An Empirical Study of a Language - based Security Testing Technique
MetadataShow full item record
Application layer protocols have become sophisticated to the level that they have become languages in their own right. Security testing of network applications is indisputably an essential task that must be carried out prior to the release of software to the market. Since factors such as time-to-market constraints limit the scope or depth of the testing performed, it is difficult to carry out exhaustive testing prior to the release of the software. As a consequence, flaws may be left undiscovered by the software vendor, which may be discovered by those of malicious intent. We report the results of an empirical study of testing the Distributed Relational Database Architecture (DRDA®) protocol as implemented by the IBM® DB2® Database for Linux®, Unix®, and Windows® product, using a security testing approach, and a framework which implements that approach, that emerged from the joint work of the Royal Military College of Canada and Queen's University of Kingston. The previous version of the framework was used in the past to test the implementations of several network protocols. Compared to DRDA, these protocols are relatively simple, as they possess a much fewer number of structure types, messages and rules. From our study of the DRDA protocol, several omissions in the framework were uncovered, and were implemented as part of this work. In addition, the framework was automated, a preliminary automated test planner was created and a primitive language was created to provide the ability to describe custom-made test plans. Testing revealed two faults in the DB2 server, one of which was unknown to the vendor, prior to the testing that was carried out as part of this thesis work.