Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

A negative input space complexity metric as selection criterion for fuzz testing

: Schneider, Martin A.; Wendland, Marc-Florian; Hoffmann, Andreas

Postprint urn:nbn:de:0011-n-3823525 (290 KByte PDF)
MD5 Fingerprint: aa7e468f22ff021a79275fc7c8e62b94
Erstellt am: 25.3.2016

El-Fakih, Khaled:
Testing software and systems. 27th IFIP WG 6.1 international conference, ICTSS 2015 : Sharjah and Dubai, United Arab Emirates, November 23-25, 2015; Proceedings
Cham: Springer International Publishing, 2015 (Lecture Notes in Computer Science 9447)
ISBN: 978-3-319-25944-4 (Print)
ISBN: 978-3-319-25945-1 (Online)
International Conference on Testing Software and Systems (ICTSS) <27, 2014, Sharjah>
European Commission EC
FP7-ICT; 318786; MIDAS
European Commission EC
FP7-ICT; 316853; RASEN
Konferenzbeitrag, Elektronische Publikation
Fraunhofer FOKUS ()

Fuzz testing is an established technique in order to find zero-day-vulnerabilities by stimulating a system under test with invalid or unexpected input data. However, fuzzing techniques still generate far more test cases than can be executed. Therefore, different kinds of risk-based testing approaches are used for test case identification, selection and prioritization. In contrast to many approaches that require manual risk analysis, such as fault tree analysis, failure mode and effect analysis, and the CORAS method, we propose an automated approach that takes advantage of an already shown correlation between interface complexity and error proneness. Since fuzzing is a negative testing approach, we propose a complexity metric for the negative input space that measures the boundaries of the negative input space of primitive types and complex data types. Based on this metric, the assumed most error prone interfaces are selected and used as a starting point for fuzz test case generation. This paper presents work in progress.