Abstract
Along with the increasing importance of software systems for our daily life, attacks on these systems may have a critical impact. Since the number of attacks and their effects increases the more systems are connected, the secure operation of IT systems becomes a fundamental property. In the future, this importance will increase, due to the rise of systems that are directly connected to our environment, e.g., cyber-physical systems and the Internet of Things. Therefore, it is inevitable to find and fix security-relevant weaknesses as fast as possible. However, established automated security testing techniques such as fuzzing require significant computational effort. In this paper, we propose an approach to combine security testing with usage-based testing in order to increase the efficiency of security testing. The main idea behind our approach is to utilize that little tested parts of a system have a higher probability of containing security-relevant weaknesses than well tested parts. Since the execution of a system by users can also be to some degree being seen as testing, our approach plans to focus the fuzzing efforts such that little used functionality and/or input data are generated. This way, fuzzing is targeted on weakness-prone areas which in turn should improve the efficiency of the security testing.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
I. E. Commission, IEC 61025 fault tree analysis (1990)
IEC 60812 analysis techniques for system reliability-procedure for failure mode and effects analysis (FMEA) (2006)
Schneier, B.: Attack trees. Dr. Dobbs J. 24(12), 21–29 (1999)
Lund, M.S., Solhaug, B., Stølen, K.: The CORAS approach. Springer Science & Business Media, Heidelberg (2010)
Takanen, A., DeMott, J., Miller, C.: Fuzzing for Software Security Testing and Quality Assurance Ser Artech House Information Security and Privacy Series. Artech House, Boston (2008). http://books.google.de/books?id=tMuAc_y9dFYC
Miller, B.P., Fredriksen, L., So, B.: An empirical study of the reliability of UNIX utilities. In: Proceedings of the Workshop of Parallel and Distributed Debugging, Academic Medicine, pp. ix–xxi (1990)
Schneider, M., Großmann, J., Tcholtchev, N., Schieferdecker, I., Pietschker, A.: Behavioral fuzzing operators for UML sequence diagrams. In: Haugen, Ø., Reed, R., Gotzhein, R. (eds.) SAM 2012. LNCS, vol. 7744, pp. 88–104. Springer, Heidelberg (2013)
EC FP7 RASEN Project, FP7-316853, 2012–2015. www.rasenproject.eu
Herbold, S.: Usage-based Testing of Event-driven Software. Ph.D. dissertation, Dissertation, Universität Göttingen, June 2012. (electronically published on http://webdoc.sub.gwdg.de/diss/2012/herbold/)
Tonella, P., Ricca, F.: Statistical testing of web applications. J. Softw. Maintenance Evol. Res. Pract. 16(1–2), 103–127 (2004)
EC FP7 MIDAS Project, FP7-316853, 2012–2015. www.midas-project.eu
Herbold, F.G.S.: Patrick Harms. Autoquest (2014). Accessed on https://autoquest.informatik.uni-goettingen.de/
Schneider, M.: Fuzzino (2013). Accessed on https://github.com/fraunhoferfokus/Fuzzino
Acknowledgment
This work was partially funded by the EU FP 7 projects MIDAS (no. 318786) and RASEN (no. 316853).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Schneider, M.A., Herbold, S., Wendland, MF., Grabowski, J. (2015). Improving Security Testing with Usage-Based Fuzz Testing. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science(), vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_8
Download citation
DOI: https://doi.org/10.1007/978-3-319-26416-5_8
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26415-8
Online ISBN: 978-3-319-26416-5
eBook Packages: Computer ScienceComputer Science (R0)