Model-based Behavioural Fuzzing. Martin Schneider (Fraunhofer FOKUS)

Similar documents
Effizientere IT-Sicherheitstests mit Hilfe von Usage-based Testing

Development and Industrial Application of Multi-Domain Security Testing Technologies

Case Study Experiences from the DIAMONDS Project 8 th ETSI Security Conference January, Sophia Antipolis - France

Online Model-Based Behavioral Fuzzing

TESTING NON-FUNCTIONAL QUALITY CHARACTERISTICS OF CYBER-PHYSICAL SYSTEMS

Budapest, October 2016 FUZZ TESTING ITS. Presented by Jürgen Großmann and Dorian Knoblauch. All rights reserved

Security Testing. John Slankas

Model-based Testing - From Safety to Security

ETSI TC MTS, SECURITY SIG IN MTS (METHODS FOR TESTING AND SPECIFICATION) Jürgen Großmann, Fraunhofer FOKUS

IOT-TESTWARE AN ECLIPSE PROJECT

The learning objectives of this chapter are the followings. At the end of this chapter, you shall

International Journal of Computer Engineering and Applications, Volume XII, Special Issue, September 18, ISSN SOFTWARE TESTING

Automated Whitebox Fuzz Testing. by - Patrice Godefroid, - Michael Y. Levin and - David Molnar

International Journal of Computer Engineering and Applications, Volume XII, Special Issue, April- ICITDA 18,

Security Testing: Terminology, Concepts, Lifecycle

Integration of the softscheck Security Testing Process into the V-Modell

TESTING OF IOT APPLICATIONS AND INFRASTRUCTURES

Product Security. for Consumer Devices. Anton von Troyer Codenomicon. all rights reserved.

Software Specification 2IX20

KiF: A stateful SIP Fuzzer

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Development*Process*for*Secure* So2ware

CYSE 411/AIT 681 Secure Software Engineering. Topic #6. Seven Software Security Touchpoints (III) Instructor: Dr. Kun Sun

4. Risk-Based Security Testing. Reading. CYSE 411/AIT 681 Secure Software Engineering. Seven Touchpoints. Application of Touchpoints

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Software Vulnerability

Software Security. Final Exam Preparation. Be aware, there is no guarantee for the correctness of the answers!

INTEGRATING SECURITY TESTING, RISK ASSESSMENT AND COMPLIANCE ASSESSMENT

Types of Software Testing: Different Testing Types with Details

Object-Oriented Modeling. Sequence Diagram. Slides accompanying Version 1.0

Fending Off Cyber Attacks Hardening ECUs by Fuzz Testing

Sequence Diagrams. Massimo Felici. Massimo Felici Sequence Diagrams c

Trustwave Managed Security Testing

Taking White Hats to the Laundry: How to Strengthen Testing in Common Criteria

Penetration Testing. James Walden Northern Kentucky University

Fuzzing. Abstract. What is Fuzzing? Fuzzing. Daniel Basáez S. January 22, 2009

EV CHARGING: MAPPING OUT THE CYBER SECURITY THREATS AND SOLUTIONS FOR GRIDS AND CHARGING INFRASTRUCTURE

Technical Report Methods for Testing and Specification (MTS); Security Testing; Case Study Experiences

Security Testing Improvement Profile (STIP) An evaluation scheme for security testing

CSE 565 Computer Security Fall 2018

Automated Testing and Debugging of SAT and QBF Solvers

white.paper TOPIC Codenomicon robustness testing handling the infinite input space while breaking software

Sample Exam. Advanced Test Automation Engineer

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Certified Secure Web Application Security Test Checklist

Writing a fuzzer. for any language with american fuzzy lop. Ariel Twistlock Labs

Feasibility Evidence Description (FED)

Software security, secure programming

Object-Interaction Diagrams: Sequence Diagrams UML

Baseline Testing Services. Whitepaper Vx.x

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

Fuzzing: Breaking software in an automated fashion

ICSE MET 17 Keynote. Metamorphic Testing: Beyond Testing Numerical Computations

CS 424 Software Quality Assurance & Testing LECTURE 3 BASIC CONCEPTS OF SOFTWARE TESTING - I

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Structure-aware fuzzing

CAP6135: Programming Project 2 (Spring 2010)

THE BUSINESS CASE FOR OUTSIDE-IN DATA CENTER SECURITY

SECURITY MODELING IN AUTOMOTIVE INDUSTRY SHAHANAS CHOLAYIL MAYANKUTTY

Test Automation. 20 December 2017

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

Introduction To Software Testing. Brian Nielsen. Center of Embedded Software Systems Aalborg University, Denmark CSS

Software defects and security

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

A Practical Approach to Programming With Assertions

Software Engineering Testing and Debugging Testing

Static Analysis and Bugfinding

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

WEEK 4 REVIEW. Graphing Systems of Linear Inequalities (3.1)

Three Important Testing Questions

Computationally Efficient Serial Combination of Rotation-invariant and Rotation Compensating Iris Recognition Algorithms

Time-Awareness in the Internet of Things. ITSF 2014 Marc Weiss, NIST Consultant

IoT The gift that keeps on giving

Computer Security Course. Midterm Review

EECS 4313 Software Engineering Testing. Topic 01: Limits and objectives of software testing Zhen Ming (Jack) Jiang

Fuzzing. compass-security.com 1

Enterprise Architect Training Courses

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

KLEE Workshop Feeding the Fuzzers. with KLEE. Marek Zmysłowski MOBILE SECURITY TEAM R&D INSTITUTE POLAND

CrashOS: Hypervisor testing tool

C and C++ Secure Coding 4-day course. Syllabus

In-Memory Fuzzing in JAVA

MBFuzzer - MITM Fuzzing for Mobile Applications

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

CS 370 REVIEW: UML Diagrams D R. M I C H A E L J. R E A L E F A L L

Additional Guidelines and Suggestions for Project Milestone 1 CS161 Computer Security, Spring 2008

Advanced Security Tester Course Outline

Detection of Logic Flaws in Web Applications

A Case Study of Model-Based Testing

Cyber Moving Targets. Yashar Dehkan Asl

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Web Applications (Part 2) The Hackers New Target

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Solutions Business Manager Web Application Security Assessment

Threat Modeling. Bart De Win Secure Application Development Course, Credits to

Denial of Service, Traceback and Anonymity

Chapter 11, Testing, Part 2: Integration and System Testing

Business Logic Attacks BATs and BLBs

ASSURANCE PENETRATION TESTING

Transcription:

Model-based Behavioural Fuzzing Martin Schneider (Fraunhofer FOKUS)

Outline Introduction to fuzzing Behavioural fuzzing of UML sequence diagrams Test case selection by augmenting the model Conclusions and outlook

Introduction to Fuzzing Definition Fuzzing is about injecting invalid or random inputs to obtain unexpected behaviour to identify errors and potential vulnerabilities Interface robustness testing Fuzzing is able to find (zero-day-)vulnerabilities, e.g. crashes denial of service security exposures performance degradation No false positives

Introduction to Fuzzing Categorization dumb smart Random-based fuzzers generate randomly input data. They don t know nearly anything about the SUT s protocol. fuzzed input: HdmxH&k dd#**&% Template-based fuzzers uses existing traces (files, ) and fuzzes some data. template: GET /index.html fuzzed input: GE? /index.html, GET /inde?.html Block-based fuzzers break individual protocol messages down in static (grey) and variable (white) parts and fuzz only the variable part. only the (white) part gets fuzzed GET /index.html fuzzed input: GET /inde?.html, GET /index.&%ml Dynamic Generation/Evolution-based fuzzers learn the protocol of the SUT from feeding the SUT with data and interpreting its responses, for example using evolutionary algorithms.

Introduction to Fuzzing Model-based Fuzzers Model-based fuzzers uses models of the input domain (protocol models, e.g. context free grammars), for generating systematic non-random test cases The model is executed on- or offline to generate complex interaction with the SUT. Thus it is possible fuzz data after passing a particular point. Model-based fuzzers finds defects which human testers would fail to find. specified functionality negative input space (unlimited), target of random fuzzing target of model based fuzzing see also: Takanen, A., DeMott, J., Miller, C.: Fuzzing for Software Security Testing and Quality Assurance. Artech House, Boston (2008)

Introduction to Fuzzing Behavioural Fuzzing In current state of the art, behavioural fuzzing is done only in small portions using state machines: by fuzzing the message type, by reordering messages and by inserting, repeating and dropping messages. The motivation for behavioural fuzzing is that vulnerabilities can be revealed not only when invalid input data is accepted and processed by the SUT, but also by stimulating the SUT with invalid sequences of messages. A real-world example is given in [Tak10] where a vulnerability in Apache web server was found by repeating the host header message in an HTTP request. To start with, we fuzz existing functional test cases. [Tak10] Takahisa, K.; Miyuki, H.; Kenji, K.: "AspFuzz: A state-aware protocol fuzzer based on application-layer protocols," Computers and Communications (ISCC), 2010 IEEE Symposium on, vol., no., pp.202-208, 22-25 June 2010

Behavioural Fuzzing of UML Sequence Diagrams Approach of Behavioural Fuzzing Test cases are generated by fuzzing valid sequence diagrams, e.g. functional test cases. Behavioural fuzzing is realized by changing the order and appearance of messages in two ways: By rearranging messages. This enables straight-lined sequences to be fuzzed. Fuzzing operations are for example remove, move or repeat a message. By utilising control structures of UML 2 sequence diagrams, such as combined fragments, guards, constraints and invariants. This allows more sophisticated and specific behavioural fuzzing. By applying one ore more fuzzing operations to a valid sequence, invalid sequences (= behavioural fuzzing test cases) are generated. valid sequence Behavioural Fuzzing invalid sequence Client Apache Fuzzer Apache 1: GET /infotext.html HTTP/1.1 2: Host: www.example.net Repeat Message 2: Host 1: GET /infotext.html HTTP/1.1 2: Host: www.example.net 3: Host: www.example.net

Behavioural Fuzzing of UML Sequence Diagrams Operators for Messages remove, repeat, move, change type of message, insert message swap messages permute messages regarding a single SUT lifeline (weak sequencing) regarding several SUT lifelines (strict sequencing) rotate messages

Behavioural Fuzzing of UML Sequence Diagrams Combined Fragments combined fragment are control structures for UML sequence diagrams a combined fragment consists of: interaction operator Alternatives Option Break Weak Sequencing Strict Sequencing Negative Consider/Ignore Loop interaction operands guards

Behavioural Fuzzing of UML Sequence Diagrams Operators for Combined Fragments negate interaction constraint, interchange interaction constraints change bounds of loop disintegrate combined fragments insert, remove, repeat, move combined fragments change interaction operator

Test Case Selection by Augmenting the Model Complexity Three values have an impact on the number of test cases that can be generated from one valid sequence using behavioural fuzzing: number of fuzzing operators number of elements in the sequence diagram maximum number of fuzzing operators per test case A fuzzing operator can be applied to an element of a sequence in different ways. The number of possibilities to apply all fuzzing operators to all elements of a sequence is where is a constant representing the maximum number of possibilities to apply a fuzzing operator to one model element. The following formula is a first approximation of the complexity:!!

Test Case Selection by Augmenting the Model UMLsec Role-based Access Control UMLsec provides the following tags for role-based access control role: assigns users and roles by a set of tuples (user, role) right: assigns roles and rights by a set of tuples (role, protected resources) protected: identifies the protected resources users UMLsec s stereotype rbac is annotated to UML activity diagrams we use it to annotate UML sequence diagram new tag authentication to identify messages for authentication/login and logout

Test Case Selection by Augmenting the Model Test Case Generation Application of fuzzing operator MoveMessage

Conclusions & Outlook Conclusions Test evaluation and assessment Large number of generated test cases, incl. duplicates move message x + remove message x for generating one test case is equivalent to remove message x unintentionally valid sequence diagrams modifying one sequence diagram by applying fuzzing operators may result in a valid sequence diagram Outlook Studies are necessary to show the efficacy of the presented approach. At the moment, we are applying the presented approach to a DIAMONDS case study from the banking domain: See DIAMONDS booth at ITEA Co-summit next week! Optimized test generation (risk and security oriented test generation, finding more appropriate security stereotypes) Combination with data fuzzing methods.

Thank you for your attention! Any questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback