09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay.

Slides:



Advertisements
Similar presentations
IT Technical Support South Nottingham College. Aims Knowledge of the Registry Discuss the tools available to support a technician Gain an understanding.
Advertisements

h Protection from cyber attacks is achieved by acting on several levels: first, at the physical and material, placing the server in a place as safe as.
Defect testing Objectives
Unit Testing in the OO Context(Chapter 19-Roger P)
Lecture 8: Testing, Verification and Validation
SOFTWARE TESTING. INTRODUCTION  Software Testing is the process of executing a program or system with the intent of finding errors.  It involves any.
Software Architecture Prof.Dr.ir. F. Gielen
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
Abirami Poonkundran 2/22/10.  Goal  Introduction  Testing Methods  Testing Scope  My Focus  Current Progress  Explanation of Tools  Things to.
Software testing.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Why Security Testing Is Hard Herbert H. Thompson Presenter: Alicia Young.
Why Security Testing Is Hard by Herbert H. Thompson presented by Carlos Hernandez.
University of Kansas Construction & Integration of Distributed Systems Jerry James Oct. 30, 2000.
January 14, 2010 Introduction to Ethical Hacking and Network Defense MIS © Abdou Illia.
SIMULATING ERRORS IN WEB SERVICES International Journal of Simulation: Systems, Sciences and Technology 2004 Nik Looker, Malcolm Munro and Jie Xu.
Software Testing Name: Madam Currie Course: Swen5431 Semester: Summer 2K.
Design, Implementation and Maintenance
Scenario testing Tor Stålhane. Scenario testing – 1 There are two types of scenario testing. Type 1 – scenarios used as to define input/output sequences.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
Testing for Software Security ECEN5053 Software Engineering of Distributed Systems University of Colorado, Boulder Testing for Software Security, Hebert.
Testing Tools. Categories of testing tools Black box testing, or functional testing Testing performed via GUI. The tool helps in emulating end-user actions.
Testing. What is Testing? Definition: exercising a program under controlled conditions and verifying the results Purpose is to detect program defects.
CSCE 548 Secure Software Development Risk-Based Security Testing.
Software Quality Assurance Lecture #8 By: Faraz Ahmed.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 23 Slide 1 Software testing Slightly adapted by Anders Børjesson.
Dr Andy Brooks1 FOR0383 Software Quality Assurance Lecture 1 Introduction Forkröfur/prerequisite: FOR0283 Programming II Website:
March 13, 2001CSci Clark University1 CSci 250 Software Design & Development Lecture #15 Tuesday, March 13, 2001.
TESTING.
Information Systems Security Computer System Life Cycle Security.
Approaches to Application Security – DSM
© 2012 IBM Corporation Rational Insight | Back to Basis Series Chao Zhang Unit Testing.
Security Architecture
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
1 Software testing. 2 Testing Objectives Testing is a process of executing a program with the intent of finding an error. A good test case is in that.
Software Testing. What is Software Testing? Definition: 1.is an investigation conducted to provide stakeholders with information about the quality of.
Testing Basics of Testing Presented by: Vijay.C.G – Glister Tech.
Introduction to Software Testing. Types of Software Testing Unit Testing Strategies – Equivalence Class Testing – Boundary Value Testing – Output Testing.
Software Testing Yonsei University 2 nd Semester, 2014 Woo-Cheol Kim.
Software Construction Lecture 18 Software Testing.
APPLICATION PENETRATION TESTING Author: Herbert H. Thompson Presentation by: Nancy Cohen.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
WHY IS SOFTWARE TESTING NEEDED? Presented by - Santosh Bethi 22 nd October, 2003.
Software Engineering 2004 Jyrki Nummenmaa 1 BACKGROUND There is no way to generally test programs exhaustively (that is, going through all execution.
Black Box Testing : The technique of testing without having any knowledge of the interior workings of the application is Black Box testing. The tester.
CPSC 873 John D. McGregor Session 9 Testing Vocabulary.
Testing in Android. Methods Unit Testing Integration Testing System Testing Regression Testing Compatibility Testing Black Box (Functional) White Box.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 1 Security Architecture.
CS451 Lecture 10: Software Testing Yugi Lee STB #555 (816)
1 Phase Testing. Janice Regan, For each group of units Overview of Implementation phase Create Class Skeletons Define Implementation Plan (+ determine.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 23 Slide 1 Software testing.
Introduction to Performance Testing Performance testing is the process of determining the speed or effectiveness of a computer, network, software program.
CS223: Software Engineering Lecture 25: Software Testing.
Introduction To DBMS.
CSCE 548 Secure Software Development Risk-Based Security Testing
Integration Testing.
Security Testing Methods
John D. McGregor Session 9 Testing Vocabulary
Testing and Debugging PPT By :Dr. R. Mall.
Software Security Testing
John D. McGregor Session 9 Testing Vocabulary
John D. McGregor Session 9 Testing Vocabulary
INFORMATION SYSTEMS SECURITY and CONTROL
Software testing.
Black Box Software Testing Fall 2004
CS240: Advanced Programming Concepts
System Testing.
Engineering Secure Software
TYPES OF TESTING.
Presentation transcript:

09/18/06 1 Software Security Vulnerability Testing in Hostile Environment Herbert H. Thompson James A. Whittaker Florence E. Mottay

09/18/06 2 Introduction  Functionality and Security Are Often in Contention as Development Goals  Increased Functionality Leads to Decreased Security  Increase Security requires less Software Interaction with It Environment  Security Issues are left under-exercised or not traversed at all due to the difficulty in simulating a hostile environment  Network Failures during aremote transaction  Disk Write errors, Memory Failures  Such Failures Need to be Integrated into the Test Cases

09/18/06 3 Placing a System under Stress  A Security defect, in a general sense, is any attribute of the software that violates policies regarding access to resources  Sensitive information is written out to an unencrypted file  Allows attackers to Deny access to a web server by authorized users  Some Security vulnerabilities can be discovered using conventional testing techniques  Many others security defects only surface when the application is placed under stressed environments  Sources of Stress: load, memory or resource deprivation, etc  When stress is present error handling routines are executed

09/18/06 4 Continuation  Three Basic Approaches to Introduce Environmental failure  Code-Based Fault Injection  External Stress Simulation  Runtime Fault Injection

09/18/06 5 Symptoms of Security Defects  Security failures derived from the interaction with the environment  Reading/Writing Files  Writing to the Registry  Sending information across the network

09/18/06 6 Monitoring for Symptoms  An application interaction with its environment is its most critical behaviour  External Activities can be observed by monitoring the System Calls the Application makes  Application can be monitored by getting in between the application and the environment when a system call is performed  To determine if there exist a security risk a special tool can be used to provide system-level design detail  Holodeck an application tool intercepts systems calls and allows to view the interaction between the application and its environment  Holodeck allows the tester to carefully examine the interaction to find potential points of security break

09/18/06 7 Different types of approaches for security testing  Code-Based Fault Injection  Forces error conditions  Error handling is white box in nature  Involves modifying the source code and hard coding return values  Forces the application to traverse a particular path  Although efficient it has some problems Tester do not always have access to all the parts of source code Even with source code testers might lack expertise of knowledge of the code’s design and structure to effectible implement the branch testing It is time consuming implementing those situations at code level; one instance per situation

09/18/06 8 Continuation Example of Code-based Fault Injection hModule= LoadLibraryEx(TEXT(“msrating.dll”),NULL, LOAD_LIBRARY-AS-DATAFILE); hModule= NULL; // Hard-Coded failure of //LoadLibraryEx

09/18/06 9 Different types of approaches for security testing (cont)  External Stress Simulation  Involves simulating a high volume of activity on the system  Accomplished by using an external application that does not interact directly with the application under test  Or by limiting disk or memory resources Large files Background processes, etc

09/18/06 10 Different types of approaches for security testing (cont)  Runtime Fault Injection  Black box fault injection  System calls are monitored and values returned by these calls are controlled  Faults are simulated without changing the code of the application  The application is placed in a realistically hostile environment by inserting a runtime fault  A single system call can be isolated to manipulate its response during stress situation

09/18/06 11 Conclusion  Error handling routines are subjected to much less testing than functional code  Leaving any portion of the code untested is dangerous for security vulnerabilities  Error handlers are there usually to patched a failure and are thus not constructed with security in mind  Executing test cases in faulty environment should be an essential part of any sound security testing

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.