THE X-CREATE FRAMEWORK - A Comparison of XACML Policy Testing Strategies

Antonia Bertolino, Said Daoudagh, Francesca Lonetti, Eda Marchetti

Abstract

The specification of access control policies with the XACML language could be an error prone process, so a testing is usually the solution for increasing the confidence on the policy itself. In this paper, we compare two methodologies for deriving test cases for policy testing, i.e. XACML requests, that are implemented in the X-CREATE tool. We consider a simple combinatorial strategy and a XML-based approach (XPT) which exploit policy values and the XACML Context Schema. A stopping criterion for the test cases generation is also provided and used for the comparison of the strategies in terms of fault detection effectiveness.

References

  1. Bertolino, A., Lonetti, F., Daoudagh, S., and Marchetti, E. (2012). Automatic XACML requests generation for policy testing. submitted to The Third International Workshop on Security Testing 2012.
  2. Bertolino, A., Lonetti, F., and Marchetti, E. (2010). Systematic XACML Request Generation for Testing Purposes. In Proc. of 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), pages 3 -11.
  3. Cohen, D. M., Dalal, S. R., Fredman, M. L., and Patton, G. C. (1997). The AETG system: An approach to testing based on combinatiorial design. IEEE Trans. on Soft. Eng., 23(7):437-444.
  4. DeMillo, R., Lipton, R., and Sayward, F. (1978). Hints on test data selection: Help for the practicing programmer. Computer, 11(4):34-41.
  5. Fisler, K., Krishnamurthi, S., Meyerovich, L., and Tschantz, M. (2005). Verification and change-impact analysis of access-control policies. In Proc. of ICSE, pages 196-205.
  6. Liu, A. X., Chen, F., Hwang, J., and Xie, T. (2011). Designing fast and scalable xacml policy evaluation engines. IEEE Transactions on Computers, 60(12):1802-1817.
  7. Martin, E. and Xie, T. (2006). Automated test generation for access control policies. In Supplemental Proc. of ISSRE.
  8. Martin, E. and Xie, T. (2007a). Automated test generation for access control policies via change-impact analysis. In Proc. of Third International Workshop on Software Engineering for Secure Systems (SESS), pages 5-12.
  9. Martin, E. and Xie, T. (2007b). A fault model and mutation testing of access control policies. In Proc. of WWW, pages 667-676.
  10. OASIS (1 Feb 2005). eXtensible Access Control Markup Language (XACML) Version 2.0. http://docs.oasisopen.org/xacml/2.0/access control-xacml-2.0-corespec-os.pdf.
  11. Ostrand, T. J. and Balcer, M. J. (1988). The categorypartition method for specifying and generating functional tests. Commun. ACM, 31(6):676-686.
  12. Pretschner, A., Mouelhi, T., and Le Traon, Y. (2008). Model-based tests for access control policies. In Proc. of ICST, pages 338-347.
  13. Sun Microsystems (2006). Sun's XACML Implementation. http://sunxacml.sourceforge.net/.
  14. TAS3 Project (2011). Trusted Architecture for Securely Shared Services. http://www.tas3.eu/.
  15. Traon, Y., Mouelhi, T., and Baudry, B. (2007). Testing security policies: going beyond functional testing. In Proc. of ISSRE, pages 93-102.
Download


Paper Citation


in Harvard Style

Bertolino A., Daoudagh S., Lonetti F. and Marchetti E. (2012). THE X-CREATE FRAMEWORK - A Comparison of XACML Policy Testing Strategies . In Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-989-8565-08-2, pages 155-160. DOI: 10.5220/0003938301550160


in Bibtex Style

@conference{webist12,
author={Antonia Bertolino and Said Daoudagh and Francesca Lonetti and Eda Marchetti},
title={THE X-CREATE FRAMEWORK - A Comparison of XACML Policy Testing Strategies},
booktitle={Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,},
year={2012},
pages={155-160},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0003938301550160},
isbn={978-989-8565-08-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 8th International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,
TI - THE X-CREATE FRAMEWORK - A Comparison of XACML Policy Testing Strategies
SN - 978-989-8565-08-2
AU - Bertolino A.
AU - Daoudagh S.
AU - Lonetti F.
AU - Marchetti E.
PY - 2012
SP - 155
EP - 160
DO - 10.5220/0003938301550160