1 / 20

Automated Security Testing with Formal Threat Models

Automated Security Testing with Formal Threat Models. Frank Xu Ph.D. Overview. Introduction Objectives Approach Experiments Contribution & Conclusions. Introduction. Application security Bypass authentication attack, SQL injection attack

veronica-fowler
Download Presentation

Automated Security Testing with Formal Threat Models

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Automated Security Testing with Formal Threat Models Frank Xu Ph.D.

  2. Overview • Introduction • Objectives • Approach • Experiments • Contribution & Conclusions

  3. Introduction • Application security • Bypass authentication attack, SQL injection attack • Application vulnerabilities exceed Networking and OS vulnerabilities • Weak authentication mechanism, unsanitized inputs • Preventing malicious security attacks by detecting vulnerabilities • SANS' 2009 Top Cyber Security Risks (http://www. sans.org/top-cyber-security-risks/),

  4. Introduction • How to detect software vulnerabilities? • Similar to detect software bugs • Security testing • Tradition testing vs. security testing • Traditional testing : test if a program does what it is supposed to do • Testing for security: test a program against possible vulnerabilities for checking if it contains unintended behaviors • Sql injection to log into the system • Problem? • Security testing is very labor-intensive • Sql injection string: ' or '1'='1 • databases, inputs, paths

  5. Objectives Presents an approach to automatically test software security

  6. Approach • Create formal threat models • represented as Predicate/Transition nets • Automatically generates all attack paths, • i.e., security tests • Converts attach path into executable test code • according to the given MIM (Model-Implementation Mapping) specification

  7. PrT net http://www.informatik.uni-hamburg.de/TGI/PetriNets/introductions/aalst/elevator1.swf

  8. Prt Net for dictionary attack

  9. Notations • Variable Binding: ø = ?x/V • ?x is bound to value V. • Variable Substituting: l/ø : • the tuple (or token) obtained by substituting each variable in l for its bound value in ø. • If l= <?u,?p> and ø={?u/ID1,?p/PSWD1}, then l/ø=<ID1, PSWD1>. l= (?u,?p) P(ID1,PSWD1) Enabled by ø={?u/ID1,?p/PSWD1},

  10. Transition Enabled

  11. Threat Model

  12. SQL injection attacks t11:do shopping, t12: login t13: check out” t21: go to login page t22: retrieve password t23: forgot your password t31: login, t32: do shopping, t33: check out using coupon code sqlstr: or 1=1--, ‘) or ‘1’=’1--, and 1’ or ‘1=’1.

  13. Generating Attack Paths

  14. Generating Test Code http://seleniumhq.org/movies/intro.mov

  15. Model-Implementation Mapping

  16. CASE STUDIES • Case Study I: Magento • Case Study II: FileZilla Server • Mutation (S.T.R.I.D.E. ) • Spoofing, Tampering, Repudiation, Information disclosure, Denial of Service, Elevation of privilege • Kill the mutations • Both studies show that security testing with formal threat models is very effective. • They have killed 93.2% (41/44) and 96.7% (29/30) of the mutants, respectively

  17. Contributions & Conclusion • First, automated generation of executable security tests from formal threat models is a novel contribution to software security testing. • Injection of security vulnerabilities for evaluating the effectiveness of security tests is a novel contribution to mutation testing.

More Related