NIST Offers Improved Software Testing

Combinatorial testing is a method for more effective software testing that the National Institute of Science and Technology (NIST) likes a lot.

They ran studies from 1999 to 2004 showing that most software bugs and failures are caused by one or two parameters of input, with progressively fewer by three or more.

They call this the interaction rule, and it is a roadmap for more efficient testing than those given with conventional methods. NIST says that it has multiple studies showing fault detection results equal to exhaustive testing with a 20X to 700X reduction in test set size.

The software industry often spends seven to 20 times as much money rendering safety-critical software reliable as it does on more conventional code, so improvements in testing have been called for by designers.

This is not fuzzing, as the term is commonly used in software development. Fuzzing (or fuzz testing) is an software testing technique using invalid, unexpected, or random data as inputs to a program. The program is then monitored for faults such as crashes, failing built-in code assertions, or potential memory leaks. The NIST approach uses normal and valid ranges of inputs for its testing and observation.

Fuzzing checks for what happens when input goes out of bounds and is "unsanitary," while NIST techniques check for what happens when a program's inputs are within norms but changing relative to other inputs.

Anyway, NIST announced the first revision since 2015 of its Automated Combinatorial Testing for Software, or ACTS.

Researchers from the University of Texas at Arlington, Adobe Systems Inc. and Austria's SBA Research announced at last week's IEEE International Conference on Software Testing, Verification and Validation in China that they had updated a version of Combinatorial Coverage Measurement (CCM) to include extensions to it by SBA Research.

NIST's internal tools were able to handle software that had a few hundred input variables, but SBA Research developed another new tool that can examine software that has up to 2,000. This increase can generate a test suite for up to five-way combinations of input variables.

The two tools can be used in a complementary fashion: While the NIST software can measure the coverage of input combinations, the SBA algorithm can extend coverage to thousands of variables. While the SBA Research algorithm is not an official part of the ACTS test suite, the team says that it has plans to bundle it with ACTS in the future.

NIST will make the algorithm available to any developer who requests it.

"Before we revised CCM, it was difficult to test software that handled thousands of variables thoroughly," NIST mathematician Raghu Kacker said in a statement. "That limitation is a problem for complex modern software of the sort that is used in passenger airliners and nuclear power plants, because it's not just highly configurable, it's also life critical. People's lives and health are depending on it."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.