Enabling Security Testing from Specification to Code - PowerPoint PPT Presentation

1 / 12
About This Presentation
Title:

Enabling Security Testing from Specification to Code

Description:

School of Information Technology. Centre for Software Assurance ... Intruder acting as Customer Authentic Merchant. Test sequences produced as counter examples. ... – PowerPoint PPT presentation

Number of Views:35
Avg rating:3.0/5.0
Slides: 13
Provided by: win71
Category:

less

Transcript and Presenter's Notes

Title: Enabling Security Testing from Specification to Code


1
Enabling Security Testing from Specification to
Code
  • Shane Bracher and Padmanabhan Krishnan
  • Fifth International Conference on Integrated
    Formal Methods (IFM 2005)
  • 29 November 2 December 2005Eindhoven, The
    Netherlands

2
Problem Statement
  • Formal models
  • Usually created for verifying key properties.
  • The more abstract, the easier to verify.
  • But for testing, they are too far removed from
    the implementation.
  • Possible testing approaches
  • Exhaustive testing all possible behaviour.
  • Bounded exhaustive testing all possible
    behaviour to a certain depth.
  • Fault injection testing reaction under faulty
    environments.
  • Model based testing aims to reduce the testing
    effort.

3
Objective
  • We have a formal model of a protocol.
  • We want to use this model to derive test
    sequences.
  • In particular, we are interested in testing the
    security properties.
  • How can we use model based techniques to
    automatically generate test sequences for testing
    the security properties of protocols?
  • Test sequences generated from
  • the formal model are too abstract. (too far from
    the implementation)
  • the implementation are too concrete. (not
    reusable)

4
Methodology
  • Translate the high-level formal specification
    into an intermediary model
  • less abstract
  • closer to an implementation
  • Now we can generate test sequences from the
    intermediary model (which was derived from the
    formal model).
  • For testing the security properties
  • The security goals are already stated in the
    high-level model.
  • We can specify these goals within the
    intermediary model as annotations.

5
Bridging the gap
6
Case Study
  • Internet Open Trading Protocol (IOTP)
  • Objectives of case study
  • Verify the ability to translate a high-level
    model into an intermediary model.
  • Using annotations, determine the possibility of
    deriving test sequences from the intermediary
    model.

7
Internet Open Trading Protocol
Offer
BrandList, Offer
Select, Offer
Merchant (M)
Pay, Offer, Sig_M(Pay)
Offer, Pay, Merchant, Sig_C(Pay)
Receipt, Sig_P(Pay, Receipt, Offer)
Payment Processor (P)
Customer (C)
Sig_P(Pay, Receipt, Offer), Pay, Receipt, Offer
Data, Sig_D(Data)
Delivery Agent (D)
8
Intermediary Model
  • record (Customer) extends (Role)
  • (Agent) /Customer.C\ / All agents /
  • (PublicKey) /Customer.Kc\ / All keys /
  • (Channel) /Customer.SND_CM\ / All
    channels /
  • / snipped /
  • loc loc1 live brandlist, offer,
    select
  • when this./Customer.RCV_CM\.read do
    invisible
  • brandlist ((BrandList))
    this./Customer.RCV_CM\./Channel.payload\0
  • offer ((Offer)) this./Customer
    .RCV_CM\./Channel.payload\1
  • this./Customer.RCV_CM\.read
    false
  • select new (Select)
  • this./Customer.SND_CM\./Channel.paylo
    ad\0 select
  • this./Customer.SND_CM\./Channel.paylo
    ad\1 offer
  • this./Customer.SND_CM\.read true
  • goto loc2

9
Deriving Test Sequences
  • Security properties tested
  • Authentication Customer authenticates Merchant
    on Pay.
  • Secrecy Pay is to remain secret from the
    Delivery Agent (hypothetical).
  • Sessions
  • Authentic Customer Authentic Merchant
  • Authentic Customer Intruder acting as Merchant
  • Intruder acting as Customer Authentic Merchant
  • Test sequences produced as counter examples.
  • But to get a counter example, we need a violation
    to occur.
  • Solution negate the security goals.

10
Results
  • Concurrent sessions
  • 480 test sequences returned.
  • Reason violation found in large number of
    interleavings.
  • Too many for the Bogor Counter Example
    Environment to display.
  • Therefore, it was necessary to identify a
    sufficiently simple interleaving in order for a
    test sequence trace to be returned.

11
Conclusion
  • Demonstrated the practicability of using an
    intermediary model for automatically deriving
    test sequences for testing the security
    properties of protocols.
  • The derived test sequences are both suitable and
    reusable for testers to apply to a working
    protocol implementation.

12
Thank you for your attention.
  • Shane Brachersbracher_at_student.bond.edu.au
  • Padmanabhan Krishnanpkrishna_at_staff.bond.edu.au
  • Centre for Software AssuranceSchool of
    Information Technology, Bond UniversityGold
    Coast, Queensland, 4229, AUSTRALIA
  • www.sand.bond.edu.au
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Enabling Security Testing from Specification to Code" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!