Title :
Recycling Test Cases to Detect Security Vulnerabilities
Author :
Antunes, Jose ; Neves, Nuno
Author_Institution :
Dept. de Inf., Univ. de Lisboa, Lisbon, Portugal
Abstract :
The design of new protocols and features, e.g., in the context of organizations such as the IETF, produces a flow of novel standards and amendments that lead to ever-changing implementations. These implementations can be difficult to test for security vulnerabilities because existing tools often lag behind. In the paper, we propose a new methodology that addresses this issue by recycling test cases from several sources, even if aimed at distinct protocols. It resorts to protocol reverse engineering techniques to build parsers that are capable of extracting the relevant payloads from the test cases, and then applies them to new test cases tailored to the particular features that need to be checked. An evaluation with 10 commercial and open-source testing tools and a large set of FTP vulnerabilities shows that our approach is able to get better or equal vulnerability coverage than the original tools. In a more detailed experiment with two fuzzers, our solution showed an improvement of 19% on vulnerability coverage when compared with the two combined fuzzers, being capable of finding 25 additional vulnerabilities.
Keywords :
program testing; protocols; public domain software; reverse engineering; security of data; FTP vulnerabilities; IETF; fuzzers; open-source testing tools; organizations; protocol reverse engineering techniques; security vulnerabilities detection; test case recycling; vulnerability coverage; Automata; Generators; Payloads; Protocols; Reverse engineering; Servers; Testing; protocol reverse engineering; test case generation; vulnerability assessment;
Conference_Title :
Software Reliability Engineering (ISSRE), 2012 IEEE 23rd International Symposium on
Conference_Location :
Dallas, TX
Print_ISBN :
978-1-4673-4638-2
DOI :
10.1109/ISSRE.2012.3