• Title of article

    An advanced approach for modeling and detecting software vulnerabilities

  • Author/Authors

    Shahmehri، masoud نويسنده Department of Parasitology & Mycology , , Nahid and Mammar، نويسنده , , Amel and Montes de Oca، نويسنده , , Edgardo and Byers، نويسنده , , David and Cavalli، نويسنده , , Ana and Ardi، نويسنده , , Shanai and Jimenez، نويسنده , , Willy، نويسنده ,

  • Issue Information
    ماهنامه با شماره پیاپی سال 2012
  • Pages
    17
  • From page
    997
  • To page
    1013
  • Abstract
    Context e testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system. ive s paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection. thod uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs. s sent the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach. sion gh the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.
  • Keywords
    Automatic testing , Secure software engineering , Security modelling , dynamic analysis , Software security
  • Journal title
    Information and Software Technology
  • Serial Year
    2012
  • Journal title
    Information and Software Technology
  • Record number

    2374844