Abstract
Describes a methodology for testing a software system for possible security flaws. Based on the observation that most security flaws are caused by a program's inappropriate interactions with the and are triggered by a user's malicious perturbation on the (which we call an environment fault), we view the security testing problem as the problem of testing for the fault-tolerance properties of a software system. We consider each perturbation as a fault, and the resulting security compromise as a failure in the toleration of such faults. Our approach is based on the well-known technique of fault injection. Environment faults are injected into the system under test, and the system's behavior is observed. A failure to tolerate faults is an indicator of a potential security flaw in the system. An environment-application interaction (EAI) fault model is proposed which guides us to decide what faults to inject. Based on EAI, we have developed a security testing methodology, and we have applied it to several applications. We have successfully identified a number of vulnerabilities, including vulnerabilities in the Windows NT operating system.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
