Reference : Access Control Enforcement Testing
Scientific congresses, symposiums and conference proceedings : Paper published in a journal
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/26529
Title: Access Control Enforcement Testing
Authors: El Kateb, Donia [Univ Luxembourg, Interdisciplinary Res Ctr, SnT, Luxembourg, Luxembourg.]; ElRakaiby, Yehia [Univ Luxembourg, Interdisciplinary Res Ctr, SnT, Luxembourg, Luxembourg.]; Mouelhi, Tejeddine [Univ Luxembourg, Interdisciplinary Res Ctr, SnT, Luxembourg, Luxembourg.]; Le Traon, Yves [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
Year: 2013
Published in: 2013 8th International Workshop on Automation of Software Test (AST)
Publisher: IEEE, New York
Pages: 64-70
Peer reviewed: Yes
Event: 8th International Workshop on Automation of Software Test (AST), May 18-19, 2013, San Francisco, CA
Keywords: [en] Access Control Policies; PEP; PDP; Security Test Cases
Abstract: [en] A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects' access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two-fold approach in which a static analysis of the target application is first performed to identify the sensitive accesses that could be regulated by the policy. A dynamic analysis of the application is then conducted using mutation to verify, for every sensitive access, whether the policy is correctly enforced. The dynamic analysis also gives the exact location of the PEP, enabling enforcement errors detected by the analysis to be fixed. The approach has been validated using a case study implementing an access control policy.
ISBN: 978-1-4673-6161-3

Fulltext file(s): access control.pdf (Publisher postprint, 782.96 kB, Open access)