Metamorphic Testing for Web System Security

Lionel Briand, Professor, Canada Research Chair (Tier 1), ERC Advanced grant recipient
University of Ottawa | University of Luxembourg
Nazanin Bayati - Metamorphic Testing for Web System Security
13 September 2023
Journal First – IEEE Transactions on Software Engineering
Presented by: Nazanin Bayati
13 September 2023

Authors:
• Nazanin Bayati, University of Ottawa
• Fabrizio Pastore, University of Luxembourg
• Lionel Briand, University of Ottawa and University of Luxembourg
• Arda Goknil, SINTEF Digital, Norway
Metamorphic Testing for Web System Security
• Security vulnerabilities are subtle
• Discovered when testing with many inputs
• Specifying expected results is infeasible
Metamorphic Testing alleviates the Oracle Problem
• Metamorphic Testing (MT) is based on the idea that it may be simpler to reason about relations between outputs of multiple test executions, called Metamorphic Relations (MRs), than to specify the output of the system for a given input
• In MT, system properties are captured as MRs that
  • specify how to automatically transform an initial set of test inputs (source inputs) into follow-up test inputs
  • specify the relation between the outputs obtained from source and follow-up inputs
• A failure is observed when such relations are violated.
Metamorphic Security Testing
• Source input: a sequence of valid interactions with the system
  {login(Admin), RequestURL(settings_page)}
• Follow-up input: generated by altering valid interactions as an attacker would do
  {login(User1), RequestURL(settings_page)}
• Relations: capture properties that hold when the system is not vulnerable
  if the user in the follow-up input cannot access the URL from her GUI, then the output of the source and follow-up inputs should be different
MST-wi: Metamorphic Security Testing for Web Interfaces
[Workflow diagram] Components shown, in pipeline order:
1. Execute the Data Collection Framework on the Web System → Source Inputs (crawled interaction sequences such as Log in, Submit form, logout)
2. Select or Specify the Metamorphic Relations, from the Catalog of 76 Metamorphic Relations → List of Metamorphic Relations
3. Translate Metamorphic Relations to Java → Executable Metamorphic Relations in Java
4. Execute the Metamorphic Testing Framework → Test results
MST-wi – MR Example
• Security issue: Bypass Authorization Schema
• Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised.
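As an added illustration (not MST-wi's code and not the Java MRs of the paper), the Python below models the source input, follow-up input and relation from the "Metamorphic Security Testing" slide, and runs that MR over every (source input, follow-up user) combination, as the algorithm description above requires. ToyWebApp, GUI_LINKS, Input, run_mr, crawl_sources and the two roles are constructed assumptions for this example; the toy server's enforce_authz switch stands in for a system that does, or does not, enforce its authorization schema.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable

# Constructed toy data: which URLs each role can reach from its GUI, i.e. what
# the data-collection crawler would observe when logged in as that role.
GUI_LINKS = {
    "Admin": {"/home", "/settings", "/users"},
    "User1": {"/home", "/profile"},
}


class ToyWebApp:
    """Hypothetical server under test. With enforce_authz=False it serves any
    known URL to any logged-in user (the authorization schema can be bypassed);
    with enforce_authz=True it refuses URLs outside the user's own GUI."""

    def __init__(self, enforce_authz: bool) -> None:
        self.enforce_authz = enforce_authz

    def request(self, user: str, url: str) -> tuple[int, str]:
        if self.enforce_authz and url not in GUI_LINKS[user]:
            return 403, "forbidden"
        return 200, f"contents of {url}"  # same body whoever asks


@dataclass(frozen=True)
class Input:
    """One input = {login(user), RequestURL(url)}, as on the slide."""
    user: str
    url: str


def execute(app: ToyWebApp, inp: Input) -> tuple[int, str]:
    """Run the interaction sequence (login, then request) and capture the output."""
    return app.request(inp.user, inp.url)


def can_reach_from_gui(user: str, url: str) -> bool:
    return url in GUI_LINKS[user]


def mr_bypass_authorization(app: ToyWebApp, source: Input, follow_up: Input) -> bool:
    """Relation from the slide: if the follow-up user cannot access the URL from
    her GUI, then the outputs of the source and follow-up inputs must differ.
    Returns True when the relation holds (or its precondition does not apply)."""
    if can_reach_from_gui(follow_up.user, follow_up.url):
        return True  # precondition not met: nothing to check for this pair
    return execute(app, source) != execute(app, follow_up)


MR = Callable[[ToyWebApp, Input, Input], bool]


def run_mr(app: ToyWebApp, mr: MR, sources: list[Input], users: list[str]) -> list[tuple[Input, Input]]:
    """Execute one MR against every (source input, follow-up user) combination.
    Each follow-up input is derived by swapping the logged-in user, the way an
    attacker would replay someone else's request. Returns the violating pairs;
    each one is a suspected vulnerability the tester has to inspect."""
    violations = []
    for src, user in product(sources, users):
        if user == src.user:
            continue  # the follow-up must differ from the source
        follow_up = Input(user=user, url=src.url)
        if not mr(app, src, follow_up):
            violations.append((src, follow_up))
    return violations


def crawl_sources() -> list[Input]:
    """Stand-in for the data-collection framework: one source input per URL
    that each role can reach from its GUI."""
    return [Input(user, url) for user, urls in GUI_LINKS.items() for url in sorted(urls)]


if __name__ == "__main__":
    users = list(GUI_LINKS)
    for enforce in (False, True):
        found = run_mr(ToyWebApp(enforce), mr_bypass_authorization, crawl_sources(), users)
        print(f"enforce_authz={enforce}: {len(found)} MR violation(s)")
        for src, fu in found:
            print(f"  source={src}  follow-up={fu}")
```

Against the non-enforcing server the run reports three violations (the /settings and /users pages served unchanged to User1, and /profile served unchanged to Admin) and none against the enforcing one. No expected page content was written anywhere: the relation between the two executions is the oracle, which is the point of the approach.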
MST-wi – Research Questions
• RQ1. What testing activities can be automated thanks to oracle automation provided by MST-wi?
• RQ2. What vulnerability types can MST-wi detect?
• RQ3. What testability guidelines can we define to enable effective test automation with MST-wi?
• RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools?
• RQ5. Can we identify patterns for writing MST-wi relations?
• RQ6. Is MST-wi effective?
• RQ7. Is MST-wi efficient?
MST-wi – What vulnerability types can MST-wi detect?
• We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database
• Considered three subsets:
  • CWE view for common security architectural tactics
  • CWE Top 25 most dangerous software errors
  • OWASP Top 10 Web security risks
• To implement an MR, for each weakness, we first inspect its description, its demonstrative examples, the description of concrete vulnerabilities (CVE) and common attack patterns (CAPEC) associated with the weakness.
• This process led to a catalog of 76 MRs.
MST-wi – What vulnerability types can MST-wi detect?

| Security Design Principle | Vulnerability types | Addressed by MST-wi | Rank |
|---|---|---|---|
| Audit | 6 | 1 (16%) | 10th |
| Authenticate Actors | 28 | 12 (43%) | 4th |
| Authorize Actors | 60 | 34 (57%) | 3rd |
| Cross Cutting | 9 | 3 (33%) | 6th |
| Encrypt Data | 38 | 8 (21%) | 8th |
| Identify Actors | 12 | 3 (25%) | 7th |
| Limit Access | 8 | 3 (38%) | 5th |
| Limit Exposure | 6 | 0 (0%) | 11th |
| Lock Computer | 1 | 0 (0%) | 11th |
| Manage User Session | 6 | 4 (67%) | 2nd |
| Validate Inputs | 39 | 31 (79%) | 1st |
| Verify Message Integrity | 19 | 2 (20%) | 9th |
| Total | 223 | 101 (45%) | |

Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi.
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
• We compared the vulnerability types detected by MST-wi with the vulnerability types detected by the state-of-the-art SAST and DAST tools reported in a recent empirical study
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?

Column groups: (A) weaknesses addressed by each approach; (B) weaknesses addressed by MST but not by the given tool; (C) weaknesses not addressed by MST but addressed by the given tool.

| Security Design Principle | MST | Zap (A) | DA2 (A) | Sonar (A) | SA2 (A) | Zap (B) | DA2 (B) | Sonar (B) | SA2 (B) | Zap (C) | DA2 (C) | Sonar (C) | SA2 (C) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Audit | 1 | 0 | 0 | 0 | 3 | 1 | 1 | 1 | 0 | 0 | 0 | 0 | 2 |
| Authenticate Actors | 12 | 0 | 2 | 1 | 9 | 12 | 11 | 11 | 7 | 0 | 1 | 0 | 4 |
| Authorize Actors | 34 | 2 | 0 | 1 | 13 | 32 | 34 | 34 | 25 | 0 | 0 | 1 | 4 |
| Cross Cutting | 3 | 0 | 0 | 2 | 0 | 3 | 3 | 2 | 3 | 0 | 0 | 1 | 0 |
| Encrypt Data | 8 | 2 | 5 | 8 | 10 | 8 | 8 | 7 | 4 | 2 | 5 | 7 | 6 |
| Identify Actors | 3 | 1 | 1 | 1 | 7 | 3 | 3 | 3 | 1 | 1 | 1 | 1 | 5 |
| Limit Access | 3 | 0 | 1 | 1 | 5 | 3 | 3 | 2 | 0 | 0 | 1 | 0 | 2 |
| Limit Exposure | 0 | 1 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 1 |
| Lock Computer | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Manage User Session | 4 | 0 | 0 | 0 | 2 | 4 | 4 | 4 | 2 | 0 | 0 | 0 | 0 |
| Validate Inputs | 31 | 10 | 7 | 2 | 14 | 24 | 25 | 30 | 19 | 3 | 1 | 1 | 2 |
| Verify Message Integrity | 2 | 1 | 0 | 0 | 3 | 2 | 2 | 2 | 1 | 1 | 0 | 0 | 2 |
| Total | 101 | 17 | 16 | 16 | 67 | 92 | 94 | 96 | 62 | 8 | 9 | 11 | 28 |

• Highlighted value: 84 (the weaknesses that all four competing approaches can target together). The set of weaknesses targeted by MST-wi is larger than what can be targeted by applying all four competing approaches together.
MST-wi – Is MST-wi effective?
Applied MST-wi to test well-known Web systems:
• Jenkins v2.121
• Joomla v3.8.7
Assessed MST-wi capability to detect known vulnerabilities:
• 11 for Jenkins, 3 for Joomla.
• One of them discovered by MST-wi (CVE-2018-17857)
Considered two setups:
• Derive source inputs with the crawler only
• Consider additional manually implemented functional test cases
Metrics:
• Sensitivity: proportion of vulnerabilities identified
• Specificity: proportion of inputs not leading to false alarms
MST-wi – Is MST-wi effective?
• The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms
• Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective
• We can discover more than 60% of vulnerabilities in a completely automated manner, using only the crawler
• And up to 85% using both crawler and manual inputs
https://github.com/MetamorphicSecurityTesting/MST
Metamorphic Testing for Web System Security
Presented by: Nazanin Bayati
13 September 2023
N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
n.bayati@uottawa.ca
MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? (comparison table repeated from above)
• Highlighted value: 56. MST can detect 56 weaknesses that no other approach can address.
• Highlighted value: 39. Combined together, DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
• The weaknesses that MST-wi cannot address are mostly those
(i) that can only be discovered using program analysis,
(ii) that are not related to user-system interactions, or
(iii) that concern non-Web-based systems.
• Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach.
A first look at MariaDB 11.x features and ideas on how to use themFederico Razzoli
44 vistas36 diapositivas
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema por
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDeltares
12 vistas13 diapositivas
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker por
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDeltares
8 vistas16 diapositivas

Último(20)

Tridens DevOps por Tridens
Tridens DevOpsTridens DevOps
Tridens DevOps
Tridens9 vistas
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko... por Deltares
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
DSD-INT 2023 Simulation of Coastal Hydrodynamics and Water Quality in Hong Ko...
Deltares10 vistas
Neo4j y GenAI por Neo4j
Neo4j y GenAI Neo4j y GenAI
Neo4j y GenAI
Neo4j35 vistas
A first look at MariaDB 11.x features and ideas on how to use them por Federico Razzoli
A first look at MariaDB 11.x features and ideas on how to use themA first look at MariaDB 11.x features and ideas on how to use them
A first look at MariaDB 11.x features and ideas on how to use them
Federico Razzoli44 vistas
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema por Deltares
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - GeertsemaDSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
DSD-INT 2023 Delft3D FM Suite 2024.01 1D2D - Beta testing programme - Geertsema
Deltares12 vistas
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker por Deltares
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - ParkerDSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
DSD-INT 2023 SFINCS Modelling in the U.S. Pacific Northwest - Parker
Deltares8 vistas
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ... por marksimpsongw
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
Mark Simpson - UKOUG23 - Refactoring Monolithic Oracle Database Applications ...
marksimpsongw74 vistas
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -... por Deltares
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...
DSD-INT 2023 Simulating a falling apron in Delft3D 4 - Engineering Practice -...
Deltares6 vistas
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove... por Deltares
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
DSD-INT 2023 HydroMT model building and river-coast coupling in Python - Bove...
Deltares15 vistas
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea... por Safe Software
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Geospatial Synergy: Amplifying Efficiency with FME & Esri ft. Peak Guest Spea...
Safe Software391 vistas
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ... por Donato Onofri
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Unmasking the Dark Art of Vectored Exception Handling: Bypassing XDR and EDR ...
Donato Onofri643 vistas
MariaDB stored procedures and why they should be improved por Federico Razzoli
MariaDB stored procedures and why they should be improvedMariaDB stored procedures and why they should be improved
MariaDB stored procedures and why they should be improved
Federico Razzoli8 vistas
How to Make the Most of Regression and Unit Testing.pdf por Abhay Kumar
How to Make the Most of Regression and Unit Testing.pdfHow to Make the Most of Regression and Unit Testing.pdf
How to Make the Most of Regression and Unit Testing.pdf
Abhay Kumar10 vistas
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan... por Deltares
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
DSD-INT 2023 Baseline studies for Strategic Coastal protection for Long Islan...
Deltares10 vistas
Cycleops - Automate deployments on top of bare metal.pptx por Thanassis Parathyras
Cycleops - Automate deployments on top of bare metal.pptxCycleops - Automate deployments on top of bare metal.pptx
Cycleops - Automate deployments on top of bare metal.pptx
Neo4j : Graphes de Connaissance, IA et LLMs por Neo4j
Neo4j : Graphes de Connaissance, IA et LLMsNeo4j : Graphes de Connaissance, IA et LLMs
Neo4j : Graphes de Connaissance, IA et LLMs
Neo4j46 vistas
El Arte de lo Possible por Neo4j
El Arte de lo PossibleEl Arte de lo Possible
El Arte de lo Possible
Neo4j34 vistas
Les nouveautés produit Neo4j por Neo4j
 Les nouveautés produit Neo4j Les nouveautés produit Neo4j
Les nouveautés produit Neo4j
Neo4j27 vistas

Metamorphic Testing for Web System Security

  • 4. Metamorphic Security Testing
    • Source input: a sequence of valid interactions with the system, e.g. {login(Admin), RequestURL(settings_page)}
    • Follow-up input: generated by altering the valid interactions as an attacker would, e.g. {login(User1), RequestURL(settings_page)}
    • Relations: capture properties that hold when the system is not vulnerable, e.g. if the user in the follow-up input cannot access the URL from her GUI, then the outputs of the source and follow-up inputs should be different
  • 5. MST-wi: Metamorphic Security Testing for Web Interfaces
    The approach is shown on the slide as a four-step pipeline:
    1. Execute the Data Collection Framework on the Web System to obtain the Source Inputs (recorded interaction sequences such as Log in, Submit form, logout)
    2. Select or specify the Metamorphic Relations, starting from a catalog of 76 Metamorphic Relations, to obtain the List of Metamorphic Relations
    3. Translate the Metamorphic Relations to Java, to obtain the Executable Metamorphic Relations in Java
    4. Execute the Metamorphic Testing Framework on the source inputs and executable MRs, to obtain the Test results
  • 6–12. MST-wi – MR Example
    • Security issue: Bypass Authorization Schema (slides 6 to 11 step through the relation on a figure that is not reproduced in this transcript)
    • Our metamorphic testing algorithm executes each MR multiple times, to ensure that every possible combination of source and follow-up inputs is exercised
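The relation described on slide 4 and the exhaustive source/follow-up pairing described on slide 12, written out as a self-contained illustration. This is example code added for this page, not MST-wi's Java MRs or its framework code: the in-memory web system, the GUI link sets, the user names and the URLs are all assumptions, and the `enforce_authz` flag simply switches between a version that exhibits the Bypass Authorization Schema weakness and a hardened one.

```python
# Metamorphic relation "Bypass Authorization Schema", written for this page as a
# stand-alone Python illustration. It is NOT MST-wi code: the web system below is
# a constructed in-memory model, and every user and URL is an assumption.
from dataclasses import dataclass

# Constructed model of the system under test: which URLs each user can reach
# from her own GUI (what a crawler logged in as that user would see linked).
GUI_LINKS = {
    "Admin": {"/home", "/settings"},
    "User1": {"/home"},
}


def handle_request(user: str, url: str, enforce_authz: bool) -> str:
    """Server model. With enforce_authz=False the settings page is served to
    any logged-in user (the Bypass Authorization Schema weakness); with
    enforce_authz=True it is served to Admin only."""
    if url == "/home":
        return f"200 home({user})"
    if url == "/settings":
        if enforce_authz and user != "Admin":
            return "403 forbidden"
        return "200 settings"
    return "404 not found"


@dataclass(frozen=True)
class Sequence:
    """One test input: login(user) followed by RequestURL(url)."""
    user: str
    url: str


def execute(seq: Sequence, enforce_authz: bool) -> str:
    """Run the interaction sequence against the system model, return its output."""
    return handle_request(seq.user, seq.url, enforce_authz)


def can_reach_from_gui(user: str, url: str) -> bool:
    return url in GUI_LINKS.get(user, set())


def mr_bypass_authorization(source_inputs, users, enforce_authz):
    """Check the MR on every (source, follow-up) combination.

    Follow-up: same URL, but logged in as a user who cannot reach that URL
    from her GUI (the attacker-style alteration of the valid sequence).
    Relation: output(source) != output(follow-up).
    Returns the violations as (source, follow_up, shared_output) triples."""
    violations = []
    for src in source_inputs:
        src_out = execute(src, enforce_authz)
        for user in users:
            if user == src.user or can_reach_from_gui(user, src.url):
                continue  # not an attack: this user is allowed to see the URL
            follow_up = Sequence(user, src.url)
            if execute(follow_up, enforce_authz) == src_out:
                violations.append((src, follow_up, src_out))
    return violations


# Constructed source inputs, standing in for sequences a crawler would record.
SOURCE_INPUTS = [
    Sequence("Admin", "/settings"),
    Sequence("Admin", "/home"),
    Sequence("User1", "/home"),
]
USERS = sorted(GUI_LINKS)

if __name__ == "__main__":
    for enforce in (False, True):
        found = mr_bypass_authorization(SOURCE_INPUTS, USERS, enforce)
        print(f"enforce_authz={enforce}: {len(found)} MR violation(s)")
        for src, fup, out in found:
            print(f"  {src} and {fup} both returned {out!r}")
```

Against the weak configuration the only violation is the Admin/User1 pair on `/settings`; the `/home` sequences produce no follow-up because both users can reach that page from their GUI, so no attacker-style alteration exists for them. Against a real HTTP system the output comparison must be done on normalised responses (per-session tokens, timestamps and user names legitimately differ between two logins), otherwise the relation never fires.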
  • 13. MST-wi – Research Questions
    • RQ1. What testing activities can be automated thanks to the oracle automation provided by MST-wi?
    • RQ2. What vulnerability types can MST-wi detect?
    • RQ3. What testability guidelines can we define to enable effective test automation with MST-wi?
    • RQ4. How does MST-wi compare to state-of-the-art SAST and DAST tools?
    • RQ5. Can we identify patterns for writing MST-wi relations?
    • RQ6. Is MST-wi effective?
    • RQ7. Is MST-wi efficient?
  • 14. MST-wi – What vulnerability types can MST-wi detect?
    • We investigated the feasibility of implementing MRs that discover the vulnerability types described in the MITRE Common Weakness Enumeration (CWE) database
    • Considered three subsets:
      • CWE view for common security architectural tactics
      • CWE Top 25 most dangerous software errors
      • OWASP Top 10 Web security risks
    • To implement an MR for a weakness, we first inspect its description, its demonstrative examples, the descriptions of concrete vulnerabilities (CVE) and the common attack patterns (CAPEC) associated with the weakness
    • This process led to a catalog of 76 MRs
  • 15. MST-wi – What vulnerability types can MST-wi detect?
    Summary of the CWE architectural security design principles and weaknesses addressed by MST-wi:

    Security Design Principle    Vulnerability types   Addressed by MST-wi   Rank
    Audit                          6                     1 (16%)             10th
    Authenticate Actors           28                    12 (43%)              4th
    Authorize Actors              60                    34 (57%)              3rd
    Cross Cutting                  9                     3 (33%)              6th
    Encrypt Data                  38                     8 (21%)              8th
    Identify Actors               12                     3 (25%)              7th
    Limit Access                   8                     3 (38%)              5th
    Limit Exposure                 6                     0 (0%)              11th
    Lock Computer                  1                     0 (0%)              11th
    Manage User Session            6                     4 (67%)              2nd
    Validate Inputs               39                    31 (79%)              1st
    Verify Message Integrity      19                     2 (20%)              9th
    Total                        223                   101 (45%)
  • 16. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
    • We compared the vulnerability types detected by MST-wi with the vulnerability types detected by the state-of-the-art SAST and DAST tools reported in a recent empirical study
  • 17. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools?
    Column groups: (A) weaknesses addressed by each approach; (B) weaknesses addressed by MST-wi but not by the given tool; (C) weaknesses not addressed by MST-wi but addressed by the given tool.

    Security Design Principle | (A) MST  Zap  DA2  Sonar  SA2 | (B) Zap  DA2  Sonar  SA2 | (C) Zap  DA2  Sonar  SA2
    Audit                     |       1    0    0      0    3 |       1    1      1    0 |       0    0      0    2
    Authenticate Actors       |      12    0    2      1    9 |      12   11     11    7 |       0    1      0    4
    Authorize Actors          |      34    2    0      1   13 |      32   34     34   25 |       0    0      1    4
    Cross Cutting             |       3    0    0      2    0 |       3    3      2    3 |       0    0      1    0
    Encrypt Data              |       8    2    5      8   10 |       8    8      7    4 |       2    5      7    6
    Identify Actors           |       3    1    1      1    7 |       3    3      3    1 |       1    1      1    5
    Limit Access              |       3    0    1      1    5 |       3    3      2    0 |       0    1      0    2
    Limit Exposure            |       0    1    0      0    1 |       0    0      0    0 |       1    0      0    1
    Lock Computer             |       0    0    0      0    0 |       0    0      0    0 |       0    0      0    0
    Manage User Session       |       4    0    0      0    2 |       4    4      4    2 |       0    0      0    0
    Validate Inputs           |      31   10    7      2   14 |      24   25     30   19 |       3    1      1    2
    Verify Message Integrity  |       2    1    0      0    3 |       2    2      2    1 |       1    0      0    2
    Total                     |     101   17   16     16   67 |      92   94     96   62 |       8    9     11   28

    • The set of weaknesses targeted by MST-wi (101) is larger than the set that can be targeted by applying all four competing approaches together (84).
  • 18. MST-wi – Is MST-wi effective?
    Applied MST-wi to test well-known Web systems:
    • Jenkins v2.121
    • Joomla v3.8.7
    Assessed MST-wi's capability to detect known vulnerabilities:
    • 11 for Jenkins, 3 for Joomla
    • One of them was discovered by MST-wi itself (CVE-2018-17857)
    Considered two setups:
    • Derive source inputs with the crawler only
    • Consider additional manually implemented functional test cases
    Metrics:
    • Sensitivity: proportion of vulnerabilities identified
    • Specificity: proportion of inputs not leading to false alarms
  • 19. MST-wi – Is MST-wi effective?
    • The high specificity indicates that only a negligible fraction of follow-up inputs leads to false alarms
    • Since sensitivity reflects the fault detection rate (i.e., the proportion of vulnerabilities discovered), we conclude that our approach is highly effective
    • We can discover more than 60% of the vulnerabilities in a completely automated manner, using only the crawler
    • And up to 85% using both crawler and manual inputs
  • 20. https://github.com/MetamorphicSecurityTesting/MST
  • 21. Metamorphic Testing for Web System Security
    Presented by: Nazanin Bayati (University of Ottawa | University of Luxembourg), 13 September 2023, n.bayati@uottawa.ca
    N. Bayati Chaleshtari, F. Pastore, A. Goknil, and L. Briand, "Metamorphic Testing for Web System Security", IEEE Transactions on Software Engineering, 2023, https://ieeexplore.ieee.org/document/10089522
  • 22–25. MST-wi – How does MST-wi compare to state-of-the-art SAST and DAST tools? (backup slides, same table as slide 17, with further observations)
    • MST-wi can detect 56 weaknesses that no other approach can address.
    • Combined together, the DAST/SAST approaches can address only 39 weaknesses that MST-wi does not address.
    • The weaknesses that MST-wi cannot address are mostly those (i) that can only be discovered using program analysis, (ii) that are not related to user-system interactions, or (iii) that concern non-Web-based systems.
    • Combining MST-wi with SA2 seems to be a particularly effective combination, as it enables detecting 129 weaknesses (i.e., 101 + 28), which is 92% of the 140 weaknesses that can be detected by any approach.