Testing for Security

Principal Investigator: Aditya P. Mathur

Research Assistant: W. K. Du

Sponsor: Microsoft

The goal of this project is to develop a methodology for testing software systems with the objective of discovering flaws that might lead to security breaches. We are currently experimenting with the "Environment Interaction Approach", hereafter referred to as EIA, whose prime objective is to test a software system for flaws that might lead to security breaches during operation. The approach consists of two major steps. In the first step we prepare a model of the various interactions between a software system and its environment. In the second step we use this model to systematize the process of testing those system-environment interactions. The end result of this process is (a) an assessment of the "completeness" of a test set with respect to the model, (b) a list of possible flaws in the software under test that might lead to security breaches, and (c) guidance on how the test set might be improved with respect to the model.
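As an added illustration (not part of the original report, and not the project's own tooling), the two steps above can be sketched in code: an interaction model lists the points where the program touches its environment, a test set records which points each test exercises and under what condition, and the comparison yields the three outputs named here. The interaction names, the three conditions and the "trusted" attribute are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Conditions every interaction point should be exercised under (assumed
# taxonomy for this example, not the EIA's own): the expected case, the
# case where the environment resource is absent, and a hostile value.
CONDITIONS = ("expected", "missing", "hostile")


@dataclass(frozen=True)
class InteractionPoint:
    name: str      # e.g. "env:PATH", "file:app.conf", "net:request"
    trusted: bool  # does the program treat this channel as trustworthy?


@dataclass
class TestCase:
    name: str
    exercised: dict  # point name -> condition this test drives it with


def assess(model, tests):
    """Compare a test set against the interaction model.

    Returns (completeness, flaws, guidance):
      completeness - fraction of (point, condition) pairs some test covers
      flaws        - points the program trusts but no test drives with hostile input
      guidance     - (point, condition) pairs still lacking a test
    """
    required = {(p.name, c) for p in model for c in CONDITIONS}
    covered = {(pt, cond) for t in tests for pt, cond in t.exercised.items()}
    completeness = len(covered & required) / len(required)
    flaws = sorted(p.name for p in model
                   if p.trusted and (p.name, "hostile") not in covered)
    guidance = sorted(required - covered)
    return completeness, flaws, guidance


# Constructed sample: three interaction points and a two-test suite.
MODEL = [
    InteractionPoint("env:PATH", trusted=True),
    InteractionPoint("file:app.conf", trusted=True),
    InteractionPoint("net:request", trusted=False),
]
TESTS = [
    TestCase("happy_path", {"env:PATH": "expected", "file:app.conf": "expected",
                            "net:request": "expected"}),
    TestCase("bad_request", {"net:request": "hostile"}),
]

if __name__ == "__main__":
    completeness, flaws, guidance = assess(MODEL, TESTS)
    print(f"completeness: {completeness:.2f}")      # 0.44
    print("possible flaws:", flaws)                 # trusted channels never tested hostile
    print("tests to add:", guidance)
```

The sample suite never feeds a hostile or missing value to the two channels the program trusts, so those surface as candidate flaws and as the concrete tests to add.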

Currently the EIA is being developed in collaboration with Microsoft. The approach itself grew out of our earlier work with the classification of security errors. A technical report that describes this work can be found under "Computer Security" at: http://serc.uoregon.edu/serc/

1998 Annual Research Report
Department of Computer Sciences