An automated approach for identifying potential vulnerabilities in software

27 November 2002

conference paper
Published by Institute of Electrical and Electronics Engineers (IEEE)

p. 104-114
https://doi.org/10.1109/secpri.1998.674827

Abstract

The paper presents results from analyzing the vulnerability of security-critical software applications to malicious threats and anomalous events using an automated fault injection analysis approach. The work is based on the well understood premise that a large proportion of security violations result from errors in software source code and configuration. The methodology employs software fault injection to force anomalous program states during the execution of software and observes their corresponding effects on system security. If insecure behaviour is detected, the perturbed location that resulted in the violation is isolated for further analysis and possibly retrofitting with fault tolerant mechanisms.

Keywords

This publication has 6 references indexed in Scilit:

Defining an adaptive software security metric from a dynamic software failure tolerance measure
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Predicting software's minimum-time-to-hazard and mean-time-to-hazard for rare input events
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2002
Property-based testing
ACM SIGSOFT Software Engineering Notes, 1997
Predicting how badly "good" software can behave
IEEE Software, 1997
An empirical study of the reliability of UNIX utilities
Communications of the ACM, 1990
The internet worm program: an analysis
ACM SIGCOMM Computer Communication Review, 1989