DOI: 10.1145/3194733.3194743
Research article

An automated model-based test oracle for access control systems

Published: 28 May 2018

Abstract

In the context of XACML-based access control systems, intensive testing is among the most widely adopted means of assuring that sensitive information and resources are accessed correctly. Unfortunately, it requires a huge effort for the manual inspection of results, so automated verdict derivation is a key aspect for improving the cost-effectiveness of testing. To this purpose, we introduce XACMET, a novel approach for automated model-based oracle definition. XACMET defines a typed graph, called the XAC-Graph, that models XACML policy evaluation. The expected verdict of a specific request execution can thus be derived automatically by executing the corresponding path in that graph. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.



Published In

AST '18: Proceedings of the 13th International Workshop on Automation of Software Test, May 2018, 85 pages. ISBN: 9781450357432. DOI: 10.1145/3194733.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. XACML
  2. oracle derivation
  3. testing


Conference

ICSE '18

Cited By

  • Continuous Development and Testing of Access and Usage Control. Proceedings of the 2020 European Symposium on Software Engineering, 51-59. DOI: 10.1145/3393822.3432330. Online publication date: 6 Nov 2020.
  • XACMET: XACML Testing & Modeling. Software Quality Journal. DOI: 10.1007/s11219-019-09470-5. Online publication date: 16 Apr 2020.
  • A General Framework for Decentralized Combinatorial Testing of Access Control Engine: Examples of Application. Information Systems Security and Privacy, 207-229. DOI: 10.1007/978-3-030-49443-8_10. Online publication date: 28 Jun 2020.
  • A Framework for the Validation of Access Control Systems. Emerging Technologies for Authorization and Authentication, 35-51. DOI: 10.1007/978-3-030-39749-4_3. Online publication date: 25 Jan 2020.
  • An automated framework for continuous development and testing of access control systems. Journal of Software: Evolution and Process 35(3). DOI: 10.1002/smr.2306. Online publication date: 27 Aug 2020.
