Metamorphic Testing for Web System Security

University of Ottawa | University of Luxembourg
Nazanin Bayati - Metamorphic Testing for Web System Security
13 September 2023
Journal First – IEEE Transactions on Software Engineering
Presented by: Nazanin Bayati
Authors:
Nazanin Bayati, University of Ottawa
Fabrizio Pastore, University of Luxembourg
Lionel Briand, University of Ottawa and University of Luxembourg
Arda Goknil, SINTEF Digital, Norway
Metamorphic Testing for Web System Security
• Security vulnerabilities are subtle
• They are discovered when testing with many inputs
• Specifying the expected results for all those inputs is infeasible
Metamorphic Testing alleviates the Oracle Problem
• Metamorphic Testing (MT) is based on the idea that it may be simpler to reason about relations between the outputs of multiple test executions, called Metamorphic Relations (MRs), than to specify the output of the system for a given input
• In MT, system properties are captured as MRs that
  • specify how to automatically transform an initial set of test inputs (source inputs) into follow-up test inputs
  • specify the relation between the outputs obtained from source and follow-up inputs
• A failure is observed when such a relation is violated.
Metamorphic Security Testing
• Source input: a sequence of valid interactions with the system, e.g. {login(Admin), RequestURL(settings_page)}
• Follow-up input: generated by altering the valid interactions as an attacker would do, e.g. {login(User1), RequestURL(settings_page)}
• Relations: capture properties that hold when the system is not vulnerable, e.g. if the user in the follow-up input cannot access the URL from her GUI, then the outputs of the source and follow-up inputs should be different
MST-wi: Metamorphic Security Testing for Web Interfaces
[Figure: the MST-wi workflow; steps recovered from the slide diagram]
1. Execute the Data Collection Framework on the Web System (interaction sequences such as log in, submit form, logout), producing the Source Inputs
2. Select or specify the Metamorphic Relations, starting from the catalog of 76 Metamorphic Relations, producing a List of Metamorphic Relations
3. Translate the Metamorphic Relations to Java, producing Executable Metamorphic Relations in Java
4. Execute the Metamorphic Testing Framework, producing the Test results
MST-wi – MR Example
• Security issue: Bypass Authorization Schema
• Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised
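The Bypass Authorization Schema relation and the exhaustive source/follow-up loop described above, as an added illustration that is not code from the MST-wi project: it runs the relation against a constructed in-memory web application once with the authorization check missing and once with it present, so the same relation flags the weak server and passes the fixed one. `WebApp`, `PAGES_POLICY`, `USERS` and the source inputs are assumptions constructed for the example, and output comparison is plain string equality, a simplification.

```python
from dataclasses import dataclass
from itertools import product

# Constructed toy web system (not MST-wi's data collection framework).
# PAGES_POLICY is the intended access policy: which roles may view each page.
PAGES_POLICY = {
    "/settings_page": {"admin"},
    "/admin/users": {"admin"},
    "/profile_page": {"admin", "user"},
}
USERS = {"Admin": "admin", "User1": "user", "User2": "user"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


class WebApp:
    """enforce=False models a server that skips the authorization check on a
    direct URL request (the Bypass Authorization Schema weakness);
    enforce=True is the fixed server. Sessions are kept in memory."""

    def __init__(self, enforce):
        self.enforce = enforce
        self.sessions = {}

    def login(self, user):
        token = f"tok-{user}"
        self.sessions[token] = USERS[user]
        return token

    def logout(self, token):
        self.sessions.pop(token, None)

    def request_url(self, token, url):
        role = self.sessions.get(token)
        if role is None:
            return Response(302, "redirect:/login")
        if self.enforce and role not in PAGES_POLICY.get(url, set()):
            return Response(403, "forbidden")
        # Page content does not depend on the viewer, so a missing check makes
        # the follow-up output identical to the source output.
        return Response(200, f"content of {url}")

    def gui_links(self, token):
        # URLs linked from the logged-in user's GUI, i.e. what a crawler sees.
        role = self.sessions[token]
        return {url for url, roles in PAGES_POLICY.items() if role in roles}


@dataclass(frozen=True)
class Interaction:
    """One input sequence: {login(user), RequestURL(url)}."""
    user: str
    url: str


def execute(app, inter):
    token = app.login(inter.user)
    try:
        return app.request_url(token, inter.url)
    finally:
        app.logout(token)


def mr_bypass_authorization(app, source, follow_user):
    """The follow-up input replays the source URL request as follow_user.
    If follow_user cannot reach the URL from her GUI, the two outputs must
    differ; equal outputs violate the relation. Returns None when the relation
    holds or does not apply, otherwise a description of the violation."""
    token = app.login(follow_user)
    reachable = app.gui_links(token)
    app.logout(token)
    if source.url in reachable:
        return None  # legitimate access: the relation's premise does not hold
    out_source = execute(app, source)
    out_follow = execute(app, Interaction(follow_user, source.url))
    if out_source.body == out_follow.body:
        return (f"{follow_user} got the same output as {source.user} "
                f"for {source.url} (HTTP {out_follow.status})")
    return None


def run_mst(app, source_inputs, users):
    """Metamorphic testing loop: each source input is paired with every other
    user as the follow-up, so all source/follow-up combinations are tried."""
    violations = []
    for source, follow_user in product(source_inputs, users):
        if follow_user == source.user:
            continue
        violation = mr_bypass_authorization(app, source, follow_user)
        if violation:
            violations.append(violation)
    return violations


# Constructed source inputs, as a crawler might collect them.
SOURCE_INPUTS = [
    Interaction("Admin", "/settings_page"),
    Interaction("Admin", "/admin/users"),
    Interaction("User1", "/profile_page"),
]

if __name__ == "__main__":
    for enforce in (False, True):
        found = run_mst(WebApp(enforce), SOURCE_INPUTS, list(USERS))
        print(f"enforce={enforce}: {len(found)} violation(s)")
        for v in found:
            print("  ", v)
```

The weak server yields four violations (two non-admin users for each of the two admin-only source inputs) and the fixed server none; the User1 source input produces no violation because the other users can reach /profile_page from their GUI, so the relation does not apply.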
MST-wi – Research Questions
• RQ1. What testing activities can be automated thanks to oracle automation provided by MST-wi?
• RQ2. What vulnerability types can MST-wi detect?
• RQ3. What testability guidelines can we define to enable effective test automation with MST-wi?
• RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools?
• RQ5. Can we identify patterns for writing MST-wi relations?
• RQ6. Is MST-wi effective?
• RQ7. Is MST-wi efficient?
MST-wi – What vulnerability types can MST-wi detect?
• We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database
• Considered three subsets:
  • CWE view for common security architectural tactics
  • CWE Top 25 most dangerous software errors
  • OWASP Top 10 Web security risks
• To implement an MR for a weakness, we first inspect its description, its demonstrative examples, the descriptions of concrete vulnerabilities (CVE) and the common attack patterns (CAPEC) associated with the weakness.
• This process led to a catalog of 76 MRs.
MST-wi – What vulnerability types can MST-wi detect?
Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi:

Security Design Principle | Vulnerability types | Addressed by MST-wi | Rank
Audit | 6 | 1 (16%) | 10th
Authenticate Actors | 28 | 12 (43%) | 4th
Authorize Actors | 60 | 34 (57%) | 3rd
Cross Cutting | 9 | 3 (33%) | 6th
Encrypt Data | 38 | 8 (21%) | 8th
Identify Actors | 12 | 3 (25%) | 7th
Limit Access | 8 | 3 (38%) | 5th
Limit Exposure | 6 | 0 (0%) | 11th
Lock Computer | 1 | 0 (0%) | 11th
Manage User Session | 6 | 4 (67%) | 2nd
Validate Inputs | 39 | 31 (79%) | 1st
Verify Message Integrity | 19 | 2 (20%) | 9th
Total | 223 | 101 (45%) |
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• We compared the vulnerability types detected by MST-wi with the vulnerability types detected by the state-of-the-art SAST and DAST tools reported in a recent empirical study
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
Weaknesses addressed per security design principle. Column groups: addressed by MST-wi; addressed by each competing tool (Zap, DA2, Sonar, SA2); addressed by MST-wi but not by the tool; not addressed by MST-wi but addressed by the tool.

Security Design Principle | MST | Addressed by Zap, DA2, Sonar, SA2 | Addressed by MST but not by Zap, DA2, Sonar, SA2 | Not addressed by MST but addressed by Zap, DA2, Sonar, SA2
Audit | 1 | 0 0 0 3 | 1 1 1 0 | 0 0 0 2
Authenticate Actors | 12 | 0 2 1 9 | 12 11 11 7 | 0 1 0 4
Authorize Actors | 34 | 2 0 1 13 | 32 34 34 25 | 0 0 1 4
Cross Cutting | 3 | 0 0 2 0 | 3 3 2 3 | 0 0 1 0
Encrypt Data | 8 | 2 5 8 10 | 8 8 7 4 | 2 5 7 6
Identify Actors | 3 | 1 1 1 7 | 3 3 3 1 | 1 1 1 5
Limit Access | 3 | 0 1 1 5 | 3 3 2 0 | 0 1 0 2
Limit Exposure | 0 | 1 0 0 1 | 0 0 0 0 | 1 0 0 1
Lock Computer | 0 | 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Manage User Session | 4 | 0 0 0 2 | 4 4 4 2 | 0 0 0 0
Validate Inputs | 31 | 10 7 2 14 | 24 25 30 19 | 3 1 1 2
Verify Message Integrity | 2 | 1 0 0 3 | 2 2 2 1 | 1 0 0 2
Total | 101 | 17 16 16 67 | 92 94 96 62 | 8 9 11 28

The set of weaknesses targeted by MST-wi (101) is larger than the 84 that can be targeted by applying all four competing approaches together.
MST-wi – Is MST-wi effective?
Applied MST-wi to test well-known Web systems:
• Jenkins v2.121
• Joomla v3.8.7
Assessed the capability of MST-wi to detect known vulnerabilities:
• 11 for Jenkins, 3 for Joomla
• One of them was discovered by MST-wi (CVE-2018-17857)
Considered two setups:
• Derive source inputs with the crawler only
• Consider additional manually implemented functional test cases
Metrics:
• Sensitivity: proportion of vulnerabilities identified
• Specificity: proportion of inputs not leading to false alarms
MST-wi – Is MST-wi effective?
• The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms
• Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective
• We can discover more than 60% of vulnerabilities in a completely automated manner, using only the crawler
• And up to 85% using both crawler and manual inputs
https://github.com/MetamorphicSecurityTesting/MST
Metamorphic Testing for Web System Security
Presented by: Nazanin Bayati
13 September 2023
N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
n.bayati@uottawa.ca
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
MST-wi can detect 56 weaknesses that no other approach can address.
Taken together, the DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
• The weaknesses that MST-wi cannot address are mostly those (i) that can only be discovered using program analysis, (ii) that are not related to user-system interactions, or (iii) that concern non-Web-based systems.
Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach.
MariaDB stored procedures and why they should be improvedFederico Razzoli
8 visualizações32 slides
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ... por
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...Deltares
9 visualizações32 slides
DevsRank por
DevsRankDevsRank
DevsRankdevsrank786
11 visualizações1 slide
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... por
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...Deltares
7 visualizações40 slides
Winter '24 Release Chat.pdf por
Winter '24 Release Chat.pdfWinter '24 Release Chat.pdf
Winter '24 Release Chat.pdfmelbourneauuser
9 visualizações20 slides
Fleet Management Software in India por
Fleet Management Software in India Fleet Management Software in India
Fleet Management Software in India Fleetable
11 visualizações1 slide

Último(20)

MariaDB stored procedures and why they should be improved por Federico Razzoli
MariaDB stored procedures and why they should be improvedMariaDB stored procedures and why they should be improved
MariaDB stored procedures and why they should be improved
Federico Razzoli8 visualizações
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ... por Deltares
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
DSD-INT 2023 Wave-Current Interaction at Montrose Tidal Inlet System and Its ...
Deltares9 visualizações
DevsRank por devsrank786
DevsRankDevsRank
DevsRank
devsrank78611 visualizações
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM... por Deltares
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
DSD-INT 2023 Next-Generation Flood Inundation Mapping for Taiwan - Delft3D FM...
Deltares7 visualizações
Winter '24 Release Chat.pdf por melbourneauuser
Winter '24 Release Chat.pdfWinter '24 Release Chat.pdf
Winter '24 Release Chat.pdf
melbourneauuser9 visualizações
Fleet Management Software in India por Fleetable
Fleet Management Software in India Fleet Management Software in India
Fleet Management Software in India
Fleetable11 visualizações
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon por Deltares
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - AfternoonDSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon
DSD-INT 2023 - Delft3D User Days - Welcome - Day 3 - Afternoon
Deltares13 visualizações
Cycleops - Automate deployments on top of bare metal.pptx por Thanassis Parathyras
Cycleops - Automate deployments on top of bare metal.pptxCycleops - Automate deployments on top of bare metal.pptx
Cycleops - Automate deployments on top of bare metal.pptx
Thanassis Parathyras30 visualizações
ict act 1.pptx por sanjaniarun08
ict act 1.pptxict act 1.pptx
ict act 1.pptx
sanjaniarun0813 visualizações
What Can Employee Monitoring Software Do?​ por wAnywhere
What Can Employee Monitoring Software Do?​What Can Employee Monitoring Software Do?​
What Can Employee Monitoring Software Do?​
wAnywhere21 visualizações
Citi TechTalk Session 2: Kafka Deep Dive por confluent
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
confluent17 visualizações
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan... por Deltares
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
Deltares11 visualizações
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t... por Deltares
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...
DSD-INT 2023 Thermobaricity in 3D DCSM-FM - taking pressure into account in t...
Deltares9 visualizações
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx por animuscrm
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
2023-November-Schneider Electric-Meetup-BCN Admin Group.pptx
animuscrm13 visualizações
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea... por Safe Software
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Safe Software412 visualizações
Consulting for Data Monetization Maximizing the Profit Potential of Your Data... por Flexsin
Consulting for Data Monetization Maximizing the Profit Potential of Your Data...Consulting for Data Monetization Maximizing the Profit Potential of Your Data...
Consulting for Data Monetization Maximizing the Profit Potential of Your Data...
Flexsin 15 visualizações
El Arte de lo Possible por Neo4j
El Arte de lo PossibleEl Arte de lo Possible
El Arte de lo Possible
Neo4j38 visualizações
Keep por Geniusee
KeepKeep
Keep
Geniusee73 visualizações
A first look at MariaDB 11.x features and ideas on how to use them por Federico Razzoli
A first look at MariaDB 11.x features and ideas on how to use themA first look at MariaDB 11.x features and ideas on how to use them
A first look at MariaDB 11.x features and ideas on how to use them
Federico Razzoli45 visualizações
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023 por Icinga
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Upgrading Incident Management with Icinga - Icinga Camp Milan 2023
Icinga38 visualizações

Metamorphic Testing for Web System Security

Slide 1. Metamorphic Testing for Web System Security
University of Ottawa | University of Luxembourg
Nazanin Bayati - Metamorphic Testing for Web System Security, 13 September 2023
Journal First – IEEE Transactions on Software Engineering
Presented by: Nazanin Bayati, 13 September 2023
Authors: Nazanin Bayati (University of Ottawa), Fabrizio Pastore (University of Luxembourg), Lionel Briand (University of Ottawa, University of Luxembourg), Arda Goknil (SINTEF Digital, Norway)

Slide 2.
• Security vulnerabilities are subtle
• Discovered when testing with many inputs
• Specifying expected results is infeasible

Slide 3. Metamorphic Testing alleviates the Oracle Problem
• Metamorphic Testing (MT) is based on the idea that it may be simpler to reason about relations between outputs of multiple test executions, called Metamorphic Relations (MRs), than to specify the output of the system for a given input
• In MT, system properties are captured as MRs that
  • specify how to automatically transform an initial set of test inputs (source inputs) into follow-up test inputs
  • specify the relation between the outputs obtained from source and follow-up inputs
• A failure is observed when such relations are violated.

Slide 4. Metamorphic Security Testing
• Source input: a sequence of valid interactions with the system, e.g. {login(Admin), RequestURL(settings_page)}
• Follow-up input: generated by altering valid interactions as an attacker would do, e.g. {login(User1), RequestURL(settings_page)}
• Relations: capture properties that hold when the system is not vulnerable, e.g. if the user in the follow-up input cannot access the URL from her GUI, then the output of the source and follow-up inputs should be different

Slide 5. MST-wi: Metamorphic Security Testing for Web Interfaces (process diagram)
1. Web System → Execute the Data Collection Framework → Source Inputs (crawled interaction sequences such as Log in, Submit form, logout)
2. Catalog of 76 Metamorphic Relations → Select or Specify the Metamorphic Relations → List of Metamorphic Relations
3. Translate Metamorphic Relations to Java → Executable Metamorphic Relations in Java
4. Execute the Metamorphic Testing Framework (Source Inputs + Executable MRs) → Test results
Slides 6–11. MST-wi – MR Example
• Security issue: Bypass Authorization Schema
(The MR is built up step by step across these slides; the figure is not in the transcript.)

Slide 12. MST-wi – MR Example
• Security issue: Bypass Authorization Schema
• Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised
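The authorization-bypass relation of slide 4, executed over every source/follow-up combination as slide 12 describes, written out as an added Python example. This is not code from the paper or from the MST-wi repository (which expresses MRs in Java): the toy web system, its users, pages and the per-user link sets standing in for the crawler's data collection are all constructed for this example.

```python
"""Added example (not from the paper or the MST-wi project): the
'Bypass Authorization Schema' metamorphic relation from slide 4, run the
way slide 12 describes (every source input against every other user)
against a toy web system. Everything below is constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Toy web system (constructed). Each page has a body; settings is admin-only.
PAGES: Dict[str, str] = {"/home": "welcome", "/settings_page": "admin settings", "/profile": "your profile"}
ADMIN_ONLY: Set[str] = {"/settings_page"}
ROLES: Dict[str, str] = {"Admin": "admin", "User1": "user"}

# Output of the data collection step: the links a crawler sees in each
# user's own GUI. The MR consults this to decide when outputs must differ.
GUI_LINKS: Dict[str, Set[str]] = {
    "Admin": {"/home", "/settings_page", "/profile"},
    "User1": {"/home", "/profile"},
}

Interaction = Tuple[str, str]   # ("login", user), ("logout", ""), ("request", url)
Output = Tuple[int, str]        # (HTTP status, body)


@dataclass
class Session:
    user: Optional[str] = None


RequestFn = Callable[[Session, str], Output]


def vulnerable_request(session: Session, url: str) -> Output:
    """Server with the defect the MR targets: authentication is checked,
    authorization is not, so any logged-in user can fetch any page."""
    if session.user is None:
        return 302, "redirect:/login"
    if url not in PAGES:
        return 404, "not found"
    return 200, PAGES[url]


def fixed_request(session: Session, url: str) -> Output:
    """Same server with the missing authorization check in place."""
    if session.user is None:
        return 302, "redirect:/login"
    if url not in PAGES:
        return 404, "not found"
    if url in ADMIN_ONLY and ROLES.get(session.user) != "admin":
        return 403, "forbidden"
    return 200, PAGES[url]


def execute(system: RequestFn, inputs: List[Interaction]) -> List[Output]:
    """Replay a sequence of interactions; collect one output per request."""
    session, outputs = Session(), []
    for kind, arg in inputs:
        if kind == "login":
            session.user = arg
        elif kind == "logout":
            session.user = None
        elif kind == "request":
            outputs.append(system(session, arg))
    return outputs


def follow_up_for(source: List[Interaction], other_user: str) -> List[Interaction]:
    """Follow-up input: the same interactions performed by a different user."""
    return [("login", other_user) if kind == "login" else (kind, arg) for kind, arg in source]


def mr_bypass_authorization(system: RequestFn, source: List[Interaction], other_user: str) -> List[str]:
    """Relation: if the follow-up user cannot reach a URL from her GUI, the
    output of that request must differ between source and follow-up."""
    follow_up = follow_up_for(source, other_user)
    src_out, fu_out = execute(system, source), execute(system, follow_up)
    urls = [arg for kind, arg in source if kind == "request"]
    violations = []
    for url, s, f in zip(urls, src_out, fu_out):
        if url not in GUI_LINKS[other_user] and s == f:
            violations.append(f"{other_user} got the source user's response for {url}: {f}")
    return violations


def run_mr(system: RequestFn, source_inputs: List[List[Interaction]], users: List[str]) -> List[str]:
    """Slide 12: exercise the MR for every source input and every other user."""
    violations = []
    for source in source_inputs:
        source_user = next(arg for kind, arg in source if kind == "login")
        for other in users:
            if other != source_user:
                violations.extend(mr_bypass_authorization(system, source, other))
    return violations


# Source inputs as a crawler would record them (constructed).
SOURCE_INPUTS: List[List[Interaction]] = [
    [("login", "Admin"), ("request", "/settings_page"), ("logout", "")],
    [("login", "Admin"), ("request", "/home"), ("logout", "")],
    [("login", "User1"), ("request", "/profile"), ("logout", "")],
]

if __name__ == "__main__":
    print("vulnerable:", run_mr(vulnerable_request, SOURCE_INPUTS, list(ROLES)))  # one violation
    print("fixed:", run_mr(fixed_request, SOURCE_INPUTS, list(ROLES)))            # []
```

Run against the vulnerable server the relation reports one violation (User1 receives the admin settings page); against the fixed server it reports none. Note that the relation deliberately stays silent for URLs that both users can reach from their GUI, which is what keeps the false-alarm rate (the specificity of slide 18) low, and that it says nothing about pages the crawler never saw, so the quality of the data collection step bounds what the MR can find.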
Slide 13. MST-wi – Research Questions
• RQ1. What testing activities can be automated thanks to oracle automation provided by MST-wi?
• RQ2. What vulnerability types can MST-wi detect?
• RQ3. What testability guidelines can we define to enable effective test automation with MST-wi?
• RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools?
• RQ5. Can we identify patterns for writing MST-wi relations?
• RQ6. Is MST-wi effective?
• RQ7. Is MST-wi efficient?

Slide 14. MST-wi – What vulnerability types can MST-wi detect?
• We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database
• Considered three subsets:
  • CWE view for common security architectural tactics
  • CWE Top 25 most dangerous software errors
  • OWASP Top 10 Web security risks
• To implement an MR, for each weakness, we first inspect its description, its demonstrative examples, the description of concrete vulnerabilities (CVE) and common attack patterns (CAPEC) associated with the weakness.
• This process led to a catalog of 76 MRs.

Slide 15. MST-wi – What vulnerability types can MST-wi detect?
Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi.

Security Design Principle | Vulnerability types | Addressed by MST-wi | Rank
Audit | 6 | 1 (16%) | 10th
Authenticate Actors | 28 | 12 (43%) | 4th
Authorize Actors | 60 | 34 (57%) | 3rd
Cross Cutting | 9 | 3 (33%) | 6th
Encrypt Data | 38 | 8 (21%) | 8th
Identify Actors | 12 | 3 (25%) | 7th
Limit Access | 8 | 3 (38%) | 5th
Limit Exposure | 6 | 0 (0%) | 11th
Lock Computer | 1 | 0 (0%) | 11th
Manage User Session | 6 | 4 (67%) | 2nd
Validate Inputs | 39 | 31 (79%) | 1st
Verify Message Integrity | 19 | 2 (20%) | 9th
Total | 223 | 101 (45%) |
Slide 16. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• We compared the vulnerability types detected by MST-wi with the vulnerability types detected by state-of-the-art SAST and DAST tools reported in a recent empirical study

Slide 17. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
Column groups: (A) weaknesses addressed by MST, Zap, DA2, Sonar, SA2; (B) weaknesses addressed by MST but not by Zap, DA2, Sonar, SA2; (C) weaknesses not addressed by MST but addressed by Zap, DA2, Sonar, SA2.

Security Design Principle | (A) MST Zap DA2 Sonar SA2 | (B) Zap DA2 Sonar SA2 | (C) Zap DA2 Sonar SA2
Audit | 1 0 0 0 3 | 1 1 1 0 | 0 0 0 2
Authenticate Actors | 12 0 2 1 9 | 12 11 11 7 | 0 1 0 4
Authorize Actors | 34 2 0 1 13 | 32 34 34 25 | 0 0 1 4
Cross Cutting | 3 0 0 2 0 | 3 3 2 3 | 0 0 1 0
Encrypt Data | 8 2 5 8 10 | 8 8 7 4 | 2 5 7 6
Identify Actors | 3 1 1 1 7 | 3 3 3 1 | 1 1 1 5
Limit Access | 3 0 1 1 5 | 3 3 2 0 | 0 1 0 2
Limit Exposure | 0 1 0 0 1 | 0 0 0 0 | 1 0 0 1
Lock Computer | 0 0 0 0 0 | 0 0 0 0 | 0 0 0 0
Manage User Session | 4 0 0 0 2 | 4 4 4 2 | 0 0 0 0
Validate Inputs | 31 10 7 2 14 | 24 25 30 19 | 3 1 1 2
Verify Message Integrity | 2 1 0 0 3 | 2 2 2 1 | 1 0 0 2
Total | 101 17 16 16 67 | 92 94 96 62 | 8 9 11 28

Highlighted figure on the slide: 84 (the number of weaknesses covered by the four competing approaches combined). The set of weaknesses targeted by MST-wi (101) is larger than what can be targeted by applying all four competing approaches together.
Slide 18. MST-wi – Is MST-wi effective?
• Applied MST-wi to test well-known Web systems:
  • Jenkins v 2.121
  • Joomla v. 3.8.7
• Assessed MST-wi capability to detect known vulnerabilities:
  • 11 for Jenkins, 3 for Joomla
  • One of them discovered by MST-wi (CVE-2018-17857)
• Considered two setups:
  • Derive source inputs with crawler only
  • Consider additional manually implemented functional test cases
• Metrics:
  • Sensitivity: proportion of vulnerabilities identified
  • Specificity: proportion of inputs not leading to false alarms

Slide 19. MST-wi – Is MST-wi effective?
• The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms
• Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective
• We can discover more than 60% of vulnerabilities in a completely automated manner, using only the crawler
• And up to 85% using both crawler and manual inputs

Slide 20. Tool repository
https://github.com/MetamorphicSecurityTesting/MST

Slide 21. Metamorphic Testing for Web System Security
Presented by: Nazanin Bayati, 13 September 2023
N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
n.bayati@uottawa.ca
University of Ottawa | University of Luxembourg
Backup slides (numbered 23–26 in the slide footer), each repeating the comparison table of slide 17 with a different highlight:

Slide 22 (page 23). MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• Same table as slide 17; highlighted figure: 56
• MST can detect 56 weaknesses that no other approach can address.

Slide 23 (page 24). MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• Same table as slide 17; highlighted figure: 39
• Combined together, DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.

Slide 24 (page 25). MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• Same table as slide 17; highlighted figure: 39
• Combined together, DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
• The weaknesses that MST-wi cannot address are mostly those (i) that can only be discovered using program analysis, (ii) that are not related to user-system interactions, or (iii) that concern non-Web-based systems.

Slide 25 (page 26). MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• Same table as slide 17; highlighted column: weaknesses not addressed by MST but addressed by SA2 (28)
• Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach.
Slide 26 (page 29). MST-wi: Metamorphic Security Testing for Web Interfaces (alternative process diagram)
• Web System → Execute the Data Collection Framework → Source Inputs
• List of Predefined Metamorphic Relations → Select and Specify the MRs → List of MRs → Transform MRs to Java → Executable MRs, written as relations S(x,y) over source and follow-up inputs
• Execute the Metamorphic Testing Framework → Test results

Slide 27 (page 30). MST-wi – Is MST-wi effective?
• Backup copy of slide 19 (same four bullets: high specificity, sensitivity as fault detection rate, more than 60% of vulnerabilities with the crawler only, up to 85% with crawler and manual inputs)