Book Extract: How to Break Software - A Practical Guide to Testing - James A. Whittaker
This book presents a model of testing: the fault model. By understanding the faults that can occur in software and applying tests that expose them, it is possible to break the software, uncover major defects in the system, and ensure they are fixed.
Chapter 1: Explains the fault model and how to use it for testing.
Chapters 2 and 3: Explain how the user interface can be used to attack software.
Chapters 4 and 5: Explain how the file interface and the OS interface can be used to attack software.
This book comes with the Canned HEAT software, which can be used to simulate system interface attacks.
The following is the list of attacks suggested in the book, which can be used as a checklist for test planning and testing.
List of Attacks:
From User Interface
1. Apply inputs that force all error messages to occur
2. Apply inputs that force the software to establish default values
3. Explore allowable character sets and data types
4. Overflow input buffers
5. Find inputs that may interact and test combinations of their values
6. Repeat the same input or series of inputs numerous times
7. Force different outputs to be generated for each input
8. Force invalid outputs to be generated
9. Force properties of an output to change
10. Force the screen to refresh
11. Apply inputs using a variety of initial conditions
12. Force a data structure to store too many or too few values
13. Investigate alternative ways to modify internal data constraints
14. Experiment with invalid operand and operator combinations
15. Force a function to call itself recursively
16. Force computation results to be too large or too small
17. Find features that share data or interact poorly
From System Interface
1. Fill the file system to its capacity
2. Force the media to be busy or unavailable
3. Damage the media
4. Assign an invalid file name
5. Vary file access permissions
6. Vary or corrupt file contents
7. Record and simulate attacks for memory faults and network faults
8. Observe and fail attacks for low-level API and system call activity
Each attack is explained in the book in the following sections, with examples: WHEN to apply this attack, WHAT software faults make this attack successful, HOW to determine if this attack exposes failures, and HOW to conduct this attack.
Links:
1. www.howtobreaksoftware.com