A Model-Based Testing Framework for Validating an IoT Solution for Blockchain-Based Vehicles Communication



Introduction
Modern IoT technologies have profoundly transformed classical "vehicular ad-hoc networks" (VANETs) into the "Internet of Vehicles" (IoV) (F. Yang, S. Wang, J. Li, Z. Liu and Q. Sun, 2014). More precisely, the IoV is defined as the real-time data interaction between vehicles, and between vehicles and infrastructures, through information platforms, mobile communication technology, smart terminal devices and vehicle navigation systems. Vehicles are incorporated into the IoT by being connected to the Internet, to the other vehicles nearby and to traffic information systems. Yet this concept raises many challenges: the high connectivity and the exchange of sensitive data compromise security and privacy and leave the vehicles susceptible to malicious entities.
The proposed Decentralized IoT Solution for Vehicle communication (DISV), based on the concept of Blockchain, aims at overcoming these security and privacy challenges. By way of explanation, each member of the IoV network receives messages and broadcasts them to the Blockchain server, whereas the server verifies the received block and decides whether it should be added to the smart contract or not.
In order to validate the adopted solution, we propose, in addition, a "model-based testing" (MBT) (Krichen, 2018; Krichen, 2012; Krichen, 2007; Krichen and Tripakis, 2006) framework which makes it possible to check the functional correctness, load and security aspects. This framework is mainly based on the model of Timed Automata (Bertrand et al., 2015; Bertrand et al., 2011). The latter is a rich modelling language which can describe the behaviors of a large class of distributed, dynamic and real-time systems.
Regarding the testing of security aspects, we model the behavior of the attacker using Attack Trees (AT) (Krichen and Alroobaea, 2019; Kordy et al., 2014). The root of the AT corresponds to the attacker's global goal. Internal nodes correspond to sub-goals and leaves correspond to "Basic Attack Steps" (BAS). Each AT is then transformed into a collection of Timed Automata from which test scenarios are extracted using test generation algorithms inspired by the works of (Krichen, 2012; Tretmans, 1999).
Besides, we propose an approach for the optimization of the testers placement procedure inspired by fog computing approaches (Taneja and Davy, 2017; Gu et al., 2017; Mahmud et al., 2018; Barcelo et al., 2016) and by some of our previous contributions (Maâlej et al., 2018; Lahami et al., 2016; Lahami et al., 2012b). This placement procedure consists in allocating the set of testers on the different computational nodes of the system under test in an optimal way under different kinds of constraints.
The remainder of this article is structured as follows. In Section 2, an overview of Blockchain, Model Based Testing (MBT) and Timed Automata is presented. Section 3 reviews several applications of Blockchain techniques to the IoT and, in particular, to the IoV. The design of the proposed solution is presented in Section 4. In Section 5, we present several details about the adopted testing framework. Section 6 is dedicated to the testers placement optimization problem. Finally, Section 7 summarizes the main findings and gives new directions for future research.

Blockchain
Blockchain emerged through Bitcoin, introduced in 2008 by Satoshi Nakamoto. Bitcoin can be defined as a decentralized global currency cryptosystem. The Blockchain employed in Bitcoin allows the use of secure and decentralized digital money in a payment system. This peer-to-peer network does not possess a central authority, and as such is powered entirely by the users. Its computing architecture is distributed and all the transactions are publicly announced. Thus, the users have a consensus about a single history of the transactions, referred to as a ledger. The transactions are separated into blocks; subsequently, each user receives a timestamp and then it will be published. It is challenging to modify published blocks because each block of the chain contains the hash of the block that precedes it.

Model Based Testing
Model-Based Testing (MBT) (Krichen, 2018; Krichen, 2010; Krichen, 2007; Krichen and Tripakis, 2006) is a methodology where the system of interest is described by a mathematical model which encodes the behavior of the considered system. This methodology consists in using this mathematical model to compute abstract test scenarios. These abstract sequences are then transformed into concrete test sequences which are executed on the considered "System Under Test" (SUT). The verdict of this testing activity is provided by comparing the observed outputs from the system with the outputs generated by the model.

Timed Automata
"Timed Automata" (TA) (Bertrand et al., 2015; Bertrand et al., 2011) are an expressive and simple tool for describing the behavior of computer systems which combine continuous and discrete mechanisms. TA may be represented as finite graphs enriched with a finite set of clocks defined as real entities whose value progresses continuously over time.

Related Works
(X. Huang and Liu, 2018) developed an ecosystem model on the basis of Blockchain electric vehicle and charging pile management. This model employs Elliptic Curve Cryptography (ECC) for the computation of hash functions of charging piles of electric vehicles. Furthermore, (J. Kang and Hossain, 2017) developed PETCON, a P2P electricity-trading system, for illustrating localized and comprehensive operations of P2P electricity trading. The PETCON system employs a consortium Blockchain method to analyze, verify, and share transaction records publicly, while it is not necessary to have a reliable authority.
Besides, CreditCoin, a privacy-preserving scheme, was created by (L. Li and Zhang, 2018) in order to ensure that adequate announcements are forwarded without revealing users' identities. This scheme employs the Blockchain for sending anonymous announcements through an aggregation protocol between vehicles. Moreover, (Z. Yang and Leung, 2017) proposed a Blockchain-based reputation system to assess data credibility in the IoV. (Y. Yuan and FY. Wang, 2016) developed a Blockchain solution aimed at solving security problems and performance limitations in Intelligent Transportation Systems (ITS). (Leiding and Hogrefe, 2016) merged the Blockchain technology with vehicular ad-hoc networks (VANETs).
(A. Lei and Sun, 2017) introduced dynamic key management using Blockchain for establishing communication systems to be used in vehicles that do

Proposed solution
The adopted architecture is composed of three layers. Figure 1 depicts the architecture of the proposed solution.

The perception layer
In order to test possible scenarios involving various components, an Android application has been developed for the vehicles of the Internet of Vehicles system (AV) and for the infrastructure (AP). AV is an Android application consisting of two sub-systems. The first sub-system is the Vehicle Data Collection System (VDCS), which collects data about the trip and the car.
The second one is the Driver Drowsiness Detection system, which collects data about the driver's behavior to identify whether he or she is drowsy or not. More information about this system can be found in (Jabbar et al., 2018a; Jabbar et al., 2018b; Jabbar et al., 2019; Jabbar et al., 2020).
The Android application has four main pages, as shown in Figure 2. The first page serves for logging in with a username and password. Following the authentication, the user can start a new trip, or access the information about the last five trips, on the second page. If the user chooses a new trip, the application will start recording and displaying all information as described in the previous section. Then, it will send the collected data via the web service to the cloud server. On the fourth page, the front camera captures and displays the driver's face.

The network layer
The network layer establishes the connection between the servers, and transmits and processes the sensor data. The application can use either Wi-Fi or mobile internet (3G/3G+/4G) to send the data to the server.
This collection process uses the hybrid system to gather and save data locally before transmitting it to the server.This technique has been proven to be highly effective for data collection when the internet connection is poor or unstable.

The application layer
The application layer contains two principal components: the central cloud server and the communication system using a Blockchain network. First, the central cloud server delivers application-specific services to the end-user. It sends the collected data to the web services for processing and analysis before showing them to the end-user. Second, the Blockchain network is responsible for managing communication between cars and traffic and transportation systems. At every time slot, the car sends the collected data to the central server via a web service, including the current location and the status of the connection to one of the existing Blockchain servers.

Test Generation Principle
Our generation procedure is inspired by the work of (Tretmans, 1999). A test case may be considered as a tree. The nodes of the test tree may be seen as collections of states S of the model of the SUT. The adopted test generation procedure is in charge of extending the test tree by defining successors to every leaf node, as shown in Figure 3. For every non-acceptable output $a_i$ the test tree moves to fail, and for every acceptable output $b_i$ the test tree moves to a new node which corresponds to the set of states that the system can reach after producing $b_i$. The tester may also decide to emit a valid input $c$ from the current node (dashed arrow).
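The following Python sketch is an added example, not code from the paper: it extends a test tree over sets of model states in the way just described, using an untimed, nondeterministic model. The model, its action names (`?block`, `!added`, `!rejected`, `!error`) and the depth bound are constructed assumptions.

```python
# Constructed model (not from the paper): (state, action) -> set of next states.
# "?" marks an input sent by the tester, "!" an output produced by the SUT.
MODEL = {
    ("idle", "?block"): {"valid", "invalid"},   # nondeterministic choice
    ("valid", "!added"): {"idle"},
    ("invalid", "!rejected"): {"idle"},
}
INPUTS = {"?block"}
OUTPUTS = {"!added", "!rejected", "!error"}

def after(states, action):
    """Set of model states reachable from `states` by performing `action`."""
    nxt = set()
    for s in states:
        nxt |= MODEL.get((s, action), set())
    return frozenset(nxt)

def build_test(states, depth):
    """Extend the test tree from a node labelled with a set of states."""
    if depth == 0:
        return "pass"
    node = {}
    for out in sorted(OUTPUTS):
        succ = after(states, out)
        # An output the model cannot produce from this node leads to fail.
        node[out] = build_test(succ, depth - 1) if succ else "fail"
    for inp in sorted(INPUTS):
        succ = after(states, inp)
        if succ:  # the tester may emit one valid input from this node
            node[inp] = build_test(succ, depth - 1)
            break
    return node

def verdict(test, trace):
    """Walk an observed trace through the test tree and return the verdict."""
    node = test
    for action in trace:
        if not isinstance(node, dict):
            break
        node = node.get(action, "inconclusive")
    return node if isinstance(node, str) else "pass"

if __name__ == "__main__":
    tree = build_test(frozenset({"idle"}), 3)
    print(verdict(tree, ["?block", "!added"]))
    print(verdict(tree, ["?block", "!error"]))
```

After `?block` the node is labelled with the set {valid, invalid}, so both `!added` and `!rejected` are acceptable outputs there, while `!error` is not.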

Combining Functional and Load Aspects
At this level, our goal is to combine load and functional aspects in our modelling since our system is As illustrated in Figure 4, the integer variable used in the proposed timed automaton corresponds to the number of running instances of the considered system. In this example, we demonstrate how the response time needed to generate an action b may vary according to the number of running instances.

Testing Security Aspects Using Attack Trees
In the literature, "Attack Trees" (Krichen and Alroobaea, 2019; Kordy et al., 2014) are used to assess the security of critical systems. They give a graphical representation of the strategy of a given attacker. An example of an AT is proposed in Figure 5 (Krichen and Alroobaea, 2019). In this example, the considered attacker aims at cracking the password of some protected files.
In general, the root of an attack tree corresponds to the global goal of the attacker and the leaves of the tree correspond to basic attack steps the attacker needs to combine in order to achieve its global goal. Internal nodes correspond to intermediary sub-goals. The attack tree has two types of gates, namely AND-gates and OR-gates. On the one hand, an AND-gate means that in order to fulfill the goal of a parent node, the sub-goals of all children of the considered node have to be achieved. On the other hand, an OR-gate means that the goal of a parent node can be achieved by fulfilling the sub-goal of only one of its children.
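The gate semantics above can be evaluated directly on a tree structure. The Python sketch below is an added example, not code from the paper: it computes the minimal sets of basic attack steps that reach the root (the combinations a security test suite has to cover) and checks whether mitigating some steps blocks the goal. The tree and its leaf names (`bas_a` to `bas_d`) are constructed and are not those of Figure 5.

```python
from itertools import product

# Constructed tree (not Figure 5): a node is a leaf name (a basic attack
# step) or a pair (gate, children) with gate "AND" or "OR".
TREE = ("OR", [
    ("AND", ["bas_a", "bas_b"]),
    ("AND", ["bas_c", ("OR", ["bas_b", "bas_d"])]),
])

def achieved(node, done):
    """True if the goal of `node` is reached once the steps in `done` succeed."""
    if isinstance(node, str):
        return node in done
    gate, children = node
    results = (achieved(c, done) for c in children)
    return all(results) if gate == "AND" else any(results)

def attack_sets(node):
    """All sets of basic attack steps that achieve `node` (not minimised)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [attack_sets(c) for c in children]
    if gate == "OR":  # any single child suffices
        return set().union(*child_sets)
    # AND: pick one achieving set per child and merge them
    return {frozenset().union(*combo) for combo in product(*child_sets)}

def minimal_attack_sets(node):
    """Drop every set that strictly contains another achieving set."""
    sets = attack_sets(node)
    return {s for s in sets if not any(t < s for t in sets)}

def leaves(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(leaves(c) for c in node[1]))

def still_achievable(node, mitigated):
    """Can the root goal be reached when the `mitigated` steps are impossible?"""
    return achieved(node, leaves(node) - set(mitigated))

if __name__ == "__main__":
    for s in sorted(map(sorted, minimal_attack_sets(TREE))):
        print(s)
    print(still_achievable(TREE, {"bas_b", "bas_d"}))
```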
After defining the attack tree modelling the behavior of the attacker, the second step consists in transforming the obtained tree into a network of Timed Automata which will serve as an input for our test generation procedure.The proposed transformation is inspired by the transformation proposed in (Kumar et al., 2015).

Optimization of Testers Placement
This problem is inspired by fog computing approaches (Taneja and Davy, 2017; Gu et al., 2017) and by some of our previous contributions (Maâlej et al., 2018; Lahami et al., 2016; Lahami et al., 2012b). It consists in allocating the set of testers on the different computational nodes of the SUT in an optimal manner under several types of constraints as mentioned below.

Different Types of Constraints
Node Constraints. For example, in (Arkian et al., 2017), both CPU and storage were taken into account. In (Gu et al., 2017), the authors considered CPU, RAM and storage constraints.
Network Constraints. In (Mahmud et al., 2018), only the latency constraint was taken into account. In addition, in (Gupta et al., 2017; Ottenwälder et al., 2013), both bandwidth and latency were considered by the authors.
Energy Constraints. For instance, in (Barcelo et al., 2016), the fog nodes were characterised by their energy capacities. Moreover, the authors of (Souza et al., 2016) defined the notion of "energy cells" to estimate the energy needed by the fog nodes.

Objective Functions
Energy. Energy optimization was taken into account at distinct levels. For example, the authors of (Barcelo et al., 2016) considered a linear objective measure of the energy consumption. Likewise, in (Huang et al., 2014), the adopted goal consisted in diminishing the communication energy cost.
Execution Time and Network Delay. For example, this objective function was adopted by the authors of (Skarlat et al., 2016). In addition, in (Xia et al., 2018), the response time was optimised in order to increase the number of requests served before a chosen deadline.
Migrations. In (Ottenwälder et al., 2013), the number of migrations was optimised by reducing the network use without impacting its latency. Likewise, in (Yang et al., 2016), the number of migrations was optimised along with latency and resource consumption.

Algorithms
Search-based Algorithms. In (Gupta et al., 2017), an algorithm was proposed to find a placement scenario for Internet of Things applications. In addition, in (Guerrero et al., 2019), a distributed search method was proposed for similar goals.
Dynamic Programming. In (Souza et al., 2016), the placement problem was modelled as a multidimensional knapsack problem (MKP). Likewise, in (Rahbari and Nickray, 2017), the placement problem was modelled as a knapsack instance.
Mathematical Programming. This technique (Gu et al., 2017) is always adopted for solving optimization problems by investigating the space of the considered objective functions.
Game Theory. In (Zhang et al., 2017), the placement problem was encoded as a pair of games. The first one was introduced to calculate the cardinality of the set of necessary execution blocks and the second one was proposed to set prices in order to maximise the corresponding financial profits.

Conclusion
This study proposed an innovative Decentralized IoT solution for Vehicle communication (DISV) established with three primary layers based on Blockchain. Moreover, the article proposed an MBT approach in order to validate the proposed solution. The proposed testing approach is mainly based on the use of Attack Trees and Timed Automata in order to check functional, load and security aspects. An optimization phase for testers placement inspired by fog computing was also proposed.
Finally, DISV is an essential component of the Advanced Driver Assistance Systems (ADAS) that can potentially improve the transportation safety and mobility. In the future, we aim to establish a network for vehicles based on Blockchain to enable users to pay for tolls, parking spaces, and electrical charging by machine-to-machine transactions. Regarding test cases execution, standard-based platforms may be adopted like Testing and Test Control Notation version 3 (TTCN3) (Lahami et al., 2012a; Lahami et al., 2016). Moreover, it is necessary to use convenient test isolation techniques for avoiding interference between system functionalities and test scenarios as proposed and explained in (Lahami and Krichen, 2013).

Figure 1: The architecture of the proposed Internet of Things solution

Figure 2: Screenshot of the four main pages of the Android application for Vehicles (AV)

Figure 4: An example showing how the response time of the system under test varies regarding the current load level.

Figure 5: Example of an AT