Fuzz Test Case Generation for Penetration Testing in Mobile Cloud Computing Applications

Security testing for applications is a critical practice used to protect data and users. Penetration testing is particularly important, and test case generation is one of its critical phases. In test case generation, testers need to ensure that a set of test cases covers as many execution paths as possible. Multiple models and techniques have been proposed to generate test cases for software penetration testing. These techniques include fuzz test case generation, which has been implemented in multiple forms. This work critically reviews the different models and techniques used for fuzz test case generation and identifies the strengths and limitations of each implementation and proposal. The review results show that previous test case generation methods disregard offloading parameters when generating test case sets. To address this gap, this paper proposes a test case generation technique that uses offloading as a generation parameter. The proposed technique improves path coverage on applications that use offloading, thereby improving the effectiveness and efficiency of penetration testing.
