Depth of Testing Analysis
for SUSE LINUX Enterprise Server
and certification-sles-EAL4

Owner: Daniel H. Jones 

danjones@us.ibm.com

512.838.1794
 

IBM Linux Technology Center – Security

11400 Burnet Road

Austin, TX 78758
  

version 0.1

 

Objective

This analysis shall show that SUSE LINUX Enterprise Server operates in accordance with the high level design. The method used is to show, with some selected examples, that the system calls the internal interfaces as expected from the description in the high level design. In addition, all test cases are mapped to the subsystems of the high level design where the tested security function is implemented.

Approach

The analysis is based on three parts:

  • the mapping of the test cases to the subsystems and subsystem interfaces of the high level design in the test coverage spreadsheet
  • the analysis of the subsystem interfaces called from a selective set of tests (by analysis of the gcov output)
  • the analysis of the code based on the gcov output for selected functions

In the EAL4 functional specification spreadsheet, each test is mapped to the subsystem of the high level design that implements the function. The mapping shows that all subsystems of the high level design are involved in the testing.

 

The output produced by gcov during execution of a selective set of tests demonstrates coverage of the subsystems identified in the high level design.

Test Methodology

A selected set of tests from the Linux Test Project (LTP) suite was used for coverage analysis. These tests are: bind01, execve01, ioctl01, kill01, msgctl01, open01, read01, semctl01, and shmctl01. The tests are located in the misc_test/gcov/tests directory of the EAL4 test suite. These basic tests are wrapped in scripts that perform all the necessary pre- and post-test processing. The wrapper scripts are named using the convention gcov_<testname>, where <testname> represents the system call(s) invoked by the test. The LTP gcov extension (lcov) was used to capture coverage information about each specific test and to format the output into html files for simplified viewing and navigation.

 

Prior to each test, coverage counters are cleared using the lcov “-z” option so that, as much as possible, the output reflects the coverage provided by the test in execution. Any background activity on the system will also contribute to the information captured by gcov. After execution of each test, the counter information was captured to a file. The lcov genhtml utility was then invoked to process the output information into html documents.
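The clear, run, capture, render sequence described above, as an added example that is not one of the EAL4 suite's wrapper scripts. The function names, the RUN dry-run switch, the assumption that each test binary is named after its test, and the placement of the captured file under Gcov/<testname> are hypothetical.

```sh
#!/bin/sh
# Added example: a gcov_<testname>-style wrapper sketch, not the EAL4 suite's script.
# Assumptions (hypothetical): test binaries are named after the test and live in
# TEST_DIR; reports go to OUT_ROOT/<testname>; RUN=echo gives a dry run.
TEST_DIR=${TEST_DIR-misc_test/gcov/tests}
OUT_ROOT=${OUT_ROOT-Gcov}
RUN=${RUN-echo}          # set RUN= (empty) to really execute the commands

# Accept only plain test names such as open01; reject paths and metacharacters.
valid_testname() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    return 0
}

gcov_run() {
    name=$1
    valid_testname "$name" || { echo "invalid test name: $name" >&2; return 2; }
    info="$OUT_ROOT/$name/$name.info"
    rc=0
    $RUN mkdir -p "$OUT_ROOT/$name" || return 1
    $RUN lcov -z || return 1                 # clear the kernel coverage counters
    $RUN "$TEST_DIR/$name" || rc=$?          # run the test; keep its exit status
    $RUN lcov -c -o "$info" || return 1      # capture counters even if the test failed
    $RUN genhtml -o "$OUT_ROOT/$name" "$info" || return 1
    return "$rc"
}

# Stand-alone use: RUN= sh gcov_wrap.sh open01 kill01
for t in "$@"; do gcov_run "$t"; done
```

Without a directory option, lcov resets and captures the kernel's execution counts, which is why background activity between the two lcov calls ends up in the captured file.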

Gcov Analysis

For some security critical functions we show in the source code how the internal functions mentioned in the high level design are invoked. This is done using the html output produced by the gcov tool and augmenting this with some comments highlighting the kernel internal flow.
 
The tool used to provide this analysis is gcov, a profiling tool that shows, for each line of a selected part of the source, how often it has been executed. The following text, taken from the gcov(1) man page, provides a short description of the functionality of gcov:

gcov is a test coverage program. Use it in concert with GCC to analyze your programs to help create more efficient, faster running code. You can use gcov as a profiling tool to help discover where your optimization efforts will best affect your code. You can also use gcov along with the other profiling tool, gprof, to assess which parts of your code use the greatest amount of computing time.

Profiling tools help you analyze your code's performance. Using a profiler such as gcov or gprof, you can find out some basic performance statistics, such as:

  • how often each line of code executes
  • what lines of code are actually executed
  • how much computing time each section of code uses


Once you know these things about how your code works when compiled, you can look at each module to see which modules should be optimized. gcov helps you determine where to work on optimization.

The purpose of this analysis is to show with those examples that the security functions of SUSE LINUX Enterprise Server 9 used in those examples work in accordance with the description in the high level design. The scope of the analysis has been restricted to the kernel, since this is the most complex part of the system and most of the security functions are implemented in the kernel.

Test Results

The resulting output from each test may be analyzed by extracting the files from the documents/EAL4/xSeries.gcov.tar.gz archive to a suitable location. From this location, extract the files contained in Gcov/gcov.tar.gz. Using a browser, open Gcov/<testname>/index.html. The kernel source tree may be navigated using the directory and filename links created by lcov. When a file is selected, the source code for the file is displayed and each line of source that has been executed is highlighted. The source line is prefaced with a count that represents the number of times the line was executed during the session.
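The per-line execution counts shown in the html pages can also be checked from the captured lcov file directly. The following is an added example, not part of the evaluation's scripts: it summarises executed lines per source file and confirms that named kernel files were exercised. The function names are hypothetical, and the sample tracefile, its paths and its counts are constructed.

```sh
#!/bin/sh
# Added example. Constructed sample in lcov tracefile format
# (SF = source file, DA = line,count); not output from the evaluation.
sample_tracefile() {
cat <<'EOF'
TN:
SF:/usr/src/linux/fs/open.c
DA:10,4
DA:11,4
DA:12,0
end_of_record
SF:/usr/src/linux/ipc/msg.c
DA:20,0
DA:21,0
end_of_record
SF:/usr/src/linux/kernel/signal.c
DA:30,7
end_of_record
EOF
}

# Print "<executed>/<instrumented> <file>" for every source file record.
file_coverage() {
    awk -F: '
        $1 == "SF" { file = substr($0, 4); hit = 0; total = 0 }
        $1 == "DA" { split($2, f, ","); total++; if (f[2] + 0 > 0) hit++ }
        $0 == "end_of_record" { printf "%d/%d %s\n", hit, total, file }
    ' "$@"
}

# Succeed only if every listed file (matched as a path suffix) has at least
# one executed line in the tracefile given as the first argument.
files_executed() {
    trace=$1; shift
    for want in "$@"; do
        file_coverage "$trace" | awk -v w="$want" '
            { path = substr($0, index($0, " ") + 1); split($1, c, "/") }
            substr(path, length(path) - length(w) + 1) == w && c[1] + 0 > 0 { found = 1 }
            END { exit(found ? 0 : 1) }
        ' || { echo "not executed: $want" >&2; return 1; }
    done
}
```

A file that reports 0 executed lines, such as ipc/msg.c in the constructed sample, was compiled with instrumentation but not reached during the session.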