MCP: A Security Testing Tool Driven by Requirements

[en] We present MCP, a tool for automatically generating executable security test cases from misuse case specifications in natural language (i.e., use case specifications capturing the behavior of malicious users). MCP relies on Natural Language Processing (NLP), a restricted form of misuse case specifications, and a test driver API implementing basic utility functions for security testing. NLP is used to identify the activities performed by the malicious user and the control flow of misuse case specifications. MCP matches the malicious user’s activities to the methods of the provided test driver API in order to generate executable security test cases that perform the activities described in the misuse case specifications. MCP has been successfully evaluated on an industrial case study.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation

Disciplines :

Computer science

Author, co-author :

Mai, Xuan Phu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Pastore, Fabrizio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Goknil, Arda

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

External co-authors :

Language :

English

Title :

MCP: A Security Testing Tool Driven by Requirements

Publication date :

May 2019

Event name :

International Conference on Software Engineering

Event organizer :

IEEE/ACM

Event place :

Montreal, Canada

Event date :

from 25-05-2019 to 31-05-2019

Main work title :

2019 IEEE/ACM 41st International Conference on Software Engineering

Publisher :

IEEE, United States

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

European Projects :

H2020 - 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems

FnR Project :

FNR11213850 - Enhanced Daily Living And Health 2 – An Incentive Based Service, 2015 (01/06/2016-30/11/2018) - Lionel Briand

Funders :

CE - Commission Européenne [BE]
Union Européenne [BE]

Available on ORBilu :

since 03 June 2019

Statistics

Number of views

252 (39 by Unilu)

Number of downloads

223 (7 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

WoS citations^™

Bibliography

B. Fabian, S. Gurses, M. Heisel, T. Santen, and H. Schmidt, "a comparison of security requirements engineering methods," RE'10, vol. 15, pp. 7-40.
P. X. Mai, A. Goknil, L. K. Shar, F. Pastore, L. C. Briand, and S. Shaame, "Modeling security and privacy requirements: A use case-driven approach," Information and Software Technology, vol. 100, pp. 165-182, 2018.
A. L. Opdahl and G. Sindre, "Experimental comparison of attack trees and misuse cases for security threat identification," Information and Software Technology, vol. 51, pp. 916-932, 2009.
M. Meucci and A. Muller, "owasp Testing Guide v4," https://www.owasp.org/images/1/19/OTGv4.pdf.
M. Felderer, M. Büchler, M. Johns, A. D. Brucker, R. Breu, and A. Pretschner, "Chapter one-security testing: A survey," ser. Advances in Computers. Elsevier, 2016, vol. 101, pp. 1-51.
B. W. Ballard and A. W. Biermann, "Programming in natural language: "nlc" as a prototype," in ACM'79, 1979, pp. 228-237.
O. Pulido-Prieto and U. Juárez-Martínez, "a survey of naturalistic programming technologies," ACM Computing Surveys, vol. 50, no. 5, pp. 70:1-70:35, 2017.
C. Manning, M. Surdeanu, J. Bauer, J. abd Finkel, S. Bethard, and D. McClosky, "The stanford CoreNLP natural language processing toolkit," in ACL'14, 2014, pp. 55-60.
V. Le, S. Gulwani, and Z. Su, "SmartSynth: Synthesizing smartphone automation scripts from natural language," in MobiSys'13, 2013.
D. Guzzoni, C. Baur, and A. Cheyer, "Modeling human-agent interaction with active ontologies," in AAAI Spring Symposium'07, 2007, pp. 52-59.
M. Landhausser, S. Weigelt, and W. F. Tichy, "nlci: A natural language command interpreter," Automated Software Engineering, vol. 24, no. 4, pp. 839-861, 2017.
T. R. Gruber, "a translation approach to portable ontology specifications," Knowledge Acquisition, vol. 5, no. 2, pp. 199-220, 1993.
S. Ognawala, M. Ochoa, A. Pretschner, and T. Limmer, "macke: Compositional analysis of low-level vulnerabilities with symbolic execution," in ASE'16, 2016, pp. 780-785.
D. Appelt, C. D. Nguyen, L. C. Briand, and N. Alshahwan, "Automated testing for sql injection vulnerabilities: An input mutation approach," in ISSTA'14, 2014, pp. 259-269.
F. Lebeau, B. Legeard, F. Peureux, and A. Vernotte, "Model-based vulnerability testing for web applications," in ICSTW'13, 2013.
G. Carvalho, D. Falcão, F. Barros, A. Sampaio, A. Mota, L. Motta, and M. Blackburn, "nat2testscr: Test case generation from natural language requirements based on scr specifications," Science of Computer Programming, vol. 95, pp. 275-297, 2014.
C. Wang, F. Pastore, A. Goknil, L. C. Briand, and M. Z. Z. Iqbal, "Automatic generation of system test cases from use case specifications," in ISSTA'15, 2015, pp. 385-396.
C. Wang, F. Pastore, A. Goknil, L. C. Briand, and M. Z. Z. Iqbal, "umtg: A toolset to automatically generate system test cases from use case specifications," in ESEC/FSE'15, 2015, pp. 942-945.
M. Kaplan, T. Klinger, A. M. Paradkar, A. Sinha, C. Williams, and C. Yilmaz, "Less is more: A minimalistic approach to uml model-based conformance test generation," in ICST'08, 2008, pp. 82-91.
P. X. Mai, F. Pastore, A. Goknil, and L. C. Briand, "a natural language programming approach for requirements-based security testing," in ISSRE'18, 2018, pp. 58-69.
T. Yue, L. C. Briand, and Y. Labiche, "Facilitating the transition from use case models to analysis models: Approach and experiments," ACM TOSEM, vol. 22, no. 1, pp. 1-38, 2013.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "Applying product line use case modeling in an industrial automotive embedded system: Lessons learned and a refined approach," in MODELS'15, 2015, pp. 338-347.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "Configuring use case models in product families," Software and System Modeling, vol. 17, no. 3, pp. 939-971, 2018.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "PUMConf: A tool to configure product specific use case and domain models in a product line," in FSE'16, 2016, pp. 1008-1012.
University of Pennsylvania, "CogComp nlp," http://cogcomp.org, 2018.
"edlah2: Active and Assisted Living Programme," http://www.aal-europe.eu/projects/edlah2/.
"owasp, Android Testing Guidelines." https://www.owasp.org/index.php/Android-Testing-Cheat-Sheet.