Evaluating the capability and performance of access control policy verification tools

Access control has been used in many systems such as military systems and business information systems. Access control protects sensitive information based on access control policies. Thus, assuring the correctness of policies is important. For this purpose, many access control policy verification (ACPV) tools have been proposed to check the correctness of policies. Since these tools have been designed by different mechanisms, they have different capabilities and performances. However, there lacks a set of standard approaches for evaluating them. Consequently, it is difficult for users to identify an appropriate tool for verifying their security policies. In this paper, we make an initial step towards building standard approaches for evaluating the capability and performance of ACPV tools. Specifically, we propose a set of reference metrics for analytically evaluating, as well as sets of oracles and test cases for empirically checking the run-time capability and performance of ACPV tools. To demonstrate, we apply these metrics, oracles and test cases on existing ACPV tools.