Skip to main content

A Framework for the Validation of Access Control Systems

  • Conference paper
  • First Online:
Emerging Technologies for Authorization and Authentication (ETAA 2019)

Abstract

In modern pervasive applications, it is important to validate Access Control (AC) mechanisms that are usually defined by means of the XACML standard. Mutation analysis has been applied on Access Control Policies (ACPs) for measuring the adequacy of a test suite.

This paper provides an automatic framework for realizing mutations of the code of the Policy Decision Point (PDP) that is a critical component in AC systems. The proposed framework allows the test strategies assessment and the analysis of test data by leveraging mutation-based approaches. We show how to instantiate the proposed framework and provide also some examples of its application.

Supported by CyberSec4Europe Grant agreement ID: 830929.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Fedora commons repository software. http://fedora-commons.org/

  2. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: Automatic XACML requests generation for policy testing. In: Proceedings of ICST, pp. 842–849, April 2012

    Google Scholar 

  3. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: Modelling and testing of XACML policies. 2012-TR-010 (2012)

    Google Scholar 

  4. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti., E.: XACMUT: XACML 2.0 mutants generator. In: Proceedings of the 8th International Workshop on Mutation Analysis, pp. 28–33 (2013)

    Google Scholar 

  5. Bertolino, A., Lonetti, F., Marchetti, E.: Systematic XACML request generation for testing purposes. In: Proceedings of the 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), pp. 3–11 (2010)

    Google Scholar 

  6. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: An automated model-based test oracle for access control systems. In: Proceedings of the 13th International Workshop on Automation of Software Test, AST@ICSE 2018, Gothenburg, Sweden, 28–29 May 2018, pp. 2–8 (2018)

    Google Scholar 

  7. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., Mori, P.: Testing of PolPA-based usage control systems. Softw. Qual. J. 22(2), 241–271 (2014)

    Article  Google Scholar 

  8. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Schilders, L.: Automated testing of extensible access control markup language-based access control systems. IET Softw. 7(4), 203–212 (2013)

    Article  Google Scholar 

  9. Daoudagh, S., Lonetti, F., Marchetti, E.: Assessment of access control systems using mutation testing. In: TELERISE, Florence, Italy, 18 May 2015, pp. 8–13 (2015)

    Google Scholar 

  10. Daoudagh, S., Lonetti, F., Marchetti, E.: XACMET: XACML modeling & testing: an automated model-based testing solution for access control systems. Softw. Qual. J. (2019, accepted)

    Google Scholar 

  11. Golfarelli, M., Rizzi, S.: From star schemas to big data: 20+ years of data warehouse research. In: Flesca, Sergio, Greco, Sergio, Masciari, Elio, Saccà, Domenico (eds.) A Comprehensive Guide Through the Italian Database Research Over the Last 25 Years. SBD, vol. 31, pp. 93–107. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-61893-7_6

    Chapter  Google Scholar 

  12. Jia, Y., Harman, M.: An analysis and survey of the development of mutation testing. IEEE Trans. Softw. Eng. 37(5), 649–678 (2011)

    Article  Google Scholar 

  13. Le Traon, Y., Mouelhi, T., Baudry, B.: Testing security policies: going beyond functional testing. In: Proceedings of ISSRE, pp. 93–102 (2007)

    Google Scholar 

  14. Li, Y., Li, Y., Wang, L., Chen, G.: Automatic XACML requests generation for testing access control policies. In: SEKE, pp. 217–222 (2014)

    Google Scholar 

  15. Ma, Y.S., Offutt, J., Kwon, Y.R.: MuJava: an automated class mutation system. J. Softw. Test. Verif. Reliab. 15, 97–133 (2005)

    Article  Google Scholar 

  16. Martin, E., Xie, T.: A fault model and mutation testing of access control policies. In: Proceedings of the 16th International Conference on World Wide Web, pp. 667–676 (2007)

    Google Scholar 

  17. Martin, E., Xie, T.: Automated test generation for access control policies. In: Supplemental Proceedings of ISSRE, November 2006

    Google Scholar 

  18. Martin, E., Xie, T.: Automated test generation for access control policies via change-impact analysis. In: Proceedings of SESS, pp. 5–11, May 2007

    Google Scholar 

  19. Mouelhi, T., Fleurey, F., Baudry, B.: A generic metamodel for security policies mutation. In: Proceedings of ICSTW, pp. 278–286 (2008)

    Google Scholar 

  20. OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf. Accessed 10 June 2019

  21. Papadakis, M., Kintis, M., Zhang, J., Jia, Y., Traon, Y.L., Harman, M.: Mutation testing advances: an analysis and survey. In: Advances in Computers, vol. 112, pp. 275–378. Elsevier (2019)

    Google Scholar 

  22. Pretschner, A., Mouelhi, T., Le Traon, Y.: Model-based tests for access control policies. In: Proceedings of ICST, pp. 338–347 (2008)

    Google Scholar 

  23. Sun Microsystems: Sun’s XACML implementation (2006). http://sunxacml.sourceforge.net/

  24. TAS3 project: trusted architecture for securely shared services. https://cordis.europa.eu/project/rcn/85331/factsheet/en

  25. Xu, D., Peng, S.: Towards automatic repair of access control policies. In: 14th Annual Conference on Privacy, Security and Trust (PST), pp. 485–492. IEEE (2016)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Said Daoudagh .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Daoudagh, S., Lonetti, F., Marchetti, E. (2020). A Framework for the Validation of Access Control Systems. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2019. Lecture Notes in Computer Science(), vol 11967. Springer, Cham. https://doi.org/10.1007/978-3-030-39749-4_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-39749-4_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-39748-7

  • Online ISBN: 978-3-030-39749-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics