
A Framework for the Validation of Access Control Systems

  • Conference paper
  • Emerging Technologies for Authorization and Authentication (ETAA 2019)

Abstract

In modern pervasive applications, it is important to validate Access Control (AC) mechanisms, which are usually specified by means of the XACML standard. Mutation analysis has already been applied to Access Control Policies (ACPs) to measure the adequacy of a test suite.

This paper provides an automatic framework for generating mutants of the code of the Policy Decision Point (PDP), a critical component of AC systems. The proposed framework supports the assessment of test strategies and the analysis of test data by leveraging mutation-based approaches. We show how to instantiate the proposed framework and also provide some examples of its application.
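To make the mutation-based assessment sketched in the abstract concrete, the following is an added example, not the paper's framework and not any real XACML PDP. It defines a toy PDP in Python, generates code-level mutants of it with AST-based operators (relational operator replacement, logical connector replacement, and swapping the Permit/Deny decision constants), and scores two request suites against the mutants: a mutant is killed when at least one request makes it decide differently from the original PDP, so the mutation score measures how adequate the suite is. The policy, the request attributes, the operator names and the request suites are all constructed for this example.

```python
import ast
import copy
import textwrap
from typing import Callable, Dict, List, Optional, Tuple

# Constructed toy PDP for the example (not the paper's framework, not a real XACML engine).
# A request is reduced to three attributes: role, action, resource.
PDP_SOURCE = textwrap.dedent('''
    def pdp(role, action, resource):
        """Two-rule policy with a deny default for the 'record' resource."""
        if resource != "record":
            return "NotApplicable"
        if role == "doctor" and (action == "read" or action == "write"):
            return "Permit"
        if role == "nurse" and action == "read":
            return "Permit"
        return "Deny"
    ''')

PdpFn = Callable[[str, str, str], str]
Request = Tuple[str, str, str]


class _SingleMutation(ast.NodeTransformer):
    """Apply exactly one mutation, at the k-th applicable site in traversal order.

    Operator names are hypothetical, modelled on classic program-mutation operators:
      ROR: swap == and !=    LCR: swap and/or    DCR: swap the "Permit"/"Deny" decision
    """

    def __init__(self, target: int) -> None:
        self.target = target
        self.seen = 0
        self.applied: Optional[str] = None  # description of the mutation applied, if any

    def _hit(self) -> bool:
        hit = self.seen == self.target
        self.seen += 1
        return hit

    def visit_Compare(self, node: ast.Compare) -> ast.AST:
        self.generic_visit(node)  # inner sites are numbered before this one
        if len(node.ops) == 1 and isinstance(node.ops[0], (ast.Eq, ast.NotEq)) and self._hit():
            node.ops = [ast.NotEq() if isinstance(node.ops[0], ast.Eq) else ast.Eq()]
            self.applied = f"ROR at line {node.lineno}"
        return node

    def visit_BoolOp(self, node: ast.BoolOp) -> ast.AST:
        self.generic_visit(node)
        if self._hit():
            node.op = ast.Or() if isinstance(node.op, ast.And) else ast.And()
            self.applied = f"LCR at line {node.lineno}"
        return node

    def visit_Constant(self, node: ast.Constant) -> ast.AST:
        if node.value in ("Permit", "Deny") and self._hit():
            node.value = "Deny" if node.value == "Permit" else "Permit"
            self.applied = f"DCR at line {node.lineno}"
        return node


def load_pdp(tree: ast.Module) -> PdpFn:
    """Compile a module AST that defines `pdp` and return that function."""
    namespace: Dict[str, object] = {}
    exec(compile(ast.fix_missing_locations(tree), "<pdp>", "exec"), namespace)
    return namespace["pdp"]  # type: ignore[return-value]


def generate_mutants(source: str) -> List[Tuple[str, PdpFn]]:
    """Build one mutant per mutation site; stop when no further site exists."""
    base = ast.parse(source)
    mutants: List[Tuple[str, PdpFn]] = []
    k = 0
    while True:
        mutator = _SingleMutation(k)
        tree = mutator.visit(copy.deepcopy(base))
        if mutator.applied is None:
            return mutants
        mutants.append((mutator.applied, load_pdp(tree)))
        k += 1


def mutation_score(original: PdpFn, mutants: List[Tuple[str, PdpFn]],
                   suite: List[Request]) -> Tuple[int, int, List[str]]:
    """Return (killed, total, surviving mutant descriptions) for a request suite.

    The original PDP acts as the oracle: a mutant survives if it agrees with the
    original on every request in the suite."""
    survivors = [desc for desc, m in mutants if all(m(*r) == original(*r) for r in suite)]
    return len(mutants) - len(survivors), len(mutants), survivors


ORIGINAL_PDP: PdpFn = load_pdp(ast.parse(PDP_SOURCE))
MUTANTS = generate_mutants(PDP_SOURCE)

# Constructed request suites. The weak one only exercises permitted requests.
WEAK_SUITE: List[Request] = [("doctor", "read", "record"), ("nurse", "read", "record")]
STRONG_SUITE: List[Request] = WEAK_SUITE + [
    ("doctor", "write", "record"),  # second permitted action for doctors
    ("nurse", "write", "record"),   # should reach the deny default
    ("guest", "read", "record"),    # unknown role, deny default
    ("doctor", "read", "lab"),      # resource outside the policy target
]


def score_suite(suite: List[Request]) -> Tuple[int, int, List[str]]:
    return mutation_score(ORIGINAL_PDP, MUTANTS, suite)


if __name__ == "__main__":
    for name, suite in (("weak", WEAK_SUITE), ("strong", STRONG_SUITE)):
        killed, total, survivors = score_suite(suite)
        print(f"{name} suite: {killed}/{total} mutants killed ({killed / total:.2f})")
        for desc in survivors:
            print("  survived:", desc)
```

Running the block shows the point of the technique: the weak suite kills 8 of the 12 mutants, and each survivor corresponds to a behaviour the suite never exercises (the doctor's write permission, the deny default, and the connectors that only matter for requests outside the two permitted cases). Adding negative requests and an out-of-target resource kills all 12, which is what a test strategy for a PDP should be judged on rather than on the number of requests alone.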

Supported by CyberSec4Europe Grant agreement ID: 830929.



Author information

Corresponding author: Said Daoudagh


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Daoudagh, S., Lonetti, F., Marchetti, E. (2020). A Framework for the Validation of Access Control Systems. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2019. Lecture Notes in Computer Science, vol. 11967. Springer, Cham. https://doi.org/10.1007/978-3-030-39749-4_3

  • DOI: https://doi.org/10.1007/978-3-030-39749-4_3


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-39748-7

  • Online ISBN: 978-3-030-39749-4

  • eBook Packages: Computer Science (R0)