Security Protocol Interaction Testing in Practice

The SPLIT project applied methods from the field of combinatorial (interaction) testing and model-based testing with the aim of providing quality assurance to software security protocols. The project thus made a significant contribution towards protecting the information of communicating parties in a digitally connected society.

Project Outline & Findings

In the SPLIT project, we presented a novel methodology for creating test cases for security testing of TLS implementations. Moreover, we designed and implemented an automated test execution framework capable of executing the derived test cases against different server-side implementations. The test oracles used, combined with sufficient planning depth and high combinatorial interaction strength, have the potential to allow a fine-grained analysis of the test results. In particular, our results indicate that this new approach is strong enough to point out differences in the behavior of different TLS implementations.

In addition, we explored the applicability of combinatorial testing to the testing of certificates present in TLS implementations. In this regard, we demonstrated that combinatorial testing provides theoretical guarantees for revealing errors in the certificate validation logic of TLS implementations.

At the end of the SPLIT project, we strongly believe that we have laid the foundations for interaction testing of security protocols and proved its applicability. As a result of our research efforts, the newly established research area of security protocol interaction testing has emerged as a viable alternative testing approach, especially when compared to the traditional security testing techniques available.

The project was led by Matris Group at SBA Research.

This project has been funded by the FFG.