Dimitris Simos (SBA Research), Rick Kuhn (NIST), Jeff Yu Lei (University of Texas at Arlington) and Raghu Kacker (NIST) give a tutorial on Combinatorial Security Testing at QRS 2016.
The tutorial comprises two parts, focusing on combinatorial testing methods and their application to security testing.
Abstract: Combinatorial methods have attracted attention as a means of providing strong assurance at reduced cost, but when are these methods practical and cost-effective? This tutorial comprises two parts. The first one explains the background, process, and tools available for combinatorial testing, with illustrations from industry experience with the method. The focus is on practical applications, including an industrial example of testing to meet FAA-required standards for life-critical software for commercial aviation. Other example applications include modeling and simulation, mobile devices, network configuration, and testing for a NASA spacecraft. It also discusses how to perform fault localization by leveraging the result of combinatorial testing.
The second part explains combinatorial testing-based techniques for effective security testing of software components and large-scale software systems. It will develop quality assurance and effective re-verification for security testing of web applications and testing of operating systems. It will further address how combinatorial testing can be applied to ensure proper error-handling of network security protocols and provide the theoretical guarantees for exciting Trojans injected in cryptographic hardware. Procedures and techniques, as well as workarounds, will be presented and captured as guidelines for a broader audience.
QRS 2016 takes place from August 1st to August 3rd in Vienna, Austria. QRS is organized by the University of Texas at Dallas and supported by Graz University of Technology and SBA Research.