OUSPG
Test-suite releases in Theory and Practice
$RCSfile: index.html,v $ $Revision: 1.43 $ $Date: 2004/01/16 21:07:44 $

ABSTRACT

Trivial vulnerabilities are common in protocol implementations, and the same kinds of bugs keep reappearing over and over again. The PROTOS test-suite release is an attempt to raise the bar by establishing a baseline. Test-suites aimed at a specific set of vulnerabilities are created for the chosen protocol implementations. Stand-alone test-suites are created for use in customer evaluation, during vendor development or as regression tests. Test-suites are published with supporting background material.

Introduction

The PROTOS test-suite releases aim to provide material to both customers and vendors for evaluating software implementations for some trivial information security related vulnerabilities and for robustness. The test-suite releases are a byproduct of the "PROTOS - Security Testing of Protocol Implementations" project. The PROTOS project is a government funded research partnership between the University of Oulu and VTT Electronics. The PROTOS project is supported by two partner companies from the telecommunication industry.

A test-suite is created for a subset of a specific protocol. The test-suite consists of test-cases and the code needed for evaluating the system under test against the test-suite. Protocol data units have been constructed using the principles described in "Software vulnerability analysis through syntax testing". The software vulnerabilities that are likely to be found with the test-suites are caused by implementation level mistakes.
A typical category of these types of vulnerabilities is reviewed in "Running Malicious Code By Exploiting Buffer Overflows: A Survey Of Publicly Available Exploits". The terminology used herein and in the test-suite releases has been adopted from the definitions available in the "Glossary of Vulnerability Testing Terminology" document. The procedures for handling and reporting any internally found vulnerabilities have been documented in "The Vulnerability Process: a tiger team approach to resolving vulnerability cases". We recommend following these guidelines with any externally found vulnerabilities as well. The PROTOS test-suite concept follows the constructive disclosure model as illustrated in the "Introducing constructive vulnerability disclosures" conference paper.

Release policy and process

Goals
Limitations

The usual limitations of black-box testing, and of testing in general, apply. Passing the test-suite is in no way a certificate of a vulnerability-free system. Test-suites are provided as a proof-of-concept only. They are in no way supported, sold as a service, or otherwise guaranteed to fill any particular need. In a typical case, the test-suites are created for a very specific subset of the chosen protocol and for very specific types of errors. This means that only a portion of the system under test is exercised and only a narrow subset of the overall security of the system is addressed. The test-material contains no arbitrary code exploits. However, running the test-material against production systems is strongly discouraged: not all failure modes caused by the material are necessarily transient.

Release process

Three major phases of the test-suite release process are sketched below:
Test-material package and naming

Cycles 01-09

Test-material is distributed as a JAR package. This package comprises the following elements:
Downloadable test-material packages are named <cycle>-<test-suite>-<status><version>.jar, where:
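The naming scheme above can be checked mechanically when a directory of downloaded packages is inspected. The following parser is an added example, not part of the PROTOS release or its tooling; the field formats (cycle as "c" plus two digits, status as letters, version as digits) and the extra file names in the sample listing are assumptions inferred from the single example on this page.

```python
import re
from typing import NamedTuple

# Assumed field formats, inferred only from the page's example c04-wap-pr1.jar:
# cycle "c" + two digits, test-suite letters/digits, status letters, version digits.
# The page itself does not spell out the allowed values of each field.
PACKAGE_RE = re.compile(
    r"^(?P<cycle>c\d{2})-(?P<suite>[a-z0-9]+)-(?P<status>[a-z]+)(?P<version>\d+)\.jar$"
)


class PackageName(NamedTuple):
    cycle: int
    suite: str
    status: str
    version: int


def parse_package_name(name: str) -> PackageName:
    """Split a PROTOS test-material file name into its four fields."""
    m = PACKAGE_RE.match(name)
    if m is None:
        raise ValueError(f"not a PROTOS test-material package name: {name!r}")
    return PackageName(
        cycle=int(m["cycle"][1:]),
        suite=m["suite"],
        status=m["status"],
        version=int(m["version"]),
    )


def latest_per_suite(names):
    """Return the highest-versioned file for each (cycle, suite) pair,
    skipping files that do not follow the naming scheme."""
    best = {}
    for name in names:
        try:
            p = parse_package_name(name)
        except ValueError:
            continue
        key = (p.cycle, p.suite)
        if key not in best or p.version > best[key][1].version:
            best[key] = (name, p)
    return {k: v[0] for k, v in best.items()}


if __name__ == "__main__":
    # Constructed sample listing; only c04-wap-pr1.jar comes from the page.
    listing = ["c04-wap-pr1.jar", "c04-wap-pr2.jar", "c05-wap-pr1.jar", "README.txt"]
    print(parse_package_name("c04-wap-pr1.jar"))
    print(latest_per_suite(listing))
```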
For example: c04-wap-pr1.jar

License and copyright

The test-material is licensed under the GNU General Public License (GPL) version 2, at no charge. This ensures that vendors and their customers may freely utilize the test-material. Standard GPL terms for no warranty and no liability apply. We recommend some additional guidelines, although these do not restrict the test-material license:
A test-suite as a whole contains the test-material package and the related documentation from the PROTOS web pages. All material is under Copyright (C) 2000 - 2004 PROTOS Project Consortium [http://www.ee.oulu.fi/research/ouspg/protos/]. Only the test-material package is placed under the GPL license; normal copyright restrictions apply to all other material.