Spelling suggestions: "subject:"white box"" "subject:"phite box""
11 |
Guidelines for white box penetration testing wired devices in secure network environmentsLe Vandolph, Daniel January 2023 (has links)
As technology is becoming a prevalent and ubiquitous part of society, increasing levels of cybercrime have drawn attention to the need for suitable frameworks for ensuring the security of systems by conducting penetration tests. There are several large and established frameworks for doing so, and they tend to focus on complicated large systems with multiple endpoints, devices, and network layers. The majority of new penetration testing research is also directed toward this scenario, by building automated tools that rely on new research in artificial intelligence. While it is admirable to see research adapt to address the tendency toward complexity in networks and systems, it has created a research gap in the other direction. There is no specialized type of framework to accurately and efficiently test an important type of scenario where there is a wired network device in a secure environment that is subject to the risk of insider threat. The large established frameworks mostly advocate for testing using a black-box approach and automated tools. This approach is unsuitable for the scenario since it is likely to produce a level of false positives that is too high, and black box testing also contains steps that are slow and unnecessary. This master thesis project has created a set of specialized penetration testing guidelines that are tailored to handle the scenario. By instead adopting a customized white-box approach and using mostly manual tools, the guidelines are built for accuracy, efficiency, and addressing the dangerous risk of insider threats. They were developed based on a systematic literature review of the scientific field. Further, they were produced using Design Science Research methodology, and evaluated by an expert panel of three professional penetration testers. They were also tested in a real-life scenario at a government agency focused on national security. The tests were able to find three vulnerabilities of the target device, where two of them would have been missed by a black-box approach. Compared to the established frameworks, the developed guidelines are estimated to be at least 20 percent faster.
|
12 |
Model Coverage vs System-under-test Coverage in Model-based testing : Using Edge-pair coverage, Edge coverage, Node coverage and Mutation analysis / Modelltäckning vs täckning av system-under-test inom modellbaserad testning : Med användning av kantparstäckning, kant-täckning, nodtäckning och mutationsanalysRezkalla, George January 2021 (has links)
Model-based testing (MBT) is a black-box software testing technique that focuses on specification of the system-under-test (SUT) and/or its environment. It uses models to automatically generate a large number of tests. To the best of our knowledge, no study has investigated the correlation of model coverage with SUT coverage using more advanced coverage criteria (such as edge-pair coverage) and the correlation of coverage (at model level and SUT level) with test suite effectiveness using non-adequate test suites in the context of MBT despite the prominence of non-adequate test suites in industry. To carry out the investigation, we extend an existing open-source MBT tool called Modbat to measure edge-pair coverage at model level, implement a new tool called PaCovForJbc to measure edge-pair coverage, edge coverage and node coverage at SUT level. Finally, we perform an experiment using these tools applied on three projects: “ArrayList”, and “LinkedList” of Java standard library, and “Apache ZooKeeper”. Overall, the results suggest the following: Edge and edge-pair coverage at model level often have a moderate to high correlation with the same type of coverage at SUT level, while that link between model and SUT for node coverage is weaker. Moreover, coverage criteria at SUT level often have a moderate to high correlation with test suite effectiveness, and a coverage criterion at SUT level has a slightly higher correlation with test suite effectiveness than the same type of coverage at model level. Regarding coverage at model level, edge and edge-pair coverage at model level have a slightly higher correlation with test suite effectiveness than node coverage at model level. Note that the mentioned suggestions need to be taken with discretion, because results vary depending on the project and/or coverage criterion under investigation. / Modellbaserad testning (MBT) är en black-box-testteknik som fokuserar på specifikation av system-under-test (SUT) och/eller dess miljö. MBT använder modeller för att generera ett stort antal tester automatiskt. Såvitt vi vet, finns ingen studie som undersökt korrelationen mellan modelltäckning och täckning av SUT med hjälp av mer avancerade täckningskriterier såsom kantparstäckning. Dessutom finns ingen studie som undersökt korrelationen mellan täckning (på modellnivå och SUT-nivå) och effektivitet av icke- adekvata testsviter som genereras med hjälp av MBT trots betydelsen av icke-adekvata testsviter i industrin. För att utföra undersökningen, utökar vi ett ”open-source” MBT-verktyg som kallas för Modbat för att mäta kantparstäckning på modellnivå. Dessutom implementerar vi ett nytt verktyg som kallas för PaCovForJbc för att mäta kantpars-, kant- och nodtäckning på SUT-nivå. Till slut utför vi experiment genom att applicera Modbat och PaCovForJbc på tre projekt: ”ArrayList” och ”LinkedList” av Javas standardbibliotek samt ”Apache ZooKeeper”. Sammantaget indikerar resultaten följande: Kant- och kantparstäckning på modellnivå har ofta en måttlig till hög korrelation med samma typ av täckning på SUT- nivå, medan länken mellan modell och SUT för nodtäckning är svagare. Dessutom har täckningskriterier på SUT-nivå ofta en måttlig till hög korrelation med testsvitseffektivitet, och ett täckningskriterium på SUT-nivå har en aning högre korrelation med testsvitseffektivitet än samma typ av täckning på modellnivå. Angående täckning på modellnivå har kant- och kantparstäckning på modellnivå en aning högre korrelation med testsvitseffektivitet än nodtäckning på modellnivå. Observera att de nämnda förslagen måste tas med diskretion, eftersom resultaten varierar beroende på projektet och/eller täckningskriteriet som undersöks.
|
13 |
High frequency model for transient analysis of transformer windings using multiconductor transmission line theoryFattal, Feras 30 March 2017 (has links)
Transients encountered by transformers in power stations during normal operation can have complex oscillatory overvoltages containing a large spectrum of frequency components. These transients can coincide with the natural frequencies of the transformers windings, leading to voltages that can be greater or more severe than the current factory proof tests. This may lead to insulation breakdown and catastrophic failures. Existing lumped parameter RLCG transformer models have been proven to be less accurate for very fast transient overvoltages (VFTO) with frequencies over 1 MHz.
A white box model for transient analysis of transformer windings has been developed
using Multiconductor Transmission Line (MTL) Theory. This model enables the simulation
of natural frequencies of the transformer windings up to frequencies of several MHz, and
can be used to compute voltages between turns by representing each turn as a separate
transmission line. Both continuous and interleaved disk windings have been modelled and a comparison and validation of the results is presented. / May 2017
|
14 |
Graybox-baserade säkerhetstest : Att kostnadseffektivt simulera illasinnade angreppLinnér, Samuel January 2008 (has links)
<p>Att genomföra ett penetrationstest av en nätverksarkitektur är komplicerat, riskfyllt och omfattande. Denna rapport utforskar hur en konsult bäst genomför ett internt penetrationstest tidseffektivt, utan att utelämna viktiga delar. I ett internt penetrationstest får konsulten ofta ta del av systemdokumentation för att skaffa sig en bild av nätverksarkitekturen, på så sätt elimineras den tid det tar att kartlägga hela nätverket manuellt. Detta medför även att eventuella anomalier i systemdokumentationen kan identifieras. Kommunikation med driftansvariga under testets gång minskar risken för missförstånd och systemkrascher. Om allvarliga sårbarheter identifieras meddelas driftpersonalen omgå-ende. Ett annat sätt att effektivisera testet är att skippa tidskrävande uppgifter som kommer att lyckas förr eller senare, t.ex. lösenordsknäckning, och istället påpeka att orsaken till sårbarheten är att angriparen har möjlighet att testa lösenord obegränsat antal gånger. Därutöver är det lämpligt att simulera vissa attacker som annars kan störa produktionen om testet genomförs i en driftsatt miljö.</p><p>Resultatet av rapporten är en checklista som kan tolkas som en generell metodik för hur ett internt penetrationstest kan genomföras. Checklistans syfte är att underlätta vid genomförande av ett test. Processen består av sju steg: förberedelse och planering, in-formationsinsamling, sårbarhetsdetektering och analys, rättighetseskalering, penetrationstest samt summering och rapportering.</p> / <p>A network architecture penetration test is complicated, full of risks and extensive. This report explores how a consultant carries it out in the most time effective way, without overlook important parts. In an internal penetration test the consultant are often allowed to view the system documentation of the network architecture, which saves a lot of time since no total host discovery is needed. This is also good for discovering anomalies in the system documentation. Communication with system administrators during the test minimizes the risk of misunderstanding and system crashes. If serious vulnerabilities are discovered, the system administrators have to be informed immediately. Another way to make the test more effective is to skip time consuming tasks which will succeed sooner or later, e.g. password cracking, instead; point out that the reason of the vulnerability is the ability to brute force the password. It is also appropriate to simulate attacks which otherwise could infect the production of the organization.</p><p>The result of the report is a checklist by means of a general methodology of how in-ternal penetration tests could be implemented. The purpose of the checklist is to make it easier to do internal penetration tests. The process is divided in seven steps: Planning, information gathering, vulnerability detection and analysis, privilege escalation, pene-tration test and final reporting.</p>
|
15 |
Graybox-baserade säkerhetstest : Att kostnadseffektivt simulera illasinnade angreppLinnér, Samuel January 2008 (has links)
Att genomföra ett penetrationstest av en nätverksarkitektur är komplicerat, riskfyllt och omfattande. Denna rapport utforskar hur en konsult bäst genomför ett internt penetrationstest tidseffektivt, utan att utelämna viktiga delar. I ett internt penetrationstest får konsulten ofta ta del av systemdokumentation för att skaffa sig en bild av nätverksarkitekturen, på så sätt elimineras den tid det tar att kartlägga hela nätverket manuellt. Detta medför även att eventuella anomalier i systemdokumentationen kan identifieras. Kommunikation med driftansvariga under testets gång minskar risken för missförstånd och systemkrascher. Om allvarliga sårbarheter identifieras meddelas driftpersonalen omgå-ende. Ett annat sätt att effektivisera testet är att skippa tidskrävande uppgifter som kommer att lyckas förr eller senare, t.ex. lösenordsknäckning, och istället påpeka att orsaken till sårbarheten är att angriparen har möjlighet att testa lösenord obegränsat antal gånger. Därutöver är det lämpligt att simulera vissa attacker som annars kan störa produktionen om testet genomförs i en driftsatt miljö. Resultatet av rapporten är en checklista som kan tolkas som en generell metodik för hur ett internt penetrationstest kan genomföras. Checklistans syfte är att underlätta vid genomförande av ett test. Processen består av sju steg: förberedelse och planering, in-formationsinsamling, sårbarhetsdetektering och analys, rättighetseskalering, penetrationstest samt summering och rapportering. / A network architecture penetration test is complicated, full of risks and extensive. This report explores how a consultant carries it out in the most time effective way, without overlook important parts. In an internal penetration test the consultant are often allowed to view the system documentation of the network architecture, which saves a lot of time since no total host discovery is needed. This is also good for discovering anomalies in the system documentation. Communication with system administrators during the test minimizes the risk of misunderstanding and system crashes. If serious vulnerabilities are discovered, the system administrators have to be informed immediately. Another way to make the test more effective is to skip time consuming tasks which will succeed sooner or later, e.g. password cracking, instead; point out that the reason of the vulnerability is the ability to brute force the password. It is also appropriate to simulate attacks which otherwise could infect the production of the organization. The result of the report is a checklist by means of a general methodology of how in-ternal penetration tests could be implemented. The purpose of the checklist is to make it easier to do internal penetration tests. The process is divided in seven steps: Planning, information gathering, vulnerability detection and analysis, privilege escalation, pene-tration test and final reporting.
|
16 |
Functional testing of an Android application / Funktionell testning av en AndroidapplikationBångerius, Sebastian, Fröberg, Felix January 2016 (has links)
Testing is an important step in the software development process in order to increase the reliability of the software. There are a number of different methods available to test software that use different approaches to find errors, all with different requirements and possible results. In this thesis we have performed a series of tests on our own mobile application developed for the Android platform. The thesis starts with a theory section in which most of the important terms for software testing are described. Afterwards our own application and test cases are presented. The results of our tests along with our experiences are reviewed and compared to existing studies and literature in the field of testing. The test cases have helped us find a number of faults in our source code that we had not found before. We have discovered that automated testing for Android is a field where there are a lot of good tools, although these are not often used in practice. We believe the app development process could be improved greatly by regularly putting the software through automated testing systems.
|
17 |
Interopérabilité sur les standards Modelica et composant logiciel pour la simulation énergétique des sytèmes de bâtiment / Interoperability based on Modelica and software component standard for building system energy simulationGaaloul Chouikh, Sana 18 October 2012 (has links)
Pour mieux maîtriser ses flux énergétiques et respecter les diverses restrictions mises en place dans ce secteur énergivore, le bâtiment devient un système de plus en plus complexe incluant divers technologies innovantes comme les systèmes de gestion énergétiques (SGEB), une isolation performante et intégrant les énergies renouvelables. Cette complexité exige un changement dans les techniques et paradigmes actuels de simulation du bâtiment pour la prise en compte de ses diverses évolutions. Une modélisation globale des différents composants de ce système et une simulation efficace de ses sous-systèmes hétérogènes doivent être dorénavant assurées.Ces objectifs ne pourront être atteints qu'à travers l’exploitation des approches méthodologiques d’interopérabilité. Plusieurs solutions d’interopérabilités ont été exploitées dans le secteur du bâtiment. L’état de l’art dans ce secteur, met l’accent sur le manque de standardisation des solutions appliquées. Une approche boîte blanche se basant sur le langage Modelica a remarquablement émergée. Pour monter ses intérêts ainsi que ses limites, cette solution est adoptée pour la modélisation du système de bâtiment «PREDIS», à haute performance énergétique. Une approche boîte noire complémentaire, s’appuyant sur le standard de composant logiciel dédié à la simulation, est également mise en ouvre pour palier aux difficultés rencontrées en utilisant la première approche de modélisation système. Cette approche s’articule autour du concept de bus à composants permettant une interopérabilité effective entre outils de modélisation et environnements de simulation. En plus de l’architecture logicielle autour de la plateforme d’interopérabilité, une simulation efficace du système hétérogène requière des techniques de simulations adaptées. Ces dernières peuvent exiger des adaptations des modèles utilisés qui sont prévues par la norme de composant. / To better reduce its invoices, control its energy flows and respect various restrictions in this sector characterised by important consumption, the building becomes more and more complex including various innovative technologies such as Energy Management Systems (BEMS), efficient insulation and integrating renewable energies. This complexity requires a changing in building simulation techniques and paradigms in order to take into account its various developments. A global modelling of this system taking into account its various components and ensuring an efficient simulation of its heterogeneous subsystems must be performed.These objectives can only be achieved through the use of interoperability methodological approaches. Several interoperability solutions have been explored in the building sector and the state of the art make an accent on the standardization lack of applied solutions. A white box approach based on Modelica language has emerged in this area. To raise its interest and limitations, this solution is adopted for “PREDIS” system, a high energy performance building, modelling. A complementary black box approach, based on software component standard and dedicated for simulation is also applied to overcome the first approach difficulties. This approach is based on software component bus concept that is able to ensure an effective interoperability between modelling tools and simulation environments.In addition of the established software architecture around the platform interoperability, an efficient simulation of heterogeneous systems requires appropriate simulations techniques. These techniques may require several adaptations of used models that are provided by the component standard.
|
18 |
Nástroj na testování síťových aplikací / A Tool for Testing Network ApplicationsHornický, Pavol January 2012 (has links)
This master thesis addresses the issue of software testing. It discusses different types and forms of testing such as white-box testing, black-box testing, unit testing, integration testing and regression testing. Further it deals with the specific problems of testing network applications and automation of the testing process. To solve these issues, the thesis presents a language based on XML for describing testing cases. The following chapter describes the design of this language interpreter. The thesis also deals with problems occurring during implementation phase of similar tools and their possible solutions. Functionality demonstration of designed tool helped to discover an error in product of AVG Technologies CZ, s.r.o..
|
19 |
Nosná železobetonová konstrukce bytového domu / Load bearing reinforced concrete structure of apartment houseRuber, Lukáš January 2018 (has links)
The subject of this diploma thesis is the design of the underground parts of the building. Part of this thesis is to comapare alternative designs and subsequentli evaluate the interaction of the upper structure with subsoil and pile fundantion. A detailed static assessment and implementation documentation is then prepared for the selected variant. The design of the base plate and reinforced concrete walls of the underground section are designed with respect to the crack width according to the principles for designing the white box. The theoretical part contains principles for designing and implementing a white box and evaluating design variants.
|
Page generated in 0.0434 seconds