Computer Security Resource Center

This is an archive
(replace .gov by .rip)

Automated Combinatorial Testing for Software

Combinatorial Methods in Cybersecurity Testing

Combinatorial testing provides more efficient software assurance across a variety of application domains. One of the most important today is cybersecurity. We are developing tools for using combinatorial methods in cybersecurity testing, and demonstrating their effectiveness. Below are some of the research areas we're working on now. 

Papers on this work can also be found on the top-level page publication list.

  • Access control policy testing - tools to specify security policies, then automatically generate tests for conformance to the policies. Full tests are generated, with both input values and expected results, not just test data. More details here: Access Control Policy Test (ACPT) tool.
  • Buffer overflow detection methods - our research, and that of others, shows that only a small number of parameters are involved in software failures. For buffer overflows, more than 90% of vulnerabilities appear to be caused by a single parameter, and the rest by two or three parameters interacting (based on review of more than 3,000 reports in the National Vulnerability Database).
  • Network security - we have demonstrated the effectiveness of combinatorial methods with a network simulator to detect configurations that produce deadlock, useful for defending a network against attacks that attempt to force the network into a deadlock configuration that results in denial of service.
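The interaction-coverage idea behind the figures above can be shown with a small added example (not NIST's tooling and not code from this page): a greedy generator that builds a t-way covering array and then checks that every t-way interaction is exercised. The parameter model for an input-handling routine is constructed for illustration; its names and values are assumptions.

```python
from itertools import combinations, product

# Constructed parameter model (assumption, not from the page).
PARAMS = {
    "length": ["0", "1", "max-1", "max", "max+1"],
    "encoding": ["ascii", "utf8", "utf16"],
    "terminator": ["present", "missing"],
    "source": ["file", "socket", "argv"],
}

def interactions(params, t):
    """Every t-way combination of (parameter, value) pairs that must be covered."""
    need = set()
    for group in combinations(sorted(params), t):
        for values in product(*(params[n] for n in group)):
            need.add(tuple(zip(group, values)))
    return need

def covered_by(test, t):
    """The t-way interactions exercised by one complete test (a dict)."""
    return {tuple((n, test[n]) for n in group)
            for group in combinations(sorted(test), t)}

def covering_array(params, t):
    """Greedy construction: keep adding the test that covers the most
    still-uncovered t-way interactions until none remain."""
    names = sorted(params)
    candidates = [dict(zip(names, vals))
                  for vals in product(*(params[n] for n in names))]
    need = interactions(params, t)
    tests = []
    while need:
        best = max(candidates, key=lambda c: len(covered_by(c, t) & need))
        tests.append(best)
        need -= covered_by(best, t)
    return tests

def uncovered(params, tests, t):
    """Interactions of strength t that the given test set misses."""
    need = interactions(params, t)
    for test in tests:
        need -= covered_by(test, t)
    return need

if __name__ == "__main__":
    exhaustive = len(list(product(*PARAMS.values())))
    for t in (1, 2, 3):
        tests = covering_array(PARAMS, t)
        print(f"{t}-way: {len(tests)} tests of {exhaustive} exhaustive, "
              f"{len(uncovered(PARAMS, tests, t))} interactions missed")
```

A greedy search does not guarantee the smallest possible array, only complete coverage at the chosen strength.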

If you'd like to find out more on any of these topics, please email


Rick Kuhn - NIST
Vincent Hu - NIST
Tao Xie - North Carolina State University

Created May 24, 2016, Updated July 26, 2018