Percorrer por autor "Dias, Tiago Fontes"
A mostrar 1 - 2 de 2
Resultados por página
Opções de ordenação
- Constrained adversarial learning for automated software testing: a literature reviewPublication . Vitorino, João; Machado Vitorino, João Pedro; Dias, Tiago; Dias, Tiago Fontes; Fonseca, Tiago; Caló Fonseca, Tiago Carlos; Maia, Eva; Maia, Eva; Praça, Isabel; Praça, IsabelIt is imperative to safeguard computer applications and information systems against the growing number of cyber-attacks. Automated software testing can be a promising solution to quickly analyze many lines of code and detect vulnerabilities and possible attack vectors by generating function-specific testing data. This process draws similarities to the constrained adversarial examples generated by adversarial learning methods, so there could be significant benefits to the integration of these methods in testing tools. Therefore, this literature review is focused on the current state-of-the-art of constrained data generation methods applied for adversarial learning and software testing, aiming to guide researchers and developers to enhance software testing tools with adversarial testing methods and improve the resilience and robustness of their information systems. The found constrained data generation applications were systematized, and the advantages and limitations of approaches specific for white-box, grey-box, and black-box testing were analyzed, identifying research gaps and opportunities to improve automated testing tools with data generated by adversarial attacks.
- FuzzTheREST - Intelligent Automated Blackbox RESTful API FuzzerPublication . Dias, Tiago Fontes; Pereira, Isabel Cecília Correia da Silva Praça GomesIn recent years, the pervasive influence of technology has deeply intertwined with human life, impacting diverse fields. This relationship has evolved into a dependency, with software systems playing a pivotal role, necessitating a high level of trust. Today, a substantial portion of software is accessed through Application Programming Interfaces, particularly web APIs, which predominantly adhere to the Representational State Transfer architecture. However, this architectural choice introduces a wide range of potential vulnerabilities, which are available and accessible at a network level. The significance of Software testing becomes evident when considering the widespread use of software in various daily tasks that impact personal safety and security, making the identification and assessment of faulty software of paramount importance. In this thesis, FuzzTheREST, a black-box RESTful API fuzzy testing framework, is introduced with the primary aim of addressing the challenges associated with understanding the context of each system under test and conducting comprehensive automated testing using diverse inputs. Operating from a black-box perspective, this fuzzer leverages Reinforcement Learning to efficiently uncover vulnerabilities in RESTful APIs by optimizing input values and combinations, relying on mutation methods for input exploration. The system's value is further enhanced through the provision of a thoroughly documented vulnerability discovery process for the user. This proposal stands out for its emphasis on explainability and the application of RL to learn the context of each API, thus eliminating the necessity for source code knowledge and expediting the testing process. The developed solution adheres rigorously to software engineering best practices and incorporates a novel Reinforcement Learning algorithm, comprising a customized environment for API Fuzzy Testing and a Multi-table Q-Learning Agent. The quality and applicability of the tool developed are also assessed, relying on the results achieved on two case studies, involving the Petstore API and an Emotion Detection module which was part of the CyberFactory#1 European research project. The results demonstrate the tool's effectiveness in discovering vulnerabilities, having found 7 different vulnerabilities and the agents' ability to learn different API contexts relying on API responses while maintaining reasonable code coverage levels.