“Vulnerability Assessment Through Attack Injection”
Master’s thesis, Faculty of Sciences, University of Lisbon, Lisbon, Portugal, Nov. 2006
Abstract: Our reliance on computer systems for everyday life activities has increased over the years as more and more tasks are accomplished with their help. The increasing complexity of the problems they address also require the development of more elaborated solutions. So, applications tend to become larger and more complex. On the other hand, the ever present tradeoff between time to deployment and thorough testing puts pressure on the quality of the software. Hence, applications tend to be released with little testing. Software bugs are continuously detected afterwards, resulting in security vulnerabilities that can be exploited by malicious adversaries and compromise the systems’ security. The discovery of security vulnerabilities is then a valuable asset in the development of dependable systems. AJECT is presented as a new tool for vulnerability assessment, without requiring access to the source code or to any updated vulnerability database. The methodology utilized in the construction of AJECT emulates the behavior of an adversary by injecting attacks to trigger and detect abnormal behavior in the target systems. Preliminary experimental results in IMAP servers showed that AJECT was able to discover not only all known vulnerabilities, but also a previously unknown one.
Research line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)