Below are some common questions:
- What is the goal of Securibench Micro?
The goal of Securibench Micro is to test the capabilities of security testing tools. Often the information about a particular analysis is hard to discern behind the marketing jargon and non-standard terminology. Unlike Securibench, which collects "natural" open-source benchmark applications, Securibench Micro addresses this problem by creating a large standard set of artificial test cases. Securibench Micro and Securibench were created as part of the Griffin Security Project at Stanford University.
- What kind of programs does Securibench Micro contain?
Securibench Micro is a suite of micro-benchmarks written in Java and using J2EE libraries. Each test case is a small, self-contained servlet that can be tested in isolation. Most of the benchmark programs in Securibench Micro are designed to have security vulnerabilities embedded in them.
- What are some of the design goals of Securibench Micro?
The overarching goal was to design an in-depth suite of benchmarks that would push the capabilities of a particular static analyzer to their limit. At the same time, we wanted a suite of benchmarks all of which are executable, so that they are amenable to manual penetration testing or some form of dynamic analysis.
Number of test cases per category (as reported by stat.pl; see the question on test-case counts below):

Type              # of entries
arrays            10
basic             42
collections       15
factories         3
inter             14
pred              9
reflection        4
sanitizers        6
session           3
strong updates    5
aliasing          6
data structures   6
Total             123

- What is the structure of Securibench Micro?
Securibench Micro is organized as a number of packages, each designed to test a particular feature of source-level security vulnerability scanners. Currently there are packages that test interprocedural analysis, handling of collections, handling of predicates, handling of reflection, and more.
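To make the shape of a test case concrete, here is an added example written in the style of a Securibench Micro servlet. It is not one of the suite's own test cases: the package name, class name, parameter names and the /* BAD */ and /* OK */ markers on the sink lines are assumptions made for this illustration. It exercises two of the features listed above in one servlet: a tainted request parameter that travels through a collection (handling of collections) and a sink whose reachability depends on a predicate the analyzer has to reason about (handling of predicates), next to a sanitized variant of the same flow.

```java
package securibench.micro.example; // assumed package name, not one from the suite

import java.io.IOException;
import java.io.PrintWriter;
import java.util.LinkedList;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not part of Securibench Micro): a self-contained servlet in the
 * style of the suite's test cases.
 *
 * Source: HttpServletRequest.getParameter (attacker-controlled).
 * Sink:   the response PrintWriter (reflected cross-site scripting).
 *
 * A precise analyzer must (1) track taint through a List element rather than
 * giving up on the whole collection, and (2) see that the predicate on "mode"
 * selects the sanitized path but is not itself a sanitizer of "name".
 */
public class ExampleCollectionPredicate extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /** Minimal HTML escaping; the suite's "sanitizers" category tests whether tools recognize such routines. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name"); // tainted source
        String mode = req.getParameter("mode"); // controls which branch runs, does not clean "name"

        // Taint flows through a collection: the tainted value is one element among untainted ones.
        List<String> items = new LinkedList<String>();
        items.add("static-header");
        items.add(name);

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();

        if ("safe".equals(mode)) {
            // Sanitized path: every element passes through escapeHtml before reaching the sink.
            for (String s : items) {
                out.println("<p>" + escapeHtml(s) + "</p>"); /* OK */
            }
        } else {
            // Vulnerable path: the predicate on "mode" is unrelated to "name", so the
            // tainted element reaches the sink unchanged. A tool should report this
            // line and should not report the loop above.
            for (String s : items) {
                out.println("<p>" + s + "</p>"); /* BAD */
            }
        }
    }
}
```

Running a static analyzer over this file (compiled against a servlet API jar) gives a small, checkable verdict: exactly one finding, at the line marked /* BAD */, and none at the line marked /* OK */. A tool that reports both lines is imprecise about sanitizers; a tool that reports neither has lost the taint when it entered the List. That single-servlet, known-answer structure is what lets each Securibench Micro test case be evaluated in isolation.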
- How is Securibench Micro installed?
Securibench Micro comes with an Ant build script, build.xml. Before running ant, update the file build.properties to refer to your server installation directory, and make sure XDoclet is available on your system. (If you are missing XDoclet, unzip it to a directory of your choice and change the xdoclet variable in build.properties to refer to it.)
It is not strictly necessary to run ant install if you only intend to study the test cases manually or run static analysis tools on them; they are located in src/securibench/micro. Installation is only necessary if you intend to have the benchmarks deployed and running on the server. Since most of these micro-benchmarks have deliberately obvious security holes, do not install Securibench Micro on a machine that is externally accessible.
- How many test cases are contained in Securibench Micro?
Version 1.08 of Securibench Micro ships with 96 test cases in 10 categories. Shown in the table above are more detailed statistics about the number of tests in each category; note that the table totals 123 tests in 12 categories, so the counts differ between releases. This information can be regenerated for the version you have by running the script stat.pl in src/securibench.