A model-based attack injection approach for security validation

Morais, Anderson; Cavalli, Ana; Martins, Eliane

doi:10.1145/2070425.2070443

Cited by 10 publications

(5 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Los documentos seleccionados para el estudio de las herramientas, metodologías y procesos para realizar pruebas, pueden dividirse de forma operativa en tres bandos. En el primer bando podemos agrupar las herramientas que desempeñan el rol de un atacante [17], [16], [19], [15], [13], [27], [12], [28] En el segundo bando, las herramientas juegan el rol de defensores, son dotadas con mecanismos capaces de identificar un ataque y tratar de defender el software, o mínimo reportar lo ocurrido [29], [30]. En la Tabla 5 se muestran las dos herramientas encontradas que clasifican en este bando.…”

Section: Resultados Y Discusiónunclassified

Pruebas de seguridad: Estudio de herramientas

Hadfeg

Vega

2017

Lámpsakos

View full text Add to dashboard Cite

Hoy día con el desarrollo y el avance de la tecnología los productos software son parte de nuestra vida cotidiana. Estos productos constituyen un soporte para casi todas nuestras tareas. Estas tareas pueden tener un desempeño fundamental o no, y van desde ejecutar la conducción de un avión a través de un piloto automático hasta posibilitar el funcionamiento de los dispensadores de billetes o cajeros automáticos. Por la criticidad de los procesos en los que ellos se encuentran relacionado, es necesario que se cumplan dos características fundamentales; la primera, que tengan un nivel de calidad aceptado y la segunda, que sean productos seguros.La seguridad en los softwares es un atributo no funcional que influye directamente en la calidad del producto. Realizar pruebas a los requisitos no funcionales para constatar su desempeño, tal y como se hace con los requisitos funcionales es una tarea tediosa. Como alternativa a este problema se han desarrollado herramientas que de forma automática o semiautomática realizan pruebas de diferente índole a los sistemas. El objetivo de este trabajo es identificar las herramientas software existentes para realizar pruebas relacionadas con la seguridad. Para cumplir este objetivo se realiza un estudio del estado del arte de las herramientas para realizar pruebas de seguridad desde el 2010 a la fecha.

show abstract

Section: Resultados Y Discusiónunclassified

Pruebas de seguridad: Estudio de herramientas

Hadfeg

Vega

2017

Lámpsakos

View full text Add to dashboard Cite

show abstract

“…These techniques focus on security testing and use models to capture the characteristics of typical malicious (and invalid) inputs that should be properly handled by the software under test. Models like attack trees [Morais et al 2011], UML state machines [Hussein and Zulkernine 2006], and transition nets [Xu et al 2012], are used to generate sequences of illegal actions, which are not relevant for testing data processing systems where the complexity of the testing process lies in the definition of the input data and mappings to complex, structured outputs. Mutation-based approaches instead alter valid field data or existing test inputs to generate invalid test inputs [Shan and Zhu 2009;Bertolino et al 2014;De Jonge and Visser 2012].…”

Section: Related Workmentioning

confidence: 99%

Augmenting Field Data for Testing Systems Subject to Incremental Requirements Changes

Nardo

Pastore

Briand

2017

ACM Trans. Softw. Eng. Methodol.

View full text Add to dashboard Cite

When testing data processing systems, software engineers often use real world data to perform system level testing. However, in the presence of new data requirements software engineers may no longer benefit from having real world data with which to perform testing. Typically, new test inputs complying with the new requirements have to be manually written.We propose an automated model-based approach that combines data modelling and constraint solving to modify existing field data to generate test inputs for testing new data requirements. The approach scales in the presence of complex and structured data, thanks to both the reuse of existing field data and the adoption of an innovative input generation algorithm based on slicing the model into parts.We validated the scalability and effectiveness of the proposed approach using an industrial case study. The empirical study shows that the approach scales in the presence of large amounts of structured and complex data. The approach can produce, within a reasonable time, test input data that is over ten times larger in size than the data generated with constraint solving only. We also demonstrate that the generated test inputs achieve more code coverage than the test cases implemented by experienced software engineers.

show abstract

“…These approaches, known as threat modelling techniques, rely on models used to capture the characteristics of typical malicious (and invalid) inputs that should be properly handled by the software under test. Models like attack trees [17], UML state machines [18], and transition nets [19], are used to generate sequences of illegal actions and thus are not suitable for generating the invalid input data needed in our context. Context free grammars can be used to generate invalid input data but the existing approaches do not model the complex relationships among data fields [4], [5].…”

Section: Related Workmentioning

confidence: 99%

Generating Complex and Faulty Test Data through Model-Based Mutation Analysis

Nardo

Pastore

Briand

2015

2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST)

View full text Add to dashboard Cite

Testing the correct behaviour of data processing systems in the presence of faulty data is extremely expensive. The data structures processed by these systems are often complex, with many data fields and multiple constraints among them. Software engineers, in charge of testing these systems, have to handcraft complex data files or databases, while ensuring compliance with the multiple constraints to prevent the generation of trivially invalid inputs. In addition, assessing test results often means analysing complex output and log data. Though many techniques have been proposed to automatically test systems based on models, little exists in the literature to support the testing of systems where the complexity is in the data consumed in input or produced in output, with complex constraints between them. In particular, such systems often need to be tested with the presence of faults in the input data, in order to assess the robustness and behaviour of the system in response to such faults. This paper presents an automated test technique that relies upon six generic mutation operators to automatically generate faulty data. The technique receives two inputs: field data and a data model, i.e. a UML class diagram annotated with stereotypes and OCL constraints. The annotated class diagram is used to tailor the behaviour of the generic mutation operators to the fault model that is assumed for the system under test and the environment in which it is deployed.Empirical results obtained with a large data acquisition system in the satellite domain show that our approach can successfully automate the generation of test suites that achieve slightly better instruction coverage than manual testing based on domain expertise.Further, the technique automates test oracles that, in our 978-1-4799-7125-1/15/$31.00 ©2015 IEEE

show abstract

A model-based attack injection approach for security validation

Cited by 10 publications

References 15 publications

Pruebas de seguridad: Estudio de herramientas

Pruebas de seguridad: Estudio de herramientas

Augmenting Field Data for Testing Systems Subject to Incremental Requirements Changes

Generating Complex and Faulty Test Data through Model-Based Mutation Analysis

Contact Info

Product

Resources

About