Abstract
In this paper, IMATT, an integrated multiagent testing tool, is presented. The tool comprises a static analyzer, a dynamic tester and an integrator that combines the two components to detect security vulnerabilities and errors in agent-based web applications written in Java. The static analysis component analyzes the source code of the web application, identifies the locations of potential security vulnerabilities and reports them to the programmer. Dynamic testing of the web application is then carried out. For this purpose, a temporal-based assertion language is introduced to help detect security violations (errors) in the underlying application at run time; the language has operators for detecting SQL injection and cross-site scripting (XSS) errors. The dynamic tester consists of two components: an instrumentor (preprocessor) and a run-time agent. The instrumentor comprises several modules implemented as software agents in Java under the control of a multi-agent framework: a static analyzer agent, a parser agent and a code converter agent. An integrator combines the results of the static and dynamic analyses. Finally, the implementation details of IMATT are reported.
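The abstract describes a run-time agent that evaluates temporal assertions over the execution of an instrumented application, with dedicated operators for SQL injection and XSS. The following is an added illustration of that idea and is not IMATT's code or its assertion language: it assumes the instrumentor emits one `kind var line` record per event (`input`, `sanitize`, `encode`, `sql_sink`, `html_sink`), expresses both operators as a precedence property ("a guard event on variable v must precede every sink event on v"), and runs the check over a constructed trace. All event names, rule names and the sample trace are assumptions made for this example.

```python
"""Trace-based temporal assertion checking for SQL injection and XSS.

Added example (not from the IMATT paper). A run-time agent receives events
emitted by instrumented code and checks temporal properties over them.
Event kinds, rule names and the sample trace below are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence


@dataclass(frozen=True)
class Event:
    kind: str   # input | sanitize | encode | sql_sink | html_sink (assumed vocabulary)
    var: str    # program variable carrying the data
    line: int   # source line recorded by the instrumentor


Pred = Callable[[Event], bool]


def parse_trace(lines: Sequence[str]) -> List[Event]:
    """Parse 'kind var line' records; blank lines and '#' comments are skipped."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        kind, var, line = raw.split()
        events.append(Event(kind, var, int(line)))
    return events


# --- temporal operators over a finite trace -------------------------------

def precedes(trace: Sequence[Event], first: Pred, second: Pred) -> bool:
    """Every event matching `second` is preceded by some event matching `first`."""
    seen_first = False
    for ev in trace:
        if first(ev):
            seen_first = True
        if second(ev) and not seen_first:
            return False
    return True


def never(trace: Sequence[Event], pred: Pred) -> bool:
    return not any(pred(e) for e in trace)


def eventually(trace: Sequence[Event], pred: Pred) -> bool:
    return any(pred(e) for e in trace)


# Security operators as (guard kind, sink kind): a tainted variable may only
# reach the sink after the guard has been applied to it.
RULES = {
    "SQL injection": ("sanitize", "sql_sink"),
    "XSS": ("encode", "html_sink"),
}


def check(trace: Sequence[Event]) -> List[str]:
    """Return one violation message per (rule, tainted variable) that fails."""
    violations = []
    tainted = sorted({e.var for e in trace if e.kind == "input"})
    for label, (guard, sink) in RULES.items():
        for v in tainted:
            is_guard = lambda e, v=v, g=guard: e.kind == g and e.var == v
            is_sink = lambda e, v=v, s=sink: e.kind == s and e.var == v
            if not precedes(trace, is_guard, is_sink):
                # If precedence fails, the first sink event on v is unguarded.
                first_bad = next(e for e in trace if is_sink(e))
                violations.append(
                    f"{label}: '{v}' reaches {sink} at line {first_bad.line} "
                    f"before any {guard}"
                )
    return violations


# Constructed trace of one request handled by an instrumented servlet.
SAMPLE_TRACE = """
# kind      var      line
input       user     12
input       comment  13
sanitize    user     15
sql_sink    user     18
encode      user     21
html_sink   user     22
html_sink   comment  23
sql_sink    comment  27
sanitize    comment  30
""".splitlines()

# A second constructed trace where every tainted value is guarded in time.
CLEAN_TRACE = """
input       q        40
sanitize    q        41
encode      q        42
sql_sink    q        45
html_sink   q        46
""".splitlines()


if __name__ == "__main__":
    for msg in check(parse_trace(SAMPLE_TRACE)):
        print("VIOLATION", msg)
    print("clean trace violations:", check(parse_trace(CLEAN_TRACE)))
```

Note that the order of events matters: `comment` is sanitized at line 30, but only after it has already reached the query sink at line 27, so the precedence check still fires; a flow-insensitive check that only asked "is the variable ever sanitized?" would miss it.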
Highlights
The majority of software testing tools are generic [2,23,25], in the sense that they work independently of the style of the program under test
We went a step further in this direction: IMATT extends AEC and introduces an agent-based tool for testing large agent-based Web applications against security flaws
IMATT offers the following pragmatic advantages: 1. IMATT is homogeneous in the sense that both the static and dynamic components are model based: the static analysis model is based on a set of grammar rules, while the dynamic analysis model is based on temporal logic assertions together with a set of behavioral dynamic responses
Summary
There are several generic tools, such as NuSMV, FDR2, ITS4, CHESS and NESSUS, that can be exploited for program (code) analysis. The static analyzer of Livshits et al. [15] finds potential matches conservatively using a context-sensitive, flow-insensitive, inclusion-based pointer alias analysis; their dynamic analyzer instruments the source program to catch security violations at run time and perform user-specified actions. Building on these techniques, an analyzer has been designed and implemented to detect security flaws, resource leaks and violations of predefined rules. In more recent work, Keromytis et al. [6] presented MINESTRONE, an architecture that integrates static analysis, dynamic confinement and code diversification techniques to enable the identification of vulnerabilities in third-party software. The tool Apollo, discussed by Artzi et al. in [16], aims at finding bugs in Web applications using dynamic testing and explicit-state model checking.
More From: World Journal of Computer Application and Technology