improving network applications security: a new heuristic to generate stress testing data presented...
Post on 21-Dec-2015
214 views
TRANSCRIPT
Improving Network Applications Security: a New Heuristic
to Generate Stress Testing Data
Presented by Conrad Pack
Del Grosso et al
Overview
• Buffer Overflow problem– Network security– Critical systems
• Testing to identify/remove vulnerabilities– Combined static and dynamic approach– Static slicing– Genetic algorithms (GAs) in dynamic search
• New heuristic
Impact of Buffer Overflow
• Scope– Language variations (C++ vs. Java)– Prevalence of unaudited code
• Over 50% of vulnerabilities (CERT)• Potential harm
– Unauthorized access in network/security applications
– Serious accidents in critical embedded systems
Static Analysis
• Tools– RatScan (front end to RATS)– Splint
• Extracted Information– Potentially vulnerable source statements– Call to potentially unsafe functions/libraries– Estimated buffer sizes
Static Slicing
• Software maintenance technique– “all program code that can in anyway affect
the value of a given variable”
• Inputs and source code relationship– Data dependency– Some inputs not tied to vulnerable statements
• Tool: CodeSurfer (GrammaTech)
• Purpose: Search space reduction
Test Case Generation Using GA
• GA aspects– Chromosome (2 dimensional array)– Crossover/mutation operators (whole/creep)– Fitness function (to follow)– Parameters
• Number of generations (500)• Population size (70)• Propagation rules (2 best)
• Probabilities (pcross = 0.7, pmut = 0.01)
Fitness
• GA is an optimization problem
• Three Approaches– Vulnerable coverage fitness– Nesting fitness– Buffer boundary fitness
• Correlation to crashes alone not enough– Flat landscape– Random search
Vulnerable Coverage Fitness
• Statement coverage
• Vulnerable statement coverage
• Number of vulnerable statement executions
• Function
F(g) = w1 • scov + w2 • log(k) • vcov + w3 • crash
Nesting Fitness
• Unconstrained nodes (graph theory)– Control flow graphs– Do not dominate any node– Do not postdominate any node
• Often correspond with maximum nesting
• Function
F(g) = w1 • scov + w2 • log(k) • vcov + w3 • nesting
Buffer Boundary Fitness
• Buffer boundaries in fitness calculation– Often difficult to precisely determine– Intended for future implementation
• Distance from boundary by size estimate– Compile time (can’t always be determined)
• Function
F(g) = w1 • scov + w2 • log(k) • vcov + w3 • nesting
+ w4 • maxi{minj(Li,j – SBi)}
Empirical Results
• Two test programs– White noise generator (scientific application)– FTP client (network application)
• Random search as a control– Pure random search– GA search with no fitness
• White noise: fixed initial population
• FTP: random initial populations