Title :
Security Testing with Fault-Models and Properties
Author_Institution :
Tech. Univ. Munchen, Munich, Germany
Abstract :
Web applications are complex and face a massive number of sophisticated attacks. Since manually testing web applications for security issues is hard and time-consuming, automated testing is preferable. In model-based testing, test cases are often generated using structural criteria. Since such test cases do not directly target security properties, this Ph.D. thesis proposes using a fault model to generate tests for web applications. Faults are represented as known source code vulnerabilities that are injected, via corresponding mutation operators at the model level, into models of a System Under Validation in order to generate "interesting" test cases. To achieve this, the advantages of penetration testing are combined with model checkers dedicated to security analysis. To find attacks on real systems, the gap between an abstract attack trace produced by a model checker and a concrete penetration test needs to be bridged. This Ph.D. thesis contributes a semi-automatic methodology for making abstract attack traces operational.
Keywords :
Internet; formal verification; program testing; security of data; Web applications; abstract attack; automated testing; fault model; model-based testing; model-checkers; penetration testing; respective mutation operators; security issues; security testing; semi-automatic methodology; source code vulnerabilities; structural criteria; test cases; Abstracts; Mechanical factors; Model checking; Security; Semantics; Syntactics; security testing; property based testing; mutation testing; model checking; semi-automatic test execution;
Conference_Titel :
Software Testing, Verification and Validation (ICST), 2013 IEEE Sixth International Conference on
Conference_Location :
Luxembourg
Print_ISBN :
978-1-4673-5961-0
DOI :
10.1109/ICST.2013.74