research-article

Security policy testing via automated program code generation

Authors:

CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies

Article No.: 13, Pages 1 - 4

https://doi.org/10.1145/1558607.1558623

Published: 13 April 2009 Publication History

Get Access

Abstract

Access control is one of the fundamental security mechanisms for information systems. It determines the availability of resources to principals, operations that can be performed, and under what circumstances. Traditionally the enforcement of access control is often hardcoded in applications or systems; such hardcoding makes it hard to verify the correctness of access control and to accommodate changes of security requirements. Recently, access control policies have been increasingly separated from enforcement mechanisms. An access control policy is explicitly specified using certain policy languages with well-defined syntax and semantics. An application then consults the policy during runtime to determine whether an access request from a principal should be allowed or denied. There are two main advantages of this approach. First, security officers can now perform systematic and formal security analysis on access control policies. Second, by separating policies from enforcement mechanisms, it is possible to change policies without affecting the underlying mechanisms, and vice versa.

References

[1]

]]Sun's XACML implementation. http://sunxacml.sourceforge.net/, 2005.

Google Scholar

[2]

]]Nicodemos Damianou, Naranker Dulay, Emil Lupu, and Morris Sloman. The Ponder policy specification language. In Proc. POLICY, pages 18--38, 2001.

Digital Library

Google Scholar

[3]

]]Richard A. DeMillo, Richard J. Lipton, and Frederick G. Sayward. Hints on test data selection: Help for the practicing programmer. IEEE Computer, 11(4):34--41, April 1978.

Digital Library

Google Scholar

[4]

]]Evan Martin and Tao Xie. Automated test generation for access control policies. In Supplemental Proc. ISSRE, 2006.

Digital Library

Google Scholar

[5]

]]Evan Martin and Tao Xie. A fault model and mutation testing of access control policies. In Proc. WWW, pages 667--676, 2007.

Digital Library

Google Scholar

[6]

]]Evan Martin, Tao Xie, and Ting Yu. Defining and measuring policy coverage in testing access control policies. In Proc. ICICS, pages 139--158, 2006.

Digital Library

Google Scholar

[7]

]]Koushik Sen and Gul Agha. CUTE and jCUTE: Concolic unit testing and explicit path model-checking tools. In Proc. CAV, pages 419--423, 2006.

Digital Library

Google Scholar

[8]

]]OASIS eXtensible Access Control Markup Language (XACML). http://www.oasis-open.org/committees/xacml/, 2005.

Google Scholar

Cited By

View all

Zhang YZhang BWang Z(2017)Research of a Data Flow Test Method for Attribute-Based Access Control Systems2017 International Conference on Network and Information Systems for Computers (ICNISC)10.1109/ICNISC.2017.00043(167-171)Online publication date: Apr-2017
https://doi.org/10.1109/ICNISC.2017.00043
Zhang YZhang B(2017)A new testing method for XACML 3.0 policy based on ABAC and data flow2017 13th IEEE International Conference on Control & Automation (ICCA)10.1109/ICCA.2017.8003052(160-164)Online publication date: Jul-2017
https://doi.org/10.1109/ICCA.2017.8003052
Xie TBishop JTillmann Nde Halleux JNicol D(2015)Gamifying software security education and training via secure coding duels in code huntProceedings of the 2015 Symposium and Bootcamp on the Science of Security10.1145/2746194.2746220(1-2)Online publication date: 21-Apr-2015
https://dl.acm.org/doi/10.1145/2746194.2746220
Show More Cited By

Index Terms

Security policy testing via automated program code generation
1. Security and privacy
  1. Software and application security
    1. Software security engineering
2. Software and its engineering

Recommendations

Policy enforcement via program monitoring
Towards network security policy generation for configuration analysis and testing
SafeConfig '09: Proceedings of the 2nd ACM workshop on Assurable and usable security configuration

Access-control lists are an essential part in the security framework of any system. Researchers are always in need to have a repository of ready made policies for conducting research and development. Such policies, especially firewall policies which are ...
Testing Delegation Policy Enforcement via Mutation Analysis
ICSTW '13: Proceedings of the 2013 IEEE Sixth International Conference on Software Testing, Verification and Validation Workshops

Delegation is an important dimension of security that plays a crucial role in the administration mechanism of access control policies. Delegation may be viewed as an exception made to an access control policy in which a user gets right to act on behalf ...

Comments

Information & Contributors

Information

Published In

CSIIRW '09: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies

April 2009

952 pages

ISBN:9781605585185

DOI:10.1145/1558607

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 April 2009

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Qualifiers

Research-article

Funding Sources

Conference

CSIIRW '09

CSIIRW '09: Fifth Cyber Security and Information Intelligence Research Workshop

April 13 - 15, 2009

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
237
Total Downloads

Downloads (Last 12 months)3
Downloads (Last 6 weeks)2

Reflects downloads up to 14 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zhang YZhang BWang Z(2017)Research of a Data Flow Test Method for Attribute-Based Access Control Systems2017 International Conference on Network and Information Systems for Computers (ICNISC)10.1109/ICNISC.2017.00043(167-171)Online publication date: Apr-2017
https://doi.org/10.1109/ICNISC.2017.00043
Zhang YZhang B(2017)A new testing method for XACML 3.0 policy based on ABAC and data flow2017 13th IEEE International Conference on Control & Automation (ICCA)10.1109/ICCA.2017.8003052(160-164)Online publication date: Jul-2017
https://doi.org/10.1109/ICCA.2017.8003052
Xie TBishop JTillmann Nde Halleux JNicol D(2015)Gamifying software security education and training via secure coding duels in code huntProceedings of the 2015 Symposium and Bootcamp on the Science of Security10.1145/2746194.2746220(1-2)Online publication date: 21-Apr-2015
https://dl.acm.org/doi/10.1145/2746194.2746220
Lieberman GMitropoulos F(2013)Securely handling application-to-application connection credentials2013 Proceedings of IEEE Southeastcon10.1109/SECON.2013.6567464(1-7)Online publication date: Apr-2013
https://doi.org/10.1109/SECON.2013.6567464

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Policy enforcement via program monitoring

Towards network security policy generation for configuration analysis and testing

Testing Delegation Policy Enforcement via Mutation Analysis