Automated Test Generation for Access Control Policies via Change-Impact Analysis

Martin, Evan; Xie, Tao

doi:10.1109/sess.2007.5

Cited by 74 publications

(55 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In addition, other approaches (like for instance [24], [27], [28]), which are more generic than ours could be also taken into consideration and compared to our proposed approach.…”

Section: Discussionmentioning

confidence: 99%

“…The policy target (lines [5][6][7][8][9][10][11][12] says that this policy applies to any subject, any action, any environment and the "books" resource. This policy has a first rule (ruleA) (lines 13-34) with a target (lines [14][15][16][17][18][19][20][21][22][23][24][25][26][27][28][29][30][31][32][33] specifying that this rule applies only to the access requests of a "read" action of "books", and "documents" resources with any environment. The effect of the second rule (ruleB) (lines 35-50) is Permit when the subject is "Julius", the action is "write", the resource and environment are any resource and any environment respectively.…”

Section: Xacml Languagementioning

confidence: 99%

“…Such approaches automatically derive abstract test cases that have to be then refined into concrete XACML requests for being executed on a PDP. A different approach is provided by Cirg [24] that is able to exploit change-impact analysis for test cases generation starting from policy specification.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Coverage-Based Test Cases Selection for XACML Policies

Bertolino

Traon²,

Lonetti

et al. 2014

2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops

View full text Add to dashboard Cite

Abstract-XACML is the de facto standard for implementing access control policies. Testing the correctness of policies is a critical task. The test of XACML policies involves running requests and checking manually the correct response. It is therefore important to reduce the manual test effort by automatically selecting the most important requests to be tested. This paper introduces the XACML smart coverage selection approach, based on a proposed XACML policy coverage criterion. The approach is evaluated using mutation analysis and is compared on the one side with a not-reduced test suite, on the other with random and greedy optimal test selection approaches. We performed the evaluation on a set of six real world policies. The results show that our selection approach can reach good mutation scores, while significantly reducing the number of tests to be run.

show abstract

“…In addition, other approaches (like for instance [24], [27], [28]), which are more generic than ours could be also taken into consideration and compared to our proposed approach.…”

Section: Discussionmentioning

confidence: 99%

Section: Xacml Languagementioning

confidence: 99%

See 1 more Smart Citation

Coverage-Based Test Cases Selection for XACML Policies

Bertolino

Traon²,

Lonetti

et al. 2014

2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops

View full text Add to dashboard Cite

show abstract

“…The algorithm then analyzes the nodes in the set of test sequences until every node that matches CurrentNode in every sequence is replaced with a leaf node by using the following replacement method. (1) If CurrentNode is in a test sequence that has children with an AND relationship, replace CurrentNode with these children in that sequence in the left-to-right order in which they appear in the tree (lines [12][13][14][15][16][17][18][19][20][21][22]. (2) If CurrentNode is in a test sequence that has children with an OR relationship, we create the same number of sequences as children of the CurrentNode and replace CurrentNode in each of these sequences with one of the children of the OR relationship.…”

Section: Test Sequence Generation Algorithmmentioning

confidence: 99%

“…To date, researchers have developed various security testing techniques. These include techniques that generate test cases or identify vulnerabilities focusing on specific attacks, such as SQL injection or cross-site scripting (XSS) [4][5][6][7]; generate test cases using model-based approaches, such as threat modeling or use case modeling [8][9][10][11][12]; and generate test cases from control policy specifications [13,14] (Section 2 provides details).…”

Section: Introductionmentioning

confidence: 99%

A threat model‐based approach to security testing

Marback

et al. 2012

Softw Pract Exp

View full text Add to dashboard Cite

SUMMARYSoftware security issues have been a major concern in the cyberspace community, so a great deal of research on security testing has been performed, and various security testing techniques have been developed. Threat modeling provides a systematic way to identify threats that might compromise security, and it has been a well-accepted practice by the industry, but test case generation from threat models has not been addressed yet. Thus, in this paper, we propose a threat model-based security testing approach that automatically generates security test sequences from threat trees and transforms them into executable tests. The security testing approach we consider consists of three activities in large: building threat models with threat trees; generating security test sequences from threat trees; and creating executable test cases by considering valid and invalid inputs. To support our approach, we implemented security test generation techniques, and we also conducted an empirical study to assess the effectiveness of our approach. The results of our study show that our threat tree-based approach is effective in exposing vulnerabilities.

show abstract

An automated framework for continuous development and testing of access control systems

Daoudagh

Lonetti

Marchetti

2020

J Software Evolu Process

View full text Add to dashboard Cite

Automated testing in DevOps represents a key factor for providing fast release of new software features assuring quality delivery. In this paper, we introduce DOXAT, an automated framework for continuous development and testing of access control mechanisms based on the XACML standard. It leverages mutation analysis for the selection and assessment of the test strategies and provides automated facilities for test oracle definition, test execution, and results analysis, in order to speedup and automate the Plan, Code, Build, and Test phases of DevOps process. We show the usage of the framework during the planning and testing phases of the software development cycle of a PDP example.

show abstract

Automated Test Generation for Access Control Policies via Change-Impact Analysis

Cited by 74 publications

References 16 publications

Coverage-Based Test Cases Selection for XACML Policies

Coverage-Based Test Cases Selection for XACML Policies

A threat model‐based approach to security testing

An automated framework for continuous development and testing of access control systems

Contact Info

Product

Resources

About