Reference : Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets
Scientific journals : Article
Engineering, computing & technology : Computer science
Engineering, computing & technology : Electrical & electronics engineering
Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets
Xu, Dianxiang [Boise State Univ, Dept Comp Sci, Boise, ID 83725 USA.]
Kent, Michael [SDN Commun, Sioux Falls, SD 57104 USA.]
Thomas, Lijo [Cognizant Technol Solut, Teaneck, NJ 07666 USA.]
Mouelhi, Tejeddine [Itrust Consulting, Luxembourg, Luxembourg.]
Le Traon, Yves mailto [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
IEEE Transactions on Computers
Ieee Computer Soc
Yes (verified by ORBilu)
Los Alamitos
[en] Access controls ; security and privacy protection ; testing tools ; test design
[en] Role-based access control is an important access control method for securing computer systems. A role-based access control policy can be implemented incorrectly due to various reasons, such as programming errors. Defects in the implementation may lead to unauthorized access and security breaches. To reveal access control defects, this paper presents a model-based approach to automated generation of executable access control tests using predicate/transition nets. Role-permission test models are built by integrating declarative access control rules with functional test models or contracts (preconditions and postconditions) of the associated activities (the system functions). The access control tests are generated automatically from the test models to exercise the interactions of access control activities. They are transformed into executable code through a model-implementation mapping that maps the modeling elements to implementation constructs. The approach has been implemented in an industry-adopted test automation framework that supports the generation of test code in a variety of languages. The full model-based testing process has been applied to three systems implemented in Java. The effectiveness is evaluated through mutation analysis of role-based access control rules. The experiments show that the model-based approach is highly effective in detecting the seeded access control defects.
US National Science Foundation (NSF) [CNS 1004843, CNS 1123220, CNS 1359590]
This work was supported in part by the US National Science Foundation (NSF) under grants CNS 1004843, CNS 1123220, and CNS 1359590. Dianxiang Xu is the corresponding author.

File(s) associated to this reference

Fulltext file(s):

Open access
Automated Model-Based Testing.pdfPublisher postprint1.05 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.