OUSPG



$RCSfile: index.html,v $ $Revision: 1.6 $ $Date: 2002/01/11 10:42:54 $

A Functional Method for Assessing Protocol Implementation Security

Serious information security vulnerabilities are discovered daily and reported in already deployed software products. Customers have no feasible means of estimating the security level of the products they purchase. The few generally applicable methods require the source code, which is often not delivered with a product. Many of the reported vulnerabilities are robustness problems. Robustness can be functionally assessed without the source code by injecting anomalies, i.e. unexpected input elements, into the tested component. The component passes the tests if it handles the injected anomalies securely. The methods generally applied to software testing and modelling were found to be too complex and rigid for functional robustness assessment. A new mini-simulation method, using an attribute grammar to model both the input syntax and the software behaviour, was proposed. Means for the systematic creation of a large number of test cases were presented. The method was used to test the robustness of 49 software products. A total of 40 of the tested products were found to be vulnerable to denial-of-service problems, and 14 of them were proven to contain vulnerabilities that make it possible to execute remotely supplied code on the host system. Applications of the method include quantitative comparisons and the benchmarking of software components, but it has some limitations: the proportion of flaws found by the method relative to the actual number of flaws is difficult to assess, and the tests may favour some components over others. However, if the method helps to eliminate the most obvious vulnerabilities, finding serious flaws by unsystematic means becomes much harder, which could cut down the number of publicly disclosed vulnerabilities.
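The mini-simulation idea described above, as an added example that is not code from the thesis or from the PROTOS project: a toy attribute-grammar-style model of a request message in which every terminal carries its valid value and a list of anomalies, a generator that renders one test case per (element, anomaly) pair, and a constructed, deliberately fragile parser standing in for the implementation under test. The element names, the anomaly libraries, the message format and the parser's three modelled defects are all assumptions made for this illustration.

```python
"""Added example: mini-simulation style robustness test generation.
Not code from the thesis or PROTOS; grammar, anomaly lists and the
'implementation under test' are constructed for illustration only."""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    # Terminals carry a valid value plus anomalies; non-terminals carry children.
    name: str
    valid: bytes = b""
    children: list = field(default_factory=list)
    anomalies: list = field(default_factory=list)


def term(name, valid, anomalies=()):
    return Node(name, valid=valid, anomalies=list(anomalies))


def seq(name, *children):
    return Node(name, children=list(children))


# Anomaly libraries, chosen by the kind of element they replace (assumed values).
STRING_ANOMALIES = [b"", b"A" * 1024, b"%s%n%x" * 8, b"\x00", b"\xff" * 64]
NUMBER_ANOMALIES = [b"0", b"-1", b"4294967296", b"9" * 20]
DELIM_ANOMALIES = [b"", b"\r", b"\n\n"]


def build_grammar():
    """Toy HTTP-like request: request line, one header, terminating empty line."""
    return seq("request",
        term("method", b"GET", STRING_ANOMALIES),
        term("sp1", b" ", DELIM_ANOMALIES),
        term("path", b"/index.html", STRING_ANOMALIES),
        term("sp2", b" ", DELIM_ANOMALIES),
        seq("version",
            term("proto", b"HTTP/", STRING_ANOMALIES),
            term("major", b"1", NUMBER_ANOMALIES),
            term("dot", b".", DELIM_ANOMALIES),
            term("minor", b"0", NUMBER_ANOMALIES)),
        term("crlf1", b"\r\n", DELIM_ANOMALIES),
        seq("header",
            term("hname", b"Host", STRING_ANOMALIES),
            term("colon", b": ", DELIM_ANOMALIES),
            term("hvalue", b"example.test", STRING_ANOMALIES),
            term("crlf2", b"\r\n", DELIM_ANOMALIES)),
        term("end", b"\r\n", DELIM_ANOMALIES))


def leaves(node):
    if node.children:
        for child in node.children:
            yield from leaves(child)
    else:
        yield node


def render(node, overrides):
    """Serialise the tree; 'overrides' maps a terminal name to a replacement value."""
    if node.children:
        return b"".join(render(c, overrides) for c in node.children)
    return overrides.get(node.name, node.valid)


def generate_cases(grammar):
    """Single-anomaly strategy: each case differs from the valid message in one element."""
    yield ("valid", None, render(grammar, {}))
    for leaf in leaves(grammar):
        for anomaly in leaf.anomalies:
            yield (leaf.name, anomaly, render(grammar, {leaf.name: anomaly}))


class Crash(Exception):
    """Stands in for a crash, hang or memory corruption in the tested component."""


def fragile_parse(msg: bytes) -> dict:
    """Constructed implementation under test. Modelled defects: a 256-byte path
    buffer, an 8-bit version field, and a header value reaching a printf-style
    logger. Every other malformed input is rejected cleanly (a pass)."""
    line, _, rest = msg.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or parts[0] != b"GET":
        raise ValueError("malformed request line")
    path, version = parts[1], parts[2]
    if len(path) > 255:
        raise Crash("path overflows fixed 256-byte buffer")
    m = re.fullmatch(rb"HTTP/(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError("malformed version")
    major, minor = int(m.group(1)), int(m.group(2))
    if major > 255 or minor > 255:
        raise Crash("version silently truncated when stored in a uint8")
    headers = {}
    for hline in rest.split(b"\r\n"):
        if hline == b"":
            break
        name, sep, value = hline.partition(b":")
        if not sep:
            raise ValueError("malformed header")
        value = value.strip()
        if b"%n" in value:
            raise Crash("header value used as a printf format string")
        headers[name] = value
    return {"path": path, "version": (major, minor), "headers": headers}


def run_assessment(grammar, iut):
    """Run every case against the component; record (element, anomaly) pairs it mishandles."""
    cases, failed = 0, []
    for element, anomaly, msg in generate_cases(grammar):
        cases += 1
        try:
            iut(msg)
        except ValueError:
            if element == "valid":   # model or component is wrong, not a robustness result
                raise
        except Crash as exc:
            failed.append((element, anomaly, str(exc)))
    return {"cases": cases, "failed": failed}


if __name__ == "__main__":
    result = run_assessment(build_grammar(), fragile_parse)
    print(f"{result['cases']} cases, {len(result['failed'])} failures")
    for element, anomaly, reason in result["failed"]:
        print(f"  {element}: {anomaly[:16]!r} -> {reason}")
```

Because each generated case alters exactly one element, a failure points directly at the element the component mishandles, which is what makes the results usable for the quantitative comparison mentioned in the abstract. The limitation stated there also shows up here: the defects found are bounded by the anomaly libraries, so a component whose flaws lie outside those values, or in combinations of anomalies, passes untouched.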

Publication details and availability
Title: A Functional Method for Assessing Protocol Implementation Security
Publication details: Kaksonen, Rauli. A Functional Method for Assessing Protocol Implementation Security (Licentiate thesis). Espoo. Technical Research Centre of Finland, VTT Publications 447. 128 p. + app. 15 p. ISBN 951-38-5873-1 (soft back ed.) ISBN 951-38-5874-X (on-line ed.).
Keywords: information security, automated testing, software quality, implementation vulnerabilities, programming mistakes, mini-simulation method
Availability: PDF from the Technical Research Centre of Finland (also soft back ed. from Information Services); soft back ed. from the Granum virtual book-shop.
