Reference : Metamorphic Testing for Web System Security
Scientific journals : Article
Engineering, computing & technology : Computer science
Security, Reliability and Trust
Metamorphic Testing for Web System Security
Bayati Chaleshtari, Nazanin [University of Ottawa > School of Electrical Engineering and Computer Science]
Pastore, Fabrizio mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
Goknil, Arda [SINTEF Digital Norway]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV >]
In press
IEEE Transactions on Software Engineering
Institute of Electrical and Electronics Engineers
United States - New York
[en] System Security Testing ; Metamorphic Testing ; Domain-specific Languages
[en] Security testing aims at verifying that the software meets its security properties. In modern Web systems, however, this often entails the verification of the outputs generated when exercising the system with a very large set of inputs. Full automation is thus required to lower costs and increase the effectiveness of security testing.
Unfortunately, to achieve such automation, in addition to strategies for automatically deriving test inputs, we need to address the oracle problem, which refers to the challenge, given an input for a system, of distinguishing correct from incorrect behavior (e.g., the response to be received after a specific HTTP GET request).
In this paper, we propose Metamorphic Security Testing for Web-interactions (MST-wi), a metamorphic testing approach that integrates test input generation strategies inspired by mutational fuzzing and alleviates the oracle problem in security testing. It enables engineers to specify metamorphic relations (MRs) that capture many security properties of Web systems. To facilitate the specification of such MRs, we provide a domain-specific language accompanied by an Eclipse editor. MST-wi automatically collects the input data and transforms the MRs into executable Java code to automatically perform security testing. It automatically tests Web systems to detect vulnerabilities based on the relations and collected data.
We provide a catalog of 76 system-agnostic MRs to automate security testing in Web systems. It covers 39% of the OWASP security testing activities not automated by state-of-the-art techniques; further, our MRs can automatically discover 102 different types of vulnerabilities, which correspond to 45% of the vulnerabilities due to violations of security design principles according to the MITRE CWE database. We also define guidelines that enable test engineers to improve the testability of the system under test with respect to our approach.
We evaluated MST-wi effectiveness and scalability with two well-known Web systems (i.e., Jenkins and Joomla). It automatically detected 85% of their vulnerabilities and showed a high specificity (99.81% of the generated inputs do not lead to a false positive); our findings include a new security vulnerability detected in Jenkins. Finally, our results demonstrate that the approach scale, thus enabling automated security testing overnight.
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
European Commission - EC
Researchers ; Professionals
H2020 ; 957254 - COSMOS - DevOps for Complex Cyber-Physical Systems

File(s) associated to this reference

Fulltext file(s):

Open access
Nanazin_SecurityMetamorphicTesting_Journal.pdfAuthor postprint4.94 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.