Property-based testing of privileged programs

Addresses the problem of testing security-relevant software, especially privileged (typically setuid root) and daemon programs in UNIX. The problem is important, since these programs are the source of most UNIX security flaws. For some programs, such as the UNIX sendmail program, new security flaws are still being discovered despite years of use. For special-purpose systems with fewer users, flaws are likely to remain undiscovered even longer. Our testing process is driven by specifications we create for the privileged programs. These specifications simultaneously define the allowed behavior for these programs and identify problematic system calls, regions where the program is vulnerable, and generic security flaws. The specifications serve three roles in our testing methodology: as criteria against which a program is sliced, as oracles against which it is tested, and as a basis for generating useful tests. Slicing is employed to significantly reduce the size of the program to be tested. We show that a slice of a privileged program (rdist) with respect to its security specifications is quite small. We introduce the Tester's Assistant, a collection of tools to mechanize the process of testing security-related C programs.
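The oracle role described above, as an added illustration that is not code from the paper or from the Tester's Assistant: a specification over a privileged program's system-call trace is encoded as three generic properties (a root-level access(2)-then-open(2) TOCTOU race, file creation as root with O_CREAT but no O_EXCL, and exec before privileges are dropped), and two constructed traces of a hypothetical setuid-root file-copy step are checked against it. The event model, the property set, the paths and the uid 1000 are assumptions made for this example only.

```c
/*
 * Added example, not code from the paper: a minimal "specification as oracle"
 * over a system-call trace of a hypothetical setuid-root program. The event
 * model, the three properties and both traces are constructed for illustration.
 */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

enum op { OP_SETEUID, OP_ACCESS, OP_OPEN, OP_EXEC };

struct event {
    enum op op;
    int euid;           /* effective uid in force when the call was issued */
    const char *path;   /* path argument for access/open/exec, NULL otherwise */
    int flags;          /* open(2) flags; unused for the other calls */
};

/* Generic flaw classes the (assumed) specification forbids for calls made
 * while the program still runs with euid 0. Returned as a bitmask. */
enum violation {
    V_ACCESS_THEN_OPEN = 1, /* access(2) check then open(2) of the same path as root: TOCTOU race */
    V_CREAT_NO_EXCL    = 2, /* O_CREAT without O_EXCL as root: symlink attack on the target path */
    V_EXEC_AS_ROOT     = 4  /* exec before privileges were dropped */
};

/* Check one trace against the properties; returns the bitmask of violations. */
int check_trace(const struct event *ev, size_t n)
{
    int mask = 0;
    const char *checked = NULL;   /* path most recently tested with access(2) as root */

    for (size_t i = 0; i < n; i++) {
        switch (ev[i].op) {
        case OP_SETEUID:
            checked = NULL;       /* a uid change ends the check/use window we track */
            break;
        case OP_ACCESS:
            if (ev[i].euid == 0)
                checked = ev[i].path;
            break;
        case OP_OPEN:
            if (ev[i].euid != 0)
                break;            /* opens as the real user are outside the spec */
            if (checked && strcmp(checked, ev[i].path) == 0)
                mask |= V_ACCESS_THEN_OPEN;
            if ((ev[i].flags & O_CREAT) && !(ev[i].flags & O_EXCL))
                mask |= V_CREAT_NO_EXCL;
            break;
        case OP_EXEC:
            if (ev[i].euid == 0)
                mask |= V_EXEC_AS_ROOT;
            break;
        }
    }
    return mask;
}

/* Constructed trace of a naive privileged copy step: root probes a
 * user-supplied destination with access(2), creates it as root, then execs. */
static const struct event naive_trace[] = {
    { OP_ACCESS, 0,    "/tmp/dest", 0 },
    { OP_OPEN,   0,    "/tmp/dest", O_WRONLY | O_CREAT | O_TRUNC },
    { OP_EXEC,   0,    "/bin/sh",   0 },
};

/* Constructed trace of the same step after privileges are dropped to the
 * invoking user (assumed uid 1000) before any user-controlled path is touched. */
static const struct event hardened_trace[] = {
    { OP_SETEUID, 0,    NULL,        0 },   /* seteuid(getuid()) */
    { OP_OPEN,    1000, "/tmp/dest", O_WRONLY | O_CREAT | O_TRUNC },
    { OP_EXEC,    1000, "/bin/sh",   0 },
};

int check_naive(void)
{
    return check_trace(naive_trace, sizeof naive_trace / sizeof naive_trace[0]);
}

int check_hardened(void)
{
    return check_trace(hardened_trace, sizeof hardened_trace / sizeof hardened_trace[0]);
}

int main(void)
{
    printf("naive trace:    violation mask %d\n", check_naive());     /* 7 */
    printf("hardened trace: violation mask %d\n", check_hardened());  /* 0 */
    return 0;
}
```

In the paper's methodology the same properties would also serve as slicing criteria (only the statements that can reach these calls while euid is 0 need to be kept) and as a guide for test generation (inputs that steer the program through the regions where it still holds root); this example covers only the oracle role.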