Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
110 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
44 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

AIM: Automated Input Set Minimization for Metamorphic Security Testing (2402.10773v4)

Published 16 Feb 2024 in cs.CR and cs.SE

Abstract: Although the security testing of Web systems can be automated by generating crafted inputs, solutions to automate the test oracle, i.e., vulnerability detection, remain difficult to apply in practice. Specifically, though previous work has demonstrated the potential of metamorphic testing, security failures can be determined by metamorphic relations that turn valid inputs into malicious inputs, metamorphic relations are typically executed on a large set of inputs, which is time-consuming and thus makes metamorphic testing impractical. We propose AIM, an approach that automatically selects inputs to reduce testing costs while preserving vulnerability detection capabilities. AIM includes a clustering-based black-box approach, to identify similar inputs based on their security properties. It also relies on a novel genetic algorithm to efficiently select diverse inputs while minimizing their total cost. Further, it contains a problem-reduction component to reduce the search space and speed up the minimization process. We evaluated the effectiveness of AIM on two well-known Web systems, Jenkins and Joomla, with documented vulnerabilities. We compared AIM's results with four baselines involving standard search approaches. Overall, AIM reduced metamorphic testing time by 84% for Jenkins and 82% for Joomla, while preserving the same level of vulnerability detection. Furthermore, AIM significantly outperformed all the considered baselines regarding vulnerability coverage.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (70)
  1. Paul Ammann and Jeff Offutt. 2016. Introduction to Software Testing. Cambridge University Press, Cambridge.
  2. Andrea Arcuri. 2010. It Does Matter How You Normalise the Branch Distance in Search Based Software Testing. In Third International Conference on Software Testing, Verification and Validation. IEEE, Paris, France, 205–214. https://doi.org/10.1109/ICST.2010.17
  3. Andrea Arcuri and Lionel Briand. 2014. A Hitchhiker’s Guide to Statistical Tests for Assessing Randomized Algorithms in Software Engineering. Softw. Test. Verif. Reliab. 24, 3 (may 2014), 219–250. https://doi.org/10.1002/stvr.1486
  4. Automated Extraction and Clustering of Requirements Glossary Terms. IEEE Transactions on Software Engineering 43, 10 (2017), 918–945. https://doi.org/10.1109/TSE.2016.2635134
  5. Black-Box Safety Analysis and Retraining of DNNs Based on Feature Extraction and Clustering. ACM Trans. Softw. Eng. Methodol. 32, 3, Article 79 (apr 2023), 40 pages. https://doi.org/10.1145/3550271
  6. DNN Explanation for Safety Analysis: an Empirical Evaluation of Clustering-based Approaches. arXive (2023). https://doi.org/arXiv:2301.13506
  7. Generating Metamorphic Relations for Cyber-Physical Systems with Genetic Programming: An Industrial Case Study. In Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Athens, Greece) (ESEC/FSE 2021). Association for Computing Machinery, New York, NY, USA, 1264–1274. https://doi.org/10.1145/3468264.3473920
  8. The Oracle Problem in Software Testing: A Survey. IEEE Transactions on Software Engineering 41, 5 (2015), 507–525. https://doi.org/10.1109/TSE.2014.2372785
  9. String matching with metric trees using an approximate distance. In String Processing and Information Retrieval: 9th International Symposium, SPIRE 2002 Lisbon, Portugal, September 11–13, 2002 Proceedings 9. Springer, Berlin, Heidelberg, 271–283.
  10. The impact of source test case selection on the effectiveness of metamorphic testing. In Proceedings of the 1st International Workshop on Metamorphic Testing (Austin, Texas) (MET ’16). Association for Computing Machinery, New York, NY, USA, 5–11. https://doi.org/10.1145/2896971.2896977
  11. Metamorphic Testing for Web System Security. IEEE Transactions on Software Engineering 49, 6 (2023), 3430–3471. https://doi.org/10.1109/TSE.2023.3256322
  12. Diversity-based web test generation. In Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering (Tallinn, Estonia) (ESEC/FSE 2019). Association for Computing Machinery, New York, NY, USA, 142–153. https://doi.org/10.1145/3338906.3338970
  13. MeMo: Automatically identifying metamorphic relations in Javadoc comments for test automation. Journal of Systems and Software 181 (2021), 111041. https://doi.org/10.1016/j.jss.2021.111041
  14. Replicability package. Our subject systems, experimental data and AIM prototype will be made available upon acceptance of the paper.
  15. Replicability package. https://doi.org/10.5281/zenodo.7702754.
  16. Metamorphic Testing: A Review of Challenges and Opportunities. ACM Comput. Surv. 51, 1, Article 4 (jan 2018), 27 pages. https://doi.org/10.1145/3143561
  17. METRIC: METamorphic Relation Identification based on the Category-choice framework. Journal of Systems and Software 116 (2016), 177–190. https://doi.org/10.1016/j.jss.2015.07.037
  18. Kalyanmoy Deb and Himanshu Jain. 2014. An Evolutionary Many-Objective Optimization Algorithm Using Reference-Point-Based Nondominated Sorting Approach, Part I: Solving Problems With Box Constraints. IEEE Transactions on Evolutionary Computation 18, 4 (Aug 2014), 577–601. https://doi.org/10.1109/TEVC.2013.2281535
  19. A fast and elitist multiobjective genetic algorithm: NSGA-II. IEEE Transactions on Evolutionary Computation 6, 2 (April 2002), 182–197. https://doi.org/10.1109/4235.996017
  20. Eclipse Foundation. 2018. Jenkins CI/CD server. https://jenkins.io/.
  21. A density-based algorithm for discovering clusters in large spatial databases with noise. In Proceedings of the Second International Conference on Knowledge Discovery and Data Mining (KDD’96). AAAI Press, Portland, Oregon, 226–231.
  22. Gordon Fraser and Andrea Arcuri. 2011. EvoSuite: Automatic Test Suite Generation for Object-Oriented Software. In Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (Szeged, Hungary) (ESEC/FSE ’11). Association for Computing Machinery, New York, NY, USA, 416–419. https://doi.org/10.1145/2025113.2025179
  23. Gordon Fraser and Andrea Arcuri. 2013a. Whole Test Suite Generation. IEEE Transactions on Software Engineering 39, 2 (Feb 2013), 276–291. https://doi.org/10.1109/TSE.2012.14
  24. Gordon Fraser and Andrea Arcuri. 2013b. Whole Test Suite Generation. IEEE Trans. Softw. Eng. 39, 2 (feb 2013), 276–291. https://doi.org/10.1109/TSE.2012.14
  25. Marshall Jr. Hall. 1959. The Theory of Groups. MacMillan, USA.
  26. Achieving scalable model-based testing through test case diversity. ACM Transactions on Software Engineering and Methodology (TOSEM) 22, 1 (2013), 1–42.
  27. W.E. Howden. 1978. Theoretical and Empirical Studies of Program Testing. IEEE Transactions on Software Engineering SE-4, 4 (July 1978), 293–298. https://doi.org/10.1109/TSE.1978.231514
  28. MT-ART: A Test Case Generation Method Based on Adaptive Random Testing and Metamorphic Relation. IEEE Transactions on Reliability 70, 4 (Dec 2021), 1397–1421. https://doi.org/10.1109/TR.2021.3106389
  29. Himanshu Jain and Kalyanmoy Deb. 2014. An Evolutionary Many-Objective Optimization Algorithm Using Reference-Point Based Nondominated Sorting Approach, Part II: Handling Constraints and Extending to an Adaptive Approach. IEEE Transactions on Evolutionary Computation 18, 4 (Aug 2014), 602–622. https://doi.org/10.1109/TEVC.2013.2281534
  30. Joomla. 2018. Joomla, https://www.joomla.org/.
  31. SPEA2+: Improving the Performance of the Strength Pareto Evolutionary Algorithm 2. In Parallel Problem Solving from Nature - PPSN VIII, Xin Yao, Edmund K. Burke, José A. Lozano, Jim Smith, Juan Julián Merelo-Guervós, John A. Bullinaria, Jonathan E. Rowe, Peter Tiňo, Ata Kabán, and Hans-Paul Schwefel (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 742–751.
  32. Robust Statistical Methods for Empirical Software Engineering. Empirical Softw. Engg. 22, 2 (apr 2017), 579–630. https://doi.org/10.1007/s10664-016-9437-5
  33. Bernhard Korte and Rainer Schrader. 1981. On the Existence of Fast Approximation Schemes. In Nonlinear Programming 4, Olvi L. Mangasarian, Robert R. Meyer, and Stephen M. Robinson (Eds.). Academic Press, Madison, Wisconsin, 415–437. https://doi.org/10.1016/B978-0-12-468662-5.50020-3
  34. Many-Objective Evolutionary Algorithms: A Survey. ACM Comput. Surv. 48, 1, Article 13 (sep 2015), 35 pages. https://doi.org/10.1145/2792984
  35. Search Algorithms for Regression Test Case Prioritization. IEEE Transactions on Software Engineering 33, 4 (April 2007), 225–237. https://doi.org/10.1109/TSE.2007.38
  36. Modeling Security and Privacy Requirements: a Use Case-Driven Approach. Information and Software Technology 100 (2018), 165–182. https://doi.org/10.1016/j.infsof.2018.04.007
  37. A Natural Language Programming Approach for Requirements-Based Security Testing. 2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE) (2018), 58–69. https://api.semanticscholar.org/CorpusID:53711718
  38. Metamorphic Security Testing for Web Systems. 2020 IEEE 13th International Conference on Software Testing, Validation and Verification (ICST) (2019), 186–197. https://api.semanticscholar.org/CorpusID:209202564
  39. hdbscan: Hierarchical density based clustering. Journal of Open Source Software 2, 11 (2017), 205. https://doi.org/10.21105/joss.00205
  40. Sérgio Mergen. 2022. Extending the Bag Distance for String Similarity Search. SN Comput. Sci. 4, 2 (dec 2022), 15 pages. https://doi.org/10.1007/s42979-022-01502-5
  41. MITRE. [n. d.]. CWE-286: Incorrect User Management. MITRE. https://cwe.mitre.org/data/definitions/286.html
  42. MITRE. [n. d.]. CWE-863: Incorrect Authorization. https://cwe.mitre.org/data/definitions/863.html.
  43. MITRE. [n. d.]. CWE VIEW: Architectural Concepts. MITRE. https://cwe.mitre.org/data/definitions/1008.html
  44. MITRE. 2018a. CVE-2018-1000406, concerns CWE-276. MITRE. Retrieved 2018-11-22 from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000406
  45. MITRE. 2018b. CVE-2018-1000409, concerns OTG-SESS-003. MITRE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999003
  46. MITRE. 2018c. CVE-2018-11327, concerns CWE-200. MITRE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11327
  47. MITRE. 2018d. CVE-2018-17857, concerns CWE-200. MITRE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17857
  48. MITRE. 2018e. CVE-2018-1999003, concerns OTG-AUTHZ-002. MITRE. Retrieved 2018-11-22 from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999003
  49. MITRE. 2018f. CVE-2018-1999004, concerns OTG-AUTHZ-002. MITRE. Retrieved 2018-11-22 from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999004
  50. MITRE. 2018g. CVE-2018-1999006, concerns CWE-138. MITRE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999006
  51. MITRE. 2018h. CVE-2018-1999046, concerns OTG-AUTHZ-002. MITRE. Retrieved 2018-11-22 from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1999046
  52. MITRE. 2020. CVE-2020-2162, concerns OTG-INPVAL-003. MITRE. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2162
  53. OWASP. 2023. Open Web Application Security Project. OWASP Foundation. https://www.owasp.org/
  54. Reformulating Branch Coverage as a Many-Objective Optimization Problem. In 2015 IEEE 8th International Conference on Software Testing, Verification and Validation (ICST). IEEE, Graz, Austria, 1–10. https://doi.org/10.1109/ICST.2015.7102604
  55. Prashanta Saha and Upulee Kanewala. 2018. Fault detection effectiveness of source test case generation strategies for metamorphic testing. In Proceedings of the 3rd International Workshop on Metamorphic Testing (Gothenburg, Sweden) (MET ’18). Association for Computing Machinery, New York, NY, USA, 2–9. https://doi.org/10.1145/3193977.3193982
  56. Automated Generation of Metamorphic Relations for Query-Based Systems. In Proceedings of the 7th International Workshop on Metamorphic Testing (Pittsburgh, Pennsylvania) (MET ’22). Association for Computing Machinery, New York, NY, USA, 48–55. https://doi.org/10.1145/3524846.3527338
  57. A Survey on Metamorphic Testing. IEEE Transactions on Software Engineering 42, 9 (Sep. 2016), 805–824. https://doi.org/10.1109/TSE.2016.2532875
  58. Selenium 2018. Selenium Web Testing Framework, https://www.seleniumhq.org/. Selenium.
  59. Feedback-Directed Metamorphic Testing. ACM Trans. Softw. Eng. Methodol. 32, 1, Article 20 (feb 2023), 34 pages. https://doi.org/10.1145/3533314
  60. METRIC+{}^{+}start_FLOATSUPERSCRIPT + end_FLOATSUPERSCRIPT+: A Metamorphic Relation Identification Technique Based on Input Plus Output Domains. IEEE Transactions on Software Engineering 47, 9 (2021), 1764–1785. https://doi.org/10.1109/TSE.2019.2934848
  61. Path-directed source test case generation and prioritization in metamorphic testing. Journal of Systems and Software 183 (2022), 111091. https://doi.org/10.1016/j.jss.2021.111091
  62. Harnessing Multiple Source Test Cases in Metamorphic Testing: A Case Study in Bioinformatics. In 2017 IEEE/ACM 2nd International Workshop on Metamorphic Testing (MET). IEEE, Buenos Aires, Argentina, 10–13. https://doi.org/10.1109/MET.2017.4
  63. Search-driven string constraint solving for vulnerability detection. In 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE). IEEE, Buenos Aires, Argentina, 198–208.
  64. András Vargha and Harold D. Delaney. 2000. A Critique and Improvement of the CL Common Language Effect Size Statistics of McGraw and Wong. Journal of Educational and Behavioral Statistics 25, 2 (2000), 101–132. https://doi.org/10.3102/10769986025002101 arXiv:https://doi.org/10.3102/10769986025002101
  65. Experimentation in Software Engineering. Springer Publishing Company, Incorporated, Heidelberg, Germany.
  66. Automatic Discovery and Cleansing of Numerical Metamorphic Relations. In 2019 IEEE International Conference on Software Maintenance and Evolution (ICSME). IEEE, Cleveland, USA, 235–245. https://doi.org/10.1109/ICSME.2019.00035
  67. Validating class integration test order generation systems with Metamorphic Testing. Information and Software Technology 132 (2021), 106507. https://doi.org/10.1016/j.infsof.2020.106507
  68. Research on string similarity algorithm based on Levenshtein Distance. In 2017 IEEE 2nd Advanced Information Technology, Electronic and Automation Control Conference (IAEAC). IEEE, Chongqing, China, 2247–2251. https://doi.org/10.1109/IAEAC.2017.8054419
  69. Using Metamorphic Testing to Evaluate DNN Coverage Criteria. In 2020 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW). IEEE, Coimbra, Portugal, 147–148. https://doi.org/10.1109/ISSREW51248.2020.00055
  70. SPEA2: Improving the Strength Pareto Evolutionary Algorithm. Technical Report 103. Computer Engineering and Communication Networks Lab (TIK), Swiss Federal Institute of Technology (ETH), Zurich.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (4)
  1. Nazanin Bayati Chaleshtari (2 papers)
  2. Yoann Marquer (4 papers)
  3. Fabrizio Pastore (27 papers)
  4. Lionel C. Briand (29 papers)

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets