* ICSE 2018 *
Sun 27 May - Sun 3 June 2018 Gothenburg, Sweden
Fri 1 Jun 2018 11:00 - 11:20 at Congress Hall - Testing III Chair(s): Myra Cohen

Certificate validation in the Secure Sockets Layer or Transport Layer Security protocol (SSL/TLS) is critical to Internet security. It is therefore important to check whether certificate validation in SSL/TLS is correctly implemented. With this motivation, we propose a novel differential testing approach that is directed by the standard Requests for Comments (RFCs). First, rules for certificates are extracted automatically from RFCs. Second, low-level test cases are generated through dynamic symbolic execution. Third, high-level test cases, i.e. certificates, are assembled automatically. Finally, with the assembled certificates as test cases, certificate validation in SSL/TLS implementations is tested to reveal latent vulnerabilities or bugs. Our approach, named RFCcert, has the following advantages: (1) the certificates of RFCcert are discrepancy-targeted, since they are assembled according to standards instead of genetics; (2) with the obtained certificates, RFCcert not only reveals the invalidity of traditional differential testing but is also able to conduct testing that traditional differential testing cannot do; and (3) the supporting tool of RFCcert has been implemented, and extensive experiments show that the approach is effective in finding bugs in SSL/TLS implementations.

Slides: RFC-Directed Differential Testing of Certificate Validation in SSL/TLS Implementations (beamerRFCcert.pdf, 2.11 MiB)

Conference Day
Fri 1 Jun

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

11:00 - 12:30: Testing III (Journal first papers / Technical Papers) at Congress Hall
Chair(s): Myra Cohen (University of Nebraska-Lincoln)

11:00 (20m) Talk: RFC-Directed Differential Testing of Certificate Validation in SSL/TLS Implementations
Technical Papers. DOI, File Attached

11:20 (20m) Research paper: Symbolic Verification of Regular Properties
Technical Papers. Pre-print
Hengbiao Yu, Zhenbang Chen (College of Computer, National University of Defense Technology), Ji Wang, Zhendong Su (University of California, Davis), Wei Dong

11:40 (20m) Talk: Metamorphic Testing of RESTful Web APIs
Journal first papers
Sergio Segura, José Antonio Parejo Maestre (University of Sevilla), Javier Troya, Antonio Ruiz-Cortés (Universidad de Sevilla)

12:00 (20m) Talk: Integrating Technical Debt Management and Software Quality Management Processes: A Normative Framework and Field Tests
Journal first papers
Narayan Ramasubbu (University of Pittsburgh, USA), Chris Kemerer (University of Pittsburgh)

12:20 (10m) Talk: Q&A in groups
Technical Papers