SynapseIndia Feedback on Security

Quality of Infrastructure Software

Part 2

Action Create architecture security analysis - 3

This analysis could also be conducted on

pre/post-test basis
Use an architecture re-construction technique
such as OAR1 to extract the as built
architecture from the implementation.
Compare to the as designed architecture to
determine if changes have occurred

Action Discover test patterns for security

Test patterns are solutions to testing

problems in context. They often

correspond to design patterns.
Test patterns are language independent
Content of a test pattern1
Problem - Description of pattern to be

tested
Context - Special testing conditions
Forces - What types of faults are we
looking for?
Solution - Test case selection strategy that
tests the interactions among the
components that implement the pattern
Example A sample implementation

Action Discover test patterns for security - 2

Problem: The synchronous communication

between two objects is modified to be

asynchronous by adding a callback object.
How should this be tested?
Client
Client

Client
Client
Callback
Callback

Server
Server

Server
Server

Action Discover test patterns for security - 3

Context

An intermediate object forwards messages

Forces

Possible to intermingle successive messages/responses

Temporal considerations must be added to the test case

Solution

Construct tests that exercise the callback in a variety of states

Construct multiple clients, submit multiple requests through

multiple callback objects

Build test cases that submit a second message prior to
receiving the response from the first message

Action Discover test patterns for security - 4

In this task, security vulnerabilities and

standard designs to correct them would

be studied.
The standard designs would lead to a
catalog of specific test patterns.
Users of the test patterns could
implement them in whatever language
was in use.
Deliverables: test pattern catalog

Task force identified security patterns

49 security patterns have been identified. Here are a few.

1. Make the Client Invisible
2. Target Programs That Write to
Privileged OS Resources
3. Use a User-Supplied
Configuration File to Run
Commands That Elevate
Privilege
4. Make Use of Configuration File
Search Paths
5. Direct Access to Executable
Files
6. Embedding Scripts within
Scripts
7. Leverage Executable Code in
Non-executable Files
8. Argument Injection
9. Command Delimiters
10. Multiple Parsers and Double
Escapes

11. User-Supplied Variable

Passed to File System Calls
12. Postfix NULL Terminator
13. Postfix, Null Terminate, and
Backslash
14. Relative Path Traversal
15. Client-Controlled
Environment Variables
16. User-Supplied Global
Variables (DEBUG=1, PHP
Globals, and So Forth)
17. Session ID, Resource ID, and
Blind Trust
18. Analog In-Band Switching
Signals (aka Blue Boxing)
19. Attack Pattern Fragment:
Manipulating Terminal Devices
20. Simple Script Injection

Security Across the Software Development Lifecycle Task Force

Action Develop focused test techniques - 1

Operational profiles

establish a relative
frequency of operations
for a particular type of
user or application.
Test cases are chosen
with the same relative
frequency to mimic
actual use or to mimic
attack scenarios.
This narrows the range
of values to cover in
test.

User

Operation

Relative
frequency

Op1

.2

User1 Op
2

.6

Op3

.2

Op1

.4

User2 Op
2

.3

Op3

.3

Action Develop focused test techniques - 2

Testing all possible values even once,

much less all possible combinations of

values, is usually impossible.
Combinatorial test designs can
systematically sample test values to
ensure the maximum coverage with
minimum test cases.
Orthogonal array testing is one
combinatorial approach.

OATS tool - 1

Three variables,

each with three

possible values,
would require 27
test cases for all
Database
combinations
driver
coverage.

JDBC1.0

JDBC2.0

ODBC1.0

browser

Netscape IE5.0

Firefox

# of web
servers

200

50

OATS tool - 2

OATS reduces this

to 9 test cases,
testing pair-wise
but remains
approximately 96%
as effective as all
combinations
coverage at finding
defects.

JDBC1.0

Netscape

200

JDBC1.0

IE5.0

50

JDBC1.0

FoxFire

JDBC2.0

Netscape

50

JDBC2.0

IE5.0

JDBC2.0

FoxFire

200

ODBC1.0

Netscape

ODBC1.0

IE5.0

200

ODBC1.0

FoxFire

50

Action Develop focused test techniques - 3

Pair-wise value combinations can reduce

the size of the test suite dramatically

These techniques have been applied in
domains such as telecommunications.
In this task we would develop an industrial
strength tool that allows the design of
combinatorial test suites.

Action Develop focused test techniques - 4

This technique is used in conjunction with traditional

functional and structural strategies for test case

selection.
Functional tests ensure that all specified functions are
correct and structural tests ensure that all feasible paths
are valid.
The result is confidence that the software does
everything it is supposed to and nothing that it Is not
supposed to.
Combinatorial techniques increase the coverage of large
software products without significant increases in test
effort.
This approach allows for risk-based test selections.
Deliverables: software tool that uses combinatorial
techniques and risk-based techniques to define effective
test cases.

Action Develop a security defect model for

scientific codes
If you just found the 73rd defect in your

50,000 LOC program, do you feel good

about it?
With a validated defect model you would at
least know how to feel.
You would know approximately how many
defects to expect and what types of defects
to look for.

Action Develop a security defect model for scientific

codes - 2

Using the relative

frequency and
estimated size,
estimates can be
made of the number
of defects and the
test case selection
process be more
precisely directed.

Security
defect type

Relative
frequency
per KLOC

Static queue
sizes

60%

HTTP cookies

30%
10%

Argument
injection

Total

100%

Action Develop a security defect model for scientific

codes - 3
In this task we would develop a defect model

framework for scientific codes using historic

data.
The framework would be packaged with a
specialization method for tailoring the
framework to a specific development context.
This would allow us to provide statistical
estimates of the number of defects remaining
in a software product and to provide a
confidence interval on statistics such as
reliability.
Deliverables: defect model

Conclusion
No
single action or algorithm will produce secure

software. There must be a chain of quality activities.

The outlined strategy places security quality gates
at several places in the software product
development life cycle.
Use Case Name:
Use:

Requirements

Domain
Expert

User:
Frequency:
See Also:

Use Case Modeling

Systems
Engineering

Class Name
Responsibility

Super Class
Collaborator

Requirements
model inspection
Domain
Analysis

Client
Analysis
model inspection

Incremental
Integration
and
System Testing

Class Specification

Application
Analysis
Class
Design

Class
Derivation

Class
Reuse

Use Case Name:

Use:
User:
Frequency:
See Also:

Implementation

Architectural
Design

Analysis model inspection

Co

ntr

olle
r

Application Use Cases

Refinement

Model
Testing
Class Delivery

Architecture
inspection
View

Class
Development

Cluster
design inspection

Conclusion - 2
Implementing any part of this strategy will

improve the security of the software products

produced.

Develop method engineering tactics and guidelines that

enhance the security quality of the software through

improved processes.
Structure architecture evaluation techniques to focus on
security by searching for static security patterns.
Discover and capture test patterns that correspond to
dynamic security patterns.
Instrument combinatorial test techniques to effectively
explore security test patterns while reducing the test suite
size.
Create a defect model for security that can be used to
predict types and number of security vulnerabilities in a
given product.