Abstract
A fault injection model-oriented testing strategy was proposed for detecting component vulnerabilities. A fault injection model was defined, and faults were injected into the tested component according to this model to trigger security exceptions. The strategy's monitoring mechanism records the testing process and writes the monitoring information into the security log. The detecting algorithm then detects component vulnerabilities by analyzing the security log. Finally, experiments were carried out on an integration testing platform to verify the applicability of the strategy. The experimental results show that the strategy is effective and operable, with a detection rate of more than 90% for vulnerable components.
Additional information
Foundation item: Project(513150601) supported by the National Pre-Research Project Foundation of China
About this article
Cite this article
Chen, Jf., Lu, Ys., Zhang, W. et al. A fault injection model-oriented testing strategy for component security. J. Cent. South Univ. Technol. 16, 258–264 (2009). https://doi.org/10.1007/s11771-009-0044-0
DOI: https://doi.org/10.1007/s11771-009-0044-0