Brucker, A.D., Brügger, L. and Wolff, B. (2015) Formal Firewall Conformance Testing: An Application of Test and Proof Techniques. Software Testing, Verification and Reliability, 25 (1). pp. 34-71. ISSN 0960-0833
Abstract
Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf prod\-ucts, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case gen\-eration approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented.
Metadata
Item Type: | Article |
---|---|
Authors/Creators: |
|
Copyright, Publisher and Additional Information: | © 2014 John Wiley & Sons, Ltd.. This is an author produced version of a paper subsequently published in Software Testing, Verification and Reliability. Uploaded in accordance with the publisher's self-archiving policy. |
Keywords: | model-based testing; conformance testing; security testing; firewall; specification-based testing; testing cloud infrastructure; transformation for testability; HOL-Testgen; test and proof; security configuration testing |
Dates: |
|
Institution: | The University of Sheffield |
Academic Units: | The University of Sheffield > Faculty of Engineering (Sheffield) > Department of Computer Science (Sheffield) |
Depositing User: | Symplectic Sheffield |
Date Deposited: | 24 Feb 2016 12:37 |
Last Modified: | 24 Jul 2017 12:10 |
Published Version: | http://dx.doi.org/10.1002/stvr.1544 |
Status: | Published |
Publisher: | John Wiley & Sons |
Refereed: | Yes |
Identification Number: | 10.1002/stvr.1544 |
Open Archives Initiative ID (OAI ID): | oai:eprints.whiterose.ac.uk:95289 |