An automatic test case generator for evaluating implementation of access control policies

Document Type: ORIGINAL RESEARCH PAPER

Authors

1 Department of Software Engineering, University of Isfahan, Isfahan, Iran

2 Model-Driven Software Engineering Research Group, Department of Software Engineering, University of Isfahan, Isfahan, Iran

Abstract

One of the main requirements for providing software security is the enforcement of access control policies which aim to protect resources of the system against unauthorized accesses. Any error in the implementation of such policies may lead to undesirable outcomes. For testing the implementation of access control policies, it is preferred to use automated methods which are faster and more reliable. Although several researches are conducted for automated testing of the specification of access control policies at the design phase, there is not enough research on testing their implementation. In addition, since access control is amongst non-functional requirements of the system, it is not easy to test them along with other requirements of the system by usual methods. To address this challenge, in this paper, we propose an automated method for testing the implementation of access control in a system. This method, as a model based technique, is able to extract test cases for evaluating the access control policies of the system under test. To generate test cases automatically, a combination of behavior model of the system and the specification of access control policies are used. The experimental results show that the proposed approach is able to find the failures and cover most of the code that is related to access control policies.

Keywords


 [1] OASIS. extensible access control markup language (xacml) version 3.0. docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html. Accessed 6/22/2013.

[2] Dianxiang Xu, Lijo Thomas, Michael Kent, Tejeddine Mouelhi, and Yves Le Traon. A model-based approach to automated testing of access control policies. In Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pages 209-218. ACM, 2012.

[3] Hasan Qunoo and Mark Ryan. X-policy: Knowledge-based verification tool for dynamic access control policies. Security & Its Applications, 7(2):89-104, March 2013.

[4] Karthick Jayaraman, Vijay Ganesh, Mahesh Tripunitara, Martin Rinard, and Steve Chapin. Automatic error finding in access-control policies. In 18th ACM conference on Computer and Communications Security, pages 163-174. ACM, 2011.

[5] Graham Hughes and Tevfik Bultan. Automated verification of access control policies using a sat solver. Software Tools for Technology Transfer (STTT), 10(6):503-520, 2008.

[6] Alexander Pretschner Mark Utting and Bruno Legeard. A taxonomy of model-based testing approaches. Software Testing, Verification and Reliability, 22(5):297-312, August 2012.

[7] Microsoft. Microsoft solver foundation. http://flo.livezon.com/2013/02/how-and-why-use-microsoft-solver-foundation-for-net. Accessed 6/5/2016.

[8] Ammar Masood, Arif Ghafoor, and Aditya Mathur. Scalable and effective test generation for access control systems that employ rbac policies. Technical Report SERC-TR-285, Purdue University, 2006.

[9] Ammar Masood, Arif Ghafoor, and Aditya Mathur. Conformance testing of temporal role-based access control systems. IEEE Transactions on Dependable and Secure Computing, 7:144-158, 2010.

[10] Wissam Mallouli, Jean Marie Orset, Ana Cavalli, Nora Cuppens, and Frederic Cuppens. A formal approach for testing security rules. In Proceedings of the 12th ACM symposium on Access control models and technologies, pages 127-132. ACM, 2007.

[11] Tejeddine Mouelhi, Yves Le Traon, and Benoit Baudry. Transforming and selecting functional test cases for security policy testing. In Proceedings of the 2nd international conference on Software Testing, Verification, and Validation (ICST09), pages 171-180. IEEE, 2009.

[12] Jacques Julliand, Pierre Alain Masson, and Regis Tissot. Generating security tests in addition to functional tests. In Proceedings of the 3rd international workshop on Automation of software test, New York, NY, USA, pages 41-44. ACM, 2008.

[13] Anas Abou El Kalam, RE Baida, Philippe Balbiani, Salem Benferhat, Fredric Cuppens, Yves Deswarte, Alexandre Miege, Claire Saurel, and Gilles Trouessin. Organization based access control. In Proceedings of IEEE 4th International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), Lake Como, Italy, pages 120-131. IEEE, 2003.

[14] Yves Le Traon, Tejeddine Mouelhi, and Benoit Baudry. Testing security policies: going beyond functional testing. In The 18th IEEE International Symposium on Software Reliability (ISSRE07), pages 93-102. IEEE, 2007.

[15] Alexander Pretschner, Tejeddine Mouelhi, and Yves Le Traon. Model-based tests for access control policies. In 1st International Conference on Software Testing, Verification, and Validation (ICST 08), pages 338-347. IEEE, 2008.

[16] Keqin Li, Laurent Mounier, and Roland Groz. Test generation from security policies specified in or-bac. In 31st Annual International Computer Software and Applications Conference (COMP-SAC 2007), volume 2, pages 255-260. IEEE, 2007.

[17] Evan Martin and Tao Xie. Automated test generation for access control policies via change-impact analysis. In Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems, pages 5-11. IEEE, 2007.

[18] Antonia Bertolino, Marianne Busch, Said Daoudagh, Francesca Lonetti, and Eda Marchetti. A toolchain for designing and testing access control policies. In Engineering Secure Future Internet Services and Systems, volume 8431, pages 266-286. Springer, 2014.

[19] Hongxin Hu and GailJoon Ahn. Enabling verification and conformance testing for access control model. In Proceedings of the 13th ACM symposium on Access control models and technologies, pages 195-204. ACM, 2008.

[20] Hongxin Hu and GailJoon Ahn. Alloy: a lightweight object modelling notation. 11(2):256-290, April 2002.

[21] Tejeddine Mouelhi, Franck Fleurey, Benoit Baudry, and Yves Le Traon. A model-based framework for security policy specification, deployment and testing. In 11th International Conference on Model Driven Engineering Languages and Systems (MoDELS 08), Toulouse, France, pages 537-552. Springer, 2008.

[22] Evan Martin, Tao Xie, and Ting Yu. Defining and measuring policy coverage in testing access control policies. In Proceedings of the 8th International Conference on Information and Communications Security, pages 139-158. Springer, 2006.

[23] John Joseph Chilenski and Steven P Miller. Applicability of modified condition/decision coverage to software testing. Software Engineering, 9(5):193-200, 1994.

[24] Kelly J Hayhurst, Dan S Veerhusen, John J Chilenski, and Leanna K Rierson. A practical tutorial on modified condition/decision coverage. Technical Report SERC-TR-285, Purdue, 2001.

[25] James A Jones and Mary Jean Harrold. Test-suite reduction and prioritization for modified condition/decision coverage. IEEE Transactions on Software, 29(3):195-209, 2003.

[26] Marzieh Safarzadeh, Behrouz Tork Ladani, and Bahman Zamani. Improvement of modified condition/decision coverage criterion in model based testing technique. In 7th international conference on information and knowledge technologies. Iran 2015. (In Persian).

[27] Gins DOlera. Umu-xacml-editor v1.3.2. http://umu_xacmleditor.sourceforge.net/. Accessed 9/10/2013.

[28] Jan Tretmans and Ed Brinksma. Torx: Automated model-based testing. 1st European Conference on Model-Driven Software Engineering, Nuremberg, Germany, pages 31-43, 2003.

[29] Evan Martin, JeeHyun Hwang, Tao Xie, and Vincent Hu. Assessing quality of policy properties in verification of access control policies. In Proceedings Annual Computer Security Applications Conference (ACSAC), pages 163-172. IEEE, 2008.

[30] Antonia Bertolino, Said Daoudagh, Francesca Lonetti, and Eda Marchetti. Xacmut: Xacml 2.0 mutants generator. In 6th International Conference on Software Testing, Verification and Validation Workshops (ICSTW), pages 28-33. IEEE, 2013.