• DocumentCode
    3062071
  • Title

    Automated Test Generation for Access Control Policies via Change-Impact Analysis

  • Author

    Martin, Evan ; Xie, Tao

  • Author_Institution
    North Carolina State Univ., Raleigh
  • fYear
    2007
  • fDate
    20-26 May 2007
  • Firstpage
    5
  • Lastpage
    5
  • Abstract
    Access control policies are increasingly written in specification languages such as XACML. To increase confidence in the correctness of specified policies, policy developers can conduct policy testing with some typical test inputs (in the form of requests) and check test outputs (in the form of responses) against expected ones. Unfortunately, manual test generation is tedious and manually generated tests are often not sufficient to exercise various policy behaviors. In this paper we present a novel framework and its supporting tool called Cirg that generates tests based on change-impact analysis. Our experimental results show that Cirg can effectively generate tests to achieve high structural coverage of policies and outperforms random test generation in terms of structural coverage and fault-detection capability.
  • Keywords
    authorisation; program testing; access control policies; automated test generation; change-impact analysis; fault-detection capability; manual test generation; policy developers; policy testing; random test generation; specification languages; structural coverage; Access control; Automatic testing; Computer errors; Control systems; Resource management; Software engineering; Software systems; Software testing; Specification languages;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Software Engineering for Secure Systems, 2007. SESS '07: ICSE Workshops 2007. Third International Workshop on
  • Conference_Location
    Minneapolis, MN
  • Print_ISBN
    0-7695-2952-6
  • Type

    conf

  • DOI
    10.1109/SESS.2007.5
  • Filename
    4273331