International Conferences: Software Testing, Verification and Validation Workshops (ICSTW), Graz, Austria
SoS Newsletter- Advanced Book Block
The 2015 IEEE Eighth International Conference on Software Testing, Verification and Validation Workshops (ICSTW) was held April 13-17, 2015 in Graz, Austria. The conference focused on model-based testing, software quality, test architecture, combinatorial testing, mutation analysis, security testing and research techniques. Conference details are available at: http://icst2015.ist.tu-graz.ac.at. These bibliographies focus on articles deemed by the editors to be of most relevance to the Science of Security.
Kieseberg, Peter; Fruhwirt, Peter; Schrittwieser, Sebastian; Weippl, Edgar, "Security Tests For Mobile Applications — Why Using TLS/SSL Is Not Enough," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 2, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107416
Abstract: Security testing is a fundamental aspect in many common practices in the field of software testing. Still, the standard security protocols used are typically not questioned and not further analyzed in the testing scenarios. In this work we show that due to this practice, essential potential threats are not detected throughout the testing phase and the quality assurance process. We put our focus mainly on two fundamental problems in the area of security: the definition of the correct attacker model, as well as trusting the client when applying cryptographic algorithms.
Keywords: Security; TLS/SSL; Testing (ID#: 15-5403)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107416&isnumber=7107396
Bozic, Josip; Garn, Bernhard; Simos, Dimitris E.; Wotawa, Franz, "Evaluation Of The IPO-Family Algorithms For Test Case Generation In Web Security Testing," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 10, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107436
Abstract: Security testing of web applications remains a major problem of software engineering. In order to reveal vulnerabilities, testing approaches use different strategies for detection of certain kinds of inputs that might lead to a security breach. Such approaches depend on the corresponding test case generation techniques that are executed against the system under test. In this work we examine how two of the most popular algorithms for combinatorial test case generation, namely the IPOG and IPOG-F algorithms, perform in web security testing. For generating comprehensive and sophisticated testing inputs we have used input parameter modelling, which also includes constraints between the different parameter values. To handle the test execution, we make use of a recently introduced methodology which is based on model-based testing. Our evaluation indicates that both algorithms generate test inputs that succeed in revealing security leaks in web applications, with IPOG-F giving overall slightly better results w.r.t. the test quality of the generated inputs. In addition, using constraints during the modelling of the attack grammars results in an increase in the number of test inputs that cause security breaches. Last but not least, a detailed analysis of our evaluation results confirms that combinatorial testing is an efficient test case generation method for web security testing, as the security leaks are mainly due to the interaction of a few parameters. This statement is further supported by some combinatorial coverage measurement experiments on the successful test inputs.
Keywords: Combinatorial testing; IPO-Family algorithms; attack patterns; constraints; injection attacks; model-based testing; web security testing (ID#: 15-5404)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107436&isnumber=7107396
Henard, Christopher; Papadakis, Mike; Le Traon, Yves, "Flattening Or Not Of The Combinatorial Interaction Testing Models?," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 4, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107443
Abstract: Combinatorial Interaction Testing (CIT) requires the use of models that represent the interactions between the features of the system under test. In most cases, CIT models involve Boolean or integer options and constraints among them. Thus, applying CIT requires solving the involved constraints, which can be directly performed using Satisfiability Modulo Theory (SMT) solvers. An alternative practice is to flatten the CIT model into a Boolean model and use Satisfiability (SAT) solvers. However, the flattening process artificially increases the size of the employed models, raising the question of whether it is profitable or not in the CIT context. This paper investigates this question and demonstrates that flattened models, despite being much larger, are processed faster with SAT solvers than the smaller original ones with SMT solvers. These results suggest that flattening is worthwhile in the CIT context.
Keywords: (not provided) (ID#: 15-5405)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107443&isnumber=7107396
Lindstrom, Birgitta; Andler, Sten F.; Offutt, Jeff; Pettersson, Paul; Sundmark, Daniel, "Mutating Aspect-Oriented Models To Test Cross-Cutting Concerns," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 10, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107456
Abstract: Aspect-oriented (AO) modeling is used to separate normal behaviors of software from specific behaviors that affect many parts of the software. These are called “cross-cutting concerns,” and include things such as interrupt events, exception handling, and security protocols. AO modeling allows developers to model the behaviors of cross-cutting concerns independently of the normal behavior. Aspect-oriented models (AOM) are then transformed into code by “weaving” the aspects (modeling the cross-cutting concerns) into all locations in the code where they are needed. Testing at this level is unnecessarily complicated because the concerns are often repeated in many locations and because the concerns are muddled with the normal code. This paper presents a method to design robustness tests at the abstract, or model, level. The models are mutated with novel operators that specifically target the features of AOM, and tests are designed to kill those mutants. The tests are then run on the implementation level to evaluate the behavior of the woven cross-cutting concerns.
Keywords: Mutation analysis; aspect-oriented modeling; robustness testing (ID#: 15-5406)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107456&isnumber=7107396
Knorr, Konstantin; Aspinall, David, "Security Testing For Android mHealth Apps," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 8, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107459
Abstract: Mobile health (mHealth) apps are an ideal tool for monitoring and tracking long-term health conditions; they are becoming incredibly popular despite posing risks to personal data privacy and security. In this paper, we propose a testing method for Android mHealth apps which is designed using a threat analysis, considering possible attack scenarios and vulnerabilities specific to the domain. To demonstrate the method, we have applied it to apps for managing hypertension and diabetes, discovering a number of serious vulnerabilities in the most popular applications. Here we summarise the results of that case study, and discuss the experience of using a testing method dedicated to the domain, rather than out-of-the-box Android security testing methods. We hope that details presented here will help design further, more automated, mHealth security testing tools and methods.
Keywords: (not provided) (ID#: 15-5407)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107459&isnumber=7107396
Riviere, Lionel; Bringer, Julien; Le, Thanh-Ha; Chabanne, Herve, "A Novel Simulation Approach For Fault Injection Resistance Evaluation On Smart Cards," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 8, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107460
Abstract: Physical perturbations are performed against embedded systems that can contain valuable data. Such devices, and in particular smart cards, are targeted because potential attackers hold them. The embedded system security must hold against intentional hardware failures that can result in software errors. For a malicious purpose, an attacker could exploit such errors to find out secret data or disrupt a transaction. Simulation techniques help to point out fault injection vulnerabilities and come at an early stage in the development process. This paper proposes a generic fault injection simulation tool that has the particularity to embed the injection mechanism into the smart card source code. By its embedded nature, the Embedded Fault Simulator (EFS) allows us to perform fault injection simulations and side-channel analyses simultaneously. It makes it possible to achieve combined attacks, multiple fault attacks and to perform backward analyses. We appraise our approach on real, modern and complex smart card systems under data and control flow fault models. We illustrate the EFS capacities by performing a practical combined attack on an Advanced Encryption Standard (AES) implementation.
Keywords: Fault injection; Physical attack; combined attack; data modification; embedded systems; fault simulation; instruction skip; side-channel attack; smart card (ID#: 15-5408)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107460&isnumber=7107396
Afzal, Zeeshan; Lindskog, Stefan, "Automated Testing of IDS Rules," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 2, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107461
Abstract: As technology becomes ubiquitous, new vulnerabilities are being discovered at a rapid rate. Security experts continuously find ways to detect attempts to exploit those vulnerabilities. The outcome is an extremely large and complex rule set used by Intrusion Detection Systems (IDSs) to detect and prevent the vulnerabilities. The rule sets have become so large that it seems infeasible to verify their precision or identify overlapping rules. This work proposes a methodology consisting of a set of tools that will make rule management easier.
Keywords: (not provided) (ID#: 15-5409)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107461&isnumber=7107396
Henard, Christopher; Papadakis, Mike; Le Traon, Yves, "Flattening Or Not Of The Combinatorial Interaction Testing Models?," Software Testing, Verification and Validation Workshops (ICSTW), 2015 IEEE Eighth International Conference on, pp. 1, 4, 13-17 April 2015. doi: 10.1109/ICSTW.2015.7107443
Abstract: Combinatorial Interaction Testing (CIT) requires the use of models that represent the interactions between the features of the system under test. In most cases, CIT models involve Boolean or integer options and constraints among them. Thus, applying CIT requires solving the involved constraints, which can be directly performed using Satisfiability Modulo Theory (SMT) solvers. An alternative practice is to flatten the CIT model into a Boolean model and use Satisfiability (SAT) solvers. However, the flattening process artificially increases the size of the employed models, raising the question of whether it is profitable or not in the CIT context. This paper investigates this question and demonstrates that flattened models, despite being much larger, are processed faster with SAT solvers than the smaller original ones with SMT solvers. These results suggest that flattening is worthwhile in the CIT context.
Keywords: (not provided) (ID#: 15-5410)
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7107443&isnumber=7107396
Note:
Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to news@scienceofsecurity.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.