
A General Framework for Decentralized Combinatorial Testing of Access Control Engine: Examples of Application

  • Conference paper
Information Systems Security and Privacy (ICISSP 2019)

Abstract

Access control mechanisms aim to assure data protection in modern software systems. Testing such mechanisms is a key activity for avoiding security flaws and violations inside systems and applications. In this paper, we introduce the general architecture of a new decentralized framework for testing XACML-based access control engines. The proposed framework is composed of different web services and can be instantiated for different testing purposes: i) generation of test cases based on combinatorial testing strategies; ii) distributed test case execution; iii) decentralized oracle derivation able to associate the expected authorization decision with a given XACML request. The effectiveness of the framework has been demonstrated in two different experiments. The former addressed the evaluation of the distributed versus non-distributed testing solution. The latter focused on the performance comparison of two distributed oracle approaches.

Supported by CyberSec4Europe Grant agreement ID: 830929.


Notes

  1. In this paper, we address testing of both XACML 2.0 and XACML 3.0 based access control engines, but our solution can be easily generalized to other access control specification languages.

  2. In this case, the test generation time was not affected by communication delay.

  3. Note that in this experiment we considered XACML 2.0 based policies and PDP implementations.

  4. Sun PDP is available at: http://sunxacml.sourceforge.net.

  5. Herasaf PDP is available at: https://bitbucket.org/herasaf/herasaf-xacml-core.

  6. Balana PDP is available at: https://github.com/wso2/balana.


Corresponding author

Correspondence to Francesca Lonetti.


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Daoudagh, S., Lonetti, F., Marchetti, E. (2020). A General Framework for Decentralized Combinatorial Testing of Access Control Engine: Examples of Application. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2019. Communications in Computer and Information Science, vol 1221. Springer, Cham. https://doi.org/10.1007/978-3-030-49443-8_10


  • DOI: https://doi.org/10.1007/978-3-030-49443-8_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-49442-1

  • Online ISBN: 978-3-030-49443-8
