A fault injection model-oriented testing strategy for component security

  • Jin-fu Chen (陈锦富)
  • Yan-sheng Lu (卢炎生)
  • Wei Zhang (张卫)
  • Xiao-dong Xie (谢晓东)

Abstract

A fault injection model-oriented testing strategy was proposed for detecting component vulnerabilities. A fault injection model was defined, and faults were injected into the component under test according to this model to trigger security exceptions. The strategy's monitoring mechanism recorded the testing process and wrote the monitoring information to a security log. The detecting algorithm then analyzed the security log to detect component vulnerabilities. Lastly, experiments were carried out on an integration testing platform to verify the applicability of the strategy. The experimental results show that the strategy is effective and operable. The detecting rate is more than 90% for vulnerable components.

Key words

component testing; component security; fault injection model; testing strategy; detecting algorithm

Copyright information

© Central South University Press and Springer-Verlag GmbH 2009

Authors and Affiliations

  • Jin-fu Chen (陈锦富) [1]
  • Yan-sheng Lu (卢炎生) [1]
  • Wei Zhang (张卫) [2]
  • Xiao-dong Xie (谢晓东) [1]

  1. College of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, China
  2. Department of Computer Science, Iowa State University, Ames, USA
