Combinatorial
testing provides more efficient software assurance across a variety of
application domains. One of the most important today is
cybersecurity. We are developing tools for using
combinatorial methods in cybersecurity testing, and demonstrating their
effectiveness. Below are some
of the research areas we're working on now.
Papers on this work can
also be found on the top-level page publication list.
- Access
control policy testing - tools to specify security policies, then
automatically generate tests for conformance to the policies.
Full tests are generated, with both input values and expected
results, not just test data. More details here: Access
Control Policy Test (ACPT) tool.
- Buffer
overflow detection methods - our research, and others, shows that a
small number of parameters are involved in software failures.
For buffer overflows, more than 90% of vulnerabilities appear
to be caused by a single parameter, and the rest by two or three
parameters interacting (based on review of more than 3,000 reports in
the National Vulnerability Database).
- Network security - we have demonstrated
the effectiveness of combinatorial methods with a network simulator to
detect configurations that produce deadlock, useful for defending a
network against attacks that attempt to force the network into a
deadlock configuration that results in denial of service.
If you'd
like to find out more on any of these topics, please
email me: kuhn@nist.gov.
People
Rick Kuhn - NIST
Vincent Hu - NIST
Tao Xie - North Carolina State University
|