Here you will find scientific publications from the Fraunhofer Institutes.

Approaches for automated software security evaluations

Ansätze für automatische Softwaresicherheitsüberprüfungen
Poller, A.

Fulltext urn:nbn:de:0011-n-484495 (3.7 MByte PDF)
MD5 Fingerprint: ec9b312a0a9969984ba11fd3b761ecf5
Created on: 03.11.2006

Darmstadt, 2006, 107 pp.
Chemnitz, TU, diploma thesis, 2006
Thesis, Electronic Publication
Fraunhofer SIT
Black-box test; computer security; fuzzer; program inspection; security evaluation; security test; software engineering; software vulnerability; software tool; test framework

As a consequence of the rapidly increasing interconnection of computer systems in computer networks, the ability to access programs running on these machines is becoming more and more independent of having physical access to them. The physical access controls that formerly existed therefore have to be replaced by logical access controls, which ensure that computer systems are used only for their intended purpose and that the stored data are handled securely and confidentially. The efficiency of such logical protection mechanisms is verified by applying software security tests. These tests check whether security functions can be bypassed, especially by exploiting software errors. This diploma thesis examines approaches for automating software security tests with regard to their effectiveness and applicability. The results are used to introduce a requirement and evaluation model for the qualitative analysis of such security evaluation automation approaches. Additionally, the thesis asserts that a highly automated software security evaluation is not a sensible development goal, given the estimated cost-benefit ratio of trying to realise it. Based on this assertion, the thesis discusses how to combine the capabilities of a human tester and a software evaluation assistance system in an efficient test process. Based on these considerations, it describes the design and implementation of a software security evaluation system that was developed as a prototype for this thesis. This system significantly involves the human tester in the evaluation process but provides approaches for automation where possible. Furthermore, this proof-of-concept prototype is evaluated regarding its practical applicability.