Research On Some Issues Of Software Vulnerability Testing

Software security vulnerability is one of the key factors that threaten network security and information systems. Malicious attacker could exploit the security vulnerabilities to threat the security of information systems by accessing unauthorized resources and destructing sensitive data. If we can find software security vulnerabilities prior to its being released, or detect vulnerabilities and prevent them being exploited in the run-time software, then we can significantly improve software security.Software vulnerability mining aims to discover potential security vulnerability in the software. It is an important technology to ensure the information security, and it has attracted the academic and industry attention over the past 20 years. Practice has shown that software testing is an effective mining method of software vulnerabilities.From the point of view of software testing, after investigating and summarizing a wide range of existing software testing technology extensively, this thesis carried out an in-depth analysis on some key issues of software testing particularly on vulnerability testing. This thesis proposed corresponding solutions and gave examples to demonstrate the effectiveness of the solutions.The main contributions of this thesis are as follows:(1) A software fault injection method based on wrapped function is proposed. By analyzing the key technology of concrete realization of the software fault injection testing based on EAI model, on how to highly efficiently and flexibly inject software fault into the process under test, a fault injection and safety testing method has been put forward by replacing safety-related functions with wrapped function. Through experiments, the method is proved to be feasibility.(2) A software testing method based on extended EAI model is proposed. The thesis proposed. This thesis presents an idea that summarizes the experience of vulnerability testing to the knowledge base and applies the priori knowledge to create test cases. The idea can enhance the capacity of the fault exposure. For the problem of very difficult to control and monitor the status of the measured process, the thesis presents a dynamic testing method based on a "virtual machine implementation". The dynamic testing method can solve the problem of how to observe and control the state of the tested process. We use Xen implement software testing based on the extended EAI model, and the validity of the model is confirmed.(3) For the problem of a large number of redundant test cases existed on the set of test suites, from the analysis of the relationship among various attributes of test demand, this thesis presents a method of test suite reduction based on attribute relevance analysis. The experimental results show that the proposed method can significantly reduce the test case set.(4) This thesis presents a method of vulnerability testing by applying process integrity. From the security relationship between the vulnerability categories, we give one kind of definition of process integrity measure. On the basis of this measure, a method of vulnerability testing is presented. The method applies source code conversion and function call status information to test the vulnerability of the procedure. The method can detect buffer overflow attacks and the results show that the method is simple and efficient.