTHEW C. MACDUFF, ANDRES MARQUEZ, MATTHEW E. MONROE, CHRISTOPHER S. OEHMEN, WILLIAM A. PIKE, CHAD SCHERRER, ORESTE VILLA, BOBBIE-JO WEBB-ROBERTSON, PAUL D. WHITNEY, AND NINO ZULJEVIC
Pitfalls and Issues of Manycore Programming. AMI MAROWKA
Illusion of Wireless Security. ALFRED W. LOO
Brain–Computer Interfaces for the Operation of Robotic and Prosthetic Devices. DENNIS J. MCFARLAND AND JONATHAN R. WOLPAW
The Tools Perspective on Software Reverse Engineering: Requirements, Construction, and Evaluation. HOLGER M. KIENLE AND HAUSI A. MÜLLER

Volume 80
Agile Software Development Methodologies and Practices. LAURIE WILLIAMS
A Picture from the Model-Based Testing Area: Concepts, Techniques, and Challenges. ARILO C. DIAS-NETO AND GUILHERME H. TRAVASSOS
Advances in Automated Model-Based System Testing of Software Applications with a GUI Front-End. ATIF M. MEMON AND BAO N. NGUYEN
Empirical Knowledge Discovery by Triangulation in Computer Science. RAVI I. SINGH AND JAMES MILLER
StarLight: Next-Generation Communication Services, Exchanges, and Global Facilities. JOE MAMBRETTI, TOM DEFANTI, AND MAXINE D
BROWN Parameters Effecting 2D Barcode Scanning Reliability AMIT GROVER, PAUL BRAECKEL, KEVIN LINDGREN, HAL BERGHEL, AND DENNIS COBB Advances in Video-Based Human Activity Analysis: Challenges and Approaches PAVAN TURAGA, RAMA CHELLAPPA, AND ASHOK VEERARAGHAVAN Volume 81 VoIP Security: Vulnerabilities, Exploits, and Defenses XINYUAN WANG AND RUISHAN ZHANG Phone-to-Phone Configuration for Internet Telephony YIU-WING LEUNG SLAM for Pedestrians and Ultrasonic Landmarks in Emergency Response Scenarios CARL FISCHER, KAVITHA MUTHUKRISHNAN, AND MIKE HAZAS Feeling Bluetooth: From a Security Perspective PAUL BRAECKEL Digital Feudalism: Enclosures and Erasures from Digital Rights Management to the Digital Divide SASCHA D MEINRATH, JAMES W LOSEY, AND VICTOR W PICKARD Online Advertising AVI GOLDFARB AND CATHERINE TUCKER Contents of Volumes in this Series 267 Volume 82 The Hows and Whys of Information Markets AREEJ YASSIN AND ALAN R HEVNER Measuring and Monitoring Technical Debt CAROLYN SEAMAN AND YUEPU GUO A Taxonomy and Survey of Energy-Efficient Data Centers and Cloud Computing Systems ANTON BELOGLAZOV, RAJKUMAR BUYYA, YOUNG CHOON LEE, AND ALBERT ZOMAYA Applications of Mobile Agents in Wireless Networks and Mobile Computing SERGIO GONZA´LEZ-VALENZUELA, MIN CHEN, AND VICTOR C.M LEUNG Virtual Graphics for Broadcast Production GRAHAM THOMAS Advanced Applications of Virtual Reality JUăRGEN P SCHULZE, HAN SUK KIM, PHILIP WEBER, ANDREW PRUDHOMME, ROGER E BOHN, MAURIZIO SERACINI, AND THOMAS A DEFANTI Volume 83 The State of the Art in Identity Theft AMIT GROVER, HAL BERGHEL, AND DENNIS COBB An Overview of Steganography GARY C KESSLER AND CHET HOSMER CAPTCHAs: An Artificial Intelligence Application to Web Security JOSE MARIA GOăMEZ HIDALGO AND GONZALO ALVAREZ Advances in Video-Based Biometrics RAMA CHELLAPPA AND PAVAN TURAGA Action Research Can Swing the Balance in Experimental Software Engineering PAULO SE´RGIO MEDEIROS DOS SANTOS AND GUILHERME HORTA TRAVASSOS Functional and 
Nonfunctional Design Verification for Embedded Software Systems ARNAB RAY, CHRISTOPHER ACKERMANN, RANCE CLEAVELAND, CHARLES SHELTON, AND CHRIS MARTIN Volume 84 Combining Performance and Availability Analysis in Practice KISHOR TRIVEDI, ERMESON ANDRADE, AND FUMIO MACHIDA Modeling, Analysis, and Testing of System Vulnerabilities FEVZI BELLI, MUTLU BEYAZIT, ADITYA P MATHUR, AND NIMAL NISSANKE Software Design and Verification for Safety-Relevant Computer-Based Systems FRANCESCA SAGLIETTI System Dependability: Characterization and Benchmarking YVES CROUZET AND KARAMA KANOUN Pragmatic Directions in Engineering Secure Dependable Systems M FARRUKH KHAN AND RAYMOND A PAUL 268 Contents of Volumes in this Series Volume 85 Software Organizations and Test Process Development JUSSI KASURINEN Model-Based GUI Testing: Case Smartphone Camera and Messaging Development RUPESH DEV, ANTTI JAăAăSKELAăINEN, AND MIKA KATARA Model Transformation Specification and Design K LANO AND S KOLAHDOUZ-RAHIMI Advances on Improving Automation in Developer Testing XUSHENG XIAO, SURESH THUMMALAPENTA, AND TAO XIE Automated Interoperability Testing of Healthcare Information Systems DIANA ELENA VEGA Event-Oriented, Model-Based GUI Testing and Reliability Assessment—Approach and Case Study FEVZI BELLI, MUTLU BEYAZIT, AND NEVIN GUăLER Deployable Capture/Replay Supported by Internal Messages STEFFEN HERBOLD, UWE BUăNTING, JENS GRABOWSKI, AND STEPHAN WAACK Volume 86 Model-Based Testing: Achievements and Future Challenges MICHAEL MLYNARSKI, BARIS GUăLDALI, GREGOR ENGELS, AND STEPHAN WEIßLEDER Cloud Computing Uncovered: A Research Landscape MOHAMMAD HAMDAQA AND LADAN TAHVILDARI Advances in User-Session-Based Testing of Web Applications SREEDEVI SAMPATH Machine Learning and Event-Based Software Testing: Classifiers for Identifying Infeasible GUI Event Sequences ROBERT GOVE AND JORGE FAYTONG A Framework for Detecting and Diagnosing Configuration Faults in Web Applications CYNTRICA EATON Trends in Model-based GUI 
Testing STEPHAN ARLT, SIMON PAHL, CRISTIANO BERTOLINI, AND MARTIN SCHAăF Regression Testing in Software Product Line Engineering PER RUNESON AND EMELIE ENGSTROăM Volume 87 Introduction and Preface SAHRA SEDIGH AND ALI HURSON Techniques to Measure, Model, and Manage Power BHAVISHYA GOEL, SALLY A MCKEE, AND MAGNUS SJAăLANDER Quantifying IT Energy Efficiency FLORIAN NIEDERMEIER, GERGO´´ LOVA´SZ, AND HERMANN DE MEER State of the Art on Technology and Practices for Improving the Energy Efficiency of Data Storage MARCOS DIAS DE ASSUNC¸A˜O AND LAURENT LEFE`VRE Contents of Volumes in this Series 269 Optical Interconnects for Green Computers and Data Centers SHINJI TSUJI AND TAKASHI TAKEMOTO Energy Harvesting for Sustainable Smart Spaces NGA DANG, ELAHEH BOZORGZADEH, AND NALINI VENKATASUBRAMANIAN Volume 88 Energy-Aware High Performance Computing—A Survey MICHAEL KNOBLOCH Micro-Fluidic Cooling for Stacked 3D-ICs: Fundamentals, Modeling and Design BING SHI AND ANKUR SRIVASTAVA Sustainable DVFS-Enabled Multi-Core Architectures with On-Chip Wireless Links JACOB MURRAY, TENG LU, PARTHA PANDE, AND BEHROOZ SHIRAZI Smart Grid Considerations: Energy Efficiency vs Security ANDREAS BERL, MICHAEL NIEDERMEIER, AND HERMANN DE MEER Energy Efficiency Optimization of Application Software KAY GROSSKOP AND JOOST VISSER Volume 89 Testing Android Mobile Applications: Challenges, Strategies, and Approaches DOMENICO AMALFITANO, ANNA RITA FASOLINO, PORFIRIO TRAMONTANA, AND BRYAN ROBBINS Regression Testing of Evolving Programs MARCEL BOăHME, ABHIK ROYCHOUDHURY, AND BRUNO C.D.S OLIVEIRA Model Inference and Testing MUHAMMAD NAEEM IRFAN, CATHERINE ORIAT, AND ROLAND GROZ Testing of Configurable Systems XIAO QU Test Cost-Effectiveness and Defect Density: A Case Study on the Android Platform VAHID GAROUSI, RILEY KOTCHOREK, AND MICHAEL SMITH Volume 90 Advances in Real-World Sensor Network System DEBRAJ DE, WEN-ZHAN SONG, MINGSEN XU, LEI SHI, AND SONG TAN Novel System Architectures for Semantic-Based 
Integration of Sensor Networks ZORAN BABOVIC AND VELJKO MILUTINOVIC Mobility in Wireless Sensor Networks SRIRAM CHELLAPPAN AND NEELANJANA DUTTA A Classification of Data Mining Algorithms for Wireless Sensor Networks, and Classification Extension to Concept Modeling in System of Wireless Sensor Networks Based on Natural Language Processing STASˇA VUJICˇIC´ STANKOVIC´, NEMANJA KOJIC´, GORAN RAKOCˇEVIC´, DUSˇKO VITAS, ´ AND VELJKO MILUTINOVIC 270 Contents of Volumes in this Series Multihoming: A Comprehensive Review BRUNO SOUSA, KOSTAS PENTIKOUSIS, AND MARILIA CURADO Efficient Data Analytics Over Cloud RAJEEV GUPTA, HIMANSHU GUPTA, AND MUKESH MOHANIA Volume 91 Reverse-Engineering Software Behavior NEIL WALKINSHAW Understanding Application Contentiousness and Sensitivity on Modern Multicores JASON MARS AND LINGJIA TANG An Outlook of High Performance Computing Infrastructures for Scientific Computing AMJAD ALI AND KHALID SAIFULLAH SYED Model-Driven Engineering of Reliable Fault-Tolerant Systems—A State-of-the-Art Survey VIDAR SLA˚TTEN, PETER HERRMANN, AND FRANK ALEXANDER KRAEMER Volume 92 Register-Level Communication in Speculative Chip Multiprocessors MILAN B RADULOVIC´, MILO V TOMASˇEVIC´, AND VELJKO M MILUTINOVIC´ Survey on System I/O Hardware Transactions and Impact on Latency, Throughput, and Other Factors STEEN LARSEN AND BEN LEE Hardware and Application Profiling Tools TOMISLAV JANJUSIC AND KRISHNA KAVI Model Transformation Using Multiobjective Optimization MOHAMED WIEM MKAOUER AND MAROUANE KESSENTINI Manual Parallelization Versus State-of-the-Art Parallelization Techniques: The SPEC CPU2006 as a Case Study ALEKSANDAR VITOROVIC´, MILO V TOMASˇEVIC´, AND VELJKO M MILUTINOVIC´ Volume 93 Recent Advances in Web Testing PAOLO TONELLA, FILIPPO RICCA, AND ALESSANDRO MARCHETTO Exploiting Hardware Monitoring in Software Engineering KRISTEN R WALCOTT-JUSTICE Advances in Model-Driven Security LEVI LU´CIO, QIN ZHANG, PHU H NGUYEN, MOUSSA AMRANI, JACQUES KLEIN, HANS 
VANGHELUWE, AND YVES LE TRAON Adapting Multi-Criteria Decision Analysis for Assessing the Quality of Software Products Current Approaches and Future Perspectives ADAM TRENDOWICZ AND SYLWIA KOPCZYN´SKA Change-Effects Analysis for Evolving Software RAUL SANTELICES, YIJI ZHANG, HAIPENG CAI, AND SIYUAN JIANG Contents of Volumes in this Series 271 Volume 94 Comparison of Security Models: Attack Graphs Versus Petri Nets STEVEN C WHITE AND SAHRA SEDIGH SARVESTANI A Survey on Zero-Knowledge Proofs LI FENG AND BRUCE MCMILLIN Similarity of Private Keyword Search over Encrypted Document Collection YOUSEF ELMEHDWI, WEI JIANG, AND ALIREZA HURSON Multiobjective Optimization for Software Refactoring and Evolution ALI OUNI, MAROUANE KESSENTINI, AND HOUARI SAHRAOUI Volume 95 Automated Test Oracles: A Survey MAURO PEZZE` AND CHENG ZHANG Automated Extraction of GUI Models for Testing PEKKA AHO, TEEMU KANSTREN, TOMI RAăTY, AND JUHA ROăNING Automated Test Oracles: State of the Art, Taxonomies, and Trends RAFAEL A.P OLIVEIRA, UPULEE KANEWALA, AND PAULO A NARDI Anti-Pattern Detection: Methods, Challenges, and Open Issues FABIO PALOMBA, ANDREA DE LUCIA, GABRIELE BAVOTA, AND ROCCO OLIVETO Classifying Problems into Complexity Classes WILLIAM GASARCH Volume 96 An Overview of Selected Heterogeneous and Reconfigurable Architectures SASˇA STOJANOVIC´, DRAGAN BOJIC´, AND MIROSLAV BOJOVIC´ Concurrency, Synchronization, and Speculation—The Dataflow Way KRISHNA KAVI, CHARLES SHELOR, AND DOMENICO PACE Dataflow Computing in Extreme Performance Conditions DIEGO ORIATO, STEPHEN GIRDLESTONE, AND OSKAR MENCER Sorting Networks on Maxeler Dataflow Supercomputing Systems ANTON KOS, VUKASˇIN RANKOVIC´, AND SASˇO TOMAZˇICˇ Dual Data Cache Systems: Architecture and Analysis ZIVOJIN SUSTRAN, GORAN RAKOCEVIC, AND VELJKO MILUTINOVIC Volume 97 Comparing Reuse Strategies in Different Development Environments JULIA VARNELL-SARJEANT AND ANNELIESE AMSCHLER ANDREWS Advances in Behavior Modeling ELLA ROUBTSOVA Overview 
of Computational Approaches for Inference of MicroRNA-Mediated and Gene Regulatory Networks BLAGOJ RISTEVSKI 272 Contents of Volumes in this Series Proving Programs Terminate Using Well-Founded Orderings, Ramsey’s Theorem, and Matrices WILLIAM GASARCH Advances in Testing JavaScript-Based Web Applications ALI MESBAH Volume 98 An Overview of Architecture-Level Power- and Energy-Efficient Design Techniques ă NSAL, ADRIAN CRISTAL, AND IVAN RATKOVIC, NIKOLA BEZˇANIC´, OSMAN S U VELJKO MILUTINOVIC´ A Survey of Research on Data Corruption in Cyber–Physical Critical Infrastructure Systems MARK WOODARD, SAHRA SEDIGH SARVESTANI, AND ALI R HURSON A Research Overview of Tool-Supported Model-based Testing of Requirements-based Designs RALUCA MARINESCU, CRISTINA SECELEANU, HE`LE´NE LE GUEN, AND PAUL PETTERSSON Preference Incorporation in Evolutionary Multiobjective Optimization: A Survey of the State-of-the-Art SLIM BECHIKH, MAROUANE KESSENTINI, LAMJED BEN SAID, AND KHALED GHE´DIRA Volume 99 Combinatorial Testing: Theory and Practice D RICHARD KUHN, RENEE BRYCE, FENG DUAN, LALEH SH GHANDEHARI, YU LEI, AND RAGHU N KACKER Constraint-Based Testing: An Emerging Trend in Software Testing ARNAUD GOTLIEB Automated Fault Localization: Advances and Challenges WES MASRI Recent Advances in Automatic Black-Box Testing LEONARDO MARIANI, MAURO PEZZE`, AND DANIELE ZUDDAS Inroads in Testing Access Control TEJEDDINE MOUELHI, DONIA EL KATEB, AND YVES LE TRAON Volume 100 Power Management in Data Centers: Cost, Sustainability, and Demand Response THANT ZIN OO, NGUYEN H TRAN, CHOONG SEON HONG, SHAOLEI REN, AND GANG QUAN Energy-Efficient Big Data Analytics in Datacenters FARHAD MEHDIPOUR, HAMID NOORI, AND BAHMAN JAVADI Energy-Efficient and SLA-Based Resource Management in Cloud Data Centers ALTINO M SAMPAIO AND JORGE G BARBOSA Achieving Energy Efficiency in Datacenters by Virtual Machine Sizing, Replication, and Placement HADI GOUDARZI AND MASSOUD PEDRAM Communication-Awareness for Energy-Efficiency 
in Datacenters SEYED MORTEZA NABAVINEJAD AND MAZIAR GOUDARZI ... volume in the miniseries (Volume 99), we focused on combinatorial testing, constraint-based testing, automated fault localization, automatic black-box testing, and testing access control Volume 101. .. developments in software, hardware, or uses of computers This 101st volume is the second in a miniseries of volumes based on the theme Advances in Software Testing.” The need for such a thematic miniseries...PREFACE This volume of Advances in Computers is the 101st in this series This series, which has been continuously published since 1960, presents in each volume four to seven chapters describing new