CSTS: A Prototype Tool for Testing COM Component Security

摘要

The automatic testing tools of component security bring great effect on component-based software engineering, and they can effectively ensure the security of component-based software. A prototype tool named CSTS (component security testing system) is designed and implemented to test the security of the widely-used COTS (Commercial-off-the-Shelf) Microsoft COM (component object model) component. CSTS, a GUI (graphical user interface) software, adopts both static and dynamic testing based on fault injection and dynamic monitoring. Firstly, CSTS analyzes component type information and statically injects parameter faults into interface methods. Secondly, environment faults such as memory fault, file fault and process fault are injected into the tested component when the component is driven. Dynamic monitoring mechanism can monitor the running process of component and analyze the component security exceptions. Some commercial components were tested in the CSTS. The experimental results show that CSTS is effective and operable.