Test and Diagnostics
نویسندگان
چکیده
Multiple techniques and tools, including static analysis and testing, should be used for software assurance. Fuzz testing is one such technique that can be effective for finding security vulnerabilities. In contrast with traditional testing, fuzz testing only monitors the program for crashes or other undesirable behavior. This makes it feasible to run a very large number of test cases. This article describes fuzz testing, its strengths and limitations, and an example of its application for detecting the Heartbleed bug. Fuzz Testing for Software Assurance Fuzz Testing and its Role for Software Assurance Software assurance is level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its life cycle and that the software functions in the intended manner [1]. Multiple techniques and tools should be used for software assurance. Static analysis tools examine code for weaknesses without executing it. On the other hand, testing evaluates a program by executing it with test inputs and then compares the outputs with expected outputs. Both static analysis and testing have a place in the software development life cycle. Positive testing checks whether a program behaves as expected when provided with valid input. On the other hand, negative testing checks program behavior by providing invalid data as input. Due to time constraints, negative testing is often excluded from the software development life cycle. This may allow vulnerabilities to persist long after release and be exploited by hackers. Fuzz testing is a type of negative testing that is conceptually simple and does not have a big learning curve. Fuzz testing, or fuzzing, is a software testing technique that involves providing invalid, unexpected, or random test inputs to the software system under test. The system is then monitored for crashes and other undesirable behavior [2]. The first fuzzing tool simply provided random inputs to about 90 UNIX utility programs [3]. Surprisingly, this simple approach led to crashes or hangs (never-ending execution) for a substantial proportion of the programs (25 to 33%). Fuzz testing has been used to find many vulnerabilities in popular real-life software. For example, a significant proportion of recent vulnerabilities in Wireshark (http://www.wireshark.org), a network protocol analyzer, were found by fuzzing. Large organizations are taking note. For example, Microsoft includes fuzz testing as part of its Security Development Lifecycle (http:// www.microsoft.com/security/sdl/default.aspx). A fuzzing tool, or fuzzer, consists of several components and a fuzzing process involves several steps [4]. First, a generator produces test inputs. Second, the test inputs are delivered to the system under test. The delivery mechanism depends on the type of input that the system processes. For example, a delivery mechanism for a command-line application is different from one for a web application. Third, the system under test is monitored for crashes and other basic undesirable behavior. Strengths and Limitations of Fuzz Testing Fuzz testing is conceptually simple and may offer a high benefit-to-cost ratio. In traditional testing, each test case consists of an input and the expected output, perhaps supplied by an oracle. The output of the program is compared to the expected output to see whether the test is passed or failed. In the absence of executable specifications or a test oracle (e.g. a reference implementation or checking procedure), finding the expected output for a lot of test cases can be costly. In contrast, fuzz testing only monitors the program for crashes or other undesirable behavior. This makes it feasible to run hundreds of thousands or millions of test cases.
منابع مشابه
Characterization of the BHK-21C5 Cell line and Its Introduction for use in Research, Diagnostics and Production of Biological Products
Background and Objectives: Several studies have been carried out on the use of cell lines in researches, production and processing of drugs and biological products, and on the identification of toxicity and efficacy.The present study was conducted to determine the characteristics of BHK-21 cell lines as a suitable substrate for use in vaccine production and quality control, viral culture and re...
متن کاملSclerosing Sertoli Cell Tumor of the Testis: Case Report and Review of the Literature
Sertoli cell tumors of the testis are extremely rare tumors with a heterogeneous pathology. Three histological variants have been described: Sertoli cell tumor not otherwise specified (NOS), large cell calcifying sertoli cell tumor and the Sclerosing Sertoli cell tumor. The sclerosing Sertoli cell tumor described herein is associated with prominent stromal sclerosis. They present as painless...
متن کاملFlorid Adnexal Polypoid Endometriosis Associated with Very High Serum Ca - 125 Levels Mimicking Ovarian Malignancy
We report a case of florid polypoid endometriosis presenting with advanced bulky disease in pelvis with serum CA – 125 levels of 7844U/ml. The extent of tumor, CT scan findings, elevated serum CA – 125 levels were suggestive of ovarian malignancy. Histopathology demonstrated endometrial glands and stroma. Glands were neither crowded nor complex and were separated by a fibromatous stroma that co...
متن کاملSystematic integrated approach to quantifying preventive diagnostics in a “smart” transport system
One of the main tasks facing all European countries for the next few years is the creation of the most dynamically organized transport sector. The constant passenger and freight traffic lead to congestions and pollutions at the transport highways, having negative impact on a person. Thus, introduction of new technologies, addressing the interrelated problems of optimizing transport flows and im...
متن کاملProtective Role of Hypothermia Against Heat Stress in Differentiated and Undifferentiated Human Neural Precursor Cells: A Differential Approach for the Treatment of Traumatic Brain Injury
Introduction: The present study aimed to explore protective mechanisms of hypothermia against mild cold and heat stress on highly proliferative homogeneous human Neural Precursor Cells (NPCs) derived from Subventricular Zone (SVZ) of human fetal brain. Methods: CD133+ve enriched undifferentiated and differentiated human NPCs were exposed to heat stress at 42°C. Then, Western-blot qua...
متن کاملSelf-Starting Control Chart and Post Signal Diagnostics for Monitoring Project Earned Value Management Indices
Earned value management (EVM) is a well-known approach in a project control system which uses some indices to track schedule and cost performance of a project. In this paper, a new statistical framework based on self-starting monitoring and change point estimation is proposed to monitor correlated EVM indices which are usually auto-correlated over time and non-normally distributed. Also, a new ...
متن کامل