This paper presents results from analyzing the vulnerability of security-critical software applications to malicious threats and anomalous events using an automated fault injection analysis approach. The work is based on the well-understood premise that a large proportion of security violations result from errors in software source code and con guration. The methodology employs software fault injection to force anomalous program states during the execution of software and observes their corresponding e ects on system security. If insecure behavior is detected, the perturbed location that resulted in the violation is isolated for further analysis and possibly retro tting with faulttolerant mechanisms. 1 Analyzing the behavior of software It is now well understood that a vast majority of security intrusions are made possible by aws in software. One need only look at the annals of Bugtraq for empirical evidence of this assertion.1 To address this problem, computer security researchers an...
Anup K. Ghosh, Tom O'Connor, Gary McGraw