TY - JOUR
T1 - AIM
T2 - Automated Input Set Minimization for Metamorphic Security Testing
AU - Chaleshtari, Nazanin Bayati
AU - Marquer, Yoann
AU - Pastore, Fabrizio
AU - Briand, Lionel C.
N1 - Publisher Copyright:
© 1976-2012 IEEE.
PY - 2024
Y1 - 2024
N2 - Although the security testing of Web systems can be automated by generating crafted inputs, solutions to automate the test oracle, i.e., vulnerability detection, remain difficult to apply in practice. Specifically, though previous work has demonstrated the potential of metamorphic testing - security failures can be determined by metamorphic relations that turn valid inputs into malicious inputs - metamorphic relations are typically executed on a large set of inputs, which is time-consuming and thus makes metamorphic testing impractical. We propose AIM, an approach that automatically selects inputs to reduce testing costs while preserving vulnerability detection capabilities. AIM includes a clustering-based black-box approach, to identify similar inputs based on their security properties. It also relies on a novel genetic algorithm to efficiently select diverse inputs while minimizing their total cost. Further, it contains a problem-reduction component to reduce the search space and speed up the minimization process. We evaluated the effectiveness of AIM on two well-known Web systems, Jenkins and Joomla, with documented vulnerabilities. We compared AIM's results with four baselines involving standard search approaches. Overall, AIM reduced metamorphic testing time by 84% for Jenkins and 82% for Joomla, while preserving the same level of vulnerability detection. Furthermore, AIM significantly outperformed all the considered baselines regarding vulnerability coverage.
AB - Although the security testing of Web systems can be automated by generating crafted inputs, solutions to automate the test oracle, i.e., vulnerability detection, remain difficult to apply in practice. Specifically, though previous work has demonstrated the potential of metamorphic testing - security failures can be determined by metamorphic relations that turn valid inputs into malicious inputs - metamorphic relations are typically executed on a large set of inputs, which is time-consuming and thus makes metamorphic testing impractical. We propose AIM, an approach that automatically selects inputs to reduce testing costs while preserving vulnerability detection capabilities. AIM includes a clustering-based black-box approach, to identify similar inputs based on their security properties. It also relies on a novel genetic algorithm to efficiently select diverse inputs while minimizing their total cost. Further, it contains a problem-reduction component to reduce the search space and speed up the minimization process. We evaluated the effectiveness of AIM on two well-known Web systems, Jenkins and Joomla, with documented vulnerabilities. We compared AIM's results with four baselines involving standard search approaches. Overall, AIM reduced metamorphic testing time by 84% for Jenkins and 82% for Joomla, while preserving the same level of vulnerability detection. Furthermore, AIM significantly outperformed all the considered baselines regarding vulnerability coverage.
KW - System security testing
KW - many-objective search
KW - metamorphic testing
KW - test suite minimization
UR - http://www.scopus.com/inward/record.url?scp=85208237785&partnerID=8YFLogxK
U2 - 10.1109/TSE.2024.3488525
DO - 10.1109/TSE.2024.3488525
M3 - Article
AN - SCOPUS:85208237785
SN - 0098-5589
VL - 50
SP - 3403
EP - 3434
JO - IEEE Transactions on Software Engineering
JF - IEEE Transactions on Software Engineering
IS - 12
ER -