Similarity testing for access control
Bertolino A; Daoudagh S; Lonetti F; Marchetti E
2015
Abstract
Context: Access control is among the most important security mechanisms, and XACML is the de facto standard for specifying, storing and deploying access control policies. Since it is critical that enforced policies are correct, policy testing must be performed in an effective way to identify potential security flaws and bugs. In practice, exhaustive testing is impossible due to budget constraints. Therefore the tests need to be prioritized so that resources are focused on their most relevant subset. Objective: This paper tackles the issue of access control test prioritization. It proposes a new approach for access control test prioritization that relies on similarity. Method: The approach has been applied to several policies and the results have been compared to random prioritization (as a baseline). To assess the different prioritization criteria, we use mutation analysis and compute the mutation scores reached by each criterion. This helps to assess the rate of fault detection. Results: The empirical results indicate that our proposed approach is effective and its rate of fault detection is higher than that of random prioritization. Conclusion: We conclude that prioritization of access control test cases can be usefully based on similarity criteria.

Files

| File | Access | Description | Type | License | Size | Format |
|---|---|---|---|---|---|---|
| prod_354112-doc_165152.pdf | Open access | Similarity testing for access control | Post-print document | No license declared (not applicable to products after 2023) | 572.55 kB | Adobe PDF |
| prod_354112-doc_114643.pdf | Authorised users only | Similarity testing for access control | Publisher's version (PDF) | NOT PUBLIC - private/restricted access | 2.62 MB | Adobe PDF |
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.