Advertisement

Fuzz Test Case Generation for Penetration Testing in Mobile Cloud Computing Applications

  • Ahmad Salah Al-Ahmad
  • Hasan KahtanEmail author
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 866)

Abstract

Security testing for applications is a critical practice used to protect data and users. Penetration testing is particularly important, and test case generation is one of its critical phases. In test case generation, the testers need to ensure that as many execution paths as possible are covered by using a set of test cases. Multiple models and techniques have been proposed to generate test cases for software penetration testing. These techniques include fuzz test case generation, which has been implemented in multiple forms. This work critically reviews different models and techniques used for fuzz test case generation and identifies strengths and limitations associated with each implementation and proposal. Reviewing results showed that previous test case generation methods disregard offloading parameters when generating test case sets. This paper proposes a test case generation technique that uses offloading as a generation parameter to overcome the lack of such techniques in previous studies. The proposed technique improves the coverage path on applications that use offloading, thereby improving the effectiveness and efficiency of penetration testing.

Keywords

Penetration testing Software testing Security testing Test case generation 

Notes

Acknowledgments

This research is supported by the Department of Research and Innovation of University Malaysia Pahang under Fundamental Research Grant Scheme (FRGS) RDU170102.

References

  1. 1.
    Geer, D., Harthorne, J.: Penetration testing: a duet. In: 18th Annual Computer Security Applications Conference. IEEE, Las Vegas (2002)Google Scholar
  2. 2.
    Xiong, P., Peyton, L.: A model-driven penetration test framework for Web applications. In: Eighth Annual International Conference on Privacy, Security and Trust (PST). IEEE, Ottawa (2010)Google Scholar
  3. 3.
    Xu, W., Groves, B., Kwok, W.: Penetration testing on cloud—case study with owncloud. Glob. J. Inf. Technol. 5(2), 87–94 (2016)Google Scholar
  4. 4.
    Goel, J.N., et al.: Ensemble based approach to increase vulnerability assessment and penetration testing accuracy. In: 2016 International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH). IEEE (2016)Google Scholar
  5. 5.
    Zhao, J., et al.: Penetration testing automation assessment method based on rule tree. In: IEEE International Conference on Cyber Technology in Automation, Control, and Intelligent Systems (CYBER), Shenyang, China (2015)Google Scholar
  6. 6.
    Deptula, K.: Automation of cyber penetration testing using the detect, identify, predict, react intelligence automation model. In: Postgraduate School. Naval Postgraduate School, Monterey, p. 139 (2013)Google Scholar
  7. 7.
    Xing, B., et al.: Design and implementation of an XML-based penetration testing system. In: International Symposium on Intelligence Information Processing and Trusted Computing (IPTC). IEEE, Huanggang (2010)Google Scholar
  8. 8.
    Mainka, C., Somorovsky, J., Schwenk, J.: Penetration testing tool for web services security. In: 8th IEEE World Congress on Servicess. IEEE, Honolulu (2012)Google Scholar
  9. 9.
    Halfond, W.G., Choudhary, S.R., Orso, A.: Penetration testing with improved input vector identification. In: International Conference on Software Testing Verification and Validation. IEEE, Lillehammer (2009)Google Scholar
  10. 10.
    Jones, G.: Penetrating the cloud. Netw. Secur. 2013(2), 5–7 (2013)MathSciNetCrossRefGoogle Scholar
  11. 11.
    Kang, B.-H.: About effective penetration testing methodology. J. Secur. Eng. 5(5), 10 (2008)Google Scholar
  12. 12.
    LaBarge, R., McGuire, T.: Cloud penetration testing. Int. J. Cloud Comput. Serv. Arch. (IJCCSA) 2(6), 43–62 (2013)Google Scholar
  13. 13.
    Al-Ahmad, A., Abu Ata, B., Wahbeh, A.: Pen testing for web applications. Int. J. Inf. Technol. Web Eng. (IJITWE), 7(3), 1–13 (2012)CrossRefGoogle Scholar
  14. 14.
    Schneider, M., et al.: Online Model-based behavioral fuzzing. In: IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops (ICSTW). IEEE, Luxembourg (2013)Google Scholar
  15. 15.
    Schneider, M., et al.: Behavioral fuzzing operators for UML sequence diagrams. Springer (2013)Google Scholar
  16. 16.
    de Graaf, M.: Intelligent fuzzing of web applications. In: Software Engineering. Universiteit van Amsterdam: Digital Academic Repository – UBA, University of Amsterdam (2009)Google Scholar
  17. 17.
    Färnlycke, I.: An approach to automating mobile application testing on Symbian smartphones: functional testing through log file analysis of test cases developed from use cases. In: School of Information and Communication Technology (ICT), KTH Royal Institute Of Technology (2013). Open Access in DiVAGoogle Scholar
  18. 18.
    Karami, M., et al.: Behavioral analysis of android applications using automated instrumentation. In: IEEE 7th International Conference on Software Security and Reliability-Companion (SERE-C), Gaithersburg, Maryland, USA (2013)Google Scholar
  19. 19.
    Mahmood, R., et al.: A whitebox approach for automated security testing of Android applications on the cloud. In: Proceedings of the 7th International Workshop on Automation of Software Test (AST). IEEE, Zurich (2012)Google Scholar
  20. 20.
    Yang, Y., et al.: A model-based fuzz framework to the security testing of TCG software stack implementations. In: International Conference on Multimedia Information Networking and Security (MINES). IEEE, Hubei (2009)Google Scholar
  21. 21.
    Kaur, S. Sohal, H.S.: Hybrid application partitioning and process offloading method for the mobile cloud computing. In: Proceedings of the First International Conference on Intelligent Computing and Communication. Springer, Singapore (2017)Google Scholar
  22. 22.
    Shiraz, M., et al.: A study on the critical analysis of computational offloading frameworks for mobile cloud computing. J. Netw. Comput. Appl. 47(1), 47–60 (2015)MathSciNetCrossRefGoogle Scholar
  23. 23.
    Rastogi, V., Chen, Y., Enck, W.: Appsplayground: automatic security analysis of smartphone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy. ACM, New Orleans (2013)Google Scholar
  24. 24.
    Wassermann, G., et al.: Dynamic test input generation for web applications. In: Proceedings of the International Symposium on Software Testing and Analysis. ACM, Seattle (2008)Google Scholar
  25. 25.
    Nageswaran, S.: Test effort estimation using use case points. In: Quality Week, San Francisco, California, USA (2001)Google Scholar
  26. 26.
    Mendez, X.: SQL injection fuzz strings (from wfuzz tool) (2014). https://wfuzz.googlecode.com/svn/trunk/wordlist/Injections/SQL.txt. Accessed 11 Sept 2015
  27. 27.
    Huang, D., et al.: MobiCloud: building secure cloud framework for mobile computing and communication. In: Fifth IEEE International Symposium on Service Oriented System Engineering (SOSE). IEEE, Nanjing (2010)Google Scholar
  28. 28.
    Kumar, K., Lu, Y.-H.: Cloud computing for mobile users: can offloading computation save energy? IEEE Comput. Soc. 43(4), 51–56 (2010)CrossRefGoogle Scholar
  29. 29.
    Zhang, J., Sun, D., Zhai, D.: A research on the indicator system of cloud computing security risk assessment. In: International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (ICQR2MSE). IEEE, Chengdu (2012)Google Scholar
  30. 30.
    Giurgiu, I., et al.: Calling the cloud: enabling mobile phones as interfaces to cloud applications. In: Middleware, pp. 83–102. Springer, New York (2009)Google Scholar
  31. 31.
    Kovachev, D. Klamma, R.: Beyond the client-server architectures: a survey of mobile cloud techniques. In: 1st IEEE International Conference on Communications in China Workshops (ICCC). IEEE, Beijing (2012)Google Scholar
  32. 32.
    Singh, Y., et al.: Systematic literature review on regression test prioritization techniques. Inform. (Slov.) 36(4), 379–408 (2012)Google Scholar
  33. 33.
    Budgen, D., Brereton, P.: Performing systematic literature reviews in software engineering. In: Proceedings of the 28th International Conference on Software Engineering. ACM, Shanghai (2006)Google Scholar
  34. 34.
    Brereton, P., et al.: Lessons from applying the systematic literature review process within the software engineering domain. J. Syst. Softw. 80(4), 571–583 (2007)CrossRefGoogle Scholar
  35. 35.
    Zeisberger, S., Irwin, B.: A fuzz testing framework for evaluating and securing network applications. In: the Annual Southern Africa Telecommunication Networks and Applications Conference (SATNAC), London, UK (2011)Google Scholar
  36. 36.
    Shahriar, H., North, S., Mawangi, E.: Testing of memory leak in android applications. In: IEEE 15th International Symposium on High-Assurance Systems Engineering (HASE). IEEE, Miami (2014)Google Scholar
  37. 37.
    Kaushik, M., Ojha, G.: Attack penetration system for SQL injection. Int. J. Adv. Comput. Res. 4(2), 724 (2014)Google Scholar
  38. 38.
    Fertig, T., Braun, P.: Model-driven testing of restful apis. In: Proceedings of the 24th International Conference on World Wide Web. ACM (2015)Google Scholar
  39. 39.
    Zhu, Z.: Automated penetration testing for PHP web applications, Georgia Institute of Technology, pp. 48, November 2016Google Scholar
  40. 40.
    Liu, L., et al.: An inferential metamorphic testing approach to reduce false positives in SQLIV penetration test. In: IEEE 41st Annual Computer Software and Applications Conference (COMPSAC) (2017)Google Scholar
  41. 41.
    Al-Ahmad, A.S., Aljunid, S.A., Sani, A.S.A.: Mobile cloud computing testing review. In: International Conference on Advanced Computer Science Applications and Technologies (ACSAT). IEEE, Kuala Lumpur (2013)Google Scholar
  42. 42.
    Paranjothi, A., Khan, M.S., Nijim, M.: Survey on three components of mobile cloud computing: offloading, distribution and privacy. J. Comput. Commun. 5(06), 1 (2017)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversiti TeknologiMaraMalaysia
  2. 2.Department of Software Engineering, Faculty of Computer Systems and Software EngineeringUniversiti Malaysia Pahang (UMP)KuantanMalaysia

Personalised recommendations