Access control; Model-based testing; Mutation analysis; Petri nets; Software testing
Résumé :
[en] Access control policies in software systems can be implemented incorrectly for various reasons. This paper presents a model-based approach for automated testing of access control implementation. To feed the model-based testing process, test models are constructed by integrating declarative access control rules and contracts (preconditions and post-conditions) of the associated activities. The access control tests are generated from the test models to exercise the interactions of access control activities. Test executability is obtained through a mapping of the modeling elements to implementation constructs. The approach has been implemented in an industry-adopted test automation framework that supports the generation of test code in a variety of languages, such as Java, C, C++, C#, and HTML/Selenium IDE. The full model-based testing process has been applied to two systems implemented in Java. The effectiveness is evaluated in terms of access-control fault detection rate using mutation analysis of access control implementation. The experiments show that the model-based tests killed 99.7% of the mutants and the remaining mutants caused no policy violations.
Disciplines :
Sciences informatiques
Identifiants :
UNILU:UL-CONFERENCE-2012-121
Auteur, co-auteur :
Xu, Dianxiang; National Center for the Protection of the Financial Infrastructure, Dakota State University Madison, USA
THOMAS, Lijo ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Kent, Michael
MOUELHI, Tejeddine ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
LE TRAON, Yves ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Co-auteurs externes :
yes
Langue du document :
Anglais
Titre :
A Model-Based Approach to Automated Testing of Access Control Policies
Date de publication/diffusion :
2012
Nom de la manifestation :
17th ACM Symposium on Access Control Models and Technologies (SACMAT 2012)
Lieu de la manifestation :
Newark, Etats-Unis - New Jersey
Date de la manifestation :
20-22 June 2012
Manifestation à portée :
International
Titre du périodique :
Proceedings of the 17th ACM Symposium on Access Control Models and Technologies