A model-based attack injection approach for security validation

Authors:
Anderson Morais;Ana Cavalli;Eliane Martins
Affiliations:
Télécom SudParis, Evry, France;Télécom SudParis, Evry, France;University of Campinas, Campinas, Brazil
Venue:
Proceedings of the 4th international conference on Security of information and networks
Year:
2011

Citing 8
Cited 1

Design patterns: elements of reusable object-oriented software

Design patterns: elements of reusable object-oriented software
Software security vulnerability testing in hostile environments

Proceedings of the 2002 ACM symposium on Applied computing
Testing network-based intrusion detection signatures using mutant exploits

Proceedings of the 11th ACM conference on Computer and communications security
UMLintr: A UML Profile for Specifying Intrusions

ECBS '06 Proceedings of the 13th Annual IEEE International Symposium and Workshop on Engineering of Computer Based Systems
Using Attack Injection to Discover New Vulnerabilities

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Analysis of the SSL 3.0 protocol

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
Use of invariant properties to evaluate the results of fault-injection-based robustness testing of protocol implementations

ICSTW '08 Proceedings of the 2008 IEEE International Conference on Software Testing Verification and Validation Workshop
Security Protocol Testing Using Attack Trees

CSE '09 Proceedings of the 2009 International Conference on Computational Science and Engineering - Volume 02

Modeling test cases for security protocols with SecureMDD

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Communication systems are inherently buggy. These flaws can lead to security breaches in applications, which a malicious user could exploit to cause security failures in the system and, under certain circumstances, to take complete control of the vulnerable system. In this paper, we introduce a novel attack injection approach based on attack modeling to perform security testing and detect potential security vulnerabilities. We use attack trees to describe the system flaws and derive corresponding attack scenarios. The attack scenarios are refined to executable scripts for testing tools that are in charge of injecting the attacks against the system. The approach is applied to the Wireless Application Protocol (WAP) currently used in low-tier mobile devices. We carried out experiments using real attacks such as Denial of Service (DoS) and Cipher Suite Rollback attacks. The experimental results show that the approach can achieve high efficiency in the role of uncovering vulnerabilities.