IT Researchers develop automatic security tests for complex systems

March 15, 2017

These tests produce millions of valid program inputs within minutes. In this manner the researchers can automatically extract the required information from the program they are examining. They will present further details at the Cebit computer fair in Hannover in Hall 6, Stand C47.

Andreas Zeller, professor of Software Engineering at the Saarland University and CISPA researcher, is working on uncovering security vulnerabilities before they are exploited by cyber-criminals. "Modern test generators can generate inputs for the program in question at a high speed," explains Zeller. "But for that to work it is essential to know how the input is structured, because the program immediately disallows invalid inputs. This is precisely what our researchers are working on, namely deciphering exactly how these program inputs need to be constructed."

By looking at a given program and its range of inputs, Zeller and his doctoral students Matthias Hoeschele and Alexander Kampmann are able to automatically extract a so-called "context-free grammar": This is a description of all valid inputs for one specific program, much as the German grammar is a description of correct sentences in the German language. The CISPA researchers also built a software system that implements this central approach. The prototype is called "Autogram", for "automatic" and "grammar", and first results were already presented in September 2016, at the Automated Software Engineering conference in Singapore.

"With the grammar that Autogram generates, we can produce millions of valid inputs in minutes, allowing us to test a program more comprehensively," Zeller explains. The sheer amount of inputs considerably reduces the likelihood of overlooking security gaps, according to Zeller.

In order to extract the grammar for one specific program, Autogram observes how the program handles a given input. Different parts of the input are processed in different parts of the program, which allows the Autogram system to collect the relevant information: data on the structure of valid inputs and their relation to the program code. The extracted grammars themselves are very readable for humans, since they use specific identifiers from the program code. "At present, we are testing our prototype by letting it analyze a wide range of input formats, such as JSON or table data. We use about one thousand valid inputs as a foundation," says Alexander Kampmann. In a next step, these seed inputs are to be dispensed with, so that the grammar can be gleaned from the program directly.

Based on the extracted grammar, the researchers can create new test inputs that exercise the program systematically. How this can be done efficiently is being further researched in their project "tribble", which is also being presented at Cebit. "Tribble" takes the grammars provided by Autogram and then systematically produces all valid input variants and code snippets. The IT security researchers around Zeller already have a wide range of experience with grammar-based testing. In 2012, they presented their test generator LANGFUZZ, which comprehensively tested the Firefox web browser, using a hand-written grammar at the time. LANGFUZZ has been in daily use by Firefox developers for four years, and with its help more than 4,000 errors and security gaps have been identified and corrected so far.
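To illustrate the grammar-based generation that both Autogram's output and "tribble" rely on, here is an added example that is not part of the press release or of the Autogram/tribble code: a hand-written context-free grammar for a JSON subset (standing in for the grammar Autogram would extract) is expanded into many valid inputs, which are then fed to a program under test (here Python's own `json.loads`) to confirm that every generated input passes the parser's validity check.

```python
import json
import random

# Constructed, hand-written grammar for a JSON subset. Autogram would
# extract such a description automatically; this one is written by hand.
JSON_GRAMMAR = {
    "<value>": [["<object>"], ["<array>"], ["<string>"], ["<number>"],
                ["true"], ["false"], ["null"]],
    "<object>": [["{", "}"], ["{", "<members>", "}"]],
    "<members>": [["<string>", ":", "<value>"],
                  ["<string>", ":", "<value>", ",", "<members>"]],
    "<array>": [["[", "]"], ["[", "<elements>", "]"]],
    "<elements>": [["<value>"], ["<value>", ",", "<elements>"]],
    "<string>": [['"', "<chars>", '"']],
    "<chars>": [[], ["<char>", "<chars>"]],
    "<char>": [[c] for c in "abcxyz019 _-"],
    # JSON forbids leading zeros, so integers are built from a nonzero digit.
    "<number>": [["<int>"], ["-", "<int>"], ["<int>", ".", "<digits>"]],
    "<int>": [["0"], ["<nonzero>"], ["<nonzero>", "<digits>"]],
    "<nonzero>": [[d] for d in "123456789"],
    "<digits>": [["<digit>"], ["<digit>", "<digits>"]],
    "<digit>": [[d] for d in "0123456789"],
}

def expand(symbol, grammar, rng, depth=0, max_depth=8):
    """Expand a symbol into a string by picking random alternatives.
    Past max_depth the shortest alternative is taken, so recursive rules
    such as <members> -> ... <members> always terminate."""
    if symbol not in grammar:
        return symbol  # terminal symbol: emit as-is
    alternatives = grammar[symbol]
    choice = (min(alternatives, key=len) if depth >= max_depth
              else rng.choice(alternatives))
    return "".join(expand(s, grammar, rng, depth + 1, max_depth) for s in choice)

def generate_inputs(n, seed=0, grammar=JSON_GRAMMAR):
    """Produce n inputs from the grammar; a fixed seed makes runs reproducible."""
    rng = random.Random(seed)
    return [expand("<value>", grammar, rng) for _ in range(n)]

def fuzz_json_parser(n=1000, seed=0):
    """Feed n generated inputs to the program under test (json.loads) and
    count how many it accepts and rejects. A grammar that really describes
    the program's valid inputs yields zero rejections."""
    accepted = rejected = 0
    for text in generate_inputs(n, seed):
        try:
            json.loads(text)
            accepted += 1
        except ValueError:
            rejected += 1
    return accepted, rejected

if __name__ == "__main__":
    print(fuzz_json_parser())
```

Because every alternative in the grammar describes well-formed JSON, the parser accepts all generated inputs; a rejection would point either at a gap in the grammar or at a bug in the parser.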

So now the researchers from Saarbruecken are extending their range, from Firefox to virtually any program and input format. "The long term goal is fully automated security testing, applicable for all - from the smallest Internet of Things gadget to full-grown servers," says Zeller.
-end-
Background: Center for IT-Security, Privacy and Accountability (CISPA)

CISPA was founded at the Saarland University as a competence center for IT security in October 2011, with the support of the German Federal Ministry of Education and Research. It combines the IT security research of the Saarland University's Computer Science department with that of its on-campus partners, the Max Planck Institute for Computer Science, the Max Planck Institute for Software Systems, and the German Research Center for Artificial Intelligence, DFKI. Since then, CISPA has developed into an established research center for IT security with international appeal. Due to the excellent quality of its scientific publications and projects, CISPA is one of the leading research centers for IT security in the world today.

Additional Information:

Publication and videos: https://www.st.cs.uni-saarland.de/models/autogram

Press photos can be found here free of charge:

http://www.uni-saarland.de/pressefotos

Further Inquiries:

Professor Andreas Zeller
Center for IT-Security, Privacy and Accountability
Saarland Informatics Campus E9.1
Phone: +49 681 302 70971
E-Mail: zeller@cispa.saarland

Editor:

Gordon Bolduan
Competence Center Computer Science Saarland
Phone: +49 681 302-70741
E-Mail: gbolduan@mmci.uni-saarland.de

Saarland University
