Automated test generation for access control policies

Martin, Evan

doi:10.1145/1176617.1176708

Cited by 48 publications

(60 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…2) X-CREATE tool: Among the available tools for test cases generation we refer in this paper to X-CREATE 3 [15], [3], [16] showed that the fault detection effectiveness of X-CREATE test suites is similar or higher than that of comparable tools (like for instance Targen [2]). …”

Section: B Experiments Setupmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

“…The Targen tool [2] generates test inputs using combinatorial coverage of the truth values of independent clauses of XACML policy values. This approach has been proven to be more effective than random generation strategy in terms of structural coverage of the policy and fault detection capability [2]. The already mentioned X-CREATE tool [15], [3], [16] provides different strategies based on combinatorial approaches of the subject, resource, action and environment values taken from the XACML policy for deriving the access requests.…”

Section: Related Workmentioning

confidence: 99%

“…It is hence important to perform a careful testing activity both of the policy and its implementation. However, most of the test cases generation approaches available in literature for XACML policies are based on combinatorial methodologies [2], [3], thus the generated number of test cases can rapidly grow to cope with the policy complexity. Executing a huge number of test cases can drastically increase the cost of the testing phase, mainly due to the effort required to check the test results and decide whether they are correct or not.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Coverage-Based Test Cases Selection for XACML Policies

Bertolino

Traon²,

Lonetti

et al. 2014

2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops

View full text Add to dashboard Cite

Abstract-XACML is the de facto standard for implementing access control policies. Testing the correctness of policies is a critical task. The test of XACML policies involves running requests and checking manually the correct response. It is therefore important to reduce the manual test effort by automatically selecting the most important requests to be tested. This paper introduces the XACML smart coverage selection approach, based on a proposed XACML policy coverage criterion. The approach is evaluated using mutation analysis and is compared on the one side with a not-reduced test suite, on the other with random and greedy optimal test selection approaches. We performed the evaluation on a set of six real world policies. The results show that our selection approach can reach good mutation scores, while significantly reducing the number of tests to be run.

show abstract

Section: B Experiments Setupmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Coverage-Based Test Cases Selection for XACML Policies

Bertolino

Traon²,

Lonetti

et al. 2014

2014 IEEE Seventh International Conference on Software Testing, Verification and Validation Workshops

View full text Add to dashboard Cite

show abstract

“…The work is based on a fault model [13], a structural coverage measurement tool for defining policy coverage metrics [15] and a test generator [14], developed by two of the authors in their former work. In [16] De Angelis et al discuss access policy testing as a vital function of the trust network, in which users and service providers interact.…”

Section: Testingmentioning

confidence: 99%

A Formal Equivalence Classes Based Method for Security Policy Conformance Checking

Hermann

Litschauer

Fuß

2012

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Different security policy models have been developed and published in the past. Proven security policy models, if correctly implemented, guarantee the protection of data objects from unauthorized access or usage or prevent an illegal information flow. To verify that a security policy model has been correctly implemented, it is important to define and execute an exhaustive list of test cases, which verify that the formal security policy neither has been over-constrained nor underconstrained. In this paper we present a method for defining an exhaustive list of test cases, based on formally described equivalence classes that are derived from the formal security policy description.

show abstract

An automated framework for continuous development and testing of access control systems

Daoudagh

Lonetti

Marchetti

2020

J Software Evolu Process

View full text Add to dashboard Cite

Automated testing in DevOps represents a key factor for providing fast release of new software features assuring quality delivery. In this paper, we introduce DOXAT, an automated framework for continuous development and testing of access control mechanisms based on the XACML standard. It leverages mutation analysis for the selection and assessment of the test strategies and provides automated facilities for test oracle definition, test execution, and results analysis, in order to speedup and automate the Plan, Code, Build, and Test phases of DevOps process. We show the usage of the framework during the planning and testing phases of the software development cycle of a PDP example.

show abstract

Automated test generation for access control policies

Cited by 48 publications

References 8 publications

Coverage-Based Test Cases Selection for XACML Policies

Coverage-Based Test Cases Selection for XACML Policies

A Formal Equivalence Classes Based Method for Security Policy Conformance Checking

An automated framework for continuous development and testing of access control systems

Contact Info

Product

Resources

About