Testing Security Rules with Decomposable Activities

Lee, Jeong-Oog; Won, Daehee; Sung, Sangkyung; Kang, Tae Sam; Lee, Young Jae

doi:10.1109/hase.2007.41

Cited by 4 publications

(3 citation statements)

References 14 publications

(13 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The second type of works focuses on defining a dedicated language for obligations modeling such as xSPL [23], Obligations Specification Language (OSL) [24], Rei [25], and Ponder Specification Language [26]. Obligations are modeled for several purposes such as static analysis [5,22,27], platform for the enforcement of obligations policies with underlying system [21,23], state-based modeling for verification [28], and software testing [29,30]. There are also works on using UML to model access control infrastructure that does not include the modeling of obligations [31,32] Some contributions in the literature have focused on the model-based testing of obligations.…”

Section: Related Workmentioning

confidence: 99%

“…There are also works on using UML to model access control infrastructure that does not include the modeling of obligations [31,32] Some contributions in the literature have focused on the model-based testing of obligations. They model obligations using different formalisms such as Extended Finite State Machines (EFSM) [29] and Petri Nets (PrT) [30]. In the work of Mallouli and Cavalli [29], EFSMs are used to model access rules and obligations with the objective to identify test objectives.…”

Section: Related Workmentioning

confidence: 99%

“…They model obligations using different formalisms such as Extended Finite State Machines (EFSM) [29] and Petri Nets (PrT) [30]. In the work of Mallouli and Cavalli [29], EFSMs are used to model access rules and obligations with the objective to identify test objectives. However, they do not specify constraints on obligations, in particular timing constraints.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Model-Based Testing of Obligations

Rubab

Ali

Briand

et al. 2014

2014 14th International Conference on Quality Software

View full text Add to dashboard Cite

Abstract-Obligations are mandatory actions that users must perform, addressing access control requirements. To ensure that such obligations are implemented correctly, an automated and systematic testing approach is often recommended. One such approach is Model-Based Testing (MBT) that allows defining costeffective testing strategies to support rigorous testing via automation. In this paper, we present MBT for obligations by extending the Unified Modeling Language (UML) via a profile called the Obligations Profile. Based on the profile, we define a modeling methodology utilizing the concepts of Obligations Class Diagrams (OCDs) and Obligations State Machines (OSMs), which are standard UML Class Diagrams and UML State Machines with stereotypes from the Obligations Profile. Our methodology, using OCDs and OSMs, is automatically enforced by the validation of constraints defined in the profile. To assess the completeness and applicability of the profile and methodology, we modeled 47 obligations from four different systems. The results of our case study show that we successfully modeled all the obligations and used 75% of the stereotypes that we defined in the profile.In addition, using OCDs and OSMs, we automatically generate executable test cases using a standard state machine structural coverage criterion and common test data generation strategies. The effectiveness of generated test cases is assessed using mutation analysis on two systems, using mutation operators specifically designed for obligation faults. Test case execution killed 75% of the mutants and a careful analysis further suggests that more sophisticated testing strategies must be defined to further improve testing effectiveness.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Model-Based Testing of Obligations

Rubab

Ali

Briand

et al. 2014

2014 14th International Conference on Quality Software

View full text Add to dashboard Cite

show abstract

Model-based security testing: a taxonomy and systematic classification

Felderer

Zech

Breu

et al. 2015

Softw. Test. Verif. Reliab.

View full text Add to dashboard Cite

Model-based security testing relies on models to test whether a software system meets its security requirements. It is an active research field of high relevance for industrial applications, with many approaches and notable results published in recent years. This article provides a taxonomy for model-based security testing approaches. It comprises filter criteria (i.e. model of system security, security model of the environment and explicit test selection criteria) as well as evidence criteria (i.e. maturity of evaluated system, evidence measures and evidence level). The taxonomy is based on a comprehensive analysis of existing classification schemes for model-based testing and security testing. To demonstrate its adequacy, 119 publications on model-based security testing are systematically extracted from the five most relevant digital libraries by three researchers and classified according to the defined filter and evidence criteria. On the basis of the classified publications, the article provides an overview of the state of the art in model-based security testing and discusses promising research directions with regard to security properties, coverage criteria and the feasibility and return on investment of model-based security testing. 120 M. FELDERER ET AL. 9126 [4] defining security as a functional quality characteristic. However, it seems desirable that security testing directly targets the previous security properties, as opposed to taking the detour of functional tests of security mechanisms. This view is supported by the ISO/IEC 25010 [2] standard that revises ISO/IEC 9126 and introduces security as a new quality characteristic that is not included in the characteristic functionality any more.Because the former kind of (non-functional) security properties describes all executions of a system, this kind of security testing is intrinsically hard. Because testing cannot show the absence of faults, an immediately useful perspective directly considers the violation of these properties. This has resulted in the development of specific testing techniques such as penetration testing that simulates attacks to exploit vulnerabilities. Penetration tests are difficult to craft because tests often do not directly cause observable security exploits, and because the testers must think like an attacker [5], which requires specific expertise. During penetration testing, testers build a mental model of security properties, security mechanisms and possible attacks against the system and its environment. It seems intuitive that security testing can benefit from specifying these security test models in an explicit and processable way. Security test models provide guidance for the systematic and effective specification and documentation of security test objectives and security test cases, as well as for their automated generation and evaluation.The variant of testing that relies on explicit models that encode information on the system under test and/or its environment is called model-based testing (MBT) [6,7]. Especially in ...

show abstract

Realization of Yacht Monitoring System

Yao

et al. 2009

2009 First International Workshop on Education Technology and Computer Science

View full text Add to dashboard Cite

Yacht amusement industry has gradually become a fashion industry in the amusement places in coastal or other waters. Along with the industry's development, security issues also need to address. In this paper, the yacht intelligent monitoring system has been proposed. And it is constituted of the hardware system including an MMA7260 acceleration sensor, a GPS module, a battery capacity monitor and two wireless transmission modules and the visual monitoring software system set in the monitoring room, with the MC9S12 single-chip as MCU.

show abstract

Testing Security Rules with Decomposable Activities

Cited by 4 publications

References 14 publications

Model-Based Testing of Obligations

Model-Based Testing of Obligations

Model-based security testing: a taxonomy and systematic classification

Realization of Yacht Monitoring System

Contact Info

Product

Resources

About