Article

Improving network applications security: a new heuristic to generate stress testing data

Authors:
Concettina Del Grosso

University of Sannio, Benevento, Italy

University of Sannio, Benevento, Italy
View Profile

,
Giuliano Antoniol

University of Sannio, Benevento, Italy

University of Sannio, Benevento, Italy
View Profile

,
Massimiliano Di Penta

University of Sannio, Benevento, Italy

University of Sannio, Benevento, Italy
View Profile

,
Philippe Galinier

École Polytechnique de Montréal, Montréal, Canada

École Polytechnique de Montréal, Montréal, Canada
View Profile

,
Ettore Merlo

École Polytechnique de Montréal, Montréal, Canada

École Polytechnique de Montréal, Montréal, Canada
View Profile

GECCO '05: Proceedings of the 7th annual conference on Genetic and evolutionary computationJune 2005Pages 1037–1043https://doi.org/10.1145/1068009.1068185

Published:25 June 2005Publication History

GECCO '05: Proceedings of the 7th annual conference on Genetic and evolutionary computation

Pages 1037–1043

ABSTRACT

Buffer overflows cause serious problems in different categories of software systems. For example, if present in network or security applications, they can be exploited to gain unauthorized grant or access to the system. In embedded systems, such as avionics or automotive systems, they can be the cause of serious accidents.This paper proposes to combine static analysis and program slicing with evolutionary testing, to detect buffer overflow threats. Static analysis identifies vulnerable statements, while slicing and data dependency analysis identify the relationship between these statements and program or function inputs, thus reducing the search space.To guide the search towards discovering buffer overflow in this work we define three multi-objective fitness functions and compare them on two open-source systems. These functions account for terms such as the statement coverage, the coverage of vulnerable statements, the distance form buffer boundaries and the coverage of unconstrained nodes of the control flow graph.

References

Beetlesoft RatScan. http://www.beetlesoft.com.Google Scholar
Secure software solutions, rats, the rough auditing tool for security. http://www.securesw.com/rats/.Google Scholar
G. Antoniol and E. Merlo. A static measure of a subset of intra-procedural data flow testing coverage based on node coverage. In CASCON, October 1999. Google ScholarDigital Library
D. Binkley and M. Harman. Analysis and visualization of predicate dependence on formal parameters and global variables. IEEE Transactions on Software Engineering, 30(11):715--735, Nov 2004. Google ScholarDigital Library
D. DaCosta, C. Dahn, S. Mancoridis, and V. Prevelakis. Characterizing the 'security vulnerability likelihood' of software functions. In Proceedings of IEEE International Conference on Software Maintenance, pages 266--276, Amsterdam, The Netherlands, Oct 2003. Google ScholarDigital Library
C. Del Grosso, G. Antoniol, and M. Di Penta. An evolutionary testing approach to detect buffer overflow. In Student Paper Proceedings of the International Symposium of Software Reliability Engineering (ISSRE), St. Malo, France, Nov 2004.Google Scholar
C. Del Grosso, M. Di Penta, and G. Antoniol. An evolutionary testing approach to detect buffer overflows. In International Symposium on Software Reliability Engineering (student paper), pages 77--78, St Malo, Bretagne, France, November, 2-5 2004.Google Scholar
D. E. Goldberg. Genetic Algorithms in Search, Optimization and Machine Learning. Addison-Wesley Pub Co, Jan 1989. Google ScholarDigital Library
R. Hastings and B. Joyce. Purify: Fast detection of memory leaks and access errors. In In Proceedings of the Winter USENIX Conference, Washington, DC, USA, Aug 1992.Google Scholar
E. Haugh and M. Bishop. Testing c programs for buffer overflow vulnerabilities.Google Scholar
B. Korel and A. Al-Yami. Assertion-oriented automated test data generation. In Proceedings of the International Conference on Software Engineering, Berlin, Germany, 1996. Google ScholarDigital Library
D. Larochelle and D. Evans. Statically detecting likely buffer overflow vulnerabilities. In In Proceedings of the USENIX Security Symposium, Washington, DC, USA, Aug 2001. Google ScholarDigital Library
P. McMinn. Search-based software test data generation: a survey. Software Testing, Verification and Reliability, 14:105--156, June 2004. Google ScholarDigital Library
E. Merlo and G. Antoniol. A static measure of a subset of intra-procedural data flow testing coverage based on node coverage. In Proceedings of CASCON-99 - ponsored by IBM Canada and the National Reasearch Council of Canada, pages 173--186, Mississauga (Ontario), November 8-11 1999. Google ScholarDigital Library
B. Miller, L. Fredricksen, and B. So. Empirical study of the reliability of unix utilities. Communications of the Association for Computing Machinery, 33(12):32--44, Dec 1990. Google ScholarDigital Library
O. Ruwase and M. Lam. A practical dynamic buffer overflow detector. In Proceedings of the Network and Distributed System Security (NDSS) Symposium, pages 159--169, Feb 2004.Google Scholar
N. Tracey. A search-based automated test-data generation framework for safety critical software. PhD thesis, University of York, 2000.Google Scholar
N. Tracey, J. Clark, K. Mander, and J. McDermid. Automated test data generation for exception conditions. Software - Practice and Experience, 30(1), 2000. Google ScholarDigital Library
J. Viega, J. Bloch, T. Kohno, and G. McGraw. ITS4: A static vulnerability scanner for c and c++ code. In Proceedings of the 16th Annual Computer Security Applications Conference, pages 3--17, Dec 2000. Google ScholarDigital Library
S. G. W. and C. W. G. Statistical Methods. Iowa State University Press, 1989.Google Scholar
D. Wagner, J. Foster, E. Brewer, and A. Aiken. A first step towards automated detection of buffer overrun vulnerabilities. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS '00), pages 3--17, San Diego, CA, USA, Feb 2000.Google Scholar
M. Wall. GAlib - a C++ library of genetic algorithm components. http://lancet.mit.edu/ga/.Google Scholar
M. Weiser. Program slicing. IEEE Transactions on Software Engineering, 10(4):352--357, July 1984.Google ScholarDigital Library

Index Terms

Improving network applications security: a new heuristic to generate stress testing data
1. Software and its engineering
  1. Software creation and management
    1. Software verification and validation
      1. Software defect analysis
        Software testing and debugging

Recommendations

Detecting buffer overflow via automatic test input data generation

Buffer overflows cause serious problems in various categories of software systems. In critical systems, such as health-care, nuclear or aerospace software applications, a buffer overflow may cause severe threats to humans or severe economic losses. If ...
Read More
Fragility of the Robust Security Network: 802.11 Denial of Service
ACNS '09: Proceedings of the 7th International Conference on Applied Cryptography and Network Security

The upcoming 802.11w amendment to the 802.11 standard eliminates the 802.11 deauthentication and disassociation Denial of Service (DoS) vulnerabilities. This paper presents two other DoS vulnerabilities: one vulnerability in draft 802.11w ...
Read More
Measuring and Improving Latency to Avoid Test Suite Wear Out
ICSTW '09: Proceedings of the IEEE International Conference on Software Testing, Verification, and Validation Workshops

This paper introduces the concept of test suite latency. The more latent a test suite, the more it is possible to repeatedly select subsets that achieve a test goal (such as coverage) without re-applying test cases. Where a test case is re-applied it ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
GECCO '05: Proceedings of the 7th annual conference on Genetic and evolutionary computation
June 2005
2272 pages
ISBN:1595930108
DOI:10.1145/1068009
Editor:
Hans-Georg Beyer
Vorarlberg University of Applied Sciences, Austria
,
General Chair:
Una-May O'Reilly
CSAIL, MIT
Copyright © 2005 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 25 June 2005
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
evolutionary testing
security
stress testing
test data generation
Qualifiers
- Article
Conference

Acceptance Rates
Overall Acceptance Rate1,669of4,410submissions,38%
Upcoming Conference
GECCO '24

Sponsor:

sigevo

Genetic and Evolutionary Computation Conference

July 14 - 18, 2024

Melbourne , VIC , Australia
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 25
  Total Citations
  View Citations
- 625
  Total Downloads
- Downloads (Last 12 months)9
- Downloads (Last 6 weeks)2
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Improving network applications security: a new heuristic to generate stress testing data

GECCO '05: Proceedings of the 7th annual conference on Genetic and evolutionary computation

ABSTRACT

References

Cited By

Index Terms

Recommendations

Detecting buffer overflow via automatic test input data generation

Fragility of the Robust Security Network: 802.11 Denial of Service

Measuring and Improving Latency to Avoid Test Suite Wear Out