
Software Vulnerability Detection in Service-Based Infrastructures: Techniques and Tools


Abstract

Service-based infrastructures consist of several software resources that interact to support (critical) business services of organizations. These resources are packaged as services, which are well-defined, self-contained, standard-based and protocol-independent modules providing business functionalities that are independent from the state or context of other services. These infrastructures typically support the implementation of Service Oriented Architectures (SOAs) and can be supported by different types of services and technologies, although Web Services are usually the implementation of choice.

Although software services should behave in a secure manner, they are often deployed with bugs that can be maliciously exploited. In fact, several studies show that, in general, web applications and services present dangerous flaws. Furthermore, the characteristics of service-based environments open the door to security challenges that must be handled properly, including services under the control of multiple providers and the dynamism of interactions and compositions.

To prevent security vulnerabilities, developers should apply best coding practices, perform security inspections, execute penetration tests, etc. However, developers often focus on satisfying users' functional requirements and time-to-market constraints, disregarding security aspects. The problem is that software services are so exposed that hackers will most probably uncover any existing security vulnerability. In this scenario, automated vulnerability detection techniques and tools play an extremely important role in helping to deploy more secure service-based infrastructures, as they provide an easy and low-cost way to detect software vulnerabilities. This thesis addresses the problem of automated detection of software vulnerabilities in services and service-based infrastructures.

First, the thesis proposes a framework defining the assumptions, the concepts, and the generic approaches that lay the basis for the development of innovative vulnerability detection techniques and tools. In practice, the framework defines a reference service-based infrastructure and proposes generic approaches for designing vulnerability detection tools for web services and for service-based environments.

The thesis also presents different techniques and tools to detect software vulnerabilities, designed following the approaches in the proposed framework. These include three new techniques to detect vulnerabilities in individual web services, each one addressing a different testing scenario and based on a different detection approach, namely: improved penetration testing, attack signatures and interface monitoring, and runtime anomaly detection. Built on top of these techniques, an integrated approach for security testing of service-based infrastructures is also proposed. It is based on continuous monitoring to automatically discover and test the existing services, resources and interactions, coping with the specificities of these dynamic and complex environments.

Finally, the thesis proposes a generic approach for designing benchmarks that allow assessing and comparing vulnerability detection tools for service environments. The approach specifies the components and the steps needed to implement concrete benchmarks, while focusing on two key metrics: precision and recall. It has been used to define two benchmarks, one supported by a predefined set of workload services and the other based on a set of services provided by the benchmark user. These benchmarks have been used to run several case studies to assess the vulnerability detection techniques proposed in the thesis and to compare them to other existing tools, which at the same time allowed validating the benchmarking approach.