On the Use of Fault Injection to Discover Security Vulnerabilities in Applications
On the Use of Fault Injection to Discover Security Vulnerabilities in Applications
Files
Publication or External Link
Date
2006-05-04
Authors
Sivaramakrishnan, Hariharan
Advisor
Cukier, Michel
Citation
DRUM DOI
Abstract
The advent of the Internet has enabled developers to write and share software components with each other more easily. Developers have become increasingly reliant on code other than their own for application development; code that is often not well tested, and lacking any kind of security review, thus exposing its consumers to security vulnerabilities. The goal of this thesis is to adapt existing techniques, and discover new approaches that can be used to discover security vulnerabilities in applications. We use fault injection in each of our techniques and define a set of criteria to evaluate these approaches. The hierarchy of approaches, starting from a black box and ending in a full white box approach, allows a security reviewer to choose a technique depending on the amount of information available about the application under review, time constraints, and extent of security analysis and confidence desired in the program.