Skip to main content

Advertisement

SpringerLink
Log in
Menu
Find a journal Publish with us
Search
Cart
Book cover

International Conference on Availability, Reliability, and Security

CD-ARES 2012: Multidisciplinary Research and Practice for Information Systems pp 146–160Cite as

  1. Home
  2. Multidisciplinary Research and Practice for Information Systems
  3. Conference paper
A Formal Equivalence Classes Based Method for Security Policy Conformance Checking

A Formal Equivalence Classes Based Method for Security Policy Conformance Checking

  • Eckehard Hermann21,
  • Udo Litschauer21 &
  • Jürgen Fuß21 
  • Conference paper
  • 1989 Accesses

Part of the Lecture Notes in Computer Science book series (LNISA,volume 7465)

Abstract

Different security policy models have been developed and published in the past. Proven security policy models, if correctly implemented, guarantee the protection of data objects from unauthorized access or usage or prevent an illegal information flow. To verify that a security policy model has been correctly implemented, it is important to define and execute an exhaustive list of test cases, which verify that the formal security policy neither has been over-constrained nor under-constrained. In this paper we present a method for defining an exhaustive list of test cases, based on formally described equivalence classes that are derived from the formal security policy description.

Keywords

  • security models
  • test generation
  • access control
  • conformance testing

Download conference paper PDF

References

  1. Lampson, B.W.: Protection. In: Proceedings of the 5th Princeton Conference on Information Sciences and Systems, Princeton, p. 437 (1971)

    Google Scholar 

  2. Brewer, D.F.C., Nash, M.J.: The Chinese Wall Security Policy. In: IEEE Symposium on Security and Privacy, Oakland, pp. 206–214 (1989)

    Google Scholar 

  3. Lin, T.Y.: Chinese Wall Security Policy-An Aggressive Model. In: Proceedings of the Fifth Aerospace Computer Security Application Conference, December 4-8, pp. 286–293 (1989)

    Google Scholar 

  4. Bell, D., LaPadula, L.: Secure Computer Systems: Mathematical Foundations. Technical Report MTR-2547, Vol. I. MITRE Corporation, Bedford (1973)

    Google Scholar 

  5. Clark, D., Wilson, D.: A Comparison of Commercial and Military Security Policies. In: IEEE Symposium on Security and Privacy, pp. 184–194 (1987)

    Google Scholar 

  6. Hermann, E.: The Limes Security Model for Information Flow Control. In: FARES Workshop of the Sixth International Conference on Availability, Reliability and Security (ARES 2011), Vienna, Austria, August 22-26 (2011)

    Google Scholar 

  7. Hu, H., Ahn, G.-J.: Enabling Verification and Conformance Testing for Access Control Model. In: SACMAT 2008, Estes Park, Colorado, USA, June 11-13 (2008)

    Google Scholar 

  8. Murnane, T., Reed, K.: On the Effectiveness of Mutation Analysis as a Black Box Testing Technique. In: 13th Australian Software Engineering Conference (ASWEC 2001), Canberra, Australia, August 27-28 (2001)

    Google Scholar 

  9. Grimm, R.: A Formal IT-Security Model for a Weak Fair-Exchange Cooperation with Non-Repudiation Proofs. In: International Conference on Emerging Security Information, Systems and Technologies, Athens, June 18-23 (2009)

    Google Scholar 

  10. Godefroid, P., Levin, M.Y., Molnar, D.: Automated Whitebox Fuzz Testing. In: Network and IT Security Conference, San Diego, CA, February 8-11 (2008)

    Google Scholar 

  11. Myers, G.: The Art of Software Testing. Wiley-Interscience Publication (1979)

    Google Scholar 

  12. Hu, V.C., Martin, E., Hwang, J., Xie, T.: Conformance Checking of Access Control Policies Specified in XACML. In: 31st Annual International Computer Software and Applications Conference, Beijing (2007)

    Google Scholar 

  13. Martin, E., Xie, T.: A fault model and mutation testing of access control policies. In: 16th International Conference on World Wide Web (May 2007)

    Google Scholar 

  14. Martin, E., Xie, T.: Automated test generation for access control policies. In: 17th IEEE International Conference on Software Reliability Engineering (November 2006)

    Google Scholar 

  15. Martin, E., Xie, T., Yu, T.: Defining and Measuring Policy Coverage in Testing Access Control Policies. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 139–158. Springer, Heidelberg (2006)

    CrossRef  Google Scholar 

  16. De Angelis, G., Kirkham, T., Winfield, S.: Access Policy Compliance Testing in a User Centric Trust Service Infrastructure. In: QASBA 2011, Lugano, Switzerland, September 14 (2011)

    Google Scholar 

  17. Traon, Y.L., Mouelhi, T., Baudry, B.: Testing security policies: going beyond functional testing. In: 18th IEEE International Symposium on Software Reliability (ISSRE 2007), Sweden, November 5-9 (2007)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Secure Information Systems, University of Applied Sciences Upper Austria, Austria

    Eckehard Hermann, Udo Litschauer & Jürgen Fuß

Authors
  1. Eckehard Hermann
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Udo Litschauer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jürgen Fuß
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of IT, Engineering and Environment, University of South Australia, Mawson Lakes Campus, 5001, Adelaide, SA, Australia

    Gerald Quirchmayr

  2. Department of Information Technologies, University of Economics, W. Churchill Sq. 4, 130 67, Prague 3, Czech Republic

    Josef Basl

  3. School of Information Science, Korean Bible University, 16 Danghyun 2-gil, Nowon-gu, 139-791, Seoul, Korea

    Ilsun You

  4. Information Technology and Decision Sciences, Old Dominion University, 2076 Constant Hall, 23529, Norfolk, VA, USA

    Lida Xu

  5. Institute of Software Technology and Interactive Systems, Vienna University of Technology and SBA Research, Favoritenstrsse 9-11, 1040, Vienna, Austria

    Edgar Weippl

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Hermann, E., Litschauer, U., Fuß, J. (2012). A Formal Equivalence Classes Based Method for Security Policy Conformance Checking. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_12

Download citation

  • .RIS
  • .ENW
  • .BIB
  • DOI: https://doi.org/10.1007/978-3-642-32498-7_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-32497-0

  • Online ISBN: 978-3-642-32498-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Share this paper

Anyone you share the following link with will be able to read this content:

Sorry, a shareable link is not currently available for this article.

Provided by the Springer Nature SharedIt content-sharing initiative

Search

Navigation

  • Find a journal
  • Publish with us

Discover content

  • Journals A-Z
  • Books A-Z

Publish with us

  • Publish your research
  • Open access publishing

Products and services

  • Our products
  • Librarians
  • Societies
  • Partners and advertisers

Our imprints

  • Springer
  • Nature Portfolio
  • BMC
  • Palgrave Macmillan
  • Apress
  • Your US state privacy rights
  • Accessibility statement
  • Terms and conditions
  • Privacy policy
  • Help and support

167.114.118.210

Not affiliated

Springer Nature

© 2023 Springer Nature