Coveringcerts: Combinatorial Methods for X.509 Certificate Testing

2017 IEEE International Conference on Software Testing, Verification and Validation (ICST) Pub Date : 2017-03-13 DOI:10.1109/ICST.2017.14

Kristoffer Kleine, D. Simos

{"title":"Coveringcerts: Combinatorial Methods for X.509 Certificate Testing","authors":"Kristoffer Kleine, D. Simos","doi":"10.1109/ICST.2017.14","DOIUrl":null,"url":null,"abstract":"Correct behaviour of X.509 certificate validation code in SSL/TLS implementations is crucial to ensure secure communication channels. Recently, there have been major efforts in testing these implementations, namely frankencerts and mucerts, which provide new ways to generate test certificates which are likely to reveal errors in the implementations of X.509 validation logic. However, it remains a significant challenge to generate effective test certificates. In this paper, we explore the applicability of a prominent combinatorial method, namely combinatorial testing, for testing of X.509 certificates. We demonstrate that combinatorial testing provides the theoretical guarantees for revealing errors in the certificate validation logic of SSL/TLS implementations. Our findings indicate that the introduced combinatorial testing constructs, coveringcerts, compare favorably to existing testing methods by encapsulating the semantics of the validation logic in the input model and employing combinatorial strategies that significantly reduce the number of tests needed. Besides the foundations of our approach, we also report on experiments that indicate its practical use.","PeriodicalId":112258,"journal":{"name":"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)","volume":"21 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-03-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"15","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICST.2017.14","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 15

Abstract

Correct behaviour of X.509 certificate validation code in SSL/TLS implementations is crucial to ensure secure communication channels. Recently, there have been major efforts in testing these implementations, namely frankencerts and mucerts, which provide new ways to generate test certificates which are likely to reveal errors in the implementations of X.509 validation logic. However, it remains a significant challenge to generate effective test certificates. In this paper, we explore the applicability of a prominent combinatorial method, namely combinatorial testing, for testing of X.509 certificates. We demonstrate that combinatorial testing provides the theoretical guarantees for revealing errors in the certificate validation logic of SSL/TLS implementations. Our findings indicate that the introduced combinatorial testing constructs, coveringcerts, compare favorably to existing testing methods by encapsulating the semantics of the validation logic in the input model and employing combinatorial strategies that significantly reduce the number of tests needed. Besides the foundations of our approach, we also report on experiments that indicate its practical use.

查看原文本刊更多论文

覆盖证书:X.509证书测试的组合方法

在SSL/TLS实现中，X.509证书验证码的正确行为对于确保通信通道的安全至关重要。最近，在测试这些实现(即franencerts和mucerts)方面进行了大量工作，它们提供了生成测试证书的新方法，这些测试证书可能会揭示X.509验证逻辑实现中的错误。然而，生成有效的测试证书仍然是一个重大挑战。在本文中，我们探讨了一种突出的组合方法的适用性，即组合测试，用于测试X.509证书。我们证明了组合测试为揭示SSL/TLS实现的证书验证逻辑中的错误提供了理论保证。我们的研究结果表明，通过将验证逻辑的语义封装在输入模型中，并采用显著减少所需测试数量的组合策略，引入的组合测试结构(coveringts)优于现有的测试方法。除了我们的方法的基础之外，我们还报告了表明其实际用途的实验。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE International Conference on Software Testing, Verification and Validation (ICST)

自引率

0.00%

发文量