Testing for software vulnerability using environment perturbation

Wenliang Du, Aditya P. Mathur

Research output: Chapter in Book/Entry/PoemConference contribution

38 Scopus citations

Abstract

We describe an methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by the program's inappropriate interactions with the environment, and triggered by user's malicious perturbation on the environment (which we call an environment fault), we view the security testing problem as the problem of testing for the fault-tolerance properties of a software system. We consider each environment perturbation as a fault and the resulting security compromise a failure in the toleration of such faults. Our approach is based on the well known technique of fault-injection. Environment faults are injected into the system under test and system behavior observed. The failure to tolerate faults is an indicator of a potential security flaw in the system. An Environment-Application Interaction (EAI) fault model is proposed which guides us to decide what faults to inject. Based on EAI, we have developed a security testing methodology, and apply it to several applications. We successfully identified a number of vulnerabilities include vulnerabilities in Windows NT operating system.

Original languageEnglish (US)
Title of host publicationProceedings of the 2002 International Conference on Dependable Systems and Networks
Pages603-612
Number of pages10
StatePublished - 2000
Externally publishedYes
EventProceedings of the International Conference on Dependable Systems and Networks - New York, NY, United States
Duration: Jul 1 2001Jul 4 2001

Publication series

NameProceedings of the 2002 International Conference on Dependable Systems and Networks

Other

OtherProceedings of the International Conference on Dependable Systems and Networks
Country/TerritoryUnited States
CityNew York, NY
Period7/1/017/4/01

Keywords

  • Environment perturbation
  • Fault injection
  • Security flaws
  • Security testing

ASJC Scopus subject areas

  • General Engineering

Fingerprint

Dive into the research topics of 'Testing for software vulnerability using environment perturbation'. Together they form a unique fingerprint.

Cite this