Combinatorial Testing of Access Control Policies Bellanov Apilli
JeeHyun Hwang
Tao Xie
[email protected]
[email protected]
[email protected]
Problem Previous access control policy testing techniques Ineffective, failing to cover important rules Costly due to too many possible tests
Mutation Testing Requests
Policy
Responses
Expected Responses
Proposed Solution: Policy Testing Combinatorial Testing of Access Control Policies Minimizes the number of required tests considering t-way interactions of given attribute values Generate single-valued and multi-valued combinatorial test requests and evaluate them against policies to expose faults.
XACML Policy Evaluation Policy Repository
Resource
Resource
Policy Enforcement Point (PEP)
Request
Policy Decision Point (PDP)
Response
XACML [1] is a specification language used to define access control policies.
Single-valued Requests: Contain one value for subject, resource, and action attributes
Mutation Operators
Responses
Mutator
Differ?
Mutant Policy
Mutant Responses
Mutant Killed!
Requests are evaluated against both the original and mutated policies. If the responses differ, the mutant is killed, meaning that the test case detects the fault, which is the absence of the rule.
Evaluation: Mutant-Killing Ratios
Experimental Subjects and Results
Single-valued Request Example Save
Request
View Grade Faculty
References
Faculty Assign View Grades
1
1 1 Multi-valued Request Example
1
1
Request
Save View Assign Grade Faculty
Combinatorial Request Generation Combinatorial Test Generation Test requests are generated by t-way combinations of attribute values considering their interactions. Every combination of t attribute values is covered by at least one test. Combinations are generated using a combinatorial testing tool called FireEye [2]. For multi-valued request generation, each parameter (P1, P2, P3) represents an attribute in a policy. A value of 1/0 indicates its presence/absence within a request.
Requests
A Mutant Policy is a faulty version of the original policy. A fault is introduced by the deletion of a rule one at a time
The PEP forms an XACML request and sends it to the PDP. The PDP checks the request against a policy, returning a response. The PEP either permits or denies the request.
Single and Multi-valued Requests
Multi-valued Requests: Contain multiple values for at least one attribute Represent each attribute value as a Boolean value 1 represents that a request includes the value 0 represents that a request does not includes the value
Policy
Subject Resource Action Faculty Grade Assign Faculty Record view Student Grade view Student Record Assign Single-valued Requests (2 subject, 2 resource, and 2 action values)
Single-valued Requests
P1 P2 P3 0 0 0 0 1 1 1 0 1 1 1 0 Multi-valued Requests considering three attribute values
Combinatorial tests (t = 2)
Multi-valued Requests
[1] OASIS eXtensible Access Control Markup Language (XACML). http://www.oasisopen.org/committees/xacml/2008. [2] Y. Lei, R. Kacker, D. R. Kuhn, V. Okun, and J. Lawrence, "IPOG: A General Strategy for T-Way Software Testing," in the Proc. of the 14th Annual IEEE Intl. Conf. and Workshops on the Engineering of Computer-Based Systems, 2007, pp. 549556.
