  • DocumentCode
    1992880
  • Title
    Testing access control and obligation policies
  • Author
    Dianxiang Xu ; Sanford, M. ; Zhaoliang Liu ; Emry, M. ; Brockmueller, B. ; Johnson, Stanley ; To, M.
  • Author_Institution
    Dakota State Univ., Madison, SD, USA
  • fYear
    2013
  • fDate
    28-31 Jan. 2013
  • Firstpage
    540
  • Lastpage
    544
  • Abstract
    As access control with obligatory constraints is critical to assuring system accountability, research on the specification and monitoring of obligation policy has gained increasing attention. However, a correctly specified obligation policy may be implemented incorrectly for various reasons, such as programming errors. This paper presents a model-based approach to testing access control and obligation policies. We build test models of access control and obligation policies based on system functions and derive tests from the models for exercising the system implementation. As a black box technique, our approach is independent of how access control and obligation requirements are implemented in the system under test. We demonstrate our approach through the testing of a real-world online banking system, which is being used by many financial organizations. The mutation analysis indicated that our testing approach is very effective.
  • Keywords
    authorisation; bank data processing; program testing; access control; black box technique; financial organizations; model-based approach; mutation analysis; obligation policies; programming errors; real-world online banking system; system accountability; system functions; system under test; Access control; Computational modeling; Firing; Online banking; Programming; Testing; Security; access control; model-based testing; obligation policy; software testing;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computing, Networking and Communications (ICNC), 2013 International Conference on
  • Conference_Location
    San Diego, CA
  • Print_ISBN
    978-1-4673-5287-1
  • Electronic_ISBN
    978-1-4673-5286-4
  • Type
    conf
  • DOI
    10.1109/ICCNC.2013.6504143
  • Filename
    6504143