Software Engineering Conference, Australian (2007)
Apr. 10, 2007 to Apr. 13, 2007
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ASWEC.2007.31
Percy A. Pari Salas , Bond University, Australia
Padmanabhan Krishnan , Bond University, Australia
Kelvin J. Ross , K.J. Ross & Associates Pty. Ltd., Australia
In this work we present a model-based framework for security vulnerabilities testing. Security vulnerabilities are not only related to security functionalities at the application level but are sensitive to implementation details. Thus traditional model-based approaches which elide implementation details are by themselves inadequate for testing security vulnerabilities. We propose a framework that retains the advantages of model based testing that exposes only the necessary details relevant for vulnerability testing. We define a three-model framework: a model or specification of the key aspects of the application, a model of the implementation and a model of the attacker, for automatic test case generation. This separation allows the test case generation process to test contexts missed by other model-based approaches. We also describe the key aspects of our tool that generates the tests.
K. J. Ross, P. Krishnan and P. A. Pari Salas, "Model-Based Security Vulnerability Testing," Software Engineering Conference, Australian(ASWEC), Melbourne, Australia, 2007, pp. 284-296.