Article

Model-Based Tests for Access Control Policies

Authors:

Alexander Pretschner,

Tejeddine Mouelhi,

Yves Le TraonAuthors Info & Claims

ICST '08: Proceedings of the 2008 International Conference on Software Testing, Verification, and Validation

Pages 338 - 347

https://doi.org/10.1109/ICST.2008.44

Published: 09 April 2008 Publication History

Publisher Site

Abstract

We present a model-based approach to testing access control requirements. By using combinatorial testing, we first automatically generate test cases from and without access control policies—i.e., the model—and assess the effectiveness of the test suites by means of mutation testing. We also compare them to purely random tests. For some of the investigated strategies, non-random tests kill considerably more mutants thanthe same number of random tests. Since we rely on policies only, no information on the application is required at this stage. As a consequence, our methodology applies to arbitrary implementations of the policy decision points.

Cited By

View all

Laverdière MJulien KMerlo E(2021)RBAC protection-impacting changes identificationInformation and Software Technology10.1016/j.infsof.2021.106630139:COnline publication date: 23-Aug-2021
https://dl.acm.org/doi/10.1016/j.infsof.2021.106630
Jabal ADavari MBertino EMakaya CCalo SVerma DRusso AWilliams C(2019)Methods and Tools for Policy AnalysisACM Computing Surveys10.1145/329574951:6(1-35)Online publication date: 4-Feb-2019
https://dl.acm.org/doi/10.1145/3295749
Botella JCapuron JDadeau FFourneret ELegeard BSchadle F(2019)Complementary test selection criteria for model-based testing of security componentsInternational Journal on Software Tools for Technology Transfer (STTT)10.1007/s10009-018-0489-221:4(425-448)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1007/s10009-018-0489-2
Show More Cited By

Index Terms

Model-Based Tests for Access Control Policies

Recommendations

Automated Coverage-Based Testing of XACML Policies
SACMAT '18: Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies

While the standard language XACML is very expressive for specifying fine-grained access control policies, defects can get into XACML policies for various reasons, such as misunderstanding of access control requirements, omissions, and coding errors. ...
Testing access control and obligation policies
ICNC '13: Proceedings of the 2013 International Conference on Computing, Networking and Communications (ICNC)

As access control with obligatory constraints is critical to assuring system accountability, research on the specification and monitoring of obligation policy has gained increasing attention. However, a correctly specified obligation policy may be ...
Automated Strong Mutation Testing of XACML Policies
SACMAT '20: Proceedings of the 25th ACM Symposium on Access Control Models and Technologies

While the existing methods for testing XACML policies have varying levels of effectiveness, none of them can reveal the majority of policy faults. The undisclosed faults may lead to unauthorized access and denial of service. This paper presents an ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

ICST '08: Proceedings of the 2008 International Conference on Software Testing, Verification, and Validation

April 2008

540 pages

ISBN:9780769531274

Publisher

IEEE Computer Society

United States

Publication History

Published: 09 April 2008

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

15
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 20 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Laverdière MJulien KMerlo E(2021)RBAC protection-impacting changes identificationInformation and Software Technology10.1016/j.infsof.2021.106630139:COnline publication date: 23-Aug-2021
https://dl.acm.org/doi/10.1016/j.infsof.2021.106630
Jabal ADavari MBertino EMakaya CCalo SVerma DRusso AWilliams C(2019)Methods and Tools for Policy AnalysisACM Computing Surveys10.1145/329574951:6(1-35)Online publication date: 4-Feb-2019
https://dl.acm.org/doi/10.1145/3295749
Botella JCapuron JDadeau FFourneret ELegeard BSchadle F(2019)Complementary test selection criteria for model-based testing of security componentsInternational Journal on Software Tools for Technology Transfer (STTT)10.1007/s10009-018-0489-221:4(425-448)Online publication date: 1-Aug-2019
https://dl.acm.org/doi/10.1007/s10009-018-0489-2
Bertolino ADaoudagh SLonetti FMarchetti EBai XLi JUlrich A(2018)An automated model-based test oracle for access control systemsProceedings of the 13th International Workshop on Automation of Software Test10.1145/3194733.3194743(2-8)Online publication date: 28-May-2018
https://dl.acm.org/doi/10.1145/3194733.3194743
Limaye SZhang YBertino ESandhu RKrishnan R(2018)Combining Algorithm Based Data Flow Testing Approach for XACMLProceedings of the Third ACM Workshop on Attribute-Based Access Control10.1145/3180457.3180461(25-31)Online publication date: 14-Mar-2018
https://dl.acm.org/doi/10.1145/3180457.3180461
Daoudagh SLonetti FMarchetti EMatteucci IMori PPetrocchi M(2015)Assessment of access control systems using mutation testingProceedings of the First International Workshop on TEchnical and LEgal aspects of data pRIvacy10.5555/2821464.2821469(8-13)Online publication date: 16-May-2015
https://dl.acm.org/doi/10.5555/2821464.2821469
Le HNguyen CBriand LHourte BWeippl EKerschbaum FLee A(2015)Automated Inference of Access Control Policies for Web ApplicationsProceedings of the 20th ACM Symposium on Access Control Models and Technologies10.1145/2752952.2752969(27-37)Online publication date: 1-Jun-2015
https://dl.acm.org/doi/10.1145/2752952.2752969
Katkalov KMoebius NStenzel KBorek MReif W(2014)Modeling test cases for security protocols with SecureMDDComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2013.08.02458(99-111)Online publication date: 1-Jan-2014
https://dl.acm.org/doi/10.1016/j.comnet.2013.08.024
Bertolino ADaoudagh SLonetti FMarchetti EMartinelli FMori PHoffman DHughes JXu D(2012)Testing of PolPA authorization systemsProceedings of the 7th International Workshop on Automation of Software Test10.5555/2663608.2663611(8-14)Online publication date: 2-Jun-2012
https://dl.acm.org/doi/10.5555/2663608.2663611
Xu DThomas LKent MMouelhi TLe Traon YAtluri VVaidya JKern AKantarcioglu M(2012)A model-based approach to automated testing of access control policiesProceedings of the 17th ACM symposium on Access Control Models and Technologies10.1145/2295136.2295173(209-218)Online publication date: 20-Jun-2012
https://dl.acm.org/doi/10.1145/2295136.2295173
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

Automated Coverage-Based Testing of XACML Policies

Testing access control and obligation policies

Automated Strong Mutation Testing of XACML Policies

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations