Automated Testing of Security Functions Using a Combined Model and Interface-Driven Approach

Quantified Score

Visualization

Abstract

Independent Security Functional Testing (Testing of security functions of a product or system for conformance to published behavior) is often given a low priority in traditional security evaluations, due to combination of cost and technical considerations, except in the case ofhigh assurance products. However we argue that the overall security of an Enterprise IT environment depends upon the weakest link and these weakest links are often commercial off the shelf software products involved in number crunching, data storage, transaction processing etc. In this paper we present an approach for improving the economics of security functional testing for many classes of commercial products by automating the process of test code generation through the use of formal models and interface information. The underlying framework is called TAF (Test Automation Framework) and the toolkit we have developed based on TAF is the TAF-SFT toolkit. The TAF approach uses the text-based specifications ofsecurity functions provided by the product vendor to develop a machine-readable specification of security functions using the SCR (Software Cost Reduction) formal language. The resultant behavioral specification model is then processed through the TAF-SFT Toolkit to generate test vectors. The behavioral model and the test vectors are then combined with product interface specifications to automatically generate test drivers (test execution code). The test code is executed against the product to be tested. The actual test results are compared with expected test results and a test report is generated. We illustrate the application of TAF-SFT toolkit for security functional testing of a commercial DBMS product.