Project description
Automated test case generation to identify security threats
What security-related mistakes do software developers make and why do they make them? The answer to this will assist in forming a much-needed theoretical framework for the field of security testing, which identifies threats and measures vulnerabilities in software applications. The EU-funded EAST project will design new techniques that can be used to automatically generate test cases for large web/enterprise systems and that can find common types of security threats. Specifically, the tools and techniques developed in the EAST project will assist in studying and broadening our understanding of what kinds of security-related mistakes developers make in practice. Ultimately, it will contribute to software engineering, evolutionary computation and computer security, especially in developing breakthroughs in investigating the so-called oracle problem, which determines whether a test has passed or failed.
Objective
--------------------
With the EAST project, I aim to improve our understanding of the intrinsic characteristics of web/enterprise systems related to their security. I will achieve it by designing novel techniques that are able to scale to automatically generate test cases for large web/enterprise systems, and that can automatically find common types of security threats. This is a necessary stepping stone before reaching the high risk / high impact goal of designing testing systems that can adapt and learn, finding classes of security threats for which currently there is no automated solution due to the oracle-problem.
I will contribute towards this goal by constructing and studying classes of co-evolutionary algorithms that evolve in competition in separate populations of test cases for graphical user interfaces (e.g. web app GUIs) and direct network calls (e.g. HTTP).
The tools and techniques developed in the EAST project will be instrumental to study and broaden our understanding of what kinds of security-related mistakes do developers make in practice, and why they are made. Such scientific knowledge will be at the base to form a so much needed theoretical framework for the field of security testing.
The project will contribute to software engineering (insight in web/enterprise systems and automated methods for system testing), evolutionary computation (in particular co-evolutionary algorithms for the domain of software test generation), and computer security (in particular developing breakthroughs in investigating the so-called oracle-problem).
Fields of science
Programme(s)
Funding Scheme
ERC-COG - Consolidator GrantHost institution
0107 Oslo
Norway