TESLA builds on our experiences developing the TrustedBSD MAC Framework
and Capsicum: our most critical security properties are frequently
safety (temporal) properties rather than static invariants.  Current
tools for testing temporal properties are largely static, and unable to
work effectively on extremely large C-language software bases, such as
multi-million lines-of-code operating system kernels and web browsers.
TESLA borrows ideas from model checking, applying them in a dynamic
context using compiler-assisted instrumentation to continuously validate
temporal security assertions during software execution.  We have
implemented a prototype of TESLA based on clang/LLVM AST transforms,
which is able to test both explicit automata against C implementations
(such as protocol state machines in the kernel and OpenSSL) and inline
assertions checking for missing access control checks in OS logic.

WWW: https://www.cl.cam.ac.uk/research/security/ctsrd/tesla/