MCP: A Security Testing Tool Driven by Requirements

[en] We present MCP, a tool for automatically generating executable security test cases from misuse case specifications in natural language (i.e., use case specifications capturing the behavior of malicious users). MCP relies on Natural Language Processing (NLP), a restricted form of misuse case specifications, and a test driver API implementing basic utility functions for security testing. NLP is used to identify the activities performed by the malicious user and the control flow of misuse case specifications. MCP matches the malicious user’s activities to the methods of the provided test driver API in order to generate executable security test cases that perform the activities described in the misuse case specifications. MCP has been successfully evaluated on an industrial case study.

Centre de recherche :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation

Disciplines :

Sciences informatiques

Auteur, co-auteur :

MAI, Xuan Phu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

PASTORE, Fabrizio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Goknil, Arda

BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Co-auteurs externes :

Langue du document :

Anglais

Titre :

MCP: A Security Testing Tool Driven by Requirements

Date de publication/diffusion :

mai 2019

Nom de la manifestation :

International Conference on Software Engineering

Organisateur de la manifestation :

IEEE/ACM

Lieu de la manifestation :

Montreal, Canada

Date de la manifestation :

from 25-05-2019 to 31-05-2019

Titre de l'ouvrage principal :

2019 IEEE/ACM 41st International Conference on Software Engineering

Maison d'édition :

IEEE, Etats-Unis

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Projet européen :

H2020 - 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems

Projet FnR :

FNR11213850 - Enhanced Daily Living And Health 2 – An Incentive Based Service, 2015 (01/06/2016-30/11/2018) - Lionel Briand

Organisme subsidiant :

CE - Commission Européenne
Union Européenne

Disponible sur ORBilu :

depuis le 03 juin 2019

Statistiques

Nombre de vues

374 (dont 39 Unilu)

Nombre de téléchargements

381 (dont 7 Unilu)

Voir plus de statistiques

citations Scopus^®

citations Scopus^®
sans auto-citations

OpenCitations

citations OpenAlex

citations WoS^™

Bibliographie

B. Fabian, S. Gurses, M. Heisel, T. Santen, and H. Schmidt, "a comparison of security requirements engineering methods," RE'10, vol. 15, pp. 7-40.
P. X. Mai, A. Goknil, L. K. Shar, F. Pastore, L. C. Briand, and S. Shaame, "Modeling security and privacy requirements: A use case-driven approach," Information and Software Technology, vol. 100, pp. 165-182, 2018.
A. L. Opdahl and G. Sindre, "Experimental comparison of attack trees and misuse cases for security threat identification," Information and Software Technology, vol. 51, pp. 916-932, 2009.
M. Meucci and A. Muller, "owasp Testing Guide v4," https://www.owasp.org/images/1/19/OTGv4.pdf.
M. Felderer, M. Büchler, M. Johns, A. D. Brucker, R. Breu, and A. Pretschner, "Chapter one-security testing: A survey," ser. Advances in Computers. Elsevier, 2016, vol. 101, pp. 1-51.
B. W. Ballard and A. W. Biermann, "Programming in natural language: "nlc" as a prototype," in ACM'79, 1979, pp. 228-237.
O. Pulido-Prieto and U. Juárez-Martínez, "a survey of naturalistic programming technologies," ACM Computing Surveys, vol. 50, no. 5, pp. 70:1-70:35, 2017.
C. Manning, M. Surdeanu, J. Bauer, J. abd Finkel, S. Bethard, and D. McClosky, "The stanford CoreNLP natural language processing toolkit," in ACL'14, 2014, pp. 55-60.
V. Le, S. Gulwani, and Z. Su, "SmartSynth: Synthesizing smartphone automation scripts from natural language," in MobiSys'13, 2013.
D. Guzzoni, C. Baur, and A. Cheyer, "Modeling human-agent interaction with active ontologies," in AAAI Spring Symposium'07, 2007, pp. 52-59.
M. Landhausser, S. Weigelt, and W. F. Tichy, "nlci: A natural language command interpreter," Automated Software Engineering, vol. 24, no. 4, pp. 839-861, 2017.
T. R. Gruber, "a translation approach to portable ontology specifications," Knowledge Acquisition, vol. 5, no. 2, pp. 199-220, 1993.
S. Ognawala, M. Ochoa, A. Pretschner, and T. Limmer, "macke: Compositional analysis of low-level vulnerabilities with symbolic execution," in ASE'16, 2016, pp. 780-785.
D. Appelt, C. D. Nguyen, L. C. Briand, and N. Alshahwan, "Automated testing for sql injection vulnerabilities: An input mutation approach," in ISSTA'14, 2014, pp. 259-269.
F. Lebeau, B. Legeard, F. Peureux, and A. Vernotte, "Model-based vulnerability testing for web applications," in ICSTW'13, 2013.
G. Carvalho, D. Falcão, F. Barros, A. Sampaio, A. Mota, L. Motta, and M. Blackburn, "nat2testscr: Test case generation from natural language requirements based on scr specifications," Science of Computer Programming, vol. 95, pp. 275-297, 2014.
C. Wang, F. Pastore, A. Goknil, L. C. Briand, and M. Z. Z. Iqbal, "Automatic generation of system test cases from use case specifications," in ISSTA'15, 2015, pp. 385-396.
C. Wang, F. Pastore, A. Goknil, L. C. Briand, and M. Z. Z. Iqbal, "umtg: A toolset to automatically generate system test cases from use case specifications," in ESEC/FSE'15, 2015, pp. 942-945.
M. Kaplan, T. Klinger, A. M. Paradkar, A. Sinha, C. Williams, and C. Yilmaz, "Less is more: A minimalistic approach to uml model-based conformance test generation," in ICST'08, 2008, pp. 82-91.
P. X. Mai, F. Pastore, A. Goknil, and L. C. Briand, "a natural language programming approach for requirements-based security testing," in ISSRE'18, 2018, pp. 58-69.
T. Yue, L. C. Briand, and Y. Labiche, "Facilitating the transition from use case models to analysis models: Approach and experiments," ACM TOSEM, vol. 22, no. 1, pp. 1-38, 2013.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "Applying product line use case modeling in an industrial automotive embedded system: Lessons learned and a refined approach," in MODELS'15, 2015, pp. 338-347.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "Configuring use case models in product families," Software and System Modeling, vol. 17, no. 3, pp. 939-971, 2018.
I. Hajri, A. Goknil, L. C. Briand, and T. Stephany, "PUMConf: A tool to configure product specific use case and domain models in a product line," in FSE'16, 2016, pp. 1008-1012.
University of Pennsylvania, "CogComp nlp," http://cogcomp.org, 2018.
"edlah2: Active and Assisted Living Programme," http://www.aal-europe.eu/projects/edlah2/.
"owasp, Android Testing Guidelines." https://www.owasp.org/index.php/Android-Testing-Cheat-Sheet.