Planning-Based Security Testing of the SSL/TLS Protocol

Josip Bozic, Kristoffer Kleine, Dimitris E. Simos, Franz Wotawa

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

With a growing amount of transferred data in an interconnected world, the insurance of a secure communication between two peers becomes a critical task in the software industry. A leak of critical data can cause tremendous costs in a financial, social but also political manner. For this sake, cryptographic protocols are implemented and regulate the data transfer, thus ensuring the safety of transferred data between two peers. The widespread security protocol SSL/TLS provides the mechanisms for this request, however, not without drawbacks since several security leaks have been identified up to now. Since vulnerabilities act as a starting point for a potential malicious action, the identification of such leaks is of highest priority. In this paper a novel testing approach is presented, which adapts planning for security testing of cryptographic protocols. The whole approach is implemented in one testing framework. Its purpose is to automatically test for known vulnerabilities in protocol implementations but to trigger other unintended behavior as well so eventually new security flaws can be identified. Additionally, the planning specification can be extended further so new testing possibilities can be generated. New test cases can be generated dynamically according to changing conditions.

Original language: English
Title of host publication: IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
Publication status: Published - 2017

Fingerprint

Planning
Testing
Insurance
Specifications
Defects

Cite this

Bozic, J., Kleine, K., Simos, D. E., & Wotawa, F. (2017). Planning-Based Security Testing of the SSL/TLS Protocol. In IEEE International Conference on Software Testing, Verification and Validation Workshops (ICSTW)
