[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
10.1145/1068009.1068185acmconferencesArticle/Chapter ViewAbstractPublication PagesgeccoConference Proceedingsconference-collections
Article

Improving network applications security: a new heuristic to generate stress testing data

Published: 25 June 2005 Publication History

Abstract

Buffer overflows cause serious problems in different categories of software systems. For example, if present in network or security applications, they can be exploited to gain unauthorized grant or access to the system. In embedded systems, such as avionics or automotive systems, they can be the cause of serious accidents.This paper proposes to combine static analysis and program slicing with evolutionary testing, to detect buffer overflow threats. Static analysis identifies vulnerable statements, while slicing and data dependency analysis identify the relationship between these statements and program or function inputs, thus reducing the search space.To guide the search towards discovering buffer overflow in this work we define three multi-objective fitness functions and compare them on two open-source systems. These functions account for terms such as the statement coverage, the coverage of vulnerable statements, the distance form buffer boundaries and the coverage of unconstrained nodes of the control flow graph.

References

[1]
Beetlesoft RatScan. http://www.beetlesoft.com.
[2]
Secure software solutions, rats, the rough auditing tool for security. http://www.securesw.com/rats/.
[3]
G. Antoniol and E. Merlo. A static measure of a subset of intra-procedural data flow testing coverage based on node coverage. In CASCON, October 1999.
[4]
D. Binkley and M. Harman. Analysis and visualization of predicate dependence on formal parameters and global variables. IEEE Transactions on Software Engineering, 30(11):715--735, Nov 2004.
[5]
D. DaCosta, C. Dahn, S. Mancoridis, and V. Prevelakis. Characterizing the 'security vulnerability likelihood' of software functions. In Proceedings of IEEE International Conference on Software Maintenance, pages 266--276, Amsterdam, The Netherlands, Oct 2003.
[6]
C. Del Grosso, G. Antoniol, and M. Di Penta. An evolutionary testing approach to detect buffer overflow. In Student Paper Proceedings of the International Symposium of Software Reliability Engineering (ISSRE), St. Malo, France, Nov 2004.
[7]
C. Del Grosso, M. Di Penta, and G. Antoniol. An evolutionary testing approach to detect buffer overflows. In International Symposium on Software Reliability Engineering (student paper), pages 77--78, St Malo, Bretagne, France, November, 2-5 2004.
[8]
D. E. Goldberg. Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Pub Co, Jan 1989.
[9]
R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In In Proceedings of the Winter USENIX Conference, Washington, DC, USA, Aug 1992.
[10]
E. Haugh and M. Bishop. Testing c programs for buffer overflow vulnerabilities.
[11]
B. Korel and A. Al-Yami. Assertion-oriented automated test data generation. In Proceedings of the International Conference on Software Engineering, Berlin, Germany, 1996.
[12]
D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In In Proceedings of the USENIX Security Symposium, Washington, DC, USA, Aug 2001.
[13]
P. McMinn. Search-based software test data generation: a survey. Software Testing, Verification and Reliability, 14:105--156, June 2004.
[14]
E. Merlo and G. Antoniol. A static measure of a subset of intra-procedural data flow testing coverage based on node coverage. In Proceedings of CASCON-99 - ponsored by IBM Canada and the National Reasearch Council of Canada, pages 173--186, Mississauga (Ontario), November 8-11 1999.
[15]
B. Miller, L. Fredricksen, and B. So. Empirical study of the reliability of unix utilities. Communications of the Association for Computing Machinery, 33(12):32--44, Dec 1990.
[16]
O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, pages 159--169, Feb 2004.
[17]
N. Tracey. A search-based automated test-data generation framework for safety critical software. PhD thesis, University of York, 2000.
[18]
N. Tracey, J. Clark, K. Mander, and J. McDermid. Automated test data generation for exception conditions. Software - Practice and Experience, 30(1), 2000.
[19]
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for c and c++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, pages 3--17, Dec 2000.
[20]
S. G. W. and C. W. G. Statistical Methods. Iowa State University Press, 1989.
[21]
D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS '00), pages 3--17, San Diego, CA, USA, Feb 2000.
[22]
M. Wall. GAlib - a C++ library of genetic algorithm components. http://lancet.mit.edu/ga/.
[23]
M. Weiser. Program slicing. IEEE Transactions on Software Engineering, 10(4):352--357, July 1984.

Cited By

View all
  • (2024)A systematic literature review on software security testing using metaheuristicsAutomated Software Engineering10.1007/s10515-024-00433-031:2Online publication date: 23-May-2024
  • (2023)Simulation-Driven Automated End-to-End Test and Oracle InferenceProceedings of the 45th International Conference on Software Engineering: Software Engineering in Practice10.1109/ICSE-SEIP58684.2023.00016(122-133)Online publication date: 17-May-2023
  • (2018)A model-based approach to combine conformance and load testsInternational Journal of Critical Computer-Based Systems10.5555/3302642.33026458:3-4(282-310)Online publication date: 1-Jan-2018
  • Show More Cited By

Index Terms

  1. Improving network applications security: a new heuristic to generate stress testing data

    Recommendations

    Comments

    Please enable JavaScript to view thecomments powered by Disqus.

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    GECCO '05: Proceedings of the 7th annual conference on Genetic and evolutionary computation
    June 2005
    2272 pages
    ISBN:1595930108
    DOI:10.1145/1068009
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 25 June 2005

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. evolutionary testing
    2. security
    3. stress testing
    4. test data generation

    Qualifiers

    • Article

    Conference

    GECCO05
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 1,669 of 4,410 submissions, 38%

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)6
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 14 Dec 2024

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)A systematic literature review on software security testing using metaheuristicsAutomated Software Engineering10.1007/s10515-024-00433-031:2Online publication date: 23-May-2024
    • (2023)Simulation-Driven Automated End-to-End Test and Oracle InferenceProceedings of the 45th International Conference on Software Engineering: Software Engineering in Practice10.1109/ICSE-SEIP58684.2023.00016(122-133)Online publication date: 17-May-2023
    • (2018)A model-based approach to combine conformance and load testsInternational Journal of Critical Computer-Based Systems10.5555/3302642.33026458:3-4(282-310)Online publication date: 1-Jan-2018
    • (2018)Mapping the Effectiveness of Automated Test Suite Generation TechniquesIEEE Transactions on Reliability10.1109/TR.2018.283207267:3(771-785)Online publication date: Sep-2018
    • (2018)Search-Based Secure Software Testing: A SurveySoftware Engineering10.1007/978-981-10-8848-3_35(375-381)Online publication date: 13-Jun-2018
    • (2018)Comparison of Search-Based Algorithms for Stress-Testing Integrated CircuitsSearch-Based Software Engineering10.1007/978-3-319-99241-9_10(198-212)Online publication date: 22-Aug-2018
    • (2017)WSCLim: A Tool for Model-Based Testing of WS-BPEL Compositions Under Load ConditionsTests and Proofs10.1007/978-3-319-61467-0_9(139-151)Online publication date: 18-Jun-2017
    • (2016)A Search Based Approach for Stress-Testing Integrated CircuitsSearch Based Software Engineering10.1007/978-3-319-47106-8_6(80-95)Online publication date: 24-Sep-2016
    • (2015)Combining Genetic Algorithms and Constraint Programming to Support Stress Testing of Task DeadlinesACM Transactions on Software Engineering and Methodology10.1145/281864025:1(1-37)Online publication date: 2-Dec-2015
    • (2015)A Survey on Load Testing of Large-Scale Software SystemsIEEE Transactions on Software Engineering10.1109/TSE.2015.244534041:11(1091-1118)Online publication date: 1-Nov-2015
    • Show More Cited By

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Media

    Figures

    Other

    Tables

    Share

    Share

    Share this Publication link

    Share on social media