Andrew F. Tappenden's research while affiliated with The King’s University and other places


Publications (19)


Automated policy generation for testing access control software
Article · February 2017 · 35 Reads

Information Security Journal A Global Perspective

Alejandro Felix · Andrew F. Tappenden · James Miller

Access control systems (ACS) are a critical component of modern information technology systems and require rigorous testing. If the ACS has defects, then the deployment is not secure and is a threat to system security. Firewalls are an important example of an ACS, and formally verifying firewall systems has recently attracted attention. We present an automated software-testing tool, PG, for the production of firewall policies for use in firewall policy enforcement testing. PG utilizes a number of heuristic techniques to improve space coverage over traditional systems based on randomly generated firewall policies. An empirical study is presented demonstrating that PG generates firewall policies with superior coverage compared to traditional policy-generation techniques. The extension of PG beyond firewall systems to other ACS situations is outlined.


2016 Spring ConfChem: citizen science and international collaboration through environmental monitoring with simple chemical sensors

January 2016 · 22 Reads · 2 Citations

Pure and Applied Chemistry

Brian Martin · [...]

Building capacity for carrying out and understanding responsible science that is relevant to local challenges is a key ingredient in the OPCW’s strategy for achieving and maintaining a world free of chemical weapons. Two important contexts for building that capacity for responsible science are (1) the global attention being drawn to the rapidly increasing human chemical footprint on our planet and (2) the pervasive use of digital technologies. We describe an effort coordinated by the Organisation for the Prohibition of Chemical Weapons to build capacity among young people around the world to harness the power of small mobile chemical sensors to develop data literacy in complex chemical analysis based on measuring analytes that are relevant to their lives and local contexts. This new type of data literacy is an emergent element in educational programs and is key to developing the capacity for decision-making on chemical measurement data. The project brings together student and faculty collaborators from the fields of chemistry, social sciences and informatics, to provide proof of concept in four areas that support the overall goal of building a collective effort for scientific analysis; the development of low cost environmental sensors for air and water samples; the collection of representative test data sets on priority contaminants; the assessment and visualization of data; and education about the effect of priority pollutants on human and environmental health. We report on the project goals and preliminary steps taken to achieve them.



A Web Service Test Generator

December 2014 · 24 Reads · 4 Citations

An automated process for generating test inputs for web services from a WSDL is presented. A grammatical representation of the web service is extracted from the WSDL and used to produce test cases. A context-free grammar (CFG) is generated from the XSD that is stored in the WSDL. The CFG is provided as input into a constraint-satisfaction problem solver to automatically generate a diverse set of structurally correct XML documents. Testing data is then inserted into the XML templates in accordance with any constraints specified in the XSD. Web service-specific testing can be performed with the inclusion of external datasets and service-specific configurations.


Automated Cookie Collection Testing

February 2014 · 51 Reads · 13 Citations

ACM Transactions on Software Engineering and Methodology

Cookies are used by over 80% of Web applications utilizing dynamic Web application frameworks. Applications deploying cookies must be rigorously verified to ensure that the application is robust and secure. Given the intense time-to-market pressures faced by modern Web applications, testing strategies that are low cost and automatable are required. Automated Cookie Collection Testing (CCT) is presented, and is empirically demonstrated to be a low-cost and highly effective automated testing solution for modern Web applications. Automatable test oracles and evaluation metrics specifically designed for Web applications are presented, and are shown to be significant diagnostic tests. Automated CCT is shown to detect faults within five real-world Web applications. A case study of over 580 test results for a single application is presented demonstrating that automated CCT is an effective testing strategy. Moreover, CCT is found to detect security bugs in a Web application released into full production.


Centroidal Voronoi Tessellations- A New Approach to Random Testing

February 2013 · 87 Reads · 64 Citations

IEEE Transactions on Software Engineering

Although Random Testing (RT) is low cost and straightforward, its effectiveness is not satisfactory. To increase the effectiveness of RT, researchers have developed Adaptive Random Testing (ART) and Quasi-Random Testing (QRT) methods which attempt to maximize the test case coverage of the input domain. This paper proposes the use of Centroidal Voronoi Tessellations (CVT) to address this problem. Accordingly, a test case generation method, namely, Random Border CVT (RBCVT), is proposed which can enhance the previous RT methods to improve their coverage of the input space. The generated test cases by the other methods act as the input to the RBCVT algorithm and the output is an improved set of test cases. Therefore, RBCVT is not an independent method and is considered as an add-on to the previous methods. An extensive simulation study and a mutant-based software testing investigation have been performed to demonstrate the effectiveness of RBCVT against the ART and QRT methods. Results from the experimental frameworks demonstrate that RBCVT outperforms previous methods. In addition, a novel search algorithm has been incorporated into RBCVT reducing the order of computational complexity of the new approach. To further analyze the RBCVT method, randomness analysis was undertaken demonstrating that RBCVT has the same characteristics as ART methods in this regard.


Token-based graphical password authentication

November 2011 · 264 Reads · 13 Citations

International Journal of Information Security

Given that phishing is an ever-increasing problem, a better authentication system is required. We propose a system that uses a graphical password deployed from a Trojan and virus-resistant embedded device. The graphical password utilizes a personal image to construct an image hash, which is provided as input into a cryptosystem that returns a password. The graphical password requires the user to select a small number of points on the image. The embedded device will then stretch these points into a long alphanumeric password. With one graphical password, the user can generate many passwords from their unique embedded device. The image hash algorithm employed by the device is demonstrated to produce random and unique 256-bit message digests and was found to be responsive to subtle changes in the underlying image. Furthermore, the device was found to generate passwords with entropy significantly larger than that of user passwords currently employed today.


A Novel Evolutionary Approach for Adaptive Random Testing

January 2010 · 63 Reads · 61 Citations

IEEE Transactions on Reliability

Random testing is a low cost strategy that can be applied to a wide range of testing problems. While the cost and straightforward application of random testing are appealing, these benefits must be evaluated against the reduced effectiveness due to the generality of the approach. Recently, a number of novel techniques, coined Adaptive Random Testing, have sought to increase the effectiveness of random testing by attempting to maximize the testing coverage of the input domain. This paper presents the novel application of an evolutionary search algorithm to this problem. The results of an extensive simulation study are presented in which the evolutionary approach is compared against the Fixed Size Candidate Set (FSCS), Restricted Random Testing (RRT), quasi-random testing using the Sobol sequence (Sobol), and random testing (RT) methods. The evolutionary approach was found to be superior to FSCS, RRT, Sobol, and RT amongst block patterns, the arena in which FSCS, and RRT have demonstrated the most appreciable gains in testing effectiveness. The results among fault patterns with increased complexity were shown to be similar to those of FSCS, and RRT; and showed a modest improvement over Sobol, and RT. A comparison of the asymptotic and empirical runtimes of the evolutionary search algorithm, and the other testing approaches, was also considered, providing further evidence that the application of an evolutionary search algorithm is feasible, and within the same order of time complexity as the other adaptive random testing approaches.


A Survey of Cookie Technology Adoption Amongst Nations.

September 2009 · 60 Reads · 2 Citations

Journal of Web Engineering

This paper presents the results of a novel survey probing the use of cookies with respect to country of origin and related web technologies. A number of significant relationships are established between the origin of the web application and cookie deployment. Cookie usage amongst five popular dynamic web application frameworks is analyzed providing a per-country breakdown of platform adoption and the establishment of a link between dynamic web technologies and first-party and sessional cookies. The prevalence of vendor-specific third-party technologies both globally and within specific countries is studied. Although global leaders emerged, a number of country-specific market leaders were discovered, suggesting that country-specific niche technologies are competing with the globally dominant technologies within specific markets. A large association is identified between third-party persistent cookie usage and a country's e-business environment--the strongest evidence that cookies are an integral part of the global e-commerce environment.


Cookies

June 2009 · 95 Reads · 12 Citations

ACM Transactions on the Web

The results of an extensive investigation of cookie deployment amongst 100,000 Internet sites are presented. Cookie deployment is found to be approaching universal levels and hence there exists an associated need for relevant Web and software engineering processes, specifically testing strategies which actively consider cookies. The semi-automated investigation demonstrates that over two-thirds of the sites studied deploy cookies. The investigation specifically examines the use of first-party, third-party, sessional, and persistent cookies within Web-based applications, identifying the presence of a P3P policy and dynamic Web technologies as major predictors of cookie usage. The results are juxtaposed with the lack of testing strategies present in the literature. A number of real-world examples, including two case studies are presented, further accentuating the need for comprehensive testing strategies for Web-based applications. The use of antirandom test case generation is explored with respect to the testing issues discussed. Finally, a number of seeding vectors are presented, providing a basis for testing cookies within Web-based applications.


Citations (16)


... Collaboration through Environmental Monitoring with Simple Chemical Sensors". The premise behind the report was "to build capacity among young people… [and] to develop data literacy…that [is] relevant to their lives and local contexts" (Forman et al. 2016, p.1) The report goes on to describe how they hope to utilize low-cost chemical sensors to construct "a lasting database that can be used by multiple groups to bring many types of chemical data together" (Forman et al. 2016, p.6), with the resulting data presented being easily understandable for someone "who [has] an interest in the topic but limited knowledge about data analytics" (Forman et al. 2016, p.6). ...

Reference:

The Challenge of Verifying State Compliance with Arms Control and Disarmament Treaties
2016 Spring ConfChem: citizen science and international collaboration through environmental monitoring with simple chemical sensors
  • Citing Article
  • January 2016

Pure and Applied Chemistry


... However, the coverage of test cases in this paper depends on the accuracy of network protocol classification tree construction. Felix et al. [23] introduced a novel fuzzer, Policy Generator (PG). PG utilizes a number of heuristic techniques to improve space coverage over existing fuzzers. ...

Policy Generator (PG): A Heuristic-Based Fuzzer
  • Citing Conference Paper
  • January 2016

... Online cookies are commonly used by web servers to ensure the authentication and authorization of users across multiple pages, sections, and sessions (Tappenden & Miller, 2014). However, some cookies track user activities on a particular website while others track it across multiple websites. ...

Automated Cookie Collection Testing
  • Citing Article
  • February 2014

ACM Transactions on Software Engineering and Methodology

... (2) For RQ1.2, we adopted the P-measure [49], which is defined as the probability of a given test set detecting at least one failure. Although the P-measure may appear less practical than the F-measure, it has been widely used in many testing scenarios, especially in automated software testing [50]. Another evaluation metric is the E-measure [49], which is defined as the expected number of failures to be detected by a given test set. ...

Centroidal Voronoi Tessellations- A New Approach to Random Testing
  • Citing Article
  • February 2013

IEEE Transactions on Software Engineering

... As discussed in Section II-A, Chan et al. [37] identified three common failure pattern types: block; strip; and point (Figure 1). Following previous ART studies [27], [46], [51], [52], [53], [54], we also used these patterns in our simulation framework. Using a unit input domain (D was [0, 1.0)^d), the block pattern was simulated as a single hypercube randomly constructed and located within D. This was achieved by selecting a random point and then extending the same length for each dimension (with respect to θ), producing, for example, a square in two dimensions, or a cube in three dimensions. ...

A Novel Evolutionary Approach for Adaptive Random Testing
  • Citing Article
  • January 2010

IEEE Transactions on Reliability

... For instance, one typical practice is to select common versions of mobile operating system, screen sizes and resolutions, and devices compatible with the app under test. Context simulators to simulate context change and network simulators to simulate different network protocols are essential elements in the test environment [11]. The application test server is also required to manage the communication of the automation technology and the app under test ...

Agile Testing of Location Based Services
  • Citing Conference Paper
  • June 2005

Lecture Notes in Computer Science

... Load and stress testing are proper approaches to figure out the reasons behind response time-outs and resource issues, and when undertaken, they can help to validate that LBS is scalable. In this regard, Yu et al. [21] proposed a novel framework for LBS testing. The proposed scalable testing framework still does not make the testing of a complicated software system simple, straightforward, or error free. ...

A Scalable Testing Framework for Location-Based Services
  • Citing Article
  • March 2009

Journal of Computer Science and Technology