Automated Security Testing of an Electronic Asset Transfer Platform

电子资产转移平台的自动化安全测试

• 批准号: 516011-2017
• 负责人: Tripunitara, Mahesh
• 金额: $ 1.82万
• 依托单位: University of Waterloo
• 依托单位国家: 加拿大
• 项目类别: Engage Grants Program
• 财政年份: 2017
• 资助国家: 加拿大
• 起止时间: 2017-01-01 至 2018-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=640112
• 关键词: Automated; Security; Testing; Electronic; Asset

Ensuring that software is bug-free is a significant technical challenge, recognized as such in both industry and academic research. Exacerbating this challenge is the very real possibility that malicious parties can tease out and trigger bugs for personal and institutional gain. The technology of the company-partner for this proposal, nanopay, relates to the transfer of assets, for example, money. Their technology is a particularly attractive target for such malicious exploitation. Like most enterprises, nanopay invests considerably in technology and processes to ensure software quality. Of importance in this context is automation --- integration of automated testing in the process of developing and delivering software and related services. Existing solutions are severely lacking in this regard when it comes to security properties. In particular, as nanopay's solution is for asset-transfer, security in their context includes properties for that domain, for example, questions such as: `Can a malicious user acquire an asset, yet not have paid for it?,' and, `Can a malicious merchant somehow cheat a user out of payments, yet not deliver corresponding goods and services?' While there is broad research in frameworks for articulating security properties, and reasoning about them, automation of the nature we discuss above remains a long-term goal in research. There is no existing technology, of which were are aware, that nanopay can leverage in the near-term. The proposed work will train Highly Qualified Personnel (HQP) and be of short- and long-term value to industry in Ontario, Canada.

确保软件没有bug是一个重大的技术挑战，在工业和学术研究中都是如此。加剧这一挑战的是，恶意方有真实的可能为了个人和机构的利益而梳理和触发漏洞。该公司合作伙伴的技术，纳米支付，涉及资产的转移，例如，钱。他们的技术是这种恶意利用的特别有吸引力的目标。像大多数企业一样，Nanopay在技术和流程上投入了大量资金，以确保软件质量。在这种情况下，重要的是自动化--在开发和交付软件及相关服务的过程中集成自动化测试。在安全属性方面，现有解决方案严重缺乏这方面的解决方案。特别是，由于nanopay的解决方案是针对资产转移的，因此其上下文中的安全性包括该域的属性，例如，诸如“恶意用户是否可以获得资产，但尚未支付？”“以及”恶意商家是否可以以某种方式欺骗用户付款，但不提供相应的商品和服务？“虽然在阐明安全属性的框架方面有广泛的研究，并对它们进行推理，但我们上面讨论的自动化仍然是研究的长期目标。我们知道，目前还没有任何现有的技术可以让纳米支付在短期内发挥作用。拟议的工作将培训高素质的人员（HQP），并在加拿大安大略的行业具有短期和长期的价值。