Available on ORBilu since
03 March 2016
Article (Scientific journals)
Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets
Xu, Dianxiang; Kent, Michael; Thomas, Lijo et al.
2015In IEEE Transactions on Computers, 64 (9), p. 2490-2505
Peer reviewed


Full Text
Automated Model-Based Testing.pdf
Publisher postprint (1.07 MB)

All documents in ORBilu are protected by a user license.

Send to


Keywords :
Access controls; security and privacy protection; testing tools; test design
Abstract :
[en] Role-based access control is an important access control method for securing computer systems. A role-based access control policy can be implemented incorrectly due to various reasons, such as programming errors. Defects in the implementation may lead to unauthorized access and security breaches. To reveal access control defects, this paper presents a model-based approach to automated generation of executable access control tests using predicate/transition nets. Role-permission test models are built by integrating declarative access control rules with functional test models or contracts (preconditions and postconditions) of the associated activities (the system functions). The access control tests are generated automatically from the test models to exercise the interactions of access control activities. They are transformed into executable code through a model-implementation mapping that maps the modeling elements to implementation constructs. The approach has been implemented in an industry-adopted test automation framework that supports the generation of test code in a variety of languages. The full model-based testing process has been applied to three systems implemented in Java. The effectiveness is evaluated through mutation analysis of role-based access control rules. The experiments show that the model-based approach is highly effective in detecting the seeded access control defects.
Disciplines :
Electrical & electronics engineering
Computer science
Author, co-author :
Xu, Dianxiang;  Boise State Univ, Dept Comp Sci, Boise, ID 83725 USA.
Kent, Michael;  SDN Commun, Sioux Falls, SD 57104 USA.
Thomas, Lijo;  Cognizant Technol Solut, Teaneck, NJ 07666 USA.
Mouelhi, Tejeddine;  Itrust Consulting, Luxembourg, Luxembourg.
Le Traon, Yves ;  University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
External co-authors :
Language :
Title :
Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets
Publication date :
Journal title :
IEEE Transactions on Computers
Publisher :
Ieee Computer Soc, Los Alamitos, Unknown/unspecified
Volume :
Issue :
Pages :
Peer reviewed :
Peer reviewed
Funders :
US National Science Foundation (NSF) [CNS 1004843, CNS 1123220, CNS 1359590]
Commentary :
This work was supported in part by the US National Science Foundation (NSF) under grants CNS 1004843, CNS 1123220, and CNS 1359590. Dianxiang Xu is the corresponding author.


Number of views
136 (18 by Unilu)
Number of downloads
437 (8 by Unilu)

Scopus citations®
Scopus citations®
without self-citations
WoS citations


Similar publications

Contact ORBilu