TY - GEN
T1 - Vulnerability coverage for adequacy security testing
AU - Dass, Shuvalaxmi
AU - Namin, Akbar Siami
N1 - Publisher Copyright:
© 2020 Owner/Author.
PY - 2020/3/30
Y1 - 2020/3/30
N2 - Mainstream software applications and tools are configurable platforms with an enormous number of parameters along with their values. Certain settings and possible interactions between these parameters may harden (or soften) the security and robustness of these applications against some known vulnerabilities. However, the large number of vulnerabilities reported and associated with these tools makes exhaustive testing of these tools against these vulnerabilities infeasible. As an instance of the general software testing problem, the research question to address is whether the system under test is robust and secure against these vulnerabilities. This paper introduces the idea of "vulnerability coverage," a concept to adequately test a given application for certain classes of vulnerabilities, as reported by the National Vulnerability Database (NVD). The driving idea is to utilize the Common Vulnerability Scoring System (CVSS) as a means to measure the fitness of test inputs generated by evolutionary algorithms, then through pattern matching identify vulnerabilities that match the generated vulnerability vectors, and then test the system under test for those identified vulnerabilities. We report the performance of two evolutionary algorithms (i.e., Genetic Algorithms and Particle Swarm Optimization) in generating the vulnerability pattern vectors.
KW - Genetic algorithms (GA)
KW - Particle swarm optimization (PSO)
KW - Software vulnerability testing
KW - Vulnerability coverage
UR - http://www.scopus.com/inward/record.url?scp=85083039169&partnerID=8YFLogxK
U2 - 10.1145/3341105.3374099
DO - 10.1145/3341105.3374099
M3 - Conference contribution
AN - SCOPUS:85083039169
T3 - Proceedings of the ACM Symposium on Applied Computing
SP - 540
EP - 543
BT - 35th Annual ACM Symposium on Applied Computing, SAC 2020
PB - Association for Computing Machinery
T2 - 35th Annual ACM Symposium on Applied Computing, SAC 2020
Y2 - 30 March 2020 through 3 April 2020
ER -