Towards Security-aware Mutation Testing

Thomas Loise; Xavier Devroey; Gilles Perrouin; Mike Papadakis; Patrick Heymans

doi:10.1109/icstw.2017.24

Towards Security-aware Mutation Testing

Thomas Loise, Xavier Devroey, Gilles Perrouin, Mike Papadakis, Patrick Heymans

Research output: Contribution in Book/Catalog/Report/Conference proceeding › Conference contribution

90 Downloads (Pure)

Abstract

Mutation analysis forms a popular software analysis technique that has been demonstrated to be useful in supporting multiple software engineering activities. Yet, the use of mutation analysis in tackling security issues has received little attention. In view of this, we design security aware mutation operators to support mutation analysis. Using a known set of common security vulnerability patterns, we introduce 15 security-aware mutation operators for Java. We then implement them in the PIT mutation engine and evaluate them. Our preliminary results demonstrate that standard PIT operators are unlikely to introduce vulnerabilities similar to ours. We also show that our security-aware mutation operators are indeed applicable and prevalent on open source projects, providing evidence that mutation analysis can support security testing activities.

Original language	English
Title of host publication	Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017
Subtitle of host publication	Mutation 2017
Publisher	IEEE
Pages	97-102
Number of pages	6
ISBN (Electronic)	9781509066766
DOIs	https://doi.org/10.1109/icstw.2017.24
Publication status	Published - 13 Mar 2017
Event	12th International Workshop on Mutation Analysis (Mutation 2017) - Tokyo, Japan Duration: 13 Mar 2017 → 13 Mar 2017 Conference number: 12 https://sites.google.com/site/mutation2017/

Publication series

Name	Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017

Scientific committee

Scientific committee	12th International Workshop on Mutation Analysis (Mutation 2017)
Abbreviated title	Mutation 2017
Country/Territory	Japan
City	Tokyo
Period	13/03/17 → 13/03/17
Internet address	https://sites.google.com/site/mutation2017/

Keywords

mutation analysis
mutation operators
security testing
PIT
FindBugs
Security Testing
Mutation operators
Mutation analysis

Access to Document

10.1109/icstw.2017.24

Mutation2017
IEEE Copyright Notice © 2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript, 135 KBLicence: Other

Cite this

Loise, T., Devroey, X., Perrouin, G., Papadakis, M., & Heymans, P. (2017). Towards Security-aware Mutation Testing. In Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017: Mutation 2017 (pp. 97-102). Article 7899041 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017). IEEE. https://doi.org/10.1109/icstw.2017.24

Loise, Thomas ; Devroey, Xavier ; Perrouin, Gilles et al. / Towards Security-aware Mutation Testing. Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017: Mutation 2017. IEEE, 2017. pp. 97-102 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017).

@inproceedings{c4a7f023d7a348b0a221898cc862d0f0,

title = "Towards Security-aware Mutation Testing",

abstract = "Mutation analysis forms a popular software analysis technique that has been demonstrated to be useful in supporting multiple software engineering activities. Yet, the use of mutation analysis in tackling security issues has received little attention. In view of this, we design security aware mutation operators to support mutation analysis. Using a known set of common security vulnerability patterns, we introduce 15 security-aware mutation operators for Java. We then implement them in the PIT mutation engine and evaluate them. Our preliminary results demonstrate that standard PIT operators are unlikely to introduce vulnerabilities similar to ours. We also show that our security-aware mutation operators are indeed applicable and prevalent on open source projects, providing evidence that mutation analysis can support security testing activities. ",

keywords = "mutation analysis, mutation operators, security testing, PIT, FindBugs, Security Testing, Mutation operators, Mutation analysis",

author = "Thomas Loise and Xavier Devroey and Gilles Perrouin and Mike Papadakis and Patrick Heymans",

note = "Publisher Copyright: {\textcopyright} 2017 IEEE. Copyright: Copyright 2017 Elsevier B.V., All rights reserved.; 12th International Workshop on Mutation Analysis (Mutation 2017), Mutation 2017 ; Conference date: 13-03-2017 Through 13-03-2017",

year = "2017",

month = mar,

day = "13",

doi = "10.1109/icstw.2017.24",

language = "English",

series = "Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017",

publisher = "IEEE",

pages = "97--102",

booktitle = "Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017",

url = "https://sites.google.com/site/mutation2017/",

}

Loise, T, Devroey, X , Perrouin, G, Papadakis, M & Heymans, P 2017, Towards Security-aware Mutation Testing. in Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017: Mutation 2017., 7899041, Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017, IEEE, pp. 97-102, 12th International Workshop on Mutation Analysis (Mutation 2017), Tokyo, Japan, 13/03/17. https://doi.org/10.1109/icstw.2017.24

Towards Security-aware Mutation Testing. / Loise, Thomas; Devroey, Xavier ; Perrouin, Gilles et al.
Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017: Mutation 2017. IEEE, 2017. p. 97-102 7899041 (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017).

Research output: Contribution in Book/Catalog/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Towards Security-aware Mutation Testing

AU - Loise, Thomas

AU - Devroey, Xavier

AU - Perrouin, Gilles

AU - Papadakis, Mike

AU - Heymans, Patrick

N1 - Conference code: 12

PY - 2017/3/13

Y1 - 2017/3/13

N2 - Mutation analysis forms a popular software analysis technique that has been demonstrated to be useful in supporting multiple software engineering activities. Yet, the use of mutation analysis in tackling security issues has received little attention. In view of this, we design security aware mutation operators to support mutation analysis. Using a known set of common security vulnerability patterns, we introduce 15 security-aware mutation operators for Java. We then implement them in the PIT mutation engine and evaluate them. Our preliminary results demonstrate that standard PIT operators are unlikely to introduce vulnerabilities similar to ours. We also show that our security-aware mutation operators are indeed applicable and prevalent on open source projects, providing evidence that mutation analysis can support security testing activities.

AB - Mutation analysis forms a popular software analysis technique that has been demonstrated to be useful in supporting multiple software engineering activities. Yet, the use of mutation analysis in tackling security issues has received little attention. In view of this, we design security aware mutation operators to support mutation analysis. Using a known set of common security vulnerability patterns, we introduce 15 security-aware mutation operators for Java. We then implement them in the PIT mutation engine and evaluate them. Our preliminary results demonstrate that standard PIT operators are unlikely to introduce vulnerabilities similar to ours. We also show that our security-aware mutation operators are indeed applicable and prevalent on open source projects, providing evidence that mutation analysis can support security testing activities.

KW - mutation analysis

KW - mutation operators

KW - security testing

KW - PIT

KW - FindBugs

KW - Security Testing

KW - Mutation operators

KW - Mutation analysis

UR - http://www.scopus.com/inward/record.url?scp=85018446786&partnerID=8YFLogxK

U2 - 10.1109/icstw.2017.24

DO - 10.1109/icstw.2017.24

M3 - Conference contribution

T3 - Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017

SP - 97

EP - 102

BT - Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017

PB - IEEE

T2 - 12th International Workshop on Mutation Analysis (Mutation 2017)

Y2 - 13 March 2017 through 13 March 2017

ER -

Loise T, Devroey X , Perrouin G, Papadakis M, Heymans P. Towards Security-aware Mutation Testing. In Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017: Mutation 2017. IEEE. 2017. p. 97-102. 7899041. (Proceedings - 10th IEEE International Conference on Software Testing, Verification and Validation Workshops, ICSTW 2017). doi: 10.1109/icstw.2017.24

Towards Security-aware Mutation Testing

Abstract

Publication series

Scientific committee

Keywords

Access to Document

Other files and links

Fingerprint

Thesis-X-Devroey: Behavioural Model Based Testing of Software Product Lines

Cite this

Towards Security-aware Mutation Testing

Abstract

Publication series

Scientific committee

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Thesis-X-Devroey: Behavioural Model Based Testing of Software Product Lines

Cite this