Testing for software vulnerability using environment perturbation

Wenliang Du, Aditya P. Mathur

Research output: Contribution to journalArticlepeer-review

13 Scopus citations


We describe a methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by the program's inappropriate interactions with the environment, and are triggered by a user's malicious perturbation on the environment (which we call an environment fault), we view the security testing problem as the problem of testing for the fault-tolerance properties of a software system. We consider each environment perturbation as a fault and the resulting security compromise a failure in the toleration of such faults. Our approach is based on the well-known technique of fault injection. Environment faults are injected into the system under test and system behavior observed. The failure to tolerate faults is an indicator of a potential security flaw in the system. An Environment-Application Interaction (EAI) fault model is proposed which guides us to decide what faults to inject. Based on EAI, we have developed a security testing methodology, and applied it to several applications. We have successfully identified a number of vulnerabilities including vulnerabilities in the Windows NT operating system.

Original languageEnglish (US)
Pages (from-to)261-272
Number of pages12
JournalQuality and Reliability Engineering International
Issue number3
StatePublished - May 2002


  • Environment perturbation
  • Fault injection
  • Security flaws
  • Security testing

ASJC Scopus subject areas

  • Safety, Risk, Reliability and Quality
  • Management Science and Operations Research


Dive into the research topics of 'Testing for software vulnerability using environment perturbation'. Together they form a unique fingerprint.

Cite this