Property-based testing of privileged programs

We address the problem of testing security-relevant software, especially privileged (typically setuid root) and daemon programs in UNIX. The problem is important , since it is these programs that are the source of most UNIX security aws. For some programs, such as the UNIX sendmail program, new security aws are still discovered, despite being in use for years. For special-purpose systems with fewer users, aws are likely to remain undiscovered for even longer. Our testing process is driven by speciications we create for the privileged programs. These speciications simultaneously deene the allowed behavior for these programs and identify problematic system calls, regions where the program is vulnerable, and generic security aws. The speciications serve three roles in our testing methodology: as criteria against which a program is sliced, as oracles against which it is tested, and as a basis for generating useful tests. Slicing is employed to signiicantly reduce the size of the program to be tested. We show that a slice of a privileged program (rdist) with respect to its security speciications is quite small. We introduce the Tester's Assistant, a collection of tools to mechanize the process of testing security-related C programs.