A New Security Testing Method for Detecting Flash Vulnerabilities by Generating Test Patterns

摘要

Flash has a number of security defects even though Flash Player is installed on most of world’s PC. Protection using sandbox has limitation to protect a user from vulnerabilities of Flash application because an attacker can attack a vulnerable Flash application when a sandbox can’t work if an engineer or a web administrator set sandbox permission wrongly. Another way to solve it is testing. As a testing, penetration testing is useful for detecting vulnerability of Flash Application. Existing penetration testing performs penetration test through UI manually, which is inefficient and time consuming. In this paper, to overcome a problem of existing penetration test, we design a new penetration testing, which enables to generate as many test patterns as possible from VM inputs, inputting test patterns into VM, and checks the existence of vulnerabilities from VM outputs automatically. We demonstrate our testing method using an example, which can detect Flash Parameter Injection that is a one kind of vulnerability of Flash application.