Model-Based Security Testing

Kyle Larsen, Microsoft Corporation

Preventing the release of exploitable software defects is critical for all applications. Traditional software testing approaches are insufficient, and generic tools are incapable of properly targeting your code. We need to detect these defects before going live, and we need a methodology for detection that is cost-efficient and practical. A model-based testing strategy can be applied directly to the security testing problem. Starting with very simple models, you can generate millions of relevant tests that can be executed in a matter of hours. Learn how to build and refine models to focus quickly on the defects that matter. Kyle Larsen shows you how to create a test oracle that can detect application-specific security defects: buffer overflows, uninitialized memory references, denial of service attacks, assertion failures, and memory leaks. Take back information on the advanced file "fuzzing" techniques Microsoft has used successfully.

  • How to build a model and adjust it to find security defects
  • Ways to apply the model-based techniques to any product
  • Microsoft's results using this methodology on shipping code

Upcoming Events

Jun 02
Sep 22
Oct 13
Apr 27