Titulo Estágio
Vulnerability Injection for Evaluation of Security Testing Tools
Áreas de especialidade
Engenharia de Software
Local do Estágio
SSE-CISUC
Enquadramento
To avoid injection vulnerabilities in their applications, developers should apply coding best practices, perform security reviews of the code, execute penetration tests, etc. Many times developers do not have the time or expertise required, leaving the task of security testing to automated vulnerability testing tools. However, research and practice show that such tools usually produce unsatisfactory results.
Although there are some techniques to assess the quality of vulnerability detection mechanisms, they have several limitations that still prevent them from being used by developing teams.
Objetivo
New techniques are thus required to evaluate the effectiveness of vulnerability detection tools. The goal of this work is to use vulnerability injection techniques to develop mechanisms to evaluate the effectiveness of tools that detect command injection vulnerabilities.
In the same way fault injection is widely used to validate specific fault handling and fault detection mechanisms, vulnerability injection is a powerful tool that can be used to evaluate the effectiveness of vulnerability and attack detection tools.
Using vulnerability injection it is possible to create controlled testbeds with a known number of vulnerabilities that later should be detected by the vulnerability testing techniques. This would be very useful as the developers could use this technique to evaluate the vulnerability detection tools that they intend to use in what they would select as realistic and representative scenarios.
The work has high potential also because it may allow in the future developing or improving benchmarks for vulnerability detection tools.
Plano de Trabalhos - Semestre 1
T1. [01/09/2015 a 31/10/2015] Study the state of the art
Study the state of the art in software vulnerabilities, vulnerability detection tools, evaluation of these tools, fault injection and vulnerability and attack injection.
T2. [01/11/2015 a 15/11/2015] Definition of the scope of the work
Definition of the types of vulnerabilities and applications that will be targeted by the techniques to be developed
T3. [15/11/2015 a 31/12/2015] Definition of the vulnerability operators
Understand the characteristics of the representative set of vulnerabilities to be injected, what must be modified and were to proceed to these modifications
T4. [01/01/2016 a 31/01/2016] Report writing
Plano de Trabalhos - Semestre 2
T5. [01/02/2016 a 28/02/2016] Implementation of the vulnerability injection technique
Development of a tool to automate the application of the vulnerability operators defined
T6. [01/03/2016 a 30/04/2016] Experimental evaluation of the approach
Conduct experimental case studies to demonstrate the approach and to evaluate its abilities in characterizing the effectiveness of multiple vulnerability detection tools
T7. [01/04/2016 a 31/05/2016] Write a paper
T8. [01/03/2016 a 31/07/2016] Thesis writing
Condições
The work is to be executed at the laboratories of the CISUC’s Software and Systems Engineering Group. A work place will be provided as well as the required computational resources.
Observações
No observations.
Orientador
Nuno Antunes
nmsa@dei.uc.pt 📩