Testing of PolPA authorization systems

Bertolino, Antonia; Daoudagh, Said; Lonetti, Francesca; Marchetti, Eda; Martinelli, M.; Mori, Paolo

doi:10.1109/iwast.2012.6228997

Cited by 11 publications

(8 citation statements)

References 18 publications

(27 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Model-based testing approaches are capable of generating test cases based on interaction protocol specifications [16], [17] and thus can potentially generate test cases for complex attack scenarios [18]. Model-based security testing is a relatively new research field [46], where some approaches have been proposed for security vulnerability testing (e.g., [50], [51], [52], [53], [54], [55], [56], [57], [58], [59]). For instance, Marback et al [53] propose a model-based security testing approach that automatically generates security test sequences from threat trees.…”

Section: Related Workmentioning

confidence: 99%

“…Jürjens [54] relies on some security extensions of UML, i.e., UMLsec [64], [65], [66], to generate security vulnerability test cases from detailed UML statecharts capturing control and data-flow. Bertolino et al [50] present a model-based approach for the automatic generation of test cases for security policies specified in a process algebra language. All these approaches require detailed formal models, which limits their adoption in industrial settings.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A Natural Language Programming Approach for Requirements-Based Security Testing

Pastore

Göknil

et al. 2018

2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

To facilitate communication among stakeholders, software security requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ensure security) and negative requirements (i.e., undesirable behavior undermining security). In this paper, we tackle the problem of automatically generating executable security test cases from security requirements in natural language (NL). More precisely, since existing approaches for the generation of test cases from NL requirements verify only positive requirements, we focus on the problem of generating test cases from negative requirements. We propose, apply and assess Misuse Case Programming (MCP), an approach that automatically generates security test cases from misuse case specifications (i.e., use case specifications capturing the behavior of malicious users). MCP relies on natural language processing techniques to extract the concepts (e.g., inputs and activities) appearing in requirements specifications and generates executable test cases by matching the extracted concepts to the members of a provided test driver API. MCP has been evaluated in an industrial case study, which provides initial evidence of the feasibility and benefits of the approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A Natural Language Programming Approach for Requirements-Based Security Testing

Pastore

Göknil

et al. 2018

2018 IEEE 29th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

show abstract

“…Moreover, they describe a prototype implementation for GRID computational services, and they show how the proposed language can be used to define a security policy that regulates the network usage to protect the local computational service from the applications executed on behalf of remote GRID users. The Usage Control authorization system prototype has been validated through a proper testing process described in [46].…”

Section: Usage Control Modelmentioning

confidence: 99%

Stateful Data Usage Control for Android Mobile Devices

Lazouski

Martinelli

Mori

et al. 2016

Int. J. Inf. Secur.

Self Cite

View full text Add to dashboard Cite

Modern mobile devices allow their users to download data from the network, such as documents or photos, to store local copies and to use them. Many real scenarios would benefit from this capability of mobile devices to easily and quickly share data among a set of users but, in case of critical data, the usage of these copies must be regulated by proper security policies. To this aim, we propose a framework for regulating the usage of data when they have been downloaded on mobile devices, i.e., they have been copied outside the producer's domain. Our framework regulates the usage of the local copy by enforcing the Usage Control policy which has been embedded in the data by the producer. Such policy is written in UXACML, an extension of the XACML language for expressing Usage Control model based policies, whose main feature is to include predicates which must be satisfied for the whole execution of the access to the data. Hence, the proposed framework goes beyond the traditional access control capabilities, being able to interrupt an ongoing access to the data as soon as the policy is no longer satisfied. This paper details the proposed approach, defines the architecture and the workflow of the main functionalities of the proposed framework, describes the implementation of a working prototype for Android devices, presents the related performance figures, and discusses the security of the prototype.

show abstract

“…[36], the authors have proposed a model-based testing approach to test PolPA authorizations systems. PolPA authorizations systems are based on a process-algebraic language to specify policies according to UCON [17].…”

Section: Access Control Test Generationmentioning

confidence: 99%