Model-based Testing of Access Control Systems that Employ RBAC Policies

Get BibTex-formatted data

Download

PDF

Author

Ammar Masood, Rafae Bhatti, Arif Gahfoor, Aditya P. Mathur

Tech report number

CERIAS TR 2005-62

Entry type

techreport

Abstract

Access control is the key security service used for information and system security. The access control mechanisms can be used to enforce various security policies, but the desired access control objectives can only be achieved if the underlying software implementation is correct. It therefore becomes essential to not only verify that the implementation conforms to the given policy but also to confirm the absence of any violations in it. We propose a model-based strategy for testing implementations of access control systems that employ the RBAC policy specification. Our approach is based on the construction of a structural and behavioral model of the corresponding RBAC specification. The model is then used to generate static and dynamic test suites for the corresponding implementation. The code coverage and mutation score were used as metrics to determine the efficacy of the proposed approach in a case study. The results of the case study show that the tests generated using the proposed approach not only provide good control flow coverage of the implementation but are also effective in detecting faults induced via mutation operators.

Download

PDF

Key alpha

Masood

Publication Date

1900-01-01

BibTex-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTex document. Note that the text may not contain all macros that BibTex supports.

@Techreport{ Masood,
	title = "Model-based Testing of Access Control Systems that Employ RBAC Policies",
	author = "Ammar Masood, Rafae Bhatti, Arif Gahfoor, Aditya P. Mathur",
	abstract = "Access control is the key security service used for information and system security. The access control mechanisms can be used to enforce various security policies, but the desired access control objectives can only be achieved if the underlying software implementation is correct. It therefore becomes essential to not only verify that the implementation conforms to the given policy but also to confirm the absence of any violations in it. We propose a model-based strategy for testing implementations of access control systems that employ the RBAC policy specification. Our approach is based on the construction of a structural and behavioral model of the corresponding RBAC specification. The model is then used to generate static and dynamic test suites for the corresponding implementation. The code coverage and mutation score were used as metrics to determine the efficacy of the proposed approach in a case study. The results of the case study show that the tests generated using the proposed approach not only provide good control flow coverage of the implementation but are also effective in detecting faults induced via mutation operators.",
}