
Research On Security Testing Of Software Component Based On Fault Injection

Posted on: 2009-07-26
Degree: Master
Type: Thesis
Country: China
Candidate: C L Yuan
GTID: 2178360278964256
Subject: Computer software and theory
Abstract/Summary:
With the emergence of component-based software development technology, components, especially third-party components, have greatly raised software development efficiency. Component technology relies on a large number of components, so the reliability and security of components are especially significant. However, component testing is still weak, and component security testing is a new research direction in software testing; its theory and technology have important value and practical significance for promoting the development of component technology.

Unlike traditional software modules, components are developed for reuse by third parties, and in most cases their source code is not visible, so the security testing of components, especially third-party components, can only be based on "black box" methods. In today's black-box security testing, fault injection, as an effective technique for attack simulation and dynamic analysis, has obvious advantages in software evaluation and the analysis of system security. Because it studies security flaws from the running behavior of the software rather than simply from its structure, this approach helps find new potential security vulnerabilities that cannot be found by static analysis.

SDFI (Static and Dynamic Fault Injection) is a component security testing method based on fault injection. Building on research into security vulnerability taxonomy, SDFI provides a fault injection model, FIM (Fault Injection Model). Before running and after running, FIM chooses different fault injection methods, interface parameter fault injection and dynamic environment fault injection respectively, to test component vulnerabilities for security with high efficiency. To address the "combinatorial explosion" caused by interface parameter fault injection and dynamic environment fault injection, SDFI provides the corresponding test-case reduction algorithms EEC (Exceptional Elements Coverage) and DSW (Division and Sorting by Weight). In the COM component security testing system (CSTS) project, an automated fault injection subsystem was designed and implemented, and typical third-party COM components were taken as test examples, confirming the validity of SDFI.
Keywords/Search Tags: Component, Fault Injection, Security Vulnerability, Interface Fault Injection, Environment Fault Injection