References of "Nguyen, Duy Cu 50002755"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailAutomated Reverse Engineering of Role-based Access Control Policies of Web Applications
Le, Ha Thanh UL; Shar, Lwin Khin UL; Bianculli, Domenico UL et al

in Journal of Systems and Software (2022), 184

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with ... [more ▼]

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. However, in practice, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in business logic implementations. This leads to difficulties in validating the correctness of policy implementations and detecting AC defects. In this paper, we present a semi-automated framework for reverse-engineering of AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations, which are then used to validate implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes more access requests using combinatorial test generation. To learn policies, we apply machine learning on the obtained data to characterize relevant attributes that influence AC. Finally, the inferred policies are presented to the security engineer, for validation with respect to intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors. We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues that were reported to the developers. [less ▲]

Detailed reference viewed: 137 (12 UL)
Full Text
Peer Reviewed
See detailA Machine Learning-Driven Evolutionary Approach for Testing Web Application Firewalls
Appelt, Dennis UL; Nguyen, Duy Cu UL; Panichella, Annibale UL et al

in IEEE Transactions on Reliability (2018), 67(3), 733-757

Web application firewalls (WAF) are an essential protection mechanism for online software systems. Because of the relentless flow of new kinds of attacks as well as their increased sophistication, WAFs ... [more ▼]

Web application firewalls (WAF) are an essential protection mechanism for online software systems. Because of the relentless flow of new kinds of attacks as well as their increased sophistication, WAFs have to be updated and tested regularly to prevent attackers from easily circumventing them. In this paper, we focus on testing WAFs for SQL injection attacks, but the general principles and strategy we propose can be adapted to other contexts. We present ML-Driven, an approach based on machine learning and an evolutionary algorithm to automatically detect holes in WAFs that let SQL injection attacks bypass them. Initially, ML-Driven automatically generates a diverse set of attacks and submit them to the system being protected by the target WAF. Then, ML-Driven selects attacks that exhibit patterns (substrings) associated with bypassing the WAF and evolve them to generate new successful bypassing attacks. Machine learning is used to incrementally learn attack patterns from previously generated attacks according to their testing results, i.e., if they are blocked or bypass the WAF. We implemented ML-Driven in a tool and evaluated it on ModSecurity, a widely used open-source WAF, and a proprietary WAF protecting a financial institution. Our empirical results indicate that ML-Driven is effective and efficient at generating SQL injection attacks bypassing WAFs and identifying attack patterns. [less ▲]

Detailed reference viewed: 841 (106 UL)
Full Text
Peer Reviewed
See detailA Search-based Testing Approach for XML Injection Vulnerabilities in Web Applications
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Andrea, Arcuri UL et al

in 10th IEEE International Conference on Software Testing, Verification and validation (ICST 2017), Tokyo 13-18 March 2017 (2017)

In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to ... [more ▼]

In most cases, web applications communicate with web services (SOAP and RESTful). The former act as a front-end to the latter, which contain the business logic. A hacker might not have direct access to those web services (e.g., they are not on public networks), but can still provide malicious inputs to the web application, thus potentially compromising related services. Typical examples are XML injection attacks that target SOAP communications. In this paper, we present a novel, search-based approach used to generate test data for a web application in an attempt to deliver malicious XML messages to web services. <br />Our goal is thus to detect XML injection vulnerabilities in web applications. The proposed approach is evaluated on two studies, including an industrial web application with millions of users. Results show that we are able to effectively generate test data (e.g., input values in an HTML form) that detect such vulnerabilities. [less ▲]

Detailed reference viewed: 413 (39 UL)
Full Text
Peer Reviewed
See detailAutomated and Effective Testing of Web Services for XML Injection Attacks
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Briand, Lionel UL

in ISSTA'16-The International Symposium on Software Testing and Analysis, Saarbrücken 18-20 July 2016 (2016, July 18)

XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been ... [more ▼]

XML is extensively used in web services for integration and data exchange. Its popularity and wide adoption make it an attractive target for attackers and a number of XML-based attack types have been reported recently. This raises the need for cost-effective, automated testing of web services to detect XML-related vulnerabilities, which is the focus of this paper. We discuss a taxonomy of the types of XML injection attacks and use it to derive four different ways to mutate XML messages, turning them into attacks (tests) automatically. Further, we consider domain constraints and attack grammars, and use a constraint solver to generate XML messages that are both malicious and valid, thus making it more difficult for any protection mechanism to recognise them. As a result, such messages have a better chance to detect vulnerabilities. Our evaluation on an industrial case study has shown that a large proportion (78.86%) of the attacks generated using our approach could circumvent the first layer of security protection, an XML gateway (firewall), a result that is much better than what a state-of-the-art tool based on fuzz testing could achieve. [less ▲]

Detailed reference viewed: 492 (32 UL)
Full Text
See detailReACP: A Semi-Automated Framework for Reverse-engineering and Testing of Access Control Policies of Web Applications
Le, Ha Thanh UL; Nguyen, Duy Cu UL; Briand, Lionel UL

Report (2016)

This technical report details our a semi-automated framework for the reverse-engineering and testing of access control (AC) policies for web-based applications. In practice, AC specifications are often ... [more ▼]

This technical report details our a semi-automated framework for the reverse-engineering and testing of access control (AC) policies for web-based applications. In practice, AC specifications are often missing or poorly documented, leading to AC vulnerabilities. Our goal is to learn and recover AC policies from implementation, and assess them to find AC issues. Built on top of a suite of security tools, our framework automatically explores a system under test, mines domain input specifications from access request logs, and then, generates and executes more access requests using combinatorial test generation. We apply machine learning on the obtained data to characterise relevant attributes that influence access control to learn policies. Finally, the inferred policies are used for detecting AC issues, being vulnerabilities or implementation errors. We have evaluated our framework on three open-source applications with respect to correctness and completeness. The results are very promising in terms of the quality of inferred policies, more than 94% of them are correct with respect to implemented AC mechanisms. The remaining incorrect policies are mainly due to our unrefined permission classification. Moreover, a careful analysis of these policies has revealed 92 vulnerabilities, many of them are new. [less ▲]

Detailed reference viewed: 314 (25 UL)
Full Text
See detailAutomated Testing of Web Application Firewalls
Appelt, Dennis UL; Nguyen, Duy Cu UL; Briand, Lionel UL

Report (2016)

Web application firewalls (WAF) are an indispensable mechanism to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their increasing sophistication ... [more ▼]

Web application firewalls (WAF) are an indispensable mechanism to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their increasing sophistication require WAFs to be updated and tested regularly as otherwise they will be circumvented. In this paper, we focus our research on WAFs and SQL injection attacks, but the general principles and strategy could be adapted to other contexts. We present a machine learning-driven testing approach to automatically detect holes in WAFs that let SQL injection attacks bypass them. At the beginning, the approach can automatically generate diverse attacks (tests) and then submit them to a system that is protected by a WAF. Incrementally learning from the tests that are blocked or accepted by the WAF, our approach can then select tests that exhibit characteristics associated with bypassing the WAF and mutate them to efficiently generate new bypassing attacks. In the race against cyberattacks, time is vital. Being able to learn and anticipate more attacks that can circumvent a WAF in a timely manner is very important in order to quickly fix or fine-tune protection rules. We developed a tool that implements the approach and evaluated it on ModSecurity, a widely used WAF, and a proprietary WAF that protects a financial institution. Evaluation results indicate that our proposed technique is efficient at generating SQL injection attacks that can bypass a WAF and can be used to identify successful attack patterns. [less ▲]

Detailed reference viewed: 891 (29 UL)
Full Text
Peer Reviewed
See detailSOFIA: An Automated Security Oracle for Black-Box Testing of SQL-Injection Vulnerabilities
Ceccato, Mariano; Nguyen, Duy Cu UL; Appelt, Dennis UL et al

in Proceedings of the 31th IEEE/ACM International Conference on Automated Software Engineering (2016)

Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any ... [more ▼]

Security testing is a pivotal activity in engineering secure software. It consists of two phases: generating attack inputs to test the system, and assessing whether test executions expose any vulnerabilities. The latter phase is known as the security oracle problem. In this work, we present SOFIA, a Security Oracle for SQL-Injection Vulnerabilities. SOFIA is programming-language and source-code independent, and can be used with various attack generation tools. Moreover, because it does not rely on known attacks for learning, SOFIA is meant to also detect types of \sqli attacks that might be unknown at learning time. The oracle challenge is recast as a one-class classification problem where we learn to characterise legitimate SQL statements to accurately distinguish them from \sqli attack statements. We have carried out an experimental validation on six applications, among which two are large and widely-used. SOFIA was used to detect real \sqli vulnerabilities with inputs generated by three attack generation tools. The obtained results show that SOFIA is computationally fast and achieves a recall rate of 100\% (i.e., missing no attacks) with a low false positive rate (0.6\%). [less ▲]

Detailed reference viewed: 340 (30 UL)
Full Text
Peer Reviewed
See detailKnown XML Vulnerabilities Are Still a Threat to Popular Parsers and Open Source Systems
Jan, Sadeeq UL; Nguyen, Duy Cu UL; Briand, Lionel UL

in The 2015 IEEE International Conference on Software Quality, Reliability & Security, Vancouver 3-5 August 2015 (2015, August 03)

The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been ... [more ▼]

The Extensible Markup Language (XML) is extensively used in software systems and services. Various XML-based attacks, which may result in sensitive information leakage or denial of services, have been discovered and published. However, due to development time pressures and limited security expertise, such attacks are often overlooked in practice. In this paper, following a rigorous and extensive experimental process, we study the presence of two types of XML-based attacks: BIL and XXE in 13 popular XML parsers. Furthermore, we investigate whether open-source systems that adopt a vulnerable XML parser apply any mitigation to prevent such attacks. Our objective is to provide clear and solid scientific evidence about the extent of the threat associated with such XML-based attacks and to discuss the implications of the obtained results. Our conclusion is that most of the studied parsers are vulnerable and so are systems that use them. Such strong evidence can be used to raise awareness among software developers and is a strong motivation for developers to provide security measures to thwart BIL and XXE attacks before deployment when adopting existing XML parsers. [less ▲]

Detailed reference viewed: 295 (25 UL)
Full Text
Peer Reviewed
See detailAutomated Inference of Access Control Policies for Web Applications
Le, Ha Thanh UL; Nguyen, Duy Cu UL; Briand, Lionel UL et al

in 20th ACM Symposium on Access Control Models and Technologies (SACMAT), 1-3 June 2015 (2015, June)

Detailed reference viewed: 327 (27 UL)
Full Text
Peer Reviewed
See detailDo Automatically Generated Test Cases Make Debugging Easier? An Experimental Assessment of Debugging Effectiveness and Efficiency
Ceccato, Mariano; Marchetto, Alessandro; Mariani, Leonardo et al

in ACM Transactions on Software Engineering and Methodology (2015), 25(1), 51--538

Detailed reference viewed: 151 (22 UL)
Full Text
Peer Reviewed
See detailBehind an Application Firewall, Are We Safe from SQL Injection Attacks?
Appelt, Dennis UL; Nguyen, Duy Cu UL; Briand, Lionel UL

in 2015 IEEE 8th International Conference on Software Testing, Verification, and Validation (ICST) (2015)

Web application firewalls are an indispensable layer to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their sophistication require that firewalls be ... [more ▼]

Web application firewalls are an indispensable layer to protect online systems from attacks. However, the fast pace at which new kinds of attacks appear and their sophistication require that firewalls be updated and tested regularly as otherwise they will be circumvented. In this paper, we focus our research on web application firewalls and SQL injection attacks. We present a machine learning-based testing approach to detect holes in firewalls that let SQL injection attacks bypass. At the beginning, the approach can automatically generate diverse attack payloads, which can be seeded into inputs of web-based applications, and then submit them to a system that is protected by a firewall. Incrementally learning from the tests that are blocked or passed by the firewall, our approach can then select tests that exhibit characteristics associated with bypassing the firewall and mutate them to efficiently generate new bypassing attacks. In the race against cyber attacks, time is vital. Being able to learn and anticipate more attacks that can circumvent a firewall in a timely manner is very important in order to quickly fix or fine-tune the firewall. We developed a tool that implements the approach and evaluated it on ModSecurity, a widely used application firewall. The results we obtained suggest a good performance and efficiency in detecting holes in the firewall that could let SQLi attacks go undetected. [less ▲]

Detailed reference viewed: 634 (60 UL)
Full Text
Peer Reviewed
See detailAutomated Testing for SQL Injection Vulnerabilities: An Input Mutation Approach
Appelt, Dennis UL; Nguyen, Duy Cu UL; Briand, Lionel UL et al

in Proc. of the International Symposium on Software Testing and Analysis 2014 (2014, July 21)

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of ... [more ▼]

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this paper an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach is effective to detect SQL injection vulnerabilities and to produce inputs that bypass application firewalls, which is a common configuration in real world. [less ▲]

Detailed reference viewed: 602 (40 UL)
Full Text
Peer Reviewed
See detailInterpolated N-Grams for Model Based Testing
Tonella, Paolo; Tiella, Roberto; Nguyen, Duy Cu UL

in Interpolated N-Grams for Model Based Testing (2014, May 31)

Models – in particular finite state machines models – provide an invaluable source of information for the derivation of effective test cases. However, models usually approximate part of the program ... [more ▼]

Models – in particular finite state machines models – provide an invaluable source of information for the derivation of effective test cases. However, models usually approximate part of the program semantics and capture only some of the relevant dependencies and constraints. As a consequence, some of the test cases that are derived from models are in- feasible. In this paper, we propose a method, based on the computation of the N-gram statistics, to increase the likelihood of deriving feasible test cases from a model. Furthermore, the level of model coverage is also expected to increase because infeasible test cases do not contribute to coverage. While N-grams do improve existing test case derivation methods, they show limitations when the N-gram statistics is incomplete, which is expected to necessarily occur as N increases. Interpolated N-grams overcome such limitation and show the highest performance of all test case derivation methods compared in this work. [less ▲]

Detailed reference viewed: 155 (24 UL)
Full Text
See detailBlack-box SQL Injection Testing
Appelt, Dennis UL; Alshahwan, Nadia UL; Nguyen, Duy Cu UL et al

Report (2014)

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of ... [more ▼]

Web services are increasingly adopted in various domains, from finance and e-government to social media. As they are built on top of the web technologies, they suffer also an unprecedented amount of attacks and exploitations like the Web. Among the attacks, those that target SQL injection vulnerabilities have consistently been top-ranked for the last years. Testing to detect such vulnerabilities before making web services public is crucial. We present in this report an automated testing approach, namely μ4SQLi, and its underpinning set of mutation operators. μ4SQLi can produce effective inputs that lead to executable and harmful SQL statements. Executability is key as otherwise no injection vulnerability can be exploited. Our evaluation demonstrated that the approach outperforms contemporary known attacks in terms of vulnerability detection and the ability to get through an application firewall, which is a popular configuration in real world. [less ▲]

Detailed reference viewed: 753 (59 UL)
Full Text
Peer Reviewed
See detailAutomated Inference of Classifications and Dependencies for Combinatorial Testing
Nguyen, Duy Cu UL; Tonella, Paolo

Scientific Conference (2013, November 14)

Detailed reference viewed: 118 (3 UL)
Full Text
Peer Reviewed
See detailN-Gram Based Test Sequence Generation from Finite State Models
Tonella, Paolo; Tiella, Roberto; Nguyen, Duy Cu UL

Scientific Conference (2013, November 10)

Detailed reference viewed: 151 (2 UL)
Full Text
Peer Reviewed
See detailEvaluating the FITTEST Automated Testing Tools: an Industrial Case Study
Nguyen, Duy Cu UL; Mendelson, Bilha; Citron, Daniel et al

Scientific Conference (2013, October)

Detailed reference viewed: 116 (2 UL)
Full Text
Peer Reviewed
See detailAutomated Generation of State Abstraction Functions using Data Invariant Inference
Nguyen, Duy Cu UL; Tonella, Paolo; Marchetto, Alessandro et al

Scientific Conference (2013, May 18)

Detailed reference viewed: 145 (3 UL)
Full Text
Peer Reviewed
See detailAutomated Detection of Discontinuities in Models Inferred from Execution Traces
Nguyen, Duy Cu UL; Marchetto, Alessandro; Tonella, Paolo

Scientific Conference (2011, March)

Detailed reference viewed: 112 (2 UL)