Testing for software vulnerability using environment perturbation

We describe a methodology for testing a software system for possible security flaws. It rests on the observation that most security flaws are caused by a program's inappropriate interactions with its environment and are triggered by a user's malicious perturbation of that environment (which we call an environment fault). We therefore view the security testing problem as the problem of testing the fault-tolerance properties of a software system: each environment perturbation is treated as a fault, and the resulting security compromise as a failure to tolerate that fault. Our approach is based on the well-known technique of fault injection. Environment faults are injected into the system under test and the system's behaviour is observed; failure to tolerate a fault is an indicator of a potential security flaw. An Environment-Application Interaction (EAI) fault model is proposed which guides the choice of faults to inject. Based on EAI, we have developed a security testing methodology and applied it to several applications, successfully identifying a number of vulnerabilities, including vulnerabilities in the Windows NT operating system. Copyright © 2002 John Wiley & Sons, Ltd.
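The following Python harness is an added illustration of the idea in the abstract and is not the authors' tool: it treats perturbations of one environment variable and of the file system as injected faults, runs a program under test against each, and uses an oracle (did the program write outside its sandbox, or die on an unhandled exception?) to classify the outcome. The program under test (`naive_logger`), its hardened counterpart, the `LOG_DIR` variable, the fault catalogue and the sandbox layout are all constructed for this example; the code assumes Python 3.9+ on a POSIX file system that permits symlinks.

```python
import os
import tempfile
from pathlib import Path

# Outcome labels the oracle assigns to each injected environment fault.
TOLERATED, CRASH, SECURITY = "tolerated", "crash", "security-failure"

MAX_PATH = 4096  # assumed upper bound for a sane LOG_DIR value


class EnvironmentFaultRejected(Exception):
    """Raised by a program under test that detects and refuses a bad environment."""


def naive_logger(name: str, sandbox: Path) -> Path:
    """Program under test (constructed, deliberately naive): trusts LOG_DIR from the
    environment without validation. `sandbox` is ignored; it never checks the root."""
    target = Path(os.environ["LOG_DIR"]) / name
    target.write_text("event\n")
    return target


def hardened_logger(name: str, sandbox: Path) -> Path:
    """Constructed hardened variant: every environment input is bounded, canonicalised
    (symlinks followed, '..' collapsed) and checked against the sandbox root."""
    raw = os.environ.get("LOG_DIR")
    if raw is None:
        base = sandbox / "logs"                      # safe default when unset
    elif len(raw) > MAX_PATH:
        raise EnvironmentFaultRejected("LOG_DIR too long")
    else:
        base = Path(raw)
    base = base.resolve()
    if not base.is_relative_to(sandbox.resolve()):
        raise EnvironmentFaultRejected("LOG_DIR escapes sandbox")
    base.mkdir(parents=True, exist_ok=True)
    target = base / Path(name).name                  # strip any directory component
    target.write_text("event\n")
    return target


def _symlink_escape(sandbox: Path, outside: Path) -> str:
    # File-system fault: a directory inside the sandbox is really a link outside it.
    link = sandbox / "link"
    if not link.is_symlink():
        link.symlink_to(outside)
    return str(link)


# Fault catalogue: each entry maps (sandbox, outside) -> LOG_DIR value, None = unset.
FAULTS = {
    "baseline":  lambda sb, out: str(sb / "logs"),
    "unset":     lambda sb, out: None,
    "traversal": lambda sb, out: str(sb / "logs" / ".." / ".." / "outside"),
    "symlink":   _symlink_escape,
    "oversized": lambda sb, out: "A" * 8192,
}


def inject(target, fault: str, sandbox: Path, outside: Path) -> str:
    """Inject one environment fault, run the target, and classify what happened."""
    saved = os.environ.pop("LOG_DIR", None)
    try:
        value = FAULTS[fault](sandbox, outside)
        if value is not None:
            os.environ["LOG_DIR"] = value
        try:
            written = target("app.log", sandbox)
        except EnvironmentFaultRejected:
            return TOLERATED                         # controlled refusal is fine
        except Exception:
            return CRASH                             # fault not tolerated at all
        # Oracle: the only acceptable side effect is a file inside the sandbox.
        inside = written.resolve().is_relative_to(sandbox.resolve())
        return TOLERATED if inside else SECURITY
    finally:
        os.environ.pop("LOG_DIR", None)
        if saved is not None:
            os.environ["LOG_DIR"] = saved


def run_campaign(target) -> dict:
    """Run every fault in the catalogue against `target` in a fresh sandbox."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sandbox, outside = root / "sandbox", root / "outside"
        (sandbox / "logs").mkdir(parents=True)
        outside.mkdir()
        return {fault: inject(target, fault, sandbox, outside) for fault in FAULTS}


if __name__ == "__main__":
    for label, prog in (("naive", naive_logger), ("hardened", hardened_logger)):
        for fault, outcome in run_campaign(prog).items():
            print(f"{label:9s} {fault:10s} {outcome}")
```

The oracle is what turns fault injection into security testing: a crash on an unset variable is a robustness defect, but a file landing outside the sandbox under the `traversal` or `symlink` fault is the kind of environment-interaction flaw the abstract is after. Note that the hardened variant still checks and then writes in two steps, so a file-system perturbation between those steps (a TOCTOU race) is a further fault class this harness does not inject.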
