Fuzz Test Case Generation for Penetration Testing in Mobile Cloud Computing Applications

  • Conference paper
Intelligent Computing & Optimization (ICO 2018)

Part of the book series: Advances in Intelligent Systems and Computing (AISC, volume 866)

Abstract

Security testing for applications is a critical practice used to protect data and users. Penetration testing is particularly important, and test case generation is one of its critical phases. In test case generation, testers need to ensure that a set of test cases covers as many execution paths as possible. Multiple models and techniques have been proposed to generate test cases for software penetration testing. These techniques include fuzz test case generation, which has been implemented in multiple forms. This work critically reviews the different models and techniques used for fuzz test case generation and identifies the strengths and limitations of each implementation and proposal. The review showed that previous test case generation methods disregard offloading parameters when generating test case sets. This paper proposes a test case generation technique that uses offloading as a generation parameter, addressing the lack of such techniques in previous studies. The proposed technique improves path coverage for applications that use offloading, thereby improving the effectiveness and efficiency of penetration testing.

Acknowledgments

This research is supported by the Department of Research and Innovation of University Malaysia Pahang under Fundamental Research Grant Scheme (FRGS) RDU170102.

Author information

Corresponding author

Correspondence to Hasan Kahtan.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Al-Ahmad, A.S., Kahtan, H. (2019). Fuzz Test Case Generation for Penetration Testing in Mobile Cloud Computing Applications. In: Vasant, P., Zelinka, I., Weber, GW. (eds) Intelligent Computing & Optimization. ICO 2018. Advances in Intelligent Systems and Computing, vol 866. Springer, Cham. https://doi.org/10.1007/978-3-030-00979-3_27

  • DOI: https://doi.org/10.1007/978-3-030-00979-3_27

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-00978-6

  • Online ISBN: 978-3-030-00979-3

  • eBook Packages: Engineering, Engineering (R0)
