Finding application errors and security flaws using PQL: a program query language
OOPSLA '05 Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Information Assurance: Dependability and Security in Networked Systems
Information Assurance: Dependability and Security in Networked Systems
Distributed algorithms for secure multipath routing in attack-resistant networks
IEEE/ACM Transactions on Networking (TON)
Towards Model-Based Automatic Testing of Attack Scenarios
SAFECOMP '09 Proceedings of the 28th International Conference on Computer Safety, Reliability, and Security
A review of classification methods for network vulnerability
SMC'09 Proceedings of the 2009 IEEE international conference on Systems, Man and Cybernetics
Enabling the selection of COTS components
ICCBSS'05 Proceedings of the 4th international conference on COTS-Based Software Systems
Mitigating program security vulnerabilities: Approaches and challenges
ACM Computing Surveys (CSUR)
CONFU: Configuration Fuzzing Testing Framework for Software Vulnerability Detection
International Journal of Secure Software Engineering
Hi-index | 0.00 |
We describe a methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by the program's inappropriate interactions with the environment, and triggered by user's malicious perturbation on the environment (which we call an environment fault), we view the security testing problem as the problem of testing for the fault-tolerance properties of a software system. We consider each environment perturbation as a fault and the resulting security compromise a failure in the toleration of such faults. Our approach is based on the well-known technique of fault-injection. Environment faults are injected into the system under test and system behavior observed. The failure to tolerate faults is an indicator of a potential security flaw in the system. An Environment-Application Interaction (EAI) fault model is proposed which guides us to decide what faults to inject. Based on EAI, we have developed a security testing methodology, and apply it to several applications. We successfully identified a number of vulnerabilities include vulnerabilities in Windows NT operating system.