Input validation analysis and testing

Hayes, Jane Huffman; Offutt, Jeff

doi:10.1007/s10664-006-9025-1

Cited by 22 publications

(19 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…The application domain dictates the nature or criticality of its effect. This is also similar to the idea of Application Domain Modeling or Input validation analysis [23] and Data Mutation. For obtaining an insight into the nature of program faults, a distinction between the syntactic and the semantic nature of faults is drawn [4].…”

Section: Input Domain Faultmentioning

confidence: 84%

Unified System Level Fault Modeling and Fault Propagation

Pakala¹,

Raju²,

Khan³

2011

IJCA

View full text Add to dashboard Cite

Fault modeling is an important step towards both understanding and validating the implemented system. The focus of the paper is to present a unified system fault modelling framework, including input related faults model based on system theory. The complex embedded system (CES) is modelled using sequence of communicating FSM (SCFSM) and the system faults are represented by two components of system fault vector -system behaviour fault vector and system communication fault vector. These two system fault vector components are related and are components of the "change parameter vector Θ", a general system level fault model based on Dynamic system theory. Input related faults are defined and their contribution is discussed. Faults propagation in mixed hardware software communication architecture is discussed, with the help of protocol example. General TermsFault modeling and propagation, Embedded Systems development.

show abstract

Section: Input Domain Faultmentioning

confidence: 84%

Unified System Level Fault Modeling and Fault Propagation

Pakala¹,

Raju²,

Khan³

2011

IJCA

View full text Add to dashboard Cite

show abstract

“…Input validation checks the syntax and partly semantics of information provided by user via GUI [17]. Because input validation errors may lead to malfunctions of the entire system as well as to vulnerabilities for attacks [18], various specification-based and implementation-based test techniques exist to validate user interfaces [16].…”

Section: Related Workmentioning

confidence: 99%

Event-Based Input Validation Using Design-by-Contract Patterns

Tuğlular

Müftüoğlu

Belli

et al. 2009

2009 20th International Symposium on Software Reliability Engineering

View full text Add to dashboard Cite

This paper proposes an approach for validation of numerical inputs based on graphical user interfaces (GUI) that are modeled and specified by event sequence graphs (ESG). For considering complex structures of input data, ESGs are augmented by decision tables and patterns of design by contract (DbC IntroductionInput validation testing chooses test data that attempt to show the presence or absence of specific faults pertaining to input tolerance [16]. This paper focuses on numerical input validation testing of graphical user interfaces (GUI). Our approach for input validation suggests to specify user interface requirements and to convert this specification into a model from which valid and invalid test cases can be generated [3]. For specification of user-system interactions we choose an event-based formal model, where the inputs and events are merged and assigned to the vertices of an event transition diagram, called event sequence graph (ESG); arcs visualize the sequence relation of the events. An ESG is a simple albeit powerful formalism for capturing the behavior of interactive systems. However, modeling complex boundary restrictions on input data as well as dependencies among them inflates the ESG model of a system under consideration (SUC). To overcome this problem, we refine the nodes of the underlying ESG by decision tables, which visualize Boolean algebraic constraints on input data [4]. Decision table augmented ESG is supplemented with design by contract (DbC) patterns so that decision table rules for numerical input validation are refined to pre-condition rules. Based on these concepts, test data are generated. Equivalence class partitioning and boundary value approaches support the test case generation process [1,2]. This paper is an extension of our preliminary work [26], where we introduced algorithms for detection and correction of boundary overflow vulnerabilities through static analysis. The novelty of the present paper stems from following:(i) Theoretical background is extended by incorporating ESGs.(ii) Concept of DbC patterns have also been formalized. Especially pre-condition pattern of DbC plays an important role in refining decision tables for input validation. The formalism we introduce in Section 3.3 enables to considerably improve test case generation algorithm.(iii) The tool we introduced in our preliminary work is improved. Our tool now adds an exception handling mechanism, which we built on DbC concept, instead of a simple if statement wherever necessary.(iv) For validation of the approach we tested three open source port scanners, developed in C++, in a local 20th International Symposium on Software Reliability Engineering 978-0-7695-3878-5/09 $26.00

show abstract

“…Input validation checks the syntax and, partly, semantics of information provided by user via user interface (UI), mostly realized as a graphical UI (GUI) [6]. Because UI errors may lead to malfunctions of the entire system which, in turn, may lead to vulnerabilities for attacks [11], various specification-and implementationbased test techniques exist to validate UI [7].…”

Section: Related Workmentioning

confidence: 99%

“…In certain cases (2,3,6,8,9,11,12), the corresponding error is a Type II error (false negative). In these cases, there are faulty input pairs that are out of boundary values but the program behaves as they are not faulty.…”

Section: F F F F T T T T T T T T T T Min <= 65535 T T T T T F F F F Fmentioning

confidence: 99%

“…This is critical, because the program does not abandon processing the related task, hence the resulting situation forces the program to work erroneously. For this reason, in some cases (2,3,6,11), the client does not stop sending the TCP packets to the target computer, keeps on sending the packets from 1 to 65535 in an infinite loop and therefore generates a flood in LAN.…”

Section: F F F F T T T T T T T T T T Min <= 65535 T T T T T F F F F Fmentioning

confidence: 99%

See 1 more Smart Citation

GUI-Based Testing of Boundary Overflow Vulnerability

Tuğlular

Müftüoğlu

Kaya

et al. 2009

2009 33rd Annual IEEE International Computer Software and Applications Conference

View full text Add to dashboard Cite

Boundary overflows are caused by violation of constraints, mostly limiting the range of internal values of a program, and can be provoked by an intruder to gain control of or access to stored data. In order to countermeasure this well-known vulnerability issue, this paper focuses on input validation of graphical user interfaces (GUI). The approach proposed generates test cases for numerical inputs based on GUI specification through decision tables. If boundary overflow error (s) are detected, the source code will be analyzed to localize and correct the encountered error(s) automatically.

show abstract

Input validation analysis and testing

Cited by 22 publications

References 33 publications

Unified System Level Fault Modeling and Fault Propagation

Unified System Level Fault Modeling and Fault Propagation

Event-Based Input Validation Using Design-by-Contract Patterns

GUI-Based Testing of Boundary Overflow Vulnerability

Contact Info

Product

Resources

About