QW2001 Paper 3T2

Dr. Mark R. Blackburn, Mr. Robert Busser, Mr. Aaron Nauman & Dr. Ramaswamy Chandramouli
(Software Productivity Consortium)

Model-based Approach To Security Test Automation

Key Points

Presentation Abstract

This paper describes the objective of the security functional testing initiative and the approach applied. It provides both a process perspective describing the roles of developers and tool automation to reduce significant manual effort from the traditional security testing process. It illustrates the development of a model for test automation using a small set of security specifications that deal with “Granting Object Privilege Capability” in the Common Criteria Security Target Document for an Oracle Database Server. It provides an overview of the test case generation process. It also describes the process used to generate test drivers for an SQL database engine.

To assure that audience that the underlying capabilities of model-based development and test automation can be applied to their applications, the paper and presentation will briefly summarize some of the other applications types in which this model-based approach has been used. Specifically, the approach has been applied to non-critical applications like workstation-based Java applications with GUI user interfaces, database applications, as well as critical applications like telemetry communication for heart monitors, flight navigation, guidance, autopilot logic, display systems, flight management and control laws, airborne traffic and collision avoidance while supporting automated test driver generation from standard languages (e.g., C, C++, Java, Ada, Perl, PL/I, SQL, etc.) as well as proprietary languages, COTS test injection products and test environments.

About the Author

Dr. Blackburn is a Software Productivity Consortium Fellow, President of T-VEC Technologies, Inc. and co-inventor of the T-VEC system. He has twenty years of software systems engineering experience in development, project leadership and applied research in object technology, requirement and design specification, model-based development, formal methods, and formal verification. His more recent technical activities have been focused on transforming various functional, OO, and control-system models from 3rd party tool systems into a representation that can support requirement defect removal and test automation. He is also involved in functional security testing, developing strategies for integrating knowledge management and e-business, and has also been involved in applied research and technology demonstrations in web-based knowledge engineering, domain engineering, and reverse engineering. He has also spent over ten years in the development of real-time flight critical avionics systems. He earned a BS in Mathematics from Arizona State, MS in Mathematics from Florida Atlantic University, and a Ph.D. in Information Technology from George Mason University.

Mr. Busser is co-founder of T-VEC Technologies, Inc. and co-inventor of the T-VEC system. He has over twenty years of software systems engineering experience in development, and management in the area of advanced software engineering, and expertise in software engineering processes, methods and tools. He is the chief architect of the T-VEC system. He has extensive experience in requirement and design methods, real-time systems, model-based development and test generation tools, model analysis, and verification. He has extensive knowledge about model transformation systems, theorem prover and constraint solving systems. In addition, he has extensive avionics engineering experience and has been involved in several FAA certifications. He has experience applying this knowledge in the development of highly-reliable software systems and the development of state of the art requirements-based software modeling and testing technologies. Mr. Busser has a B.S. in Electrical and Electronics Engineering from Ohio University.

Mr. Nauman has a wide range of systems and applications development experience in both real-time (telecommunications) and information systems domains. He is currently involved in the development of model transformation, and software verification through specification-based automated testing. His experience includes all aspects of product development from requirements analysis through test implementation. Additionally, he has experience in object-oriented technologies, distributed and client/server systems, web-based and components-based software and systems integration. He is a representative on the OMG UML Action Semantics working group. Mr. Nauman graduated Summa Cum Laude from North Carolina State University with a B.S. in Computer Science.

Dr. Ramaswamy Chandramouli is a computer scientist at NIST with over 15 years of experience in both Private Sector and Federal Agencies. His professional interests include Distributed System Security, Access Control Models and Security Specifications. He was one of the authors of “Role Based Access Control Protection Profile” which was the first Common Criteria (V 2.0) Protection Profile to be certified in the U.K. He was also the lead author of the paper titled “Comparison of Role Based Access Control Features in commercial DBMS” which won the Best Professional Paper award at the the 21st National Information Systems Security Conference held at Crystal City, VA, Oct 1998. Dr.Chandramouli holds an MS degree in Operations Research from the University of Texas and a PhD in Information Technology from George Mason University.