
Automated Security Testing with Formal Threat Models Frank Xu Ph.D.


1 Automated Security Testing with Formal Threat Models Frank Xu Ph.D.

2 Overview  Introduction  Objectives  Approach  Experiments  Contribution & Conclusions



5 Introduction
 Application security
  Bypass authentication attack, SQL injection attack
 Application vulnerabilities exceed networking and OS vulnerabilities
  Weak authentication mechanism, unsanitized inputs
 Preventing malicious security attacks by detecting vulnerabilities
Source: SANS' 2009 Top Cyber Security Risks (http://www.,

6 Introduction
 How to detect software vulnerabilities?
  Similar to detecting software bugs
 Security testing
  Traditional testing vs. security testing
   Traditional testing: test whether a program does what it is supposed to do
   Testing for security: test a program against possible vulnerabilities to check whether it contains unintended behaviors
    SQL injection to log into the system
 Problem?
  Security testing is very labor-intensive
   SQL injection string: ' or '1'='1
   databases, inputs, paths

7 Objectives  Present an approach to automatically test software security

8 Approach
 Create formal threat models
  represented as Predicate/Transition (PrT) nets
 Automatically generate all attack paths,
  i.e., security tests
 Convert each attack path into executable test code
  according to the given MIM (Model-Implementation Mapping) specification

9 PrT net

10 PrT net for dictionary attack

11 Notations
 Variable binding: ø = ?x/V
  ?x is bound to value V.
 Variable substituting: l/ø
  the tuple (or token) obtained by substituting each variable in l with its bound value in ø.
  If l = (?u,?p) and ø = {?u/ID1, ?p/PSWD1}, then l/ø = (ID1,PSWD1).
 Figure: l = (?u,?p), enabled by ø = {?u/ID1, ?p/PSWD1}; P(ID1,PSWD1)

12 Transition Enabled


14 Threat Model

15 SQL injection attacks
 t11: do shopping, t12: login, t13: check out
 t21: go to login page, t22: retrieve password, t23: forgot your password
 t31: login, t32: do shopping, t33: check out using coupon code
 sqlstr: or 1=1--, ') or '1'='1--, and 1' or '1='1

16 Generating Attack Paths

17 Generating Test Code

18 Model-Implementation Mapping
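The binding and substitution notation of slide 11, the enabling rule of slide 12, attack-path generation (slide 16) and the MIM (slide 18) worked through in one added Python example; this is my illustration, not the presentation's or the tool's code. The two-transition login model, the use of the slides' injection strings as input tokens, the guest credential, and the client.get/client.post step templates are constructed assumptions.

```python
# Constructed SQL-injection threat model after slides 11-18 (assumption, not the
# slides' model): tokens are tuples, arc labels carry ?variables bound as ø = ?x/V.
SQLSTR = ["' or '1'='1", "') or '1'='1--"]           # injection strings from the slides
INITIAL = {"page": {("home",)}, "session": set(),     # "session" is the goal place
           "inputs": {("admin", s) for s in SQLSTR} | {("guest", "letmein")}}
def substitute(label, theta):
    """l/ø (slide 11): replace each ?variable in an arc label by its bound value."""
    return tuple(theta.get(x, x) for x in label)
def unify(label, token, theta):
    """Extend ø so that label/ø == token, or return None if the token cannot match."""
    t = dict(theta)
    for x, v in zip(label, token):
        if (t.setdefault(x, v) if x.startswith("?") else x) != v:
            return None
    return t
def enablings(tr, marking):
    """Every ø enabling tr (slide 12): each input arc matches a token, guard holds."""
    thetas = [{}]
    for place, label in tr["in"].items():
        thetas = [t2 for t in thetas for tok in marking[place]
                  if (t2 := unify(label, tok, t)) is not None]
    return [t for t in thetas if tr["guard"](t)]
def fire(tr, theta, marking):
    """Consume l/ø from each input place and produce l/ø in each output place."""
    m = {p: set(toks) for p, toks in marking.items()}
    for place, label in tr["in"].items(): m[place].discard(substitute(label, theta))
    for place, label in tr["out"].items(): m[place].add(substitute(label, theta))
    return m

# t21: go to login page; t12: login, guarded so that only an injection token fires it.
NET = [{"name": "t21", "in": {"page": ("home",)}, "out": {"page": ("login",)},
        "guard": lambda t: True},
       {"name": "t12", "in": {"page": ("login",), "inputs": ("?u", "?p")},
        "out": {"session": ("?u",)}, "guard": lambda t: t["?p"] in SQLSTR}]
def attack_paths(marking=INITIAL, goal="session", path=()):
    """DFS over reachable markings (slide 16); each sequence marking the goal is a test."""
    if marking[goal]:
        yield path; return
    for tr in NET:
        for theta in enablings(tr, marking):
            yield from attack_paths(fire(tr, theta, marking), goal,
                                    path + ((tr["name"], theta),))

# Constructed MIM (slide 18): transition name + binding -> one concrete test step.
MIM = {"t21": lambda t: "client.get('/login')",
       "t12": lambda t: f"client.post('/login', user={t['?u']!r}, password={t['?p']!r})"}
def generate_tests():
    """Executable test code for every attack path, one statement list per path."""
    return [[MIM[name](theta) for name, theta in path] for path in attack_paths()]
```

The guest token shows why the guard matters: it binds ?u and ?p but never fires t12, so no test is generated for a legitimate credential.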

19 Case Studies
 Case Study I: Magento
 Case Study II: FileZilla Server
 Mutation (S.T.R.I.D.E.)
  Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege
 Kill the mutants
 Both studies show that security testing with formal threat models is very effective.
  They killed 93.2% (41/44) and 96.7% (29/30) of the mutants, respectively.

20 Contributions & Conclusion
 Automated generation of executable security tests from formal threat models is a novel contribution to software security testing.
 Injection of security vulnerabilities to evaluate the effectiveness of security tests is a novel contribution to mutation testing.
