Towards a full support of obligations in XACML

in Lecture Notes in Computer Science (2015), 8924

Policy-based systems rely on the separation of concerns, by implementing independently a software system and its associated security policy. XACML (eXtensible Access Control Markup Language) proposes a ... [more ▼]

Policy-based systems rely on the separation of concerns, by implementing independently a software system and its associated security policy. XACML (eXtensible Access Control Markup Language) proposes a conceptual architecture and a policy language to reflect this ideal design of policy-based systems.However, while rights are well-captured by authorizations, duties, also called obligations, are not well managed by XACML architecture. The current version of XACML lacks (1) well-defined syntax to express obligations and (2) an unified model to handle decision making w.r.t. obligation states and the history of obligations fulfillment/ violation. In this work, we propose an extension of XACML reference model that integrates obligation states in the decision making process.We have extended XACML language and architecture for a better obligations support and have shown how obligations are managed in our proposed extended XACML architecture: OB-XACML. © Springer International Publishing Switzerland 2015. [less ▲]

Testing Delegation Policy Enforcement via Mutation Analysis

in 7th International Workshop on Mutation Analysis (2013, March)

Delegation is an important dimension of security that plays a crucial role in the administration mechanism of access control policies. Delegation may be viewed as an exception made to an access control ... [more ▼]

Delegation is an important dimension of security that plays a crucial role in the administration mechanism of access control policies. Delegation may be viewed as an exception made to an access control policy in which a user gets right to act on behalf of other users. This meta-level characteristic together with the complexity of delegation itself make it crucial to ensure the correct enforcement and management of delegation policy in a system via testing. To this end, we adopt mutation analysis for delegation policies. In order to achieve this, a set of mutant operators specially designed for introducing mutants into the key components (features) of delegation is proposed. Our approach consists of analyzing the representation of the key components of delegation, based on which we derive the suggested set of mutant operators. These operators can then be used to introduce mutants into delegation policies and thus, enable mutation testing. A demonstration of the proposed approach on a model-driven adaptive delegation implementation of a library management system is also provided. [less ▲]