* ICSE 2018 *
Sun 27 May - Sun 3 June 2018 Gothenburg, Sweden
Fri 1 Jun 2018 11:00 - 11:20 at Congress Hall - Testing III Chair(s): Myra Cohen

Certificate validation in the Secure Sockets Layer and Transport Layer Security protocols (SSL/TLS) is critical to Internet security. It is therefore important to check whether certificate validation in SSL/TLS is correctly implemented. With this motivation, we propose a novel differential testing approach that is directed by the standards, the Requests for Comments (RFCs). First, rules of certificates are extracted automatically from RFCs. Second, low-level test cases are generated through dynamic symbolic execution. Third, high-level test cases, i.e., certificates, are assembled automatically. Finally, with the assembled certificates as test cases, certificate validation in SSL/TLS implementations is tested to reveal latent vulnerabilities or bugs. Our approach, named RFCcert, has the following advantages: (1) certificates of RFCcert are discrepancy-targeted since they are assembled according to standards instead of genetics; (2) with the obtained certificates, RFCcert not only reveals the invalidity of traditional differential testing but is also able to conduct testing that traditional differential testing cannot do; and (3) the supporting tool of RFCcert has been implemented, and extensive experiments show that the approach is effective in finding bugs in SSL/TLS implementations.

Attached file: RFC-Directed Differential Testing of Certificate Validation in SSL/TLS implementations (beamerRFCcert.pdf), 2.11 MiB

Fri 1 Jun
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

11:00 - 12:30: Testing III (Technical Papers / Journal first papers) at Congress Hall
Chair(s): Myra Cohen, University of Nebraska-Lincoln
11:00 - 11:20
RFC-Directed Differential Testing of Certificate Validation in SSL/TLS Implementations
Technical Papers
11:20 - 11:40
Research paper
Symbolic Verification of Regular Properties
Technical Papers
Hengbiao Yu; Zhenbang Chen (College of Computer, National University of Defense Technology); Ji Wang; Zhendong Su (University of California, Davis); Wei Dong
11:40 - 12:00
Metamorphic Testing of RESTful Web APIs
Journal first papers
Sergio Segura; José Antonio Parejo Maestre (University of Sevilla); Javier Troya; Antonio Ruiz-Cortés (Universidad de Sevilla)
12:00 - 12:20
Integrating Technical Debt Management and Software Quality Management Processes: A Normative Framework and Field Tests
Journal first papers
Narayan Ramasubbu (University of Pittsburgh, USA); Chris Kemerer (University of Pittsburgh)
12:20 - 12:30
Q&A in groups
Technical Papers