Title :
Access control enforcement testing
Author :
El Kateb, Donia ; El Rakaiby, Yehia ; Mouelhi, Tejeddine ; Le Traon, Yves
Author_Institution :
Reliability & Trust Interdiscipl. Res. Center, SnT, Luxembourg
Abstract :
A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two folded approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.
Keywords :
authorisation; program diagnostics; program testing; PDP; PEP; access control enforcement testing; access decision logic; dynamic analysis; policy decision point; policy enforcement points; policy-based access control architecture; security vulnerabilities; static analysis; subjects access requests; Access control; Analytical models; Context; Software systems; Testing; Unified modeling language; Access Control Policies; PDP; PEP; Security Test Cases;
Conference_Titel :
Automation of Software Test (AST), 2013 8th International Workshop on
Conference_Location :
San Francisco, CA
DOI :
10.1109/IWAST.2013.6595793
