SQA Careers   |   SQA Adepts   |   SQA forums   |   SQA Blogs   |    SQA Discussion Boards   |   SQA Links
 
Web VAssure.com
Infrastructure
 
Our Products
Contact Us
 
For more information, contact :

info@VAssure.com
Home > Infrastructure > VT Labs
Vulnerability Testing Labs


Vulnerabilities in software create a risk of compromise of information security. Thus, the security of software components should be analysed, preferably before they are deployed.VAssure is involved in the Vulnerability testing of lot of products and has successfully done vulnerability testing of Vmware products .. The testing is done by feeding exceptional input values to the software and observing the security aspects of the resulting behaviour. The method is effective in finding faults created when implementing the software, and has many applications. Some of the vulnerabilities hidden in software components can be found without testing them for the correctness of the software. The overall effort needed is smaller than the effort required by thorough testing.

Bugs persist in contemporary software and cause inconvenience and occasional loss of information. The growth of connectivity through public networks is apparent, especially in the form of the Internet. Both new and legacy systems are expected to interface with the public networks. This contributes to the risk of the vulnerabilities caused by the bugs being exploited to compromise the confidentiality, integrity and availability of information.

Security is one of the aspects of software quality. Quality is evaluated by software testing to reduce faults in released software. Traditionally, software testing attempts to ensure that the software meets the specifications rather than trying to find vulnerabilities in software .Vulnerability analysis is classically reactive, addressing vulnerabilities from released software products based on publicly disclosed vulnerabilities . There have been, and are, attempts to move towards a more proactive approach, eliminating vulnerabilities before software is deployed.

Vulnerabilities contribute to the security risk related to the use of software. Trivial vulnerabilities are constantly disclosed in the public mailing-lists. One significant type of software vulnerability is buffer overflow. A buffer overflow is caused when an input buffer in memory runs out, due to missing bound checking. Malicious code can be executed on a remote system by carefully designing a sequence of bytes to overwrite the program space after the buffer. Many of the discovered vulnerabilities are buffer overflows, which makes them deadly serious from the system security point of view.

Testing Techniques

VAssure follow all the necessary techniques to check vulnerabilities in the software.

1.1 Syntax Testing : In syntax testing, the test-cases, i.e. the input to the software, are created based on the specifications of languages understood by the interfaces of software Interfaces have many formats: command-line prompts, files, environment variables, pipes, sockets, etc. An interface has a language which defines what is legal input to the interface and what is not. This language may be hidden or open. The existence of a hidden language is not explicitly realised by developers of the software, but a piece of software might nevertheless read some input data, parse it, and act accordingly. In a broader sense, hidden languages exist also in data structures used to transfer information from a software module to another. An open language is appropriately specified in the software documentation.

The motivation for syntax testing springs from the fact that each interface has a language, whether it is hidden or open, from which effective tests can be created with a relatively small effort. Syntax testing is more likely to find faults from the portions of software responsible for hidden language handling, because open languages must have been explicitly considered by the programmer and thus the input handling portion is likely to be better.

Automated syntax testing requires a formal description of the input language in machine readable format. If the language is hidden, the tester must create a specification for it. Common choices are BNF (Backus-Naur form) and regular expressions. Both are notations to define context-free grammar languages. A sentence is a sequence of bytes which are arranged according to the rules of the language. Context-free languages have traditionally been used in compilers of various sorts to create parsers for input sentences. In syntax testing, a context-free language is the base used to generate sentences. These sentences are then fed, or injected, into the software being tested to see if it accepts them, rejects them or fails to process them altogether.

The selection of test-cases in syntax testing could start with single-error sentences. This is likely to reveal most faults assuming the faults are mutually independent and a fault is triggered by one error in a sentence.

Syntax errors : Syntax errors violate the grammar of the underlying language. They are created by removing an element, adding an extra element and providing the elements in wrong order. Syntax errors can exist on different levels in the grammar hierarchy: top-level, intermediate-level and field-level.

Delimiter errors : Delimiters mark the separation of fields in a sentence. In ASCII-coded languages the fields are normally characters and letters, and delimiter are white space characters (space, tab, line-feed, etc.), or other delimiters characters (commas, semicolons, etc.) or their combinations. Delimiters can be omitted, multiplied or replaced by other unusual characters. Paired delimiters, such as braces, can be left unbalanced.

Field-value errors : A field-value error is an illegal field in a sentence. Normally, a field value has a range or many disjoint ranges of allowable values. Field errors can include values which are one-below, one-above and totally out-of-range. Values exactly at the range boundary should also be checked.

Context-dependent errors : A context-dependent error violates some property of a sentence which cannot, in practise, be described by context-free grammar.

State dependency error : Not all sentences are acceptable in every possible state of a software component. A state dependency error is generated by inputting a correct sentence during an incorrect state.
Automatic generation of sentences leads to automatic test design where test-cases are designed by a computer. It is suitable, for example, for stress testing, where software is fed with a large amount of input data.

1.2 Software Fault Injection : Fault injection techniques are traditionally applied to hardware testing, where parts of the hardware are purposefully damaged to test the robustness of the whole system. In software fault injection code or software input is modified and the resulting behaviour of the software is monitored . Software fault injection gives information about how the software is likely to behave under exceptional conditions, i.e. how robust the software is.

1.3 Penetration Testing : Penetration testing is a search for vulnerabilities from software or a computer system. Penetration testing is normally done by a specialized team of experts called a VT TEAM... When vulnerability is found and exploited, the system is said to be penetrated.
During penetration testing, the tester can scan for vulnerabilities which have been found earlier from similar systems. This testing is based heavily on the experience of the tester. The search for known vulnerabilities can be manual, but there also are tools for it

Vulnerability Analysis through Syntax Testing : Based on the presented software testing techniques, VAssure introduces an approach for vulnerability analysis through syntax testing. In vulnerability testing, the security aspect of a software component is evaluated by injecting malicious input into it. The input creation methods of syntax testing are used. Vulnerability testing is a black-box testing method, and can thus be used to evaluate the robustness of both the deployed software and the software components under development. Vulnerability testing has the following phases:
1. Round-up of interfaces, which the software uses to get input, especially interfaces to external systems.
2. Specification of protocols used by the tested interfaces. One specification will do if multiple products implementing the same protocol are being tested.
3. Execution of tests.
4. Inspection and verification of test results.

A test is divided to test-cases. A test-case is made up of the selected input data fed to the software and the monitored software behaviour. An essential feature, derived from syntax testing, is that a test-case is failed if any behaviour that indicates the possible existence of a vulnerability is detected. Otherwise the test-case is passed. This is quite different from the testing for correctness, where a test-case is passed if the software behaved correctly and failed on other cases.

Vulnerability testing focuses on vulnerabilities. This focus affects the selection of input fed to the software, as well as the monitoring of the tested software component. Inputs should be selected so that the likelihood of the tests revealing the vulnerabilities is maximized. This requires understanding the reasons and mechanisms which lead to information security vulnerabilities. The monitoring should be capable of recognizing vulnerable behaviour, such as a software crash endangering integrity, and the availability of information. The instrumentation responsible for the monitoring must be placed between the tested software and the operating system, because failures caused by vulnerabilities often manifest themselves by system calls and signals.

Vulnerability testing has same limitations as syntax testing:
The tested software may behave completely inappropriately according to specifications, even if it has passed all tests.

Vulnerability testing is only likely to reveal errors in software implementation, as specification and design errors require complex test-cases with a specific sequence of events and conditions.

Not everything can be monitored (this applies to all software testing). The ways to compromise security are unlimited whereas we can only monitor limited aspects of behaviour.

Home | Company | Services | Engagement Model | Infrastructure | Insight | SQA Careers | SQA Adepts | Site Map | Contact us
Privacy Policy | Terms & Conditions | Disclaimer