Testploit team
The Testploit-team, a group of four bachelor students in information security, performed extraordinarily in the design, implementation and usage of a new test and benchmarking laboratory for software and information security. The achieved results in terms of (i) programmed software prototype, (ii) conducted product benchmarking and (iii) written report are outstanding. The contracting entity, an Oslo-based software company, and the local Security Valley are using the project outcomes further. It is therefore highly recommended to consider the team for the Rosingprisene in 2008.
The team consists of Anders O. Flaglien, Aleksander F. Mallasvik, Knut E. Evensen and R. Daniel Rosenlund. The bachelor thesis was the only one marked with grade "A" among all computer science and information security projects at the Gjøvik University College in 2008. The external examiner remarked during the evaluation meeting that the quality of the content and the scope of activities are far beyond the bachelor and possibly the master level.
Background:
The expanded use of computers and information technology by organizations, companies and ordinary people all around the world leads to higher demands for security. In 2005 IBM detected 237 million launched network attacks, the total number of software vulnerabilities reported to CERT in 2007 was 7,236, and monthly reports generated by NorSIS show the high number of vulnerabilities and performed computer attacks appearing each month. In order to conduct reliable and independent testing of anti-virus software, spam and malware protection, the information-security group at HiG aims to provide an information-security-test laboratory where industrial and governmental institutions can test their software solutions in secured test environments.
Scientific quality:
The high scientific standards of the student team are reflected in a comprehensive study and documentation of the current state of the art in software-security testing and attack scenarios. Building on these, the students proposed and realized an innovative approach to software testing, including the complete test environment as well as the test procedure for a specific customer solution. Finally, the students designed, conducted, analyzed and documented extensive benchmarking tests that revealed new insights into the performance of a customer product and into software-security measures more generally.
Innovative character of the project:
As a result of close discussions and cooperation with a first contractor, the student team has (A) designed and implemented the first information-security laboratory in Norway and, to the best of our knowledge, in Europe. The laboratory architecture comprises a comprehensive hardware and software environment (client-server architecture) that allows for software simulation and benchmarking under secure, controlled conditions. In addition, the students (B) designed and conducted software benchmarking for specific software vulnerabilities and spam protection, namely (B1) code injection, (B2) key loggers, (B3) data manipulation, (B4) toolbar alteration, and (B5) buffer overflow. The systematic benchmarks are the first of their kind.
Impact of the project results:
The contracting entity was highly satisfied with the results obtained by the students. In particular, the systematic test approach helped to reveal current weaknesses in the software developed by the company.
With this initial activity on the information-security-test laboratory, a major milestone in the further development and establishment of Gjøvik as the center of information security in Norway has been achieved. Two members of the team are already continuing the expansion of the lab, with financial support from industrial partners and the local Security Valley, in order to develop the test laboratory and benchmark suite further.




