Title :
Testing and Analysis of Access Control Policies
Author_Institution :
North Carolina State Univ., Raleigh, NC
Abstract :
Policy testing and analysis are important techniques for high assurance of correct specification of access control policies. We propose a set of testing and analysis techniques for access control policies and tools for empirically investigating and evaluating the proposed techniques. We propose a fault model for access control policies and investigate various fault types and their frequencies of occurrence in policy development; we develop a mutation testing framework that implements the fault model; we propose and investigate various coverage criteria for testing access control policies; we develop various test generation techniques and evaluate them using the coverage criteria and mutation testing framework; we develop a policy model to facilitate refactoring, performance optimizations, dependency identification, and other types of static analysis. To make our discussion concrete, we choose to present our techniques in the context of XACML. Note that since XACML is an application- independent, generic access control policy language, our techniques can be equally applied to test policies written in other languages.
Keywords :
authorisation; program diagnostics; program testing; XACML; access control policy testing; fault model; generic access control policy language; mutation testing framework; test generation technique; Access control; Concrete; Fault diagnosis; Frequency; Genetic mutations; Optimization; Performance analysis; Software testing; Specification languages; XML;
Conference_Titel :
Software Engineering - Companion, 2007. ICSE 2007 Companion. 29th International Conference on
Conference_Location :
Minneapolis, MN
Print_ISBN :
0-7695-2892-9
DOI :
10.1109/ICSECOMPANION.2007.73