Use of Attack Trees and Code Mutation Techniques in Web Application Security
Abstract
The proliferation of web-based applications has increased the exposure of companies to a wide variety of threats. Several stages of the application life cycle are designed to prevent or mitigate those threats, and security testing is among the most useful of them, provided the tests are effective. This work focuses on the validation of security testing for web applications and proposes a methodology for validating security tests and testing tools based on attack trees derived from known vulnerabilities disseminated by the security community. To validate the effectiveness of the tests derived from these attack trees, known security vulnerabilities are deliberately inserted into applications by means of code mutation techniques: each mutant carries one injected fault, and a test suite is judged by how many of those mutants it detects.
