{"title":"Model-Based Testing of Obligatory ABAC Systems","authors":"Samer Y. Khamaiseh, Patrick Chapman, Dianxiang Xu","doi":"10.1109/QRS.2018.00054","DOIUrl":null,"url":null,"abstract":"Attribute-based access control (ABAC) with obligations is a new technique for achieving fine-grained access control and accountability. An obligatory ABAC system can be implemented incorrectly for various reasons, such as programming errors and incorrect access control and obligation specification. To reveal these implementation defects, this paper presents an approach to model-based testing of obligatory ABAC systems. In this approach, we first build a test model by specifying a functional model and an obligatory ABAC policy. The policy represents access control and obligation constraints on the functional model. Then we weave the policy with the functional model into an integrated model that represents both functions under test and access control and obligation constraints on them. Test cases can then be generated from the integrated model. Our approach is built upon MISTA, an open source test code generator that supports a variety of programming languages and test frameworks. To validate our approach, this paper presents a first case study on the development and testing of an open-source obligatory ABAC system. We evaluated the effectiveness of the approach by mutation analysis of the ABAC and obligation rules and the policy enforcement code in the implementation. The result shows that our approach is capable of finding the majority of injected faults.","PeriodicalId":114973,"journal":{"name":"2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE International Conference on Software Quality, Reliability and Security (QRS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/QRS.2018.00054","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 9
Abstract
Attribute-based access control (ABAC) with obligations is a new technique for achieving fine-grained access control and accountability. An obligatory ABAC system can be implemented incorrectly for various reasons, such as programming errors and incorrect access control and obligation specification. To reveal these implementation defects, this paper presents an approach to model-based testing of obligatory ABAC systems. In this approach, we first build a test model by specifying a functional model and an obligatory ABAC policy. The policy represents access control and obligation constraints on the functional model. Then we weave the policy with the functional model into an integrated model that represents both functions under test and access control and obligation constraints on them. Test cases can then be generated from the integrated model. Our approach is built upon MISTA, an open source test code generator that supports a variety of programming languages and test frameworks. To validate our approach, this paper presents a first case study on the development and testing of an open-source obligatory ABAC system. We evaluated the effectiveness of the approach by mutation analysis of the ABAC and obligation rules and the policy enforcement code in the implementation. The result shows that our approach is capable of finding the majority of injected faults.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
