Attack pattern-based combinatorial testing

The number of potential security threats rises with the increasing number of web applications, with tremendous financial and existential implications for developers and users alike. The biggest challenge for security testing is to specify and implement ways to detect potential vulnerabilities of the developed system, in a never-ending quest against new security threats, while also covering already known ones so that a program is protected against typical attack vectors. For these purposes, many approaches have been developed in the area of model-based security testing in order to come up with solutions for real-world application problems. These approaches provide theoretical background as well as practical solutions for certain security issues. In this paper, we partially rely on previous work but focus on the representation of attack patterns using UML state diagrams. We extend previous work by combining the attack pattern models with combinatorial testing in order to provide concrete test input, which is submitted to the system under test. With combinatorial testing we capture different combinations of inputs, thus increasing the likelihood of finding weaknesses in the implementation under test that can be exploited. Besides the foundations of our approach, we further report on first experiments that indicate its practical use.
