SECTEST 2012
The Third International Workshop on Security Testing
Affiliated with ICST 2012
Montreal, Quebec, Canada
April 21, 2012
To improve software security, several
techniques, including vulnerability modelling and security testing,
have been developed but the problem remains unsolved. On one hand, the
workshop tries to answer how vulnerability modelling can help users
understand the occurrence of vulnerabilities so to avoid them, and
what the advantages and drawbacks of the existing models are to
represent vulnerabilities. At the same time, the workshop tries to
understand how to solve the challenging security testing problem given
that testing the mere functionality of a system alone is already a
fundamentally critical task, how security testing is different from
and related to classical functional testing, and how to assess the
quality of security testing. The objective of this workshop is to
share ideas, methods, techniques, and tools about vulnerability
modelling and security testing to improve the state of the art.
In particular, the workshop aims at providing a forum for
practitioners and researchers to exchange ideas, perspectives on
problems, and solutions. Both papers proposing novel models, methods,
and algorithms and reporting experiences applying existing methods on
case studies and industrial examples are welcomed. The topics of
interest include, but are not restricted to:
This workshop is a follow-up and combination of the
First International Workshop on Security Testing
(SECTEST 2008) and the First
International Workshop on Modelling and Detection of Vulnerabilities
(MDV 2010), as well as the Second International Workshop on Security Testing
(SECTEST 2011).
Authors are invited to submit their papers electronically, as portable document format (pdf) or postscript (ps); please do not send files formatted for word processing packages (e.g., Microsoft Word or WordPerfect files).
The only mechanism for paper submissions is via the
electronic submission web-site powered by EasyChair.
The workshop is supported by the projects
Diamonds
and
SPaCIoS.
Program: Saturday - April 21
08:00 - 09:00
Registration and Breakfast
Session I
Chairs: Wissam Mallouli and Luca Viganò
Introduction
09:00 - 10:00
Invited talk
Model-Based Fuzz Testing
Ina Schieferdecker (Fraunhofer Fokus, Germany)
talk
10:00 - 10:30
Managing Evolution by Orchestrating Requirements and Testing Engineering Processes
Federica Paci, Fabio Massacci, Fabrice Bouquet and Stephane Debricon.
talk
10:30 - 11:00
Coffee break
Session II
Chair: Ana Cavalli
11:00 - 11:30
XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuzzing
Fabien Duchene, Roland Groz, Jean-Luc Richier and Sanjay Rawat.
talk
11:30 - 12:00
A Taint Based Approach for Smart Fuzzing
Sofia Bekrar, Chaouki Bekrar, Roland Groz and Laurent Mounier.
12:00 - 12:30
A Testing Model for Dynamic Malware Analysis Systems
Frédéric Massicotte, Mathieu Couture, Hugues Normandin and Frédéric Michaud.
talk
12:30 - 14:00
Lunch
Session III
Chair: Johan Oudinet
14:00 - 14:45
Automatic XACML requests generation for policy testing
Antonia Bertolino, Said Daoudagh, Francesca Lonetti and Eda Marchetti.
talk, demo
14:45 - 15:30
Solving Some Modeling Challenges when Testing Rich Internet Applications for Security
Suryakant Choudhary, Mustafa Emre Dincturk, Gregor V. Bochmann, Guy-Vincent Jourdan, Iosif Viorel Onut and Paul Ionescu.
talk
15:30 - 16:00
Coffee break
Session IV
Chair: Roland Groz
16:00 - 16:30
SPaCiTE - Web Application Testing Engine
Matthias Büchler, Johan Oudinet and Alexander Pretschner.
talk
16:30 - 17:00
Events-Based Security Monitoring Using MMT Tool
Bachar Wehbi, Edgardo Montes de Oca and Michel Bourdellès.
talk
17:00 - 17:30
The SmartLogic Tool: Analysing and Testing Smart Card Protocols
Gerhard de Koning Gans and Joeri de Ruiter.
talk
Invited Talk
Ina Schieferdecker (Fraunhofer Fokus, Germany)
Model-Based Fuzz Testing.
The European ITEA2 project DIAMONDS (Development and Industrial Application of Multi-Domain
Security Testing Technologies) develops under the direction of Fraunhofer FOKUS,
Berlin efficient and automated security test methods for security-critical,
networked systems in various industrial domains such as industrial automation,
banking and telecommunications. DIAMONDS develops methods to design objective,
transparent, repeatable, and automated security tests that focus on system
specifications and related risks. The project goals include the development of a security test pattern catalogue and the development of model-based security testing techniques such as risk-based testing and model-based fuzz testing. The project results are made available through publications and contributions to the standardization at ETSI and other standardization bodies.
The presentation focusses on model-based fuzz testing, reviews the state of the art, compares it to similar approaches such as mutation testing, and presents first results on behaviour fuzzing for security testing.
Submission
We solicit both full papers (8 pages) and short papers (2 pages) in
IEEE two-column format. We also solicit demonstrations of security testing tools (2 pages).
All submissions will be peer-reviewed. Authors of accepted papers must
guarantee that their paper will be presented at the workshop.
Publication
The proceedings will be published in the IEEE digital library.
Audience
Participation to the workshop will be open to anybody willing to
register.
Last modified: Mon May 8 10:27:24 CEST 2006