Access Control Enforcement Testing

El Kateb, Donia; Elrakaiby, Yehia; Mouelhi, Tejeddine; Le Traon, Yves

Reference : Access Control Enforcement Testing


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/15844

Title :	Access Control Enforcement Testing
Language :	English
Author, co-author :	El Kateb, Donia [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > > ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
	Elrakaiby, Yehia [> >]
	Mouelhi, Tejeddine [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Le Traon, Yves [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Publication date :	May-2012
Main document title :	8th International Workshop on Automation of Software Test (AST), 2013
Pages :	64-70
Peer reviewed :	Yes
On invitation :	No
Audience :	International
Event name :	8th International Workshop on Automation of Software Test (AST), 2013
Event date :	from 18-05-2013 to 19-05-2013
Event place (city) :	San Francisco
Event country :	USA
Keywords :	[en] authorisation ; program diagnostics ; program testing
Abstract :	[en] A policy-based access control architecture com- prises Policy Enforcement Points (PEPs), which are modules that intercept subjects access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two folded approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.
Permalink :	http://hdl.handle.net/10993/15844

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Open access	ast-2013-localisation-pep-final.pdf		Publisher postprint	772.05 kB	View/Open

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices