State-of-the-art security validation technologies, when used in isolation, do not provide automated support for the discovery of important vulnerabilities and associated exploits that are already plaguing complex web-based security-sensitive applications, and thus severely affect the development of the IoS. Moreover, security validation should be applied not only at production time but also when services are deployed and consumed.
Tackling these challenges is the main objective of the EU FP7 SPaCIoS project (www.spacios.eu), which will lay the technological foundations for a new generation of analyzers for automated security validation at service provision and consumption time, thereby significantly improving the security of the IoS. This will be achieved by developing and combining state-of-the-art technologies for penetration testing, security testing, model checking and automatic learning. These will all be integrated into the SPaCIoS Tool, which we shall apply as a proof of concept to a set of security testing problem cases drawn from industrial and open-source IoS application scenarios. This will pave the way to transferring project results successfully to industrial practice.
SAP Research has a strong involvement in the project. Among other activities, SAP Research contributes significantly to the following topics:
- Property-Driven Security Testing. We work on an approach binding specifications of security protocols to actual implementations, and show how it can be effectively used to automatically test implementations against putative attack traces found by the model checker. By using our approach we have been able to automatically detect and reproduce an attack witnessing an authentication flaw in the SAML-based Single Sign-On for Google Apps.
- Vulnerability-Driven Security Testing. We work on an approach that supports the penetration tester in a (semi-)automatic way, based on a knowledge library of potential software vulnerabilities and exploits, even when a formal model of the software application may not be available.
- Model Inference. We work on an algorithm which infers state models enriched with variables to record key security parameters such as session IDs or cookies, and also includes the inference of non-deterministic values.
- SPaCIoS Tool. The aforementioned techniques and methods are implemented and integrated into the SPaCIoS Tool, to support various activities in security validation and testing.
- Proof of Concept. The SPaCIoS Tool is going to be applied as a proof of concept on a set of security testing problem cases drawn from industrial and open-source IoS application scenarios, thereby paving the way to transferring project results successfully to industrial practice.
- Industrial Migration. We work with colleagues in SAP business units to transfer the techniques built in the project to SAP’s software security validation and testing practices.
More results and achievements of SAP Research will be reported in future blog posts. Thank you for your attention.