Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Improving security testing with usage-based fuzz testing

: Schneider, Martin A.; Herbold, Steffen; Wendland, Marc-Florian; Grabowski, Jürgen

Postprint urn:nbn:de:0011-n-3742822 (648 KByte PDF)
MD5 Fingerprint: 87e3bcb2f9c76be5d0586a2e5081d768
The original publication is available at
Erstellt am: 15.1.2016

Seehusen, Fredrik (Ed.); Felderer, Michael (Ed.); Großmann, Jürgen (Ed.); Wendland, Marc-Florian (Ed.):
Risk assessment and risk-driven testing. Third International Workshop, RISK 2015 : Berlin, Germany, June 15, 2015; Revised selected papers
Cham: Springer International Publishing, 2015 (Lecture Notes in Computer Science 9488)
ISBN: 978-3-319-26415-8 (Print)
ISBN: 978-3-319-26416-5 (Online)
DOI: 10.1007/978-3-319-26416-5
International Workshop on Risk Assessment and Risk-Driven Testing (RISK) <3, 2015, Berlin>
European Commission EC
FP7-ICT; 318786; MIDAS
European Commission EC
FP7-ICT; 316853; RASEN
Konferenzbeitrag, Elektronische Publikation
Fraunhofer FOKUS ()

Along with the increasing importance of software systems for our daily life, attacks on these systems may have a critical impact. Since the number of attacks and their effects increases the more systems are connected, the secure operation of IT systems becomes a fundamental property. In the future, this importance will increase, due to the rise of systems that are directly connected to our environment, e.g., cyber-physical systems and the Internet of Things. Therefore, it is inevitable to find and fix security-relevant weaknesses as fast as possible. However, established automated security testing techniques such as fuzzing require significant computational effort. In this paper, we propose an approach to combine security testing with usage-based testing in order to increase the efficiency of security testing. The main idea behind our approach is to utilize that little tested parts of a system have a higher probability of containing security-relevant weaknesses than well tested parts. Since the execution of a system by users can also be to some degree being seen as testing, our approach plans to focus the fuzzing efforts such that little used functionality and/or input data are generated. This way, fuzzing is targeted on weakness-prone areas which in turn should improve the efficiency of the security testing.