A formal approach for testing security rules

Mallouli, Wissam; Orset, Jean‐Marie; Cavalli, Ana; Cuppens, Nora; Cuppens, Frédéric

doi:10.1145/1266840.1266860

Cited by 38 publications

(19 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…It generalizes our previous work that covers testing rules with atomic activities [16] by considering decomposed ones through the conception of new integration algorithms.…”

Section: Related Workmentioning

confidence: 74%

Testing Security Rules with Decomposable Activities

Lee

Won

Sung

et al. 2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

Self Cite

View full text Add to dashboard Cite

Abstract-Checking that a security policy has been correctly deployed over a network is a key issue for system administrators. Specification and testing of such policies constitute fundamental steps in the development of a secure system. To address both challenges, we propose a framework to describe how modalities such as permissions, prohibitions and obligations -involving decomposable activities-can be integrated in a functional EFSM specification of a system to obtain a new specification of the system that takes into account the security policy. Then, we propose a method to automatically derive test sequences to test the implementation, using a dedicated tool developed in our laboratory. Finally, we apply our framework to a Weblog system case study to demonstrate its reliability.

show abstract

“…It generalizes our previous work that covers testing rules with atomic activities [16] by considering decomposed ones through the conception of new integration algorithms.…”

Section: Related Workmentioning

confidence: 74%

Testing Security Rules with Decomposable Activities

Lee

Won

Sung

et al. 2007

10th IEEE High Assurance Systems Engineering Symposium (HASE'07)

Self Cite

View full text Add to dashboard Cite

show abstract

“…In [11], Xie et al proposed a new tool Cirg that automatically generates test for XACML policies using Change-Impact Analysis. Several researchers generate tests from access control policies using various forms of state machines [12], [23]. In addition, Several studies propose the use of fault-injection or mutation targeting different aspects of security testing.…”

Section: B Mutation Resultsmentioning

confidence: 99%

Testing Obligation Policy Enforcement Using Mutation Analysis

Elrakaiby

Mouelhi

Traon

2012

2012 IEEE Fifth International Conference on Software Testing, Verification and Validation

View full text Add to dashboard Cite

Abstract-The support of obligations with access control policies allows the expression of more sophisticated requirements such as usage control, availability and privacy. In order to enable the use of these policies, it is crucial to ensure their correct enforcement and management in the system. For this reason, this paper introduces a set of mutation operators for obligation policies. The paper first identifies key elements in obligation policy management, then presents mutation operators which injects minimal errors which affect these aspects. Test cases are qualified w.r.t. their ability in detecting problems, simulated by mutation, in the interactions between policy management and the application code. The use of policy mutants as substitutes for real flaws enables a first investigation of testing obligation policies in a system. We validate our work by providing an implementation of the mutation process: the experiments conducted on a Java program provide insights for improving test selection.

show abstract

“…The next step is to apply this configuration to our ViewModel. To this end, the JSON-encoded result of the View Service is parsed, and each entry in the result is applied to the local viewModel variable (lines [12][13][14][15].…”

Section: Client-side Updates Of the Viewmodelmentioning

confidence: 99%

“…In [1], Belchior and colleagues model RBAC policies using RDF triples and N3Logic rules. Mallouli et al [13] use extended finite state machines (EFSM) to model systems with OrBAC [11] (Organization Based Access Control) security policies. However, none of these approaches addresses the enforcement of access control policies and entailment constraints in dynamic real-time Web applications.…”

Section: Related Workmentioning

confidence: 99%

Supporting Customized Views for Enforcing Access Control Constraints in Real-Time Collaborative Web Applications

Gaubatz

Hummer

Zdun

et al. 2013

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Real-time collaborative Web applications allow multiple users to concurrently work on a shared document. In addition to popular use cases, such as collaborative text editing, they can also be used for formbased business applications that often require forms to be filled out by different stakeholders. In this context, different users typically need to fill in different parts of a form. Role-based access control and entailment constraints provide means for defining such restrictions. Major challenges in the context of integrating collaborative Web applications with access control restrictions are how to support changes of the configuration of access constrained UI elements at runtime, realizing acceptable performance and update behaviour, and an easy integration with existing Web applications. In this paper, we address these challenges through a novel approach supporting constrained and customized UI views that support runtime changes and integrate well with existing Web applications. Using a prototypical implementation, we show that the approach provides acceptable update behaviour and requires only a small performance overhead for the access control tasks with linear scalability.

show abstract

A formal approach for testing security rules

Cited by 38 publications

References 10 publications

Testing Security Rules with Decomposable Activities

Testing Security Rules with Decomposable Activities

Testing Obligation Policy Enforcement Using Mutation Analysis

Supporting Customized Views for Enforcing Access Control Constraints in Real-Time Collaborative Web Applications

Contact Info

Product

Resources

About