Towards Model-Based Automatic Testing of Attack Scenarios

Model-based testing techniques play a vital role in producing quality software. However, compared to their use for testing functional requirements, these techniques are much less prevalent in testing software security. This paper presents a model-based approach to the automatic testing of attack scenarios. An attack testing framework is proposed to model attack scenarios and to test the system against the modeled scenarios. The techniques adopted in the framework apply in general to systems whose potential attack scenarios can be modeled in a formalism based on extended abstract state machines. The attack events, i.e., attack test vectors chosen from attacks occurring in the real world, are converted into test-driver-specific events ready to be tested against the attack signatures. The proposed framework is implemented and evaluated using the most common attack scenarios. The framework is useful for testing software against potential attacks, which can significantly reduce the risk of security vulnerabilities.
