Towards Automated Software Security Testing: Augmenting Penetration Testing through LLMs (ESEC/FSE 2023 - Ideas, Visions and Reflections) - ESEC/FSE 2023

Sun 3 - Sat 9 December 2023 San Francisco, California, United States

Who

Andreas Happe, Jürgen Cito

Track

ESEC/FSE 2023 Ideas, Visions and Reflections

Time Zone

The program is currently displayed in (GMT-08:00) Pacific Time (US & Canada).

Use conference time zone: (GMT-08:00) Pacific Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

When

Tue 5 Dec 2023 14:45 - 15:00 at Golden Gate C1 - Testing II Chair(s): Brittany Johnson

Abstract

The field of software security testing, more specifically penetration testing, is an activity that requires high levels of expertise and involves many manual testing and analysis steps. This paper explores the potential usage of large-language models, such as GPT3.5, to augment penetration testers with AI sparring partners. We explore the feasibility of supplementing penetration testers with AI models for two distinct use cases: high-level task planning for security testing assignments and low-level vulnerability hunting within a vulnerable virtual machine. For the latter, we implemented a closed-feedback loop between LLM-generated low-level actions with a vulnerable virtual machine (connected through SSH) and allowed the LLM to analyze the machine state for vulnerabilities and suggest concrete attack vectors which were automatically executed within the virtual machine. We discuss promising initial results, detail avenues for improvement, and close deliberating on the ethics of providing AI-based sparring partners.

Andreas Happe

TU Wien

Austria

Jürgen Cito

TU Wien

Austria

Media

Time Zone

The program is currently displayed in (GMT-08:00) Pacific Time (US & Canada).

Use conference time zone: (GMT-08:00) Pacific Time (US & Canada)Select other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Session Program

Tue 5 Dec
Displayed time zone: Pacific Time (US & Canada) change

	14:00 - 15:30	Testing IIIndustry Papers / Research Papers / Demonstrations / Ideas, Visions and Reflections at Golden Gate C1 Chair(s): Brittany Johnson George Mason University

	14:00 15m Talk		Statfier: Automated Testing of Static Analyzers via Semantic-preserving Program Transformations Research Papers Huaien Zhang Southern University of Science and Technology, The Hong Kong Polytechnic University, Yu Pei Hong Kong Polytechnic University, Junjie Chen Tianjin University, Shin Hwei Tan Concordia University Media Attached
	14:15 15m Talk		Towards Efficient Record and Replay: A Case Study in WeChat Industry Papers Sidong Feng Monash University, Haochuan Lu Tencent, Ting Xiong Tencent Inc., Yuetang Deng Tencent Inc., Chunyang Chen Monash University DOI Media Attached
	14:30 15m Talk		Contextual Predictive Mutation Testing Research Papers Kush Jain Carnegie Mellon University, Uri Alon Carnegie Mellon University, Alex Groce Northern Arizona University, Claire Le Goues Carnegie Mellon University Media Attached
	14:45 15m Talk		Towards Automated Software Security Testing: Augmenting Penetration Testing through LLMs Ideas, Visions and Reflections Andreas Happe TU Wien, Jürgen Cito TU Wien Media Attached
	15:00 7m Talk		LazyCow: A Lightweight Crowdsourced Testing Tool for Taming Android Fragmentation Demonstrations Xiaoyu Sun Australian National University, Australia, Xiao Chen Monash University, Yonghui Liu Monash University, John Grundy Monash University, Li Li Beihang University Media Attached
	15:08 7m Talk		Rotten Green Tests in Google Test Industry Papers Paul Robinson Sony DOI Media Attached
	15:15 15m Talk		MuAkka: Mutation Testing for Actor Concurrency in Akka Using Real-World Bugs Research Papers Mohsen Moradi Moghadam Oakland University, Mehdi Bagherzadeh Oakland University, Raffi Khatchadourian City University of New York (CUNY) Hunter College, Hamid Bagheri University of Nebraska-Lincoln Pre-print Media Attached