Continuous Development and Testing of Access and Usage Control

Daoudagh, Said; Lonetti, Francesca; Marchetti, Eda

doi:10.1145/3393822.3432330

Cited by 5 publications

(14 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…3) Enumeration: if the number of distinct values for p recorded in the log is less than a predefined threshold 6 , then the type of p is an enumeration whose elements are the logged values for p.…”

Section: Step 2: Access Logs Miningmentioning

confidence: 99%

“…The scope of these approaches also vary: generating executable test cases (e.g., [57], prioritizing test case execution based on a given test budget constraints (e.g., [54]), localizing faults (e.g., [58]), generating test oracles (e.g., [60,61]); other approaches [62,59] focus on proposing coverage criteria, such as AC rule coverage, rule pair coverage, and modified condition/decision coverage, to measure and ensure the quality of (AC) test suites. Daoudagh et al [6] conducted a systematic literature review on 20 studies that focus on testing of the usage and access control systems inside DevOps processes. The survey reported that many critical AC issues arise from ambiguous or faulty AC specifications.…”

Section: Detection Of Ac Defects and Vulnerabilitiesmentioning

confidence: 99%

“…However, in many scenarios, testers cannot rely on AC policy specifications because they are often missing (e.g., the AC policies have been directly hard-coded in the business logic of the application), poorly documented, or hard to understand (e.g., AC policies are encoded as bit strings in configuration files). A recent literature study by Daoudagh et al [6] reported that many critical AC issues arise from ambiguous or faulty AC specifications.…”

Section: Introductionmentioning

confidence: 99%

“…Since these are standard HTTP messages, they can be captured with any Web proxy tool with similar functionalities 6. This threshold is user-configurable and it defaults to 50 in our implementation.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Automated reverse engineering of role-based access control policies of web applications

Shar

Bianculli

et al. 2022

Journal of Systems and Software

View full text Add to dashboard Cite

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. However, in practice, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in business logic implementations. This leads to difficulties in validating the correctness of policy implementations and detecting AC defects.In this paper, we present a semi-automated framework for reverse-engineering of AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations, which are then used to validate implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes more access requests using combinatorial test generation. To learn policies, we apply machine learning on the obtained data to characterize relevant attributes that influence AC. Finally, the inferred policies are presented to the security engineer, for validation with respect to intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors.We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues that were reported to the developers.

show abstract

Section: Step 2: Access Logs Miningmentioning

confidence: 99%

Section: Detection Of Ac Defects and Vulnerabilitiesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Automated reverse engineering of role-based access control policies of web applications

Shar

Bianculli

et al. 2022

Journal of Systems and Software

View full text Add to dashboard Cite

show abstract

“…In this section, we summarize the main proposals applicable during the development and testing process in order to clarify the main research directions of this paper. For more details, we refer to Daoudagh et al, 12 which provides a systematic literature review of the solutions applicable during the access and usage control system continuous development and testing. In the following sections, we first summarize the existing solutions on development and testing of access control mechanisms and then the currently available proposals about continuous development and testing process.…”

Section: Continuous Development and Testingmentioning

confidence: 99%

An automated framework for continuous development and testing of access control systems

Daoudagh

Lonetti

Marchetti

2020

J Software Evolu Process

Self Cite

View full text Add to dashboard Cite

Automated testing in DevOps represents a key factor for providing fast release of new software features assuring quality delivery. In this paper, we introduce DOXAT, an automated framework for continuous development and testing of access control mechanisms based on the XACML standard. It leverages mutation analysis for the selection and assessment of the test strategies and provides automated facilities for test oracle definition, test execution, and results analysis, in order to speedup and automate the Plan, Code, Build, and Test phases of DevOps process. We show the usage of the framework during the planning and testing phases of the software development cycle of a PDP example.

show abstract

Software Testing in the DevOps Context: A Systematic Mapping Study

Pando

Dávila²

2022

Program Comput Soft

View full text Add to dashboard Cite

Continuous Development and Testing of Access and Usage Control

Cited by 5 publications

References 30 publications

Automated reverse engineering of role-based access control policies of web applications

Automated reverse engineering of role-based access control policies of web applications

An automated framework for continuous development and testing of access control systems

Software Testing in the DevOps Context: A Systematic Mapping Study

Contact Info

Product

Resources

About