Access Control Policy Coverage Assessment Through Monitoring

  • Antonello Calabrò
  • Francesca Lonetti (corresponding author)
  • Eda Marchetti
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10489)


Testing access control policies relies on executing them on a security engine and checking that the responses are correct. Coverage measures can be adopted to know which parts of the policy are most exercised by a given set of test requests. This paper proposes an access control infrastructure that enables the selection of a coverage criterion, the monitoring of policy execution, and the analysis of the resulting policy coverage. The framework is independent of the policy specification language and does not require instrumentation of the evaluation engine. We show an instantiation of the proposed infrastructure for assessing XACML policy testing.
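As an added illustration (it is not the paper's infrastructure, and it is not XACML), the following constructed Python example shows the separation the abstract describes: an evaluation engine exposes a trace of what it did, and a separate monitor computes coverage for whichever criterion the tester selects, so the engine is not tied to any particular criterion. The policy, the requests, the event names and the two criterion names ("rule_evaluated", "rule_matched") are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str      # "Permit" or "Deny"
    target: tuple    # ((attribute, value), ...); all pairs must hold for a match


@dataclass(frozen=True)
class Policy:
    policy_id: str
    rules: tuple     # combined with first-applicable semantics


def rule_matches(rule, request):
    return all(request.get(attr) == value for attr, value in rule.target)


def evaluate(policy, request, trace):
    """First-applicable evaluation of `request`.

    Each step is appended to `trace` as an (event, rule_id) pair; the
    trace stands in for whatever execution events a real engine exposes.
    The engine knows nothing about coverage criteria."""
    for rule in policy.rules:
        trace.append(("evaluated", rule.rule_id))
        if rule_matches(rule, request):
            trace.append(("matched", rule.rule_id))
            return rule.effect
    return "NotApplicable"


def coverage(policy, trace, criterion):
    """Coverage under a selected criterion, computed purely from the trace.

    'rule_evaluated': a rule is covered once its target was checked.
    'rule_matched':   a rule is covered once its target actually matched.
    Returns (covered_count, total_rules, uncovered_rule_ids)."""
    event = {"rule_evaluated": "evaluated", "rule_matched": "matched"}[criterion]
    covered = {rule_id for ev, rule_id in trace if ev == event}
    ids = [r.rule_id for r in policy.rules]
    uncovered = [rid for rid in ids if rid not in covered]
    return len(ids) - len(uncovered), len(ids), uncovered


# Constructed sample policy (assumption, not from the paper): clinical records.
SAMPLE_POLICY = Policy("records", (
    Rule("r1", "Permit", (("role", "doctor"), ("action", "read"))),
    Rule("r2", "Permit", (("role", "nurse"), ("action", "read"))),
    Rule("r3", "Deny", (("action", "write"),)),
))

# Constructed test requests: nobody ever writes, so r3 is evaluated but never matched.
SAMPLE_REQUESTS = (
    {"role": "doctor", "action": "read"},
    {"role": "nurse", "action": "read"},
    {"role": "nurse", "action": "delete"},
)


def assess(policy=SAMPLE_POLICY, requests=SAMPLE_REQUESTS):
    """Run the test set, then let the monitor score the same trace under both criteria."""
    trace = []
    decisions = [evaluate(policy, req, trace) for req in requests]
    return {
        "decisions": decisions,
        "rule_evaluated": coverage(policy, trace, "rule_evaluated"),
        "rule_matched": coverage(policy, trace, "rule_matched"),
    }


if __name__ == "__main__":
    result = assess()
    print("decisions:", result["decisions"])
    for criterion in ("rule_evaluated", "rule_matched"):
        covered, total, uncovered = result[criterion]
        print(f"{criterion}: {covered}/{total} covered, unexercised: {uncovered}")
```

With the constructed requests the evaluated-rule criterion reports every rule as covered, while the matched-rule criterion reports r3 as never exercised: the weaker criterion is satisfied by the first-applicable walk passing over r3, which says nothing about whether the Deny rule behaves correctly. Selecting the criterion therefore changes the verdict on the same test set, which is why the choice belongs to the tester rather than being baked into the engine.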



This work has been partially supported by the GAUSS national research project (MIUR, PRIN 2015, Contract 2015KWREMX).


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Antonello Calabrò (1)
  • Francesca Lonetti (1), corresponding author
  • Eda Marchetti (1)
  1. ISTI-CNR, Pisa, Italy