Testing for software vulnerability using environment perturbation

Authors: W. Du (CERIAS, Purdue Univ., West Lafayette, IN, USA); A.P. Mathur

Abstract: Describes a methodology for testing a software system for possible security flaws. It is based on the observation that most security flaws are caused by a program's inappropriate interactions with its environment and are triggered by a user's malicious perturbation of that environment (which we call an "environment fault"). We therefore view the security testing problem as the problem of testing the fault-tolerance properties of a software system: each environment perturbation is treated as a fault, and the resulting security compromise as a failure to tolerate that fault. Our approach is based on the well-known technique of fault injection. Environment faults are injected into the system under test and the system's behavior is observed; a failure to tolerate a fault is an indicator of a potential security flaw. An environment-application interaction (EAI) fault model is proposed, which guides the choice of which faults to inject. Based on EAI we have developed a security testing methodology and applied it to several applications, successfully identifying a number of vulnerabilities, including vulnerabilities in the Windows NT operating system.
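The abstract does not show what an environment fault or the observation step looks like in practice. The harness below is an added example written for this page, not code from the paper or its authors. It follows the EAI idea at small scale: a constructed target program interacts with its environment through an environment variable (APP_LOGDIR) and through the file system (it opens app.log), each interaction is perturbed in turn, and the outcome is classified as tolerated, crashed, or compromised. The target functions, the fault names, the APP_LOGDIR variable and the "victim" file are all assumptions of the example; the hardened variant is one plausible fix, not the paper's. It assumes a POSIX system (O_NOFOLLOW and symlink creation).

```python
"""Environment-fault injection harness (added example, not the paper's code).

Each perturbation of the environment is an injected fault; a security
compromise is a failure to tolerate that fault (the EAI view of testing).
"""
import errno
import os
import tempfile
from typing import Callable, Dict

LOG_NAME = "app.log"
SECRET = b"secret\n"   # constructed content of a file the target must never touch


# --- Target under test (constructed for this example) ----------------------
def naive_append_log(allowed_root: str, data: bytes) -> None:
    """Trusts APP_LOGDIR (environment-variable interaction) and uses open(),
    which follows symlinks (file-system interaction)."""
    logdir = os.environ.get("APP_LOGDIR", allowed_root)
    with open(os.path.join(logdir, LOG_NAME), "ab") as f:
        f.write(data)


def hardened_append_log(allowed_root: str, data: bytes) -> None:
    """Same function, written to tolerate the faults injected below."""
    root = os.path.realpath(allowed_root)
    real = os.path.realpath(os.environ.get("APP_LOGDIR", allowed_root))
    # Environment-variable faults: refuse a directory that is missing or outside root.
    if not os.path.isdir(real) or os.path.commonpath([real, root]) != root:
        raise ValueError("untrusted APP_LOGDIR, refusing")
    # File-system fault: O_NOFOLLOW makes a planted symlink fail with ELOOP instead
    # of being followed (assumes POSIX; getattr keeps the call valid elsewhere).
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(os.path.join(real, LOG_NAME), flags, 0o600)
    except OSError as e:
        if e.errno == errno.ELOOP:
            raise ValueError("log file is a symlink, refusing") from e
        raise
    with os.fdopen(fd, "ab") as f:
        f.write(data)


# --- Environment faults: the perturbations injected before each run --------
def fault_none(root: str, victim: str) -> None:
    """Baseline: no perturbation."""


def fault_env_traversal(root: str, victim: str) -> None:
    """Env var redirected through '..' to the directory holding the victim file."""
    os.environ["APP_LOGDIR"] = os.path.join(root, "..", os.path.basename(os.path.dirname(victim)))


def fault_env_oversized(root: str, victim: str) -> None:
    """Env var with a path component longer than NAME_MAX."""
    os.environ["APP_LOGDIR"] = os.path.join(root, "A" * 300)


def fault_fs_symlink(root: str, victim: str) -> None:
    """The file the target expects to create is pre-planted as a symlink to the victim."""
    os.symlink(victim, os.path.join(root, LOG_NAME))


FAULTS: Dict[str, Callable[[str, str], None]] = {
    "baseline": fault_none,
    "env_traversal": fault_env_traversal,
    "env_oversized": fault_env_oversized,
    "fs_symlink": fault_fs_symlink,
}


def inject_and_observe(target: Callable[[str, bytes], None], root: str, victim: str,
                       fault: Callable[[str, str], None]) -> str:
    """Reset the environment, inject one fault, run the target, classify the outcome."""
    os.environ["APP_LOGDIR"] = root
    log = os.path.join(root, LOG_NAME)
    if os.path.lexists(log):
        os.remove(log)
    with open(victim, "wb") as f:
        f.write(SECRET)
    fault(root, victim)
    try:
        target(root, b"log entry\n")
    except ValueError:
        outcome = "tolerated"      # explicit, controlled refusal
    except OSError:
        outcome = "crashed"        # unhandled failure: the fault was not tolerated
    else:
        outcome = "tolerated"
    with open(victim, "rb") as f:  # did the fault let the target write where it must not?
        if f.read() != SECRET:
            return "compromised"
    return outcome


def run_campaign() -> Dict[str, Dict[str, str]]:
    """Inject every fault into both targets; returns {target: {fault: outcome}}."""
    results: Dict[str, Dict[str, str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root, outside = os.path.join(tmp, "app"), os.path.join(tmp, "outside")
        os.mkdir(root)
        os.mkdir(outside)
        victim = os.path.join(outside, LOG_NAME)
        for tname, target in (("naive", naive_append_log), ("hardened", hardened_append_log)):
            results[tname] = {fname: inject_and_observe(target, root, victim, fault)
                              for fname, fault in FAULTS.items()}
    os.environ.pop("APP_LOGDIR", None)
    return results


if __name__ == "__main__":
    for tname, outcomes in run_campaign().items():
        print(tname, outcomes)
```

The point of the classification is that "crashed" is reported separately from "tolerated": an unhandled exception on an oversized environment variable is itself a failure to tolerate the fault, even when no file is compromised, and in a native program the same input would be the starting point for a buffer-overflow investigation. The hardened variant's directory check is still a check-then-use sequence, so it reduces but does not eliminate race windows; O_NOFOLLOW on the final open is what actually closes the symlink fault.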

Published in: Proceedings of the International Conference on Dependable Systems and Networks (DSN 2000)

Date of Conference: 2000