Flinder pricing principles

Pricing of Flinder automated security and robustness testing tools and the related services depend on several factors:

• whether testing needs file format or protocol handling
• structure complexity of test vectors (use of special encoding, compression, encryption, digital signature)
• whether ToE uses generic or special proprietary formats

We also offer different packages:

• Test vector sets
• Test execution services
• Flinder Test Re-run Tools for regression testing

File format or protocol handling

There is a remarkable difference if test vectors form single files, where Flinder needs to handle only their file formats, or a communication protocol should be tested, where the protocol state machine and the variable fields, like session IDs or nonces should also be handled.

• File formats (such as images, videos, music or documents) are independent static test vectors, so they can be pre-manufactured according to their specifications. The creation of test vectors in this case does not require dynamically generated pieces of data unlike in case of protocols.
  This means that file format test vectors can be used on their own, the Flinder framework is not necessarily required for executing tests based on such test vectors. However, for the detection of the abnormal behavior, which can indicate the existence of dangerous bugs, additional modules are needed. These so-called actuators will then interact with the ToE, dispatch test vectors and observe the outcome. Usually SEARCH-LAB creates these modules, but the developers can also make them on their own.
• Protocols should be handled when several messages exchanged between communicating parties (e.g. between a client and a server, where both of them can be the Target of Evaluation). Usually several protocol messages contain such dynamic pieces of data that depend on the actual execution, e.g. a request contains a unique session ID of the connection and cannot be simply replayed in a static way. So in case of protocols, test vectors cannot be simply pre-generated since they include information dynamically created during the execution of the protocol test. Additionally to the dynamic nature, protocols represent increased complexity due to the larger number of message types and the relation and references between them.
  Contrary to file formats, where test vectors could be pre-generated and used as a set of input vectors, for protocols one cannot provide such test vector packages on their own. The Flinder framework (or more precisely the specialized execution-tool) is needed in order to execute protocol tests.

Structure complexity

Pricing of Flinder services and tools also depend on the structure complexity of the test vectors:

• Basic structure complexity includes file formats and protocols, which require only fixed- and computed-size binary (e.g. uint8, uint16, uint8[field]) and separator-based (e.g. comma-separated) serialization.
• Standard structure complexity relates to file formats and protocol messages, where compression algorithms (e.g. ZLIB or RLE) or other special encodings like ASN.1 and XML are used.
• Professional structure complexity extends the standard complexity group by the inclusion of cryptographic operations, such as hash computation (e.g. MD5, SHA1), symmetric (e.g. DES, 3DES, AES) and asymmetric key encryption (RSA) or symmetric (HMAC) and asymmetric digital signatures (DSS, RSAwithSHA1).

Generic or special proprietary formats

SEARCH-LAB offers Flinder-based testing for both generic formats (e.g. specified in international standards or by working groups) and well as for custom, proprietary formats.

In the case of generic formats, our customers can take advantage of the reduced resource needs and shorter project duration, whereas in case of proprietary formats our customers can be sure of thorough and systematic testing of their internal file format and protocol implementations.