Testing for software vulnerability using environment perturbation

Du, Wenliang; Mathur, Aditya P.

doi:10.1002/qre.480

Cited by 18 publications

(8 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most implementations of this approach, such as [16] and [17], view the security testing problem as the problem of testing for the fault-tolerance properties of a software system. They consider each environment perturbation as a fault and the resulting security compromise a failure in the toleration of such faults.…”

Section: Related Workmentioning

confidence: 99%

Configuration Fuzzing for Software Vulnerability Detection

Dai

Murphy

Kaiser

2010

2010 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Many software security vulnerabilities only reveal themselves under certain conditions, i.e., particular configurations of the software together with its particular runtime environment. One approach to detecting these vulnerabilities is fuzz testing, which feeds a range of randomly modified inputs to a software application while monitoring it for failures. However, typical fuzz testing makes no guarantees regarding the syntactic and semantic validity of the input, or of how much of the input space will be explored. To address these problems, in this paper we present a new testing methodology called configuration fuzzing. Configuration fuzzing is a technique whereby the configuration of the running application is randomly modified at certain execution points, in order to check for vulnerabilities that only arise in certain conditions. As the application runs in the deployment environment, this testing technique continuously fuzzes the configuration and checks "security invariants" that, if violated, indicate a vulnerability; however, the fuzzing is performed in a duplicated copy of the original process, so that it does not affect the state of the running application. In addition to discussing the approach and describing a prototype framework for implementation, we also present the results of a case study to demonstrate the approach's efficiency.

show abstract

Section: Related Workmentioning

confidence: 99%

Configuration Fuzzing for Software Vulnerability Detection

Dai

Murphy

Kaiser

2010

2010 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Modeling a realistic installation suggests that error-caused vulnerabilities is a non-negligible source for security concerns. Du and Mathur [2000] injected errors in the environment of an application and observed the applications for security violations. NFTAPE has been used to inject control flow bit-flips in the user authentication section of sshd and ftpd on Linux and it was found that such faults may open up the affected servers for vulnerabilities [Xu et al, 2001].…”

Section: Fault Injectionmentioning

confidence: 99%

Robustness Evaluation of Operating Systems

Johansson

2008

Information Assurance

View full text Add to dashboard Cite

SummaryThe premise behind this thesis is the observation that Operating Systems (OS), being the foundation behind operations of computing systems, are complex entities and also subject to failures. Consequently, when they do fail, the impact is the loss of system service and the applications running thereon. While a multitude of sources for OS failures exist, device drivers are often identified as a prominent cause behind failures.In order to characterize the impact of driver failures, at both the OS and application levels, this thesis develops a framework for error propagation-based robustness profiling for an OS. The framework is first developed conceptually and then experimentally validated on a real OS, namely Windows CE .Net. The choice of Windows CE is driven by its representativeness for a multitude of OS's, as well as the ability to customize the OS components for particular needs.For experimental validation, fault injection is a prominent technique that can be used to simulate faults (or errors) in the system by inserting synthetic ones and study their effect. Three key questions with such a technique are where, what and when to inject faults. This thesis shows how injecting errors at the interface between drivers and the OS can be very effective in evaluating the effects driver faults can have.To quantify the OS's robustness, this thesis defines a series of error propagation measures, specifically tailored for device drivers. These measures allow for quantifying and comparing both individual services and device drivers on their susceptibility and diffusing abilities.This thesis compares three contemporary error models on their suitability for robustness evaluation. The classical bit-flip model is found to identify a higher number of severe failures in the system. It also identifies failures for more services than both other models, data type and fuzzing. However, its main drawback is that it requires substantially more injections than the other two. Fuzzing, even though not giving rise to as many failures is able to find new additional services with severe failures.A careful study of the injections performed with the bit-flip model shows that only a few bits are generally useful for identifying new services with robustness weaknesses. Consequently, a new composite model is proposed, combining the most effective bits of the bit-flip model with the fuzzing model's ability to identify new services, giving rise to new model without loss of important information and at the same time incurring a moderate number of injections.To answer the question of when to inject an error this thesis proposes a novel model of a driver's usage profile, focusing on high-level operations being carried out. It guides the injection of errors to instances when the driver is carrying out specific operations. Results from extensive fault injection experiments show that more service vulnerabilities can be discovered. Furthermore, a priori profiling of the drivers can show how effective the proposed approach will be. vi

show abstract

“…To ensure that every link l has a consistent interpretation of c l , every node has to calibrate c l with respect to an agreed-upon definition of an attack. Also, to enable us to interpret c l as a probability or proportion, we require that 0 ≤ c l ≤ 1 for every link l ∈ L. With an agreed-upon attack model, every node u can then determine in advance c l for each of its own outgoing links l ∈ L(u), where L(u) is the set of all outgoing links of node u, using vulnerability modeling [10], statistical measurements of reliability indexes [15], or security monitoring systems [26]. We point out that if an accurate estimate of c l is not available, we can set c l = 1, meaning that link l has all its data lost when it is under attack, and our analysis still applies to this worst-case scenario.…”

Section: Problem Formulationmentioning

confidence: 99%

Distributed Algorithms for Secure Multipath Routing in Attack-Resistant Networks

Lee

Misra

Rubenstein

2007

IEEE/ACM Trans. Networking

View full text Add to dashboard Cite

Abstract-To proactively defend against intruders from readily jeopardizing single-path data sessions, we propose a distributed secure multipath solution to route data across multiple paths so that intruders require much more resources to mount successful attacks. Our work exhibits several important properties that include: (1) routing decisions are made locally by network nodes without the centralized information of the entire network topology, (2) routing decisions minimize throughput loss under a single-link attack with respect to different session models, and (3) routing decisions address multiple link attacks via lexicographic optimization. We devise two algorithms termed the Bound-Control algorithm and the Lex-Control algorithm, both of which provide provably optimal solutions. Experiments show that the Bound-Control algorithm is more effective to prevent the worst-case single-link attack when compared to the single-path approach, and that the Lex-Control algorithm further enhances the Bound-Control algorithm by countering severe single-link attacks and various types of multi-link attacks. Moreover, the Lex-Control algorithm offers prominent protection after only a few execution rounds, implying that we can sacrifice minimal routing protection for significantly improved algorithm performance. Finally, we examine the applicability of our proposed algorithms in a specialized defensive network architecture called the attack-resistant network and analyze how the algorithms address resiliency and security in different network settings.

show abstract

Testing for software vulnerability using environment perturbation

Cited by 18 publications

References 17 publications

Configuration Fuzzing for Software Vulnerability Detection

Configuration Fuzzing for Software Vulnerability Detection

Robustness Evaluation of Operating Systems

Distributed Algorithms for Secure Multipath Routing in Attack-Resistant Networks

Contact Info

Product

Resources

About