A model-based attack injection approach for security validation

ACM International Conference Proceeding Series

Volumn , Issue , 2011, Pages 103-110

  Morais, Anderson ^a   Cavalli, Ana ^a   Martins, Eliane ^b  

^a TELECOM SUDPARIS   (France)

^b UNIVERSITY OF CAMPINAS   (Brazil)

Author keywords

attack injection; model based testing; security evaluation

Indexed keywords

ATTACK SCENARIOS; ATTACK TREE; COMPLETE CONTROL; DENIAL OF SERVICE; MODEL BASED TESTING; SECURITY BREACHES; SECURITY EVALUATION; SECURITY FAILURE; SECURITY TESTING; SECURITY VULNERABILITIES; TESTING TOOLS; VULNERABLE SYSTEMS; WIRELESS APPLICATION PROTOCOLS;

CELLULAR TELEPHONE SYSTEMS; COMMUNICATION SYSTEMS; COMPUTER CRIME; FREQUENCY HOPPING; MOBILE DEVICES; WIRELESS TELECOMMUNICATION SYSTEMS;

SECURITY OF DATA;

EID: 83455219837     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2070425.2070443     Document Type: Conference Paper

References (30)

1. Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Verissimo, P., and Waidner, M. 2001. MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications). In Supplement of the IEEE/IFIP Int. Conf. on Dependable Systems and Networks, pp. D32-D35, (Göteborg, Sweden, 1-4 July 2001).
2. Broadcasting & Cable, http://www.broadcastingcable.com/article/ 458457-Chilean-Miners-Rescue-Sets-Records-for-Univision.php. Accessed March 1, 2011.
3. Juniper Research - Low Cost Handsets & Entry Level Smartphones, http://juniperresearch.com/reports/low-cost-handsets-&-entry-level- smartphones, (March 1, 2011).
4. Wap Forum - Wireless Transport Layer Security Specification Version 06-Apr-2001, http://www.wapforum.org/what/technical.htm. Accessed September 1, 2010.
5. Moore, A.P., Ellison, R.J., and Linger, R.C. 2001. Attack Modeling for Information Security and Survivability. Technical Note CMU/SEI-2001-TN-001, March 2001.
6. Paton, N.W., Díaz, O., Williams, M.H., Campin, J., Dinn, A., and Jaime, A. 1993. Dimensions of Active Behaviour. In Proceedings of 1st Int. Workshop on Rules in Database Systems, (Edinburgh - Scotland, Sep. 1993).
7. Morais, A., Martins, E., and Cavalli, A. 2009. Security Protocol Testing Using Attack Trees. In Proceedings of 2009 International Conference on Computational Science and Engineering, (Vancouver, Canada, Aug. 2009).
8. Thompson, H.H., Whittaker, J.A., and Mottay, F.E. 2002. Software security vulnerability testing in hostile environments. In ACM Symposium on Applied Computing (SAC), 260-264, (Madrid, Spain 2002).
9. Wanner, P.C.H. and Weber, R.F. 2003. Fault Injection Tool for Network Security Evaluation. LNCS, vol. 2847/2003, Dependable Computing. Pp 127-136, (Sep. 2003).
10. Aitel, D. 2002. The Advantages of Block-Based Protocol Analysis for Security Testing. Immunity Inc., February 2002, http://www.immunitysec.com/ downloads/advantages-of-block-based-analysis.html.
11. Neves, N., Antunes, J., Correia, M., Veríssimo, P., and Neves, R. 2006. Using Attack Injection to Discover New Vulnerabilities. In Proc. of the International Conference on Dependable Systems and Networks, pp 457-466, (2006).
12. Protos - Security Testing of Protocol Implementations, 1999, https://www.ee.oulu.fi/research/ouspg/Protos. Accessed November 1, 2010.
13. Fuzz Testing of Application Reliability, 1990, http://pages.cs.wisc.edu/ ~bart/fuzz/.
14. Saarinen, M.J. 2000. Attacks Against the WAP WTLS Protocol, (May 2000). DOI=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.102.5246.
15. Wagner, D. and Schneier, B. 1996. Analysis of the SSL 3.0 protocol. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, pages 29-40, (Berkeley, 1996).
16. Zhang, R. and Chen, K. 2005. Improvements on the WTLS protocol to avoid denial of service attacks. Computers and Security, Elsevier Science, Vol. 24, No 1, pp. 76-82, (2005).
17. Dolev, D. and Yao, A. 1983. On the security of public-key protocols. In IEEE Transactions on Information Theory, 2(29), 198-208, (1983).
18. Drebes, R.J., Jacques-Silva, G., da Trindade, J.F., and Weber, T.S. 2005. A Kernel-based Communication Fault Injector for Dependability Testing of Distributed Systems. In Parallel and Distributed Systems, Testing and Debugging, (Haifa, Israel, 2005).
19. Cavalli, A., Martins, E., and Morais, A. 2008. Use of invariant properties to evaluate the results of fault-injection-based robustness testing of protocol implementations. In Proc. of 4th Workshop on Advances in Model Based Testing (Lillehammer, Norway, Apr 2008).
20. Schneier, B. 1999. Attack Trees: Modeling Security Threats. Dr. Dobb's Journal, (December 1999).
21. Hussein, M. and Zulkernine, M. 2006. UMLintr: a UML profile for specifying intrusions. In Proceedings of the IEEE International Conference and Workshop on the Engineering of Computer-Based Systems, pp. 279-288, (Tucson, AZ, USA, 2006).
22. Amenaza Technologies Limited - SecureITree, http://www.amenaza.com/. Accessed March 1, 2011.
23. Moore, A.P., Ellison, R.J., and Linger, R.C. 2001. Attack Modeling for Information Security and Survivability. Technical Note CMU/SEI-2001-TN-001, March 2001.
24. Keyword Driven Automation Framework Model, http://safsdev.sourceforge. net/FRAMESDataDrivenTestAutomationFrameworks.htm.
25. Bachmann, F., Bass, L., Buhman, C., Comella-Dorda, S., Long, F., Robert, J.E., Seacord, R.C., and Wallnau, K.C. 2000. Volume II:. Technical Concepts of Component-Based Software Engineering. 2nd Edition, May 2000, http://www.sei.cmu.edu/reports/00tr008.pdf.
26. Gamma, E., Helm, R., Johnson, R., and Vlissides, J. 1995. Design Patterns: Elements of Reusable Object-Oriented Software. Addison Wesley, 1995.
27. Nokia Mobile Browser Simulator 4.0., http://www.forum.nokia.com. Accessed March 1, 2011.
28. Columbitech WAP Connector, http://handheld.softpedia.com/get/ Network/Columbitech-WAPConnector-35124.shtml. Accessed April 1, 2010.
29. Network Packet Generator, http://www.wikistc.org/wiki/Network-packet- generator. Accessed November 1, 2010.
30. Vigna, G., Robertson, W., and Balzarotti D. 2004. Testing network-based intrusion detection signatures using mutant exploits. In Proceedings of the 11th ACM conference on Computer and communications security, (October 25-29, 2004, Washington DC, USA).