Security Testing of Web and Smartphone Applications / Avancini, Andrea. - (2013), pp. 1-178.
Security Testing of Web and Smartphone Applications
Avancini, Andrea
2013-01-01
Abstract
Web applications have become an integral part of everyday life: a huge number of users rely on them daily for business, leisure, government and academic activities, so the correctness of these applications is fundamental. Security in particular is a crucial concern, since these applications are constantly exposed to potentially malicious environments. Cross-site scripting (XSS) is considered one of the major threats to the security of web applications: missing input validation can be exploited by attackers to inject malicious code into the application under attack. Static analysis supports manual security review in mitigating the impact of XSS-related issues by reporting a set of potential problems, expressed as candidate vulnerabilities. A security problem spotted by static analysis, however, consists only of a list of (possibly complicated) conditions that must be satisfied to exploit the vulnerability concretely; static analysis does not provide examples of the input values needed to make the application execute the sometimes complex path that leads to an XSS vulnerability. Executable test cases, on the contrary, constitute runnable and reproducible evidence of the vulnerability mechanics, and so represent valuable support for developers, who should understand security problems concretely and in detail before fixing them. The need for reliable and secure web applications motivates the development of automatic, inexpensive and therefore effective security testing methods, whose aim is to verify the presence of security-related defects. Security tests consist of two major parts: the input values that must be generated to run the application in the hope of exposing vulnerabilities, and the decision whether the obtained output actually exposes a vulnerability; the latter is known as the “oracle”.
Current approaches to both generating security tests and defining security oracles, however, have limitations. To address the shortcomings of input value generation for security, this dissertation proposes a structured approach, inspired by software testing, based on the combination of genetic algorithms and concrete symbolic execution. This combined strategy is compared with genetic algorithms and with concrete symbolic execution in isolation, in terms of coverage and efficiency, on four case study web applications, and proves effective for security testing. In fact, genetic algorithms alone are able to generate input values only for a few simple vulnerabilities; their contribution is nonetheless fundamental to improving the coverage of the input values generated by concrete symbolic execution. The dissertation also explores the definition of oracle components that can be integrated with input generation strategies to perform security testing of web applications and expose security-related faults. A security oracle can be seen as a classifier that detects when a vulnerability is exploited by a test case, i.e. it verifies whether a test case is an instance of a successful attack. This dissertation presents two distinct approaches to defining security oracles: (1) applying tree kernel methods, and (2) resorting to a model of the application under analysis when run in harmless conditions. In the former approach, the classifier is trained on a set of test cases containing both safe executions and successful attacks, with the aim of learning important structural properties of web pages. In the latter, the learning phase analyzes web pages generated only under safe conditions, in order to build a “safe” model of their syntactic structure. In the actual testing phase, both oracles are then used to classify new output pages either as “safe tests” or as “successful attacks”.
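The “safe model” oracle of the second approach can be illustrated with a small Python example. This is an added illustration, not code from the dissertation: the tag-path model, the `structure`/`SafeModelOracle` names and the sample pages are my own simplifications of the idea. The oracle learns the set of element paths (and scripting attributes) seen in pages generated under safe inputs, then classifies a new output page as a successful attack when it contains a path never observed during learning.

```python
"""Toy 'safe model' security oracle for XSS (added example, not the dissertation's code).

Learning phase: record the syntactic skeleton (tag paths) of pages produced
under safe inputs. Testing phase: a page whose skeleton contains paths that
were never seen in safe runs is classified as a successful attack.
All sample pages below are constructed for this example.
"""
from html.parser import HTMLParser


class StructureExtractor(HTMLParser):
    """Collects the tag-path skeleton of a page, ignoring text content."""

    VOID = {"br", "img", "input", "meta", "link", "hr"}  # elements with no end tag

    def __init__(self):
        super().__init__()
        self.stack = []      # currently open elements
        self.paths = set()   # e.g. "html/body/p", "html/body/p@onmouseover"

    def handle_starttag(self, tag, attrs):
        path = "/".join(self.stack + [tag])
        self.paths.add(path)
        # event-handler attributes and javascript: URLs change the "shape" of a
        # page even when no new element is injected, so they become paths too
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.paths.add(path + "@" + name)
        if tag not in self.VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def structure(html):
    """Return the set of tag paths that make up the syntactic structure of a page."""
    parser = StructureExtractor()
    parser.feed(html)
    return parser.paths


class SafeModelOracle:
    """Learns the union of structures seen in safe runs; anything outside it is an attack."""

    def __init__(self):
        self.safe_paths = set()

    def learn(self, safe_pages):
        for page in safe_pages:
            self.safe_paths |= structure(page)

    def classify(self, page):
        unexpected = structure(page) - self.safe_paths
        if unexpected:
            return ("successful attack", sorted(unexpected))
        return ("safe test", [])


# Constructed sample output of a hypothetical search page, produced with safe inputs.
SAFE_PAGES = [
    "<html><body><h1>Results</h1><p>You searched for: apple</p></body></html>",
    "<html><body><h1>Results</h1><p>You searched for: 42 &lt;b&gt;</p>"
    "<ul><li>first hit</li></ul></body></html>",
]

# Constructed outputs where the echoed input was not validated: one injects a
# script element, the other a scripting attribute on an existing element.
ATTACK_SCRIPT = "<html><body><h1>Results</h1><p>You searched for: <script>x()</script></p></body></html>"
ATTACK_ATTR = '<html><body><h1>Results</h1><p onmouseover="x()">You searched for: foo</p></body></html>'


def run_demo():
    """Train the oracle on the safe pages and classify the three test pages."""
    oracle = SafeModelOracle()
    oracle.learn(SAFE_PAGES)
    return {
        "safe": oracle.classify(SAFE_PAGES[0]),
        "script": oracle.classify(ATTACK_SCRIPT),
        "attr": oracle.classify(ATTACK_ATTR),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, "->", verdict)
```

The oracle only ever sees safe executions, which is what makes it cheap to train; the price is that a legitimate page exercising a structure absent from the learning set is flagged as well, so the safe runs must cover the application's normal outputs before the verdicts are trustworthy.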
Furthermore, the dissertation takes a few steps into the world of smartphone applications, in an attempt to push the boundaries of our research and carry the lessons learned in the domain of web applications over to a new domain. As motivation, we note that an important reason behind the popularity of smartphones and tablets is the huge number of applications available for download, which extend the functionality of the devices with brand new features. Official stores provide a plethora of applications developed by third parties, for entertainment and business, mostly free of charge. Once again, security is a fundamental requirement: for example, confidential data (e.g., phone contacts, GPS position, banking data and emails) might be disclosed by vulnerable applications, so sensitive applications should be carefully tested to avoid security problems. The dissertation proposes a novel approach to security testing of the communication among applications on mobile devices, with the objective of spotting errors in the routines that validate incoming messages.

File | Access | Type | Licence | Size | Format
---|---|---|---|---|---
andrea-avancini-phd-thesis-last.pdf | Archive managers only | Doctoral Thesis (Tesi di dottorato) | All rights reserved | 2.54 MB | Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.