Abstract
Security is an important aspect of modern information management systems. The crucial role of security in this systems demands the use of tools and applications that are thoroughly validated and verified. However, the testing phase is an effort consuming activity that requires reliable supporting tools for speeding up this costly stage. Access control systems, based on the integration of new and existing tools are available in the Service Development Environment (SDE). We introduce an Access Control Testing toolchain (ACT) for designing and testing access control policies that includes the following features: (i) the graphical specification of an access control model and its translation into an XACML policy; (ii) the derivation of test cases and their execution against the XACML policy; (iii) the assessment of compliance between the XACML policy execution and the access control model. In addition, we illustrate the use of the ACT toolchain on a case study.
This work has been supported by the EU-NoE project NESSoS, GA 256980.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0 (2005), http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
SDE: Service Development Environment (2014), http://www.nessos-project.eu/sde
Massacci, F., Zannone, N.: A model-driven approach for the specification and analysis of access control policies. In: Proc. of the OTM Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE, pp. 1087–1103 (2008)
Pretschner, A., Mouelhi, T., Le Traon, Y.: Model-based tests for access control policies. In: Proc. of ICST, pp. 338–347 (2008)
Bertolino, A., Busch, M., Daoudagh, S., Koch, N., Lonetti, F., Marchetti, E.: A Toolchain for Designing and Testing XACML Policies. In: Proceedings of ICST 2013, Poster (2013)
Busch, M., Knapp, A., Koch, N.: Modeling Secure Navigation in Web Information Systems. In: Grabis, J., Kirikova, M. (eds.) BIR 2011. LNBIP, vol. 90, pp. 239–253. Springer, Heidelberg (2011)
LMU. Web Engineering Group: UWE Website (2014), http://uwe.pst.ifi.lmu.de/
Busch, M., Koch, N., Suppan, S.: Modeling Security Features of Web Applications. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services. LNCS, vol. 8431, pp. 119–139. Springer, Heidelberg (2014)
Busch, M., Koch, N.: NESSoS Deliverable D2.3 – Second Release of the SDE for Security-Related Tools (2012)
Sensoria Project: Software Engineering for Service-Oriented Overlay Computers (2011), http://www.sensoria-ist.eu/
ASCENS: Autonomic Service Component Ensembles (2012), http://www.ascens-ist.eu/
Eclipse Foundation: Eclipse Modeling Project (2014), http://eclipse.org/modeling/
No Magic Inc.: Magicdraw (2014), http://www.magicdraw.com/
Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: Model-Driven Security Workshop in Conjunction with MoDELS 2012. ACM Digital Library (2012)
Bertolino, A., Lonetti, F., Marchetti, E.: Systematic XACML request generation for testing purposes. In: Proceedings of the 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), Lille, France, September 1-3, pp. 3–11 (2010)
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: The X-CREATE framework: a comparison of XACML policy testing strategies. In: Proceedings of 8th International Conference on Web Information Systems and Technologies (WEBIST), Porto, Portugal, April 18-21 (2012)
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: Automatic XACML Requests Generation for Policy Testing. In: Proceedings of IEEE Fifth International Conference on Software Testing, Verification and Validation (ICST), pp. 842–849 (2012)
Sun Microsystems: Sun’s XACML Implementation (2006), http://sunxacml.sourceforge.net/
Busch, M., Koch, N.: MagicUWE — A CASE Tool Plugin for Modeling Web Applications. In: Gaedke, M., Grossniklaus, M., Díaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 505–508. Springer, Heidelberg (2009)
OMG.: XMI 2.1 (2005), http://www.omg.org/spec/XMI/
Eclipse: XPand (2013), http://wiki.eclipse.org/Xpand
Cohen, D.M., Dalal, S.R., Fredman, M.L., Patton, G.C.: The AETG system: An approach to testing based on combinatiorial design. IEEE Trans. on Soft. Eng. 23(7), 437–444 (1997)
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Schilders, L.: Automated testing of extensible access control markup language-based access control systems. IET Software 7(4), 203–212 (2013)
SDE.: Tutorial (2012), http://sde.pst.ifi.lmu.de/trac/sde/wiki/Tutorial
OMG.: OCL 2.0 (2011), http://www.omg.org/spec/OCL/2.0/
Busch, M.: Secure Web Engineering supported by an Evaluation Framework. In: Modelsward 2014. Scitepress (2014)
Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)
Slimani, N., Khambhammettu, H., Adi, K., Logrippo, L.: UACML: Unified Access Control Modeling Language. In: NTMS 2011, pp. 1–8 (2011)
Basin, D., Clavel, M., Egea, M., Schläpfer, M.: Automatic Generation of Smart, Security-Aware GUI Models. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 201–217. Springer, Heidelberg (2010)
Jürjens, J.: Secure Systems Development with UML. Springer (2004), Tools: http://carisma.umlsec.de/
Martin, E., Xie, T.: Automated Test Generation for Access Control Policies. In: Supplemental Proc. of 17th International Symposium on Software Reliability Engineering, ISSRE (2006)
Martin, E., Xie, T.: Automated test generation for access control policies via change-impact analysis. In: Proc. of Third International Workshop on Software Engineering for Secure Systems (SESS), pp. 5–12 (2007)
Fisler, K., Krishnamurthi, S., Meyerovich, L., Tschantz, M.: Verification and change-impact analysis of access-control policies. In: Proc. of ICSE, pp. 196–205. ACM, New York (2005)
Bertolino, A., Lonetti, F., Marchetti, E.: Systematic XACML Request Generation for Testing Purposes. In: Proc. of 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), pp. 3–11 (2010)
Li, N., Hwang, J., Xie, T.: Multiple-implementation testing for XACML implementations. In: Proc. of TAV-WEB, pp. 27–33 (2008)
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., Mori, P.: Testing of PolPA Authorization Systems. In: Proc. of AST, pp. 8–14 (2012)
Traon, Y., Mouelhi, T., Baudry, B.: Testing security policies: going beyond functional testing. In: Proc. of ISSRE, pp. 93–102 (2007)
Mallouli, W., Orset, J.M., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: Proc. of SACMAT, pp. 127–132 (2007)
Li, K., Mounier, L., Groz, R.: Test generation from security policies specified in or-BAC. In: Proc. of COMPSAC, pp. 255–260 (2007)
Eclipse: Acceleo (2014), http://www.eclipse.org/acceleo/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Bertolino, A., Busch, M., Daoudagh, S., Lonetti, F., Marchetti, E. (2014). A Toolchain for Designing and Testing Access Control Policies. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds) Engineering Secure Future Internet Services and Systems. Lecture Notes in Computer Science, vol 8431. Springer, Cham. https://doi.org/10.1007/978-3-319-07452-8_11
Download citation
DOI: https://doi.org/10.1007/978-3-319-07452-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-07451-1
Online ISBN: 978-3-319-07452-8
eBook Packages: Computer ScienceComputer Science (R0)