Gonzalez, "Fuse: a technique to anticipate failures due to degradation in ALUs," in Proceedings of the 13th IEEE International On-Line Testing Symposium (IOLTS '07), pp.
Gonzalez, "On-line failure detection and confinement in caches," in Proceedings of the 14th IEEE International On-Line Testing Symposium (IOLTS '08), pp.
But in this paper, we only consider the model of IOLTS. An IOLTS takes the system behavior as labels and serves as a semantic model for various formal specification languages.
We denote the class of all IOLTS over $L_I$ and $L_U$ by $IOTS(L_I, L_U)$ or $LTS(L_I \cup L_U)$.
Such behaviour, like other behaviours, can be specified by an IOLTS.
Although the IOLTS-based testing methods have been proved to be useful in verifying protocol implementations, they cannot be used to verify the correctness of security protocol implementations, because of some important features of security protocols.
Those security properties are usually the contents of the exchanged or received messages and cannot be considered in an IOLTS system.
Those fundamental security functions are hard to model by IOLTS. Someone may say that the internal action $\tau$ of IOLTS can present those functions, but considering that the security properties cannot be distinguished, an input of IOLTS will trigger multiple checking functions and it is meaningless to the testing.
(iii) Multiple roles: security protocols naturally contain multiple roles (at least one initiator and one responder), while the IOLTS is designed for one system component.
Notice that this intruder is not presented in the security protocol specification, and it is impossible to propose a model with IOLTS.
In order to describe the required features, we propose extensions of IOLTS with several considerations.