Yongchao Li,You Li,Linzhang Wang,Guanling Chen

2014-01-01

Abstract:XACML has become increasingly popular for specifying access control policies in mission critical domains to protect sensitive resources. However, manually crafted XACML policies may contain errors which can only be identified with manual policies review. Recent progress in policy testing still requires tedious and inefficient manual efforts to compose access requests. In this paper, we propose an automatic XACML requests generation for testing access control policies by employing symbolic execution techniques. Firstly, the access control policy under test is converted into semantically equivalent C Code Representation (CCR). Secondly, the CCR is symbolically executed to generate test inputs. Finally, the test inputs are used to compose access control requests, which can be automatically evaluated with existing tools. We also implemented a prototype tool called XPTester (Xacml Policy Tester) and conducted extensive experiments upon real-world policies to demonstrate the scalability, efficiency and effectiveness. Keywords—Access control policy; XACML; test generation; symbolic execution

Evan Martin,Tao Xie

2006-01-01

Abstract:To facilitate managing access control in a system, access control policies are increasingly written in specification languages such as XACML. A dedicated software component called a Policy Decision Point (PDP) interprets the specified policies, receives access requests, and returns responses to inform whether access should be permitted or denied. To increase confidence in the correctness of specified policies, policy developers can conduct policy testing by supplying typical test inputs (requests) to the PDP and subsequently checking test outputs (responses) against expected ones. Unfortunately, manual testing is tedious and few tools exist for automated testing of XACML policies.In this paper, we present our work toward a framework for systematic testing of access control policies. The framework includes components for policy coverage definition and measurement, request generation, request evaluation, request set minimization, policy property inference, and mutation testing. This framework allows us to evaluate various criteria for test generation and selection, investigate mutation operators, and determine a relationship between structural coverage and fault-detection capability. We have implemented the framework and applied it to various XACML policies. Our experimental results offer valuable insights into choosing mutation operators in mutation testing and choosing coverage criteria in test generation and selection.

Evan Martin,Tao Xie,Ting Yu

DOI: https://doi.org/10.1007/11935308_11

2006-01-01

Abstract:To facilitate managing access control in a system, security officers increasingly write access control policies in specification languages such as XACML, and use a dedicated software component called a Policy Decision Point (PDP). To increase confidence on written policies, certain types of policy testing (often in an ad hoc way) are usually conducted, which probe the PDP with some typical requests and check PDP's responses against expected ones. This paper develops a first step toward systematic policy testing by defining and measuring policy coverage when testing policies. We have developed a coverage-measurement tool to measure policy coverage given a set of XACML policies and a set of requests. We have developed a tool for request generation, which randomly generates requests for a given set of policies, and a tool for request reduction, which greedily selects a nearly minimal set of requests for achieving the same coverage as the originally generated requests. To evaluate coverage-based request reduction and its effect on fault detection, we have conducted an experiment with mutation testing on a set of real policies. Our experimental results show that the coverage-based test reduction can substantially reduce the size of generated requests and incur only relatively low loss on fault detection. We also conduct a study on the policy coverage achieved by manually generated requests.

Ting Yu,Dhivya Sivasubramanian,Tao Xie

DOI: https://doi.org/10.1145/1558607.1558623

2009-01-01

Abstract:Access control is one of the fundamental security mechanisms for information systems. It determines the availability of resources to principals, operations that can be performed, and under what circumstances. Traditionally the enforcement of access control is often hardcoded in applications or systems; such hardcoding makes it hard to verify the correctness of access control and to accommodate changes of security requirements. Recently, access control policies have been increasingly separated from enforcement mechanisms. An access control policy is explicitly specified using certain policy languages with well-defined syntax and semantics. An application then consults the policy during runtime to determine whether an access request from a principal should be allowed or denied. There are two main advantages of this approach. First, security officers can now perform systematic and formal security analysis on access control policies. Second, by separating policies from enforcement mechanisms, it is possible to change policies without affecting the underlying mechanisms, and vice versa.

Evan Martin,Tao Xie

DOI: https://doi.org/10.1145/1242572.1242663

2007-01-01

Abstract:To increase confidence in the correctness of specified policies, policy developers can conduct policy testing by supplying typical test inputs (requests) and subsequently checking test outputs (responses) against expected ones. Unfortunately, manual testing is tedious and few tools exist for automated testing of access control policies. We present a fault model for access control policies and a framework to explore it. The framework includes mutation operators used to implement the fault model, mutant generation, equivalent-mutant detection, and mutant-killing determination. This framework allows us to investigate our fault model, evaluate coverage criteria for test generation and selection, and determine a relationship between structural coverage and fault-detection effectiveness. We have implemented the framework and applied it to various policies written in XACML. Our experimental results offer valuable insights into choosing mutation operators in mutation testing and choosing coverage criteria in test generation and selection.

JeeHyun Hwang,Evan Martin,Tao Xie,Vincent C Hu

2010-01-01

Abstract:As software systems become more and more complex, and are deployed to manage a large amount of sensitive information and resources, specifying and managing correct access control policies is critical and yet challenging. Policy testing is an important means to increasing confidence in the correctness of specified policies and their implementations for access control. There are two types of policy testing. In the first type, the artifacts under test are policy specifications and the main testing goal is to assure the correctness of the policy specifications. In the second type, the artifacts under test are policy implementations and the main testing goal is to assure the conformance between the policy specifications and implementations. Both types of policy testing supply typical test inputs (requests) to the artifacts under test and subsequently check test outputs (responses) against expected ones. This article presents recent approaches on policy testing in five main categories: fault models, testing criteria, test generation, test oracles, and model-based testing.

Francesca Lonetti,Eda Marchetti

DOI: https://doi.org/10.1049/iet-sen.2017.0351

2018-09-08

Abstract:Currently, eXtensible Access Control Markup Language (XACML) has becoming the standard for implementing access control policies and consequently more attention is dedicated to testing the correctness of XACML policies. In particular, coverage measures can be adopted for assessing test strategy effectiveness in exercising the policy elements. This study introduces a set of XACML coverage criteria and describes the access control infrastructure, based on a monitor engine, enabling the coverage criterion selection and the on-line tracing of the testing activity. Examples of infrastructure usage and of assessment of different test strategies are provided.

Software Engineering

Sakuna Harinda Jayasundara,Nalin Asanka Gamagedara Arachchilage,Giovanni Russello

2024-09-13

Abstract:Manually generating access control policies from an organization's high-level requirement specifications poses significant challenges. It requires laborious efforts to sift through multiple documents containing such specifications and translate their access requirements into access control policies. Also, the complexities and ambiguities of these specifications often result in errors by system administrators during the translation process, leading to data breaches. However, the automated policy generation frameworks designed to help administrators in this process are unreliable due to limitations, such as the lack of domain adaptation. Therefore, to improve the reliability of access control policy generation, we propose RAGent, a novel retrieval-based access control policy generation framework based on language models. RAGent identifies access requirements from high-level requirement specifications with an average state-of-the-art F1 score of 87.9%. Through retrieval augmented generation, RAGent then translates the identified access requirements into access control policies with an F1 score of 77.9%. Unlike existing frameworks, RAGent generates policies with complex components like purposes and conditions, in addition to subjects, actions, and resources. Moreover, RAGent automatically verifies the generated policies and iteratively refines them through a novel verification-refinement mechanism, further improving the reliability of the process by 3%, reaching the F1 score of 80.6%. We also introduce three annotated datasets for developing access control policy generation frameworks in the future, addressing the data scarcity of the domain.

Cryptography and Security,Artificial Intelligence

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1109/POLICY.2010.22

2010-01-01

Abstract:Access control mechanisms are a widely adopted technology for information security. Since access decisions (i.e., permit or deny) on requests are dependent on access control policies, ensuring the correct modeling and implementation of access control policies is crucial for adopting access control mechanisms. To address this issue, we develop a tool, called ACPT (Access Control Policy Testing), that helps to model and implement policies correctly during policy modeling, implementation, and verification.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1007/978-3-642-02617-1_8

2009-01-01

Abstract:To provide a selective regression test method for the access control systems which employ role based access control (RBAC) policy. Access control regression test is always tedious and error-prone for financial systems involving complicated constraints, like separation of duty and cardinality constraints. We give the formal definition of RBAC policy change then we propose a test selection framework via policy change and change propagation analysis. Our method provides the confidence that it's only necessary to exercise the selected test cases to guarantee the access control of the system is not broken for the new release. We also describe SACRT, an access control regression test tool which realizes our framework. According to our practical application experience in the realistic financial systems, SACRT demonstrates the effectiveness in reducing the size of the access control regression test suite.

Vincent C. Hu,Evan Martin,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1109/compsac.2007.96

2007-01-01

Abstract:Access control is one of the most fundamental and widely used security mechanisms. Access control mechanisms control which principals such as users or processes have access to which resources in a system. To facilitate managing and maintaining access control, access control policies are increasingly written in specification languages such as XACML. The specification of access control policies itself is often a challenging problem. Furthermore, XACML is intentionally designed to be generic: it provides the freedom in describing access control policies, which are well-known or invented ones. But the flexibility and expressiveness provided by XACML come at the cost of complexity, verbosity, and lack of desirable-property enforcement. Often common properties for specific access control policies may not be satisfied when these policies are specified in XACML, causing the discrepancy between what the policy authors intend to specify and what the actually specified XACML policies reflect. In this position paper, we propose an approach for conducting conformance checking of access control policies specified in XACML based on existing verification and testing tools for XACML policies.

Weichao Xu,Huaxin Pei,Jingxuan Yang,Yuchen Shi,Yi Zhang

2024-12-10

Abstract:Recent years have witnessed surprising achievements of decision-making policies across various fields, such as autonomous driving and robotics. Testing for decision-making policies is crucial with the existence of critical scenarios that may threaten their reliability. Numerous research efforts have been dedicated to testing these policies. However, there are still significant challenges, such as low testing efficiency and diversity due to the complexity of the policies and environments under test. Inspired by the remarkable capabilities of large language models (LLMs), in this paper, we propose an LLM-driven online testing framework for efficiently testing decision-making policies. The main idea is to employ an LLM-based test scenario generator to intelligently generate challenging test cases through contemplation and reasoning. Specifically, we first design a "generate-test-feedback" pipeline and apply templated prompt engineering to fully leverage the knowledge and reasoning abilities of LLMs. Then, we introduce a multi-scale scenario generation strategy to address the inherent challenges LLMs face in making fine adjustments, further enhancing testing efficiency. Finally, we evaluate the LLM-driven approach on five widely used benchmarks. The experimental results demonstrate that our method significantly outperforms baseline approaches in uncovering both critical and diverse scenarios.

Machine Learning

Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

Evan Martin,Tao Xie

DOI: https://doi.org/10.1109/POLICY.2006.19

2006-01-01

Abstract:To ease the burden of implementing and maintaining access-control aspects in a system, a growing trend among developers is to write access-control policies in a specification language such as XACML and integrate the policies with applications through the use of a Policy Decision Point (PDP). To assure that the specified polices reflect the expected ones, recent research has developed policy verification tools; however, their applications in practice are still limited, being constrained by the limited set of supported policy language features and the unavailability of policy properties. This paper presents a data-mining approach to the problem of verifying that expressed access-control policies reflect the true desires of the policy author. We developed a tool to investigate this approach by automatically generating requests, evaluating those requests to get responses, and applying machine learning on the requestresponse pairs to infer policy properties. These inferred properties facilitate the inspection of the policy behavior. We applied our tool on an access-control policy of a central grades repository system for a university. Our results show that machine learning algorithms can provide valuable insight into basic policy properties and help identify specific bug-exposing requests.

Dianxiang Xu,Weifeng Xu,Michael Kent,Lijo Thomas,Linzhang Wang

DOI: https://doi.org/10.1109/tr.2014.2354172

IF: 5.883

2014-01-01

IEEE Transactions on Reliability

Abstract:The world's increased dependence on software-enabled systems has raised major concerns about software reliability and security. New cost-effective tools for software quality assurance are needed. This paper presents an automated test generation technique, called Model-based Integration and System Test Automation (MISTA), for integrated functional and security testing of software systems. Given a Model-Implementation Description (MID) specification, MISTA generates test code that can be executed immediately with the implementation under test. The MID specification uses a high-level Petri net to capture both control- and data-related requirements for functional testing, access control testing, or penetration testing with threat models. After generating test cases from the test model according to a given criterion, MISTA converts the test cases into executable test code by mapping model-level elements into implementation-level constructs. MISTA has implemented test generators for various test coverage criteria of test models, code generators for various programming and scripting languages, and test execution environments such as Java, C, C++, C#, HTML-Selenium IDE, and Robot Framework. MISTA has been applied to the functional and security testing of various real-world software systems. Our experiments have demonstrated that MISTA can be highly effective in fault detection.

Michele Barletta,Silvio Ranise,Luca Viganò

DOI: https://doi.org/10.48550/arXiv.1206.3180

2012-06-14

Logic in Computer Science

Abstract:The advance of web services technologies promises to have far-reaching effects on the Internet and enterprise networks allowing for greater accessibility of data. The security challenges presented by the web services approach are formidable. In particular, access control solutions should be revised to address new challenges, such as the need of using certificates for the identification of users and their attributes, human intervention in the creation or selection of the certificates, and (chains of) certificates for trust management. With all these features, it is not surprising that analyzing policies to guarantee that a sensitive resource can be accessed only by authorized users becomes very difficult. In this paper, we present an automated technique to analyze scenario-based specifications of access control policies in open and distributed systems. We illustrate our ideas on a case study arising in the e-government area.

Shreyas Ramakrishna,Charles Hartsell,Abhishek Dubey,Partha Pal,Gabor Karsai

DOI: https://doi.org/10.48550/arXiv.2003.05388

2020-03-12

Abstract:Safety Case has become an integral component for safety-certification in various Cyber Physical System domains including automotive, aviation, medical devices, and military. The certification processes for these systems are stringent and require robust safety assurance arguments and substantial evidence backing. Despite the strict requirements, current practices still rely on manual methods that are brittle, do not have a systematic approach or thorough consideration of sound arguments. In addition, stringent certification requirements and ever-increasing system complexity make ad-hoc, manual assurance case generation (ACG) inefficient, time consuming, and expensive. To improve the current state of practice, we introduce a structured ACG tool which uses system design artifacts, accumulated evidence, and developer expertise to construct a safety case and evaluate it in an automated manner. We also illustrate the applicability of the ACG tool on a remote-control car testbed case study.

Robotics,Software Engineering

Rahul Pandita,Tao Xie,Nikolai Tillmann,Jonathan de Halleux

DOI: https://doi.org/10.1109/ICSM.2010.5609565

2010-01-01

Abstract:Test coverage criteria including boundary-value and logical coverage such as Modified Condition/Decision Coverage (MC/DC) have been increasingly used in safety-critical or mission-critical domains, complementing those more popularly used structural coverage criteria such as block or branch coverage. However, existing automated test-generation approaches often target at block or branch coverage for test generation and selection, and therefore do not support testing against boundary-value coverage or logical coverage. To address this issue, we propose a general approach that uses instrumentation to guide existing test-generation approaches to generate test inputs that achieve boundary-value and logical coverage for the program under test. Our preliminary evaluation shows that our approach effectively helps an approach based on Dynamic Symbolic Execution (DSE) to improve boundary-value and logical coverage of generated test inputs. The evaluation results show 30.5% maximum (23% average) increase in boundary-value coverage and 26% maximum (21.5% average) increase in logical coverage of the subject programs under test using our approach over without using our approach. In addition, our approach improves the fault-detection capability of generated test inputs by 12.5% maximum (11% average) compared to the test inputs generated without using our approach.

Nuo Li,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/1390832.1390837

2008-01-01

Abstract:ABSTRACTMany Web applications enhance their security via access-control systems. XACML is a standardized policy language, which has been widely used in access-control systems. In an XACML-based access-control system, policies, requests, and responses are written in XACML. An XACML implementation implements XACML functionalities to validate XACML requests against XACML policies. To ensure the quality of an XACML-based access-control system, we need an effective means to test whether the XACML implementation correctly implements XACML functionalities. The test inputs of an XACML implementation are XACML policies and requests. The test outputs are XACML responses. This paper proposes an approach to detect defects in XACML implementations via observing the behaviors of different XACML implementations for the same test inputs. As XACML has been widely used, we can collect different XACML implementations, and test them with the same XACML polices and requests to observe whether the different implementations produce different responses. Based on the analysis of different responses, we can detect defects in different XACML implementations. We show the feasibility of the proposed approach with a preliminary study on three XACML implementations.

Xin Li,Hua Vy Le Thanh

DOI: https://doi.org/10.48550/arXiv.1307.2964

2013-10-13

Abstract:The stack-based access control mechanism plays a fundamental role in the security architecture of Java and Microsoft CLR (common language runtime). It is enforced at runtime by inspecting methods in the current call stack for granted permissions before the program performs safety-critical operations. Although stack inspection is well studied, there is relatively little work on automated generation of access control policies, and most existing work on inferring security policies assume the permissions to be checked at stack inspection points are known beforehand. Practiced approaches to generating access control policies are still manually done by developers based on domain-specific knowledges and trial-and-error testing. In this paper, we present a systematic approach to automated generation of access control policies for Java programs that necessarily ensure the program to pass stack inspection. The techniques are abstract interpretation based context-sensitive static program analyses. Our analysis models the program by combining a context-sensitive call graph with a dependency graph. We are hereby able to precisely identify permission requirements at stack inspection points, which are usually ignored in previous study.

Cryptography and Security,Programming Languages