dynamic analysis Archives – rescale-project.eu

The Tools Powering RESCALE’s Dynamic Testing Module

Ensuring the security of modern software requires more than just static analysis. Many vulnerabilities only emerge at runtime, making dynamic testing essential for detecting issues related to input validation, execution misconfigurations, and API security flaws. The Dynamic Testing Module in RESCALE integrates multiple specialized tools that execute software in controlled environments, providing a comprehensive assessment of software security before deployment. Each tool plays a distinct role in detecting different types of vulnerabilities, allowing for a multi-layered approach to security testing.

FATex: Fault Tolerance and Resilience Testing

FATex is designed to analyze how software behaves under fault conditions, focusing on the resilience of compiled applications. It introduces simulated failures and stress conditions, identifying points where an application may crash, behave unpredictably, or expose security risks. Unlike traditional fuzzers, FATex does not focus solely on input mutation but evaluates how execution paths respond to failures. This allows security teams to assess exception handling mechanisms, error recovery strategies, and overall system stability. By identifying weak points in an application’s fault tolerance, FATex helps developers build more robust and secure software.

RAISE: API Security Testing with ML-Driven Fuzzing

RAISE is a dynamic API security testing tool that automates the evaluation of web services, ensuring that API endpoints are resistant to attacks. Many modern applications rely on RESTful APIs, making API security a crucial aspect of software assurance. RAISE integrates with RESTler, a security-focused API fuzzer that generates API test cases using a grammar-based approach. By leveraging machine learning and genetic algorithms, RAISE optimizes the fuzzing process, identifying API vulnerabilities such as authentication bypasses, unauthorized access risks, and improper input validation. The tool systematically explores API execution paths, learning from previous test results to refine its approach and improve vulnerability detection.

The provided diagram illustrates how RAISE integrates with RESTler. The system starts with an OpenAPI or Swagger specification, which is compiled into an API grammar. The RESTler engine, enhanced with machine learning, generates fuzzing test cases designed to trigger security flaws. The results are stored in a trace database, where they are categorized into bug buckets for further analysis. This structured approach ensures that API vulnerabilities are identified efficiently and that the results are documented in a way that aids remediation efforts.

EvoMaster: AI-Driven Automated Test Case Generation

EvoMaster is designed to automate test case generation using evolutionary algorithms. Traditional testing relies on manually crafted test cases, which can be time-consuming and limited in coverage. EvoMaster generates test cases dynamically by leveraging OpenAPI schemas, systematically exploring execution paths, and identifying vulnerabilities through an AI-driven mutation-based approach. This method increases the likelihood of detecting hidden security flaws, particularly in applications with complex input handling.

The EvoMaster workflow diagram demonstrates how the tool interacts with a system under test (SUT). An API schema in OpenAPI format defines the expected structure of the API. The coverage plugin monitors execution coverage, helping EvoMaster optimize its test case generation process. The tool sends test requests and analyzes responses, using data from FuzzDB, a repository of attack payloads, to detect security weaknesses. Results are parsed and aggregated, contributing to the security assessment of the tested system. The final test report is generated and incorporated into the Dynamic Supply Chain Component Guarantee (DSCG), ensuring that all findings are properly documented.

Standardizing Security Findings with DSCG

The results from FATex, RAISE, and EvoMaster are aggregated into the Dynamic Supply Chain Component Guarantee (DSCG), a structured document that consolidates security assessment findings from dynamic testing. The DSCG ensures that runtime security evaluations are standardized and traceable, providing a detailed breakdown of vulnerabilities, risk assessments, and compliance with security policies.

The DSCG structure, as shown in the provided diagram, includes metadata such as the serial number, version, and tool information. It also contains declarations specifying security targets, claims, and evidence gathered during testing. Definitions and standards are incorporated to align the findings with established security frameworks. The CDX Validator processes the DSCG, ensuring that the results conform to industry standards before they are sent to the RESCALE Management Module. This guarantees that security assessments from dynamic testing contribute directly to the broader supply chain security framework.

Conclusion

The Dynamic Testing Module in RESCALE integrates multiple specialized tools to detect vulnerabilities that only emerge at runtime. FATex ensures that applications are resilient against faults and execution failures. RAISE systematically tests API security, using machine learning-driven fuzzing to uncover authentication and authorization flaws. EvoMaster automates test case generation, leveraging evolutionary algorithms to identify security risks in software execution paths. Together, these tools provide a comprehensive runtime security assessment, strengthening the security posture of software components before deployment.

Through the DSCG, the results of these security evaluations are standardized, validated, and integrated into the RESCALE security framework. As cyber threats evolve, dynamic testing plays a critical role in securing modern applications, ensuring that vulnerabilities are detected and mitigated before they can be exploited.

Follow us on Social Media

Ensuring Software Security with RESCALE’s Dynamic Testing Module

Modern software supply chains face growing security challenges, with vulnerabilities potentially emerging at any stage, during development, compilation, or execution. While static analysis is effective in detecting security flaws at the code level, many threats only manifest at runtime, making them invisible to static testing. Dynamic testing addresses this challenge by executing software in controlled environments, detecting vulnerabilities that arise from interactions, input handling, memory management, and real-world execution conditions. Within the RESCALE project, the Dynamic Testing Module plays a crucial role in analyzing software and hardware components under runtime conditions, ensuring a comprehensive security evaluation before deployment.

The Dynamic Testing Module is an integral part of the RESCALE security framework, ensuring that compiled software artifacts and their runtime behavior are assessed for security risks. Unlike static analysis, which primarily works with source code, dynamic testing focuses on compiled and running software, identifying weaknesses that only appear during execution. This module automates and standardizes the process of runtime security validation, ensuring that each tested component is documented, verified, and assigned a security guarantee based on the findings.

How the Dynamic Testing Module Works

The architecture of the Dynamic Testing Module is structured to execute software securely in a controlled environment while integrating various dynamic analysis techniques. The module consists of an Orchestrator Hub, which manages dynamic testing workflows and coordinates the execution of multiple security testing tools. It interacts with a software repository, where both compiled software and its runtime twin are stored, ensuring that analysis can be performed in a manner that mimics real-world deployment.

The Orchestrator Hub directs testing across different analyzers, each specializing in distinct aspects of software and hardware security. The Dynamic Software Testing Analyzers, which include tools such as FATex, RAISE, and EvoMaster, focus on fuzz testing, API security evaluation, and behavioral analysis. These tools are particularly effective in uncovering issues such as input validation failures, memory corruption, and execution logic errors that are difficult to detect without live execution. In parallel, the Low-Level Hardware Testing Analyzers, including Inspectre and the SCA Analysis Tool, assess security vulnerabilities at the firmware, device, and embedded system levels, ensuring that hardware components are tested alongside software.

The Role of the DSCG in Dynamic Testing

A key output of the Dynamic Testing Module is the Dynamic Supply Chain Component Guarantee (DSCG), a structured security assessment that consolidates and standardizes the results of runtime security evaluations. As the various dynamic analysis tools execute their respective security tests, their findings are aggregated and processed within the module. The DSCG Generator compiles these results, ensuring that vulnerabilities, security compliance checks, and risk assessments are standardized and traceable.

To maintain consistency with supply chain security requirements, the CDX Validator ensures that all findings align with structured reporting formats, making them usable for further security assessments within RESCALE. Once validated, the DSCG is integrated into the RESCALE Management Module, where it contributes to broader security assurance processes. The data collected through dynamic testing plays a key role in informing security decisions across the software supply chain, ultimately feeding into the generation of a Trusted Bill of Materials (TBOM), which consolidates security guarantees at all stages of software development and execution.

Why Dynamic Testing is Critical for Supply Chain Security

While static analysis plays an essential role in identifying security flaws in code, it does not account for vulnerabilities that arise only during execution. Many of the most exploitable security weaknesses, such as buffer overflows, race conditions, and input validation failures, cannot be detected without executing the software under realistic conditions. Attackers often exploit runtime-specific vulnerabilities that do not exist at the source code level, making dynamic testing an essential component of a comprehensive security strategy.

Beyond software vulnerabilities, dynamic testing is particularly valuable in securing hardware and embedded systems, which are becoming increasingly important in modern supply chain security models. With the growing reliance on third-party hardware components, firmware integrations, and external dependencies, security risks extend beyond just software flaws. The Dynamic Testing Module ensures that security assessments include hardware analysis, reducing the risk of firmware-based exploits, insecure device interactions, and physical-layer vulnerabilities.

Conclusion

The Dynamic Testing Module in RESCALE is a key component in ensuring comprehensive software and hardware security. By integrating multiple dynamic analysis tools, aggregating results into the DSCG, and feeding validated security assessments into the broader RESCALE framework, this module ensures that software and hardware undergo rigorous testing before deployment. By identifying runtime vulnerabilities and assessing security risks in compiled binaries, APIs, and embedded systems, it plays a crucial role in securing the software supply chain.

In the next article, we will examine the specific tools that power this module, including FATex, RAISE, EvoMaster, and Inspectre, exploring how each contributes to enhancing dynamic security analysis in RESCALE.