Automated Security Test Generation with Formal Threat Models


Security attacks typically result from unintended behaviors or invalid inputs. Security testing is labor intensive because a real-world program usually has too many invalid inputs. It is highly desirable to automate or partially automate the security testing process. This paper presents an approach to automated generation of security tests by using formal threat models represented as Predicate/Transition nets. It generates all attack paths, i.e., security tests, from a threat model and converts them into executable test code according to the given Model-Implementation Mapping (MIM) specification. We have applied this approach to two real-world systems, Magento (a web-based shopping system being used by many online stores) and FileZilla Server (a popular FTP server implementation in C++). Threat models are built systematically by examining all potential STRIDE (spoofing identity, tampering with data, repudiation, information disclosure, denial of service, and elevation of privilege) threats to system functions. The security tests generated from these models have found multiple security risks in each system. The test code for most of the security tests can be generated and executed automatically. To further evaluate the vulnerability detection capability of the testing approach, the security tests have been applied to a number of security mutants where vulnerabilities are injected deliberately. The mutants are created according to the common vulnerabilities in C++ and web applications. Our experiments show that the security tests have killed the majority of the mutants.
