Procedures for handling security patches

Mell, Peter; Tracy, Miles C.

doi:10.6028/nist.sp.800-40

Cited by 10 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…They occur when a programmer implements incorrect bound checks on buffer size or even fails to do bounds checking where data is written into a fixed length buffer [12]. By definition buffer overflow is similar to boundary overflow, which is an input error and occurs when values are entered that violate the range of values.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Event-Based Input Validation Using Design-by-Contract Patterns

Tuğlular

Müftüoğlu

Belli

et al. 2009

2009 20th International Symposium on Software Reliability Engineering

View full text Add to dashboard Cite

This paper proposes an approach for validation of numerical inputs based on graphical user interfaces (GUI) that are modeled and specified by event sequence graphs (ESG). For considering complex structures of input data, ESGs are augmented by decision tables and patterns of design by contract (DbC IntroductionInput validation testing chooses test data that attempt to show the presence or absence of specific faults pertaining to input tolerance [16]. This paper focuses on numerical input validation testing of graphical user interfaces (GUI). Our approach for input validation suggests to specify user interface requirements and to convert this specification into a model from which valid and invalid test cases can be generated [3]. For specification of user-system interactions we choose an event-based formal model, where the inputs and events are merged and assigned to the vertices of an event transition diagram, called event sequence graph (ESG); arcs visualize the sequence relation of the events. An ESG is a simple albeit powerful formalism for capturing the behavior of interactive systems. However, modeling complex boundary restrictions on input data as well as dependencies among them inflates the ESG model of a system under consideration (SUC). To overcome this problem, we refine the nodes of the underlying ESG by decision tables, which visualize Boolean algebraic constraints on input data [4]. Decision table augmented ESG is supplemented with design by contract (DbC) patterns so that decision table rules for numerical input validation are refined to pre-condition rules. Based on these concepts, test data are generated. Equivalence class partitioning and boundary value approaches support the test case generation process [1,2]. This paper is an extension of our preliminary work [26], where we introduced algorithms for detection and correction of boundary overflow vulnerabilities through static analysis. The novelty of the present paper stems from following:(i) Theoretical background is extended by incorporating ESGs.(ii) Concept of DbC patterns have also been formalized. Especially pre-condition pattern of DbC plays an important role in refining decision tables for input validation. The formalism we introduce in Section 3.3 enables to considerably improve test case generation algorithm.(iii) The tool we introduced in our preliminary work is improved. Our tool now adds an exception handling mechanism, which we built on DbC concept, instead of a simple if statement wherever necessary.(iv) For validation of the approach we tested three open source port scanners, developed in C++, in a local 20th International Symposium on Software Reliability Engineering 978-0-7695-3878-5/09 $26.00

show abstract

Section: Related Workmentioning

confidence: 99%

“…The outputs considerably differ from the ones in Table 4. In erroneous cases (1)(2)(3)(4)(5)(6)(7)(8)(9)(10)(11)(12)(13)(14)(15)(16)(17)(18)(19), the software outputs the right error message and aborts sending the packets.…”

Section: F F F F F F T T T T T T T T T T T T T T T T T T 2 Min <= 655mentioning

confidence: 99%

Event-Based Input Validation Using Design-by-Contract Patterns

Tuğlular

Müftüoğlu

Belli

et al. 2009

2009 20th International Symposium on Software Reliability Engineering

View full text Add to dashboard Cite

show abstract

“…A vulnerability is characterized as a "Boundary overflow" when the input being received by a system causes the system to exceed an assumed boundary resulting in a vulnerability [9]. Instead of inserting dynamic checks into the generated code as in [15], our approach uses static control condition insertion into the source code to avoid boundary overflow in advance.…”

Section: Boundary Overflow Vulnerability Detectionmentioning

confidence: 99%

“…In certain cases (2,3,6,8,9,11,12), the corresponding error is a Type II error (false negative). In these cases, there are faulty input pairs that are out of boundary values but the program behaves as they are not faulty.…”

Section: F F F F T T T T T T T T T T Min <= 65535 T T T T T F F F F Fmentioning

confidence: 99%

“…Unfortunately, GUIs may allow intruders to gain control over a system or access to its stored data by intentionally caused boundary overflows. A boundary overflow is an input error and occurs when values are entered that violate the range of values [9]. Such entries exceed the implicitly or explicitly specified but not implemented boundary values; thus this is a consequence of deficient control mechanism in the software concerning system constraints.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

GUI-Based Testing of Boundary Overflow Vulnerability

Tuğlular

Müftüoğlu

Kaya

et al. 2009

2009 33rd Annual IEEE International Computer Software and Applications Conference

View full text Add to dashboard Cite

Boundary overflows are caused by violation of constraints, mostly limiting the range of internal values of a program, and can be provoked by an intruder to gain control of or access to stored data. In order to countermeasure this well-known vulnerability issue, this paper focuses on input validation of graphical user interfaces (GUI). The approach proposed generates test cases for numerical inputs based on GUI specification through decision tables. If boundary overflow error (s) are detected, the source code will be analyzed to localize and correct the encountered error(s) automatically.

show abstract