ABSTRACT
Access control policies in software systems can be implemented incorrectly for various reasons. This paper presents a model-based approach for automated testing of access control implementation. To feed the model-based testing process, test models are constructed by integrating declarative access control rules and contracts (preconditions and post-conditions) of the associated activities. The access control tests are generated from the test models to exercise the interactions of access control activities. Test executability is obtained through a mapping of the modeling elements to implementation constructs. The approach has been implemented in an industry-adopted test automation framework that supports the generation of test code in a variety of languages, such as Java, C, C++, C#, and HTML/Selenium IDE. The full model-based testing process has been applied to two systems implemented in Java. The effectiveness is evaluated in terms of access-control fault detection rate using mutation analysis of access control implementation. The experiments show that the model-based tests killed 99.7% of the mutants and the remaining mutants caused no policy violations.
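As an added illustration of the approach the abstract describes (not the paper's framework or the case-study code), the Python below turns a constructed two-role policy and the pre/postconditions of two activities into a test suite, runs it against a correct implementation, and scores hand-written mutants of that implementation by whether the suite kills them:

```python
# Added example, not the paper's tool: declarative rules plus activity
# contracts (pre/postconditions) become tests, run against an implementation
# and constructed mutants of it. Rules, contracts and mutants are samples.

# Declarative access control rules: (role, action) -> permitted?
POLICY = {("admin", "read"): True, ("admin", "write"): True,
          ("guest", "read"): True, ("guest", "write"): False}

# Contracts: precondition on the pre-state; postcondition over old state,
# new state, expected decision and write payload.
CONTRACTS = {
    "read":  (lambda st: st is not None, lambda old, new, ok, p: new == old),
    "write": (lambda st: st is not None,
              lambda old, new, ok, p: new == (p if ok else old)),
}

def generate_tests(policy):
    """Each declarative rule yields one test: (role, action, expected)."""
    return [(r, a, ok) for (r, a), ok in sorted(policy.items())]

def check(role, action):
    """Correct implementation of POLICY (the system under test)."""
    return action == "read" or role == "admin"

# Constructed mutants of check(): three faulty, one behaviour-preserving.
MUTANTS = {
    "allow_all":  lambda r, a: True,
    "wrong_role": lambda r, a: a == "read" or r == "guest",
    "deny_read":  lambda r, a: r == "admin",
    "equivalent": lambda r, a: not (a == "write" and r != "admin"),
}

def run_activity(impl, role, action, state, payload):
    """Executes one activity through impl; returns (decision, new_state)."""
    allowed = impl(role, action)
    return allowed, (payload if allowed and action == "write" else state)

def run_tests(impl, tests):
    """Returns the number of failing tests (0 means the suite passes)."""
    failures = 0
    for role, action, expected in tests:
        pre, post = CONTRACTS[action]
        state = "v1"
        assert pre(state), "test setup must satisfy the precondition"
        allowed, new = run_activity(impl, role, action, state, "v2")
        if allowed != expected or not post(state, new, expected, "v2"):
            failures += 1
    return failures

def mutation_score(mutants, tests):
    """Fraction of mutants killed (some test fails) and their names."""
    killed = sorted(n for n, m in mutants.items() if run_tests(m, tests))
    return len(killed) / len(mutants), killed
```

The behaviour-preserving mutant survives because it causes no policy violation, which is the situation the abstract reports for the 0.3% of mutants the generated tests did not kill.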