Periodic Reporting for period 2 - EAST (Using Evolutionary Algorithms to Understand and Secure Web/Enterprise Systems)
Período documentado: 2022-02-01 hasta 2023-07-31
With the EAST project, we aim to improve our understanding of the intrinsic characteristics of web/enterprise systems related to their security. We will achieve it by designing novel techniques that are able to scale to automatically generate test cases for large web/enterprise systems, and that can automatically find common types of security threats. This is a necessary stepping stone before reaching the high risk / high impact goal of designing testing systems that can adapt and learn, finding classes of security threats for which currently there is no automated solution due to the oracle-problem.
We will contribute towards this goal by constructing and studying classes of co-evolutionary algorithms that evolve in competition in separate populations of test cases for graphical user interfaces (e.g. web app GUIs) and direct network calls (e.g. HTTP). The tools and techniques developed in the EAST project will be instrumental to study and broaden our understanding of what kinds of security-related mistakes do developers make in practice, and why they are made.
All this work has been done in a single open-source tool, called EvoMaster (www.evomaster.org). So far, the project has already achieved significant practical results and shown scientific excellence. For example, an independent study comparing 10 different tools shows that our scientific work done in this project achieves the best results in the literature. Furthermore, our work has been used to test tens of industrial systems, with millions of lines of code, from our industrial partners, automatically finding thousands of faults. The tool itself has been downloaded more than 1700 times, at the time of this writing, showing an interest of practitioners in industry for this scientific work.
The work done so far has been focused on functional testing, providing the needed scaffolding to start to tackle the main scientific challenge of this project: security testing for classes of vulnerabilities for which there is no existing automated solution. Based on the success so far, there is a good chance of providing ground-breaking scientific results by the end of project.