Access control enforcement testing

2013 8th International Workshop on Automation of Software Test (AST) Pub Date : 2013-05-18 DOI:10.1109/IWAST.2013.6595793

Donia El Kateb, Yehia Elrakaiby, T. Mouelhi, Yves Le Traon

{"title":"Access control enforcement testing","authors":"Donia El Kateb, Yehia Elrakaiby, T. Mouelhi, Yves Le Traon","doi":"10.1109/IWAST.2013.6595793","DOIUrl":null,"url":null,"abstract":"A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two folded approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.","PeriodicalId":291838,"journal":{"name":"2013 8th International Workshop on Automation of Software Test (AST)","volume":"45 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-05-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 8th International Workshop on Automation of Software Test (AST)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IWAST.2013.6595793","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two folded approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.

查看原文本刊更多论文

访问控制执行测试

基于策略的访问控制体系结构包括策略实施点(pep)， pep是拦截主体访问请求并执行策略决策点(PDP)达成的访问决策的模块，PDP是实现访问决策逻辑的模块。在应用程序中，pep通常是手动实现的，这可能会在策略实施中引入错误并导致安全漏洞。在本文中，我们提出了一种在给定目标应用程序中系统地测试和验证访问控制策略的正确实施的方法。更具体地说，我们依赖于一种双重方法，首先对目标应用程序进行静态分析，以确定可以由策略管理的敏感访问。然后使用突变对应用程序进行动态分析，以验证每个敏感访问是否正确执行了策略。应用程序的动态分析还提供PEP的确切位置，以便修复分析检测到的强制执行错误。该方法已通过一个实现访问控制策略的案例研究得到验证。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2013 8th International Workshop on Automation of Software Test (AST)

自引率

0.00%

发文量