Towards Security-aware Mutation Testing

Abstract

Mutation analysis forms a popular software analysis technique that has been demonstrated to be useful in supporting multiple software engineering activities. Yet, the use of mutation analysis in tackling security issues has received little attention. In view of this, we design security-aware mutation operators to support mutation analysis. Using a known set of common security vulnerability patterns, we introduce 15 security-aware mutation operators for Java. We then implement them in the PIT mutation engine and evaluate them. Our preliminary results demonstrate that standard PIT operators are unlikely to introduce vulnerabilities similar to ours. We also show that our security-aware mutation operators are indeed applicable and prevalent on open source projects, providing evidence that mutation analysis can support security testing activities.

Publication
IEEE Tenth International Conference on Software Testing, Verification and Validation Workshops (MUTATION@ICST '17)
Xavier Devroey
Assistant Professor

My research interests include search-based and model-based software testing, test suite augmentation, DevOps, and variability-intensive systems engineering.
