Coverage-Based Test Cases Selection for XACML Policies

Bertolino, Antonia; Traon, Yves Le; Lonetti, Francesca; Marchetti, Eda; Mouelhi, Tejeddine

doi:10.1109/icstw.2014.49

Cited by 13 publications

(9 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Testing the security of the communication channels includes approaches that check the correct validation of SSL/TLS certificates (e.g., Frankencerts [18]) as well as protocol fuzzers such as SNOOZE [10] or SECFUZZ [124]. For testing the correct access control, various model based approaches (e.g., [13,19,85]) haven been applied to case studies of different size. Finally, tools like Nessus [109] that rather easily allow to scan networks for applications with known vulnerabilities and, thus, applications that need to be updated or patched.…”

Section: The Third Tier: Back-end Systemsmentioning

confidence: 99%

Security Testing

Felderer

Büchler

Johns

et al. 2016

Advances in Computers

126

View full text Add to dashboard Cite

ReuseThis article is distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivs (CC BY-NC-ND) licence. This licence only allows you to download this work and share it with others as long as you credit the authors, but you can't change the article in any way or use it commercially. More information and the full terms of the licence here: https://creativecommons.org/licenses/ Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing eprints@whiterose.ac.uk including the URL of the record and the reason for the withdrawal request. Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarize the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.

show abstract

Section: The Third Tier: Back-end Systemsmentioning

confidence: 99%

Security Testing

Felderer

Büchler

Johns

et al. 2016

Advances in Computers

126

View full text Add to dashboard Cite

show abstract

“…In literature there are few works facing coverage assessment of XACML policies. Seminal works are presented in [17] and [6]. In the former, the authors provide a first coverage criterion for XACML policies defining three structural coverage metrics targeting XACML policies, rules and conditions respectively.…”

Section: Related Workmentioning

confidence: 99%

“…This section provides a set of XACML coverage criteria useful for assessing the effectiveness of a generic XACML based testing strategy. Revising and extending the definition provided in [5], we first provide some generic definitions concerning the policy (Definitions 1 and 2) and request elements (Definition 4) and then we define the XACML coverage criteria (Definitions 5, 7, 9, 11).Definition 1 (Target Tuple): Given a Rule R , a Policy P , a PolicySet PS , with R

\in

P and P

\in

PS , and given the set of XACML elements, called XE = { xe: xe is PS or P or R }, the Target Tuple of an xe

\in

XE , called

T T_{x e}

, is a 4‐tuple ( S , Res , A , E ), where S ( Res , A , E ) is a finite set of subjects (resources, actions, environments) in the XACML target of xe .…”

Section: Coverage Criteriamentioning

confidence: 99%

“…Intuitively, the main goal is to derive an acyclic graph, defining a partial order on policy elements. Several proposals are available such as [5, 8] for XACML policy specification. Once extracted, the traces are provided to the Monitor infrastructure . Policy evaluation engine is in charge of the execution of the policy and the derivation of the associated response.…”

Section: Coverage Testing Frameworkmentioning

confidence: 99%

“…Specifically, the authors introduced the concept of reachability‐based and firing‐based fault localisation techniques. In this paper, we extend the criteria proposed in [5] differentiating the concept of Rule Target matching, so to better analyse the evaluation of policy rules.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

On‐line tracing of XACML‐based policy coverage criteria

Lonetti

Marchetti

2018

IET softw.

Self Cite

View full text Add to dashboard Cite

Currently, XACML has becoming the standard for implementing access control policies and consequently more attention is dedicated to testing the correctness of XACML policies. In particular, coverage measures can be adopted for assessing test strategy effectiveness in exercising the policy elements. This paper introduces a set of XACML coverage criteria and describes the access control infrastructure, based on a monitor engine, enabling the coverage criterion selection and the on-line tracing of the testing activity. Examples of infrastructure usage and of assessment of different test strategies are provided.

show abstract

Validation of Access Control Systems

Bertolino

Lonetti

et al. 2014

Engineering Secure Future Internet Services and Systems

View full text Add to dashboard Cite

Coverage-Based Test Cases Selection for XACML Policies

Cited by 13 publications

References 24 publications

Security Testing

Security Testing

On‐line tracing of XACML‐based policy coverage criteria

Validation of Access Control Systems

Contact Info

Product

Resources

About