DOI: 10.1145/2851613.2851829
Research article (ACM Conference Proceedings, SAC)

Testing access control policies against intended access rights

Published: 04 April 2016

Abstract

Access Control Policies are used to specify who can access which resource under which conditions, and ensuring their correctness is vital to prevent security breaches. As access control policies can be complex and error-prone, we propose an original framework that supports the validation of the implemented policies (specified in the standard XACML notation) against the intended rights, which can be informally expressed, e.g. in tabular form. The framework relies on well-known software testing technology, such as mutation and combinatorial techniques. The paper presents the implemented environment and an application example.


Cited By

  • (2020) Continuous Development and Testing of Access and Usage Control. Proceedings of the 2020 European Symposium on Software Engineering, pages 51-59. DOI: 10.1145/3393822.3432330. Online publication date: 6 Nov 2020.
  • (2020) An automated framework for continuous development and testing of access control systems. Journal of Software: Evolution and Process, 35(3). DOI: 10.1002/smr.2306. Online publication date: 27 Aug 2020.
  • (2018) Boosting a Low-Cost Smart Home Environment with Usage and Access Control Rules. Sensors, 18(6):1886. DOI: 10.3390/s18061886. Online publication date: 8 Jun 2018.
  • (2018) Generating Test Cases from Role-Based Access Control Policies using Cause-Effect Graph. Journal of Software, 13(9):497-505. DOI: 10.17706/jsw.13.9.497-505. Online publication date: Sep 2018.
  • (2018) Model-driven run-time enforcement of complex role-based access control policies. Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, pages 248-258. DOI: 10.1145/3238147.3238167. Online publication date: 3 Sep 2018.

Published In

SAC '16: Proceedings of the 31st Annual ACM Symposium on Applied Computing
April 2016
2360 pages
ISBN:9781450337397
DOI:10.1145/2851613
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. XACML language
  2. access control rights
  3. software testing

Qualifiers

  • Research-article

Conference

SAC 2016
Sponsor:
SAC 2016: Symposium on Applied Computing
April 4 - 8, 2016
Pisa, Italy

Acceptance Rates

SAC '16 Paper Acceptance Rate 252 of 1,047 submissions, 24%;
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%
