Stanford Securibench Micro
Version 1.06, $Id: readme.txt,v 1.9 2006/04/21 17:14:26 livshits Exp $
--------------------------
1) What is Securibench Micro?
Securibench Micro is a suite of micro benchmarks written in Java and using J2EE libraries. Most
benchmark programs in Securibench Micro are designed to have security vulnerabilities embedded
in them. The goal of Securibench Micro is to test the capabilities of security testing tools.
Securibench and Securibench Micro were created as part of the Griffin Security Project at
Stanford University (http://suif.stanford.edu/~livshits/work/griffin/).
2) What is the structure of Securibench Micro?
Securibench Micro is designed as a number of packages, each intended to test a particular feature
set of source-level security vulnerability scanners. Currently there are packages that test
- interprocedural features
- handling of collections
- handling of predicates
- handling of reflection
- and more...
3) What are some of the design goals of Securibench Micro?
The overarching goal was to design an in-depth suite of benchmarks that would take the capabilities of a
particular static analyzer to the limit. At the same time, we wanted a suite of benchmarks,
all of which are executable so that they are amenable to manual penetration testing or some form
of dynamic analysis.
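The following servlet is an added illustration of the kind of micro-benchmark sections 2 and 3 describe; it is not one of the Securibench Micro test cases and does not reproduce the suite's own class layout. The class name, the request parameters "name" and "which", the helper methods pick() and escape(), and the VULNERABILITY_COUNT constant are all assumed for the example. A single tainted request parameter travels through a collection (the "collections" feature), a helper method (interprocedural), and a length predicate that does not sanitize, before reaching an HTML sink; a second sink is guarded by a real sanitizer, so a scanner that flags it produces a false positive. The servlet is deployable, so the same flow can also be confirmed by hand with a crafted request, which is what section 3 means by benchmarks being executable.

```java
// Added example in the style of a Securibench Micro test case; not project code.
// Expected result for a taint-tracking scanner: exactly one true positive (sink 1)
// and zero findings at sink 2.
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CollectionsInterPred extends HttpServlet {
    // Assumed convention for this example: number of real vulnerabilities in the class.
    public static final int VULNERABILITY_COUNT = 1;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Source: attacker-controlled query parameter (assumed name "name").
        String name = req.getParameter("name");
        if (name == null) {
            name = "";
        }

        // Collections feature: the tainted value sits beside an untainted one.
        // An analysis that taints the whole list will also flag items.get(0).
        List<String> items = new ArrayList<>();
        items.add("constant");   // untainted element, index 0
        items.add(name);         // tainted element, index 1

        // Interprocedural feature: the value passes through a helper whose
        // result depends on a runtime predicate the analysis cannot decide.
        String chosen = pick(items, req.getParameter("which") != null);

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();

        // Predicate feature: a length check is a constraint, not a sanitizer,
        // so the value is still tainted inside the branch.
        if (chosen.length() < 64) {
            out.println("<p>" + chosen + "</p>");          // sink 1: reflected XSS (true positive)
        }

        // Sanitizer feature: HTML-escaped before the same sink; a report here
        // is a false positive a good scanner must avoid.
        out.println("<p>" + escape(chosen) + "</p>");      // sink 2: safe
    }

    // Returns the tainted or the untainted element depending on the predicate.
    static String pick(List<String> items, boolean second) {
        return second ? items.get(1) : items.get(0);
    }

    // Minimal HTML entity encoder for element content (assumed sanitizer).
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Deployed in a servlet container, a request such as /CollectionsInterPred?which=1&name=%3Cscript%3Ealert(1)%3C/script%3E reaches sink 1 unescaped, which is the manual check a penetration tester would run to confirm what the scanner reports; a request without "which" exercises the untainted path and should produce no finding, which is how an imprecise treatment of the list shows up as a false positive.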
4) How is Securibench Micro installed?
Securibench Micro comes with an ant build script, build.xml. Before running ant,
update the file build.properties to refer to your server installation directory, and
make sure you have xdoclet available on your system. xdoclet may be downloaded
from http://easynews.dl.sourceforge.net/sourceforge/xdoclet/xdoclet-lib-1.2.3.zip. Unzip it
to a directory of your choice and change the xdoclet variable in build.properties to refer to it.
It is not strictly necessary to run ant install if you just intend to study the test cases
located in src/securibench/micro manually or run static analysis tools on them. Installation is
only necessary if you intend to have running versions of the benchmarks deployed on the server.
Since most of these micro-benchmarks have fairly obvious security holes, it is not recommended
that you install Securibench Micro on a machine that is externally accessible.
5) How many benchmarks are contained in Securibench Micro?
Version 1.08 of Securibench Micro ships with 96 test cases in 10 categories.
Below are more detailed statistics on the number of tests in each category:
------------------------------------------------------------
arrays               10
basic                42
collections           7
factories             3
inter                 7
pred                  9
reflection            4
sanitizers            6
session               3
strong_updates        5
------------------------------------------------------------
Total                96
------------------------------------------------------------
This information can be generated by running script stat.pl in src/securibench.