Towards Analyzing Security-Critical Software During Development

We describe an approach and tool for analyzing the vulnerability of software applications to anomalous events and malicious threats during software development. Traditionally, security analysis has been applied at the network system level, after release, using tiger team approaches. After a successful tiger team penetration, speciic system vulnerabilities are patched. We make a case for applying software engineering analysis techniques that have proven successful in the software safety arena to security-critical software code. This work is based on the generally held belief that a large proportion of security violations result from errors introduced during software development. Our methodology employs software fault injection and automatic input generation to force anomalous program states while a piece of software is executing, in order to determine where it is most vulnerable. A software developer or security analyst can specify what constitutes a security policy violation for the software application under analysis by placing assertion functions in the code. Statistical estimates of the vulnerability (or conversely the security) of the software application are generated through repeated execution of the in-strumented application. These measures provide a simple and useful metric that can be used to compare the relative security of diierent releases of a given application. We present early results of applying our working prototype to security-critical Web applications. Abstract We describe an approach and tool for analyzing the vulnerability of software applications to anomalous events and malicious threats during software development. Traditionally, security analysis has been applied at the network system level, after release, using tiger team approaches. After a successful tiger team penetration, speciic system vulnerabilities are patched. We make a case for applying software engineering analysis techniques that have proven successful in the software safety arena to security-critical software code. This work is based on the generally held belief that a large proportion of security violations result from errors introduced during software development. Our methodology employs software fault injection and automatic input generation to force anomalous program states while a piece of software is executing, in order to determine where it is most vulnerable. A software developer or security analyst can specify what constitutes a security policy violation for the software application under analysis by placing assertion functions in the code. Statistical estimates of the vulnerability (or conversely the security) of the software application are generated through repeated execution of the in-strumented application. These measures provide a simple and useful metric that can …