Evan Martin,Tao Xie

2006-01-01

Abstract:To facilitate managing access control in a system, access control policies are increasingly written in specification languages such as XACML. A dedicated software component called a Policy Decision Point (PDP) interprets the specified policies, receives access requests, and returns responses to inform whether access should be permitted or denied. To increase confidence in the correctness of specified policies, policy developers can conduct policy testing by supplying typical test inputs (requests) to the PDP and subsequently checking test outputs (responses) against expected ones. Unfortunately, manual testing is tedious and few tools exist for automated testing of XACML policies.In this paper, we present our work toward a framework for systematic testing of access control policies. The framework includes components for policy coverage definition and measurement, request generation, request evaluation, request set minimization, policy property inference, and mutation testing. This framework allows us to evaluate various criteria for test generation and selection, investigate mutation operators, and determine a relationship between structural coverage and fault-detection capability. We have implemented the framework and applied it to various XACML policies. Our experimental results offer valuable insights into choosing mutation operators in mutation testing and choosing coverage criteria in test generation and selection.

Evan Martin,Tao Xie

DOI: https://doi.org/10.1109/sess.2007.5

2007-01-01

Abstract:Access control policies are increasingly written in specification languages such as XACML. To increase confidence in the correctness of specified policies, policy developers can conduct policy testing with some typical test inputs (in the form of requests) and check test outputs (in the form of responses) against expected ones. Unfortunately, manual test generation is tedious and manually generated tests are often not sufficient to exercise various policy behaviors. In this paper we present a novel framework and its supporting tool called Cirg that generates tests based on change- impact analysis. Our experimental results show that Cirg can effectively generate tests to achieve high structural coverage of policies and outperforms random test generation in terms of structural coverage and fault-detection capability.

Evan Martin,Tao Xie,Ting Yu

DOI: https://doi.org/10.1007/11935308_11

2006-01-01

Abstract:To facilitate managing access control in a system, security officers increasingly write access control policies in specification languages such as XACML, and use a dedicated software component called a Policy Decision Point (PDP). To increase confidence on written policies, certain types of policy testing (often in an ad hoc way) are usually conducted, which probe the PDP with some typical requests and check PDP's responses against expected ones. This paper develops a first step toward systematic policy testing by defining and measuring policy coverage when testing policies. We have developed a coverage-measurement tool to measure policy coverage given a set of XACML policies and a set of requests. We have developed a tool for request generation, which randomly generates requests for a given set of policies, and a tool for request reduction, which greedily selects a nearly minimal set of requests for achieving the same coverage as the originally generated requests. To evaluate coverage-based request reduction and its effect on fault detection, we have conducted an experiment with mutation testing on a set of real policies. Our experimental results show that the coverage-based test reduction can substantially reduce the size of generated requests and incur only relatively low loss on fault detection. We also conduct a study on the policy coverage achieved by manually generated requests.

Nuo Li,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/1390832.1390837

2008-01-01

Abstract:ABSTRACTMany Web applications enhance their security via access-control systems. XACML is a standardized policy language, which has been widely used in access-control systems. In an XACML-based access-control system, policies, requests, and responses are written in XACML. An XACML implementation implements XACML functionalities to validate XACML requests against XACML policies. To ensure the quality of an XACML-based access-control system, we need an effective means to test whether the XACML implementation correctly implements XACML functionalities. The test inputs of an XACML implementation are XACML policies and requests. The test outputs are XACML responses. This paper proposes an approach to detect defects in XACML implementations via observing the behaviors of different XACML implementations for the same test inputs. As XACML has been widely used, we can collect different XACML implementations, and test them with the same XACML polices and requests to observe whether the different implementations produce different responses. Based on the analysis of different responses, we can detect defects in different XACML implementations. We show the feasibility of the proposed approach with a preliminary study on three XACML implementations.

Alex X. Liu,Fei Chen,Hwang, JeeHyun,Tao Xie

DOI: https://doi.org/10.1109/TC.2010.274

IF: 3.183

2011-01-01

IEEE Transactions on Computers

Abstract:Most prior research on policies has focused on correctness. While correctness is an important issue, the adoption of policy-based computing may be limited if the resulting systems are not implemented efficiently and thus perform poorly. To increase the effectiveness and adoption of policy-based computing, in this paper, we propose fast policy evaluation algorithms that can be adapted to support various policy languages. In this paper, we focus on XACML policy evaluation because XACML has become the de facto standard for specifying access control policies, has been widely used on web servers, and is most complex among existing policy languages. We implemented our algorithms in a policy evaluation system called XEngine and conducted side-by-side comparison with Sun Policy Decision Point (PDP), the industrial standard for XACML policy evaluation. The results show that XEngine is orders of magnitude faster than Sun PDP. The performance difference grows almost linearly with the number of rules in an XACML policy. To our best knowledge, there is no prior work on improving XACML policy evaluation performance. This paper represents the first step in exploring this unknown space.

Vincent C. Hu,Evan Martin,JeeHyun Hwang,Tao Xie

DOI: https://doi.org/10.1109/compsac.2007.96

2007-01-01

Abstract:Access control is one of the most fundamental and widely used security mechanisms. Access control mechanisms control which principals such as users or processes have access to which resources in a system. To facilitate managing and maintaining access control, access control policies are increasingly written in specification languages such as XACML. The specification of access control policies itself is often a challenging problem. Furthermore, XACML is intentionally designed to be generic: it provides the freedom in describing access control policies, which are well-known or invented ones. But the flexibility and expressiveness provided by XACML come at the cost of complexity, verbosity, and lack of desirable-property enforcement. Often common properties for specific access control policies may not be satisfied when these policies are specified in XACML, causing the discrepancy between what the policy authors intend to specify and what the actually specified XACML policies reflect. In this position paper, we propose an approach for conducting conformance checking of access control policies specified in XACML based on existing verification and testing tools for XACML policies.

Alex X. Liu,Fei Chen,Jeehyun Hwang,Tao Xie

DOI: https://doi.org/10.1145/1384529.1375488

2008-01-01

Abstract:XACML has, become the de facto standard for specifying access control policies for various applications, especially web services. With the explosive growth of web applications deployed on the Internet, XACML policies grow rapidly in size and complexity. which leads to longer request processing time. This paper concerns the performance of request processing, which is a critical issue and so far has been overlooked by the research community. In this paper, we propose XEngine, a scheme for efficient, XACML policy evaluation. XEngine first, converts a textual XACML policy to a numerical policy. Second, it; converts a numerical policy with complex structures to a numerical policy with a normalized structure. Third, it converts the normalized numerical policy to tree data structures for efficient processing of requests. To evaluate the, performance of XEngine, we conducted extensive experiments on both real-life and synthetic XACML policies. The experimental results show that XEngine is orders of magnitude more efficient than Sun PDP, and the performance difference between XEngine and Sun PDP grows almost linearly with the number of rules in XACML policies. For XACML policies of small sizes (with hundreds of rules), XEngine is one to two orders of magnitude faster than the widely deployed Sun PDP. For XACML policies of large sizes (with thousands of rules), XEngine is three to four orders of magnitude faster than Sun PDP.

Francesca Lonetti,Eda Marchetti

DOI: https://doi.org/10.1049/iet-sen.2017.0351

2018-09-08

Abstract:Currently, eXtensible Access Control Markup Language (XACML) has becoming the standard for implementing access control policies and consequently more attention is dedicated to testing the correctness of XACML policies. In particular, coverage measures can be adopted for assessing test strategy effectiveness in exercising the policy elements. This study introduces a set of XACML coverage criteria and describes the access control infrastructure, based on a monitor engine, enabling the coverage criterion selection and the on-line tracing of the testing activity. Examples of infrastructure usage and of assessment of different test strategies are provided.

Software Engineering

Evan Martin,Tao Xie

DOI: https://doi.org/10.1145/1242572.1242663

2007-01-01

Abstract:To increase confidence in the correctness of specified policies, policy developers can conduct policy testing by supplying typical test inputs (requests) and subsequently checking test outputs (responses) against expected ones. Unfortunately, manual testing is tedious and few tools exist for automated testing of access control policies. We present a fault model for access control policies and a framework to explore it. The framework includes mutation operators used to implement the fault model, mutant generation, equivalent-mutant detection, and mutant-killing determination. This framework allows us to investigate our fault model, evaluate coverage criteria for test generation and selection, and determine a relationship between structural coverage and fault-detection effectiveness. We have implemented the framework and applied it to various policies written in XACML. Our experimental results offer valuable insights into choosing mutation operators in mutation testing and choosing coverage criteria in test generation and selection.

Xusheng Xiao,Amit M. Paradkar,Suresh Thummalapenta,Tao Xie

DOI: https://doi.org/10.1145/2393596.2393608

2012-01-01

Abstract:ABSTRACTAccess Control Policies (ACP) specify which principals such as users have access to which resources. Ensuring the correctness and consistency of ACPs is crucial to prevent security vulnerabilities. However, in practice, ACPs are commonly written in Natural Language (NL) and buried in large documents such as requirements documents, not amenable for automated techniques to check for correctness and consistency. It is tedious to manually extract ACPs from these NL documents and validate NL functional requirements such as use cases against ACPs for detecting inconsistencies. To address these issues, we propose an approach, called Text2Policy, to automatically extract ACPs from NL software documents and resource-access information from NL scenario-based functional requirements. We conducted three evaluations on the collected ACP sentences from publicly available sources along with use cases from both open source and proprietary projects. The results show that Text2Policy effectively identifies ACP sentences with the precision of 88.7% and the recall of 89.4%, extracts ACP rules with the accuracy of 86.3%, and extracts action steps with the accuracy of 81.9%.

JeeHyun Hwang,Evan Martin,Tao Xie,Vincent C Hu

2010-01-01

Abstract:As software systems become more and more complex, and are deployed to manage a large amount of sensitive information and resources, specifying and managing correct access control policies is critical and yet challenging. Policy testing is an important means to increasing confidence in the correctness of specified policies and their implementations for access control. There are two types of policy testing. In the first type, the artifacts under test are policy specifications and the main testing goal is to assure the correctness of the policy specifications. In the second type, the artifacts under test are policy implementations and the main testing goal is to assure the conformance between the policy specifications and implementations. Both types of policy testing supply typical test inputs (requests) to the artifacts under test and subsequently check test outputs (responses) against expected ones. This article presents recent approaches on policy testing in five main categories: fault models, testing criteria, test generation, test oracles, and model-based testing.

Yun-qing Fu,Chun-xiao Ye

DOI: https://doi.org/10.1049/cp:20070238

2007-01-01

Abstract:Access control is widely used in most information systems. XML or other languages are usually adopted to define access control policy. In this paper, we examine an approach to employ user and role's attribute expression as a part of access control policy. In our approach, a XACML-based policy language named A-XACML is defined and used as a simple, flexible way to express and enforce access control policies in a variety of environments. The language and schema support include data types, functions, and combining logic which allow simple and complex rules to be defined. Finally, we illustrate how to define access control policies of product document management (PDM) system by using XACML.

Ting Yu,Dhivya Sivasubramanian,Tao Xie

DOI: https://doi.org/10.1145/1558607.1558623

2009-01-01

Abstract:Access control is one of the fundamental security mechanisms for information systems. It determines the availability of resources to principals, operations that can be performed, and under what circumstances. Traditionally the enforcement of access control is often hardcoded in applications or systems; such hardcoding makes it hard to verify the correctness of access control and to accommodate changes of security requirements. Recently, access control policies have been increasingly separated from enforcement mechanisms. An access control policy is explicitly specified using certain policy languages with well-defined syntax and semantics. An application then consults the policy during runtime to determine whether an access request from a principal should be allowed or denied. There are two main advantages of this approach. First, security officers can now perform systematic and formal security analysis on access control policies. Second, by separating policies from enforcement mechanisms, it is possible to change policies without affecting the underlying mechanisms, and vice versa.

Evan Martin,Tao Xie

DOI: https://doi.org/10.1109/POLICY.2006.19

2006-01-01

Abstract:To ease the burden of implementing and maintaining access-control aspects in a system, a growing trend among developers is to write access-control policies in a specification language such as XACML and integrate the policies with applications through the use of a Policy Decision Point (PDP). To assure that the specified polices reflect the expected ones, recent research has developed policy verification tools; however, their applications in practice are still limited, being constrained by the limited set of supported policy language features and the unavailability of policy properties. This paper presents a data-mining approach to the problem of verifying that expressed access-control policies reflect the true desires of the policy author. We developed a tool to investigate this approach by automatically generating requests, evaluating those requests to get responses, and applying machine learning on the requestresponse pairs to infer policy properties. These inferred properties facilitate the inspection of the policy behavior. We applied our tool on an access-control policy of a central grades repository system for a university. Our results show that machine learning algorithms can provide valuable insight into basic policy properties and help identify specific bug-exposing requests.

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1109/POLICY.2010.22

2010-01-01

Abstract:Access control mechanisms are a widely adopted technology for information security. Since access decisions (i.e., permit or deny) on requests are dependent on access control policies, ensuring the correct modeling and implementation of access control policies is crucial for adopting access control mechanisms. To address this issue, we develop a tool, called ACPT (Access Control Policy Testing), that helps to model and implement policies correctly during policy modeling, implementation, and verification.

JeeHyun Hwang,Tao Xie,Vincent C. Hu

DOI: https://doi.org/10.1109/SSIRI.2009.63

2009-01-01

Abstract:Access control mechanisms control which subjects (such as users or processes) have access to which resources. To facilitate managing access control, policy authors increasingly write access control policies in XACML. Access control policies written in XACML could be amenable to multiple-duty-related security leakage, which grants unauthorized access to a user when the user takes multiple duties (e.g., multiple roles in role-based access control policies). To help policy authors detect multiple-duty-related security leakage, we develop a novel framework that analyzes policies and detects cases that potentially cause the leakage. In such cases, a user taking multiple roles (e.g., both r1 and r2) is given a different access decision from the decision given to a user taking an individual role (e.g., r1 and r2, respectively). We conduct experiments on 11 XACML policies and our empirical results show that our framework effectively pinpoints potential multiple-duty-related security leakage for policy authors to inspect.

Weichao Xu,Huaxin Pei,Jingxuan Yang,Yuchen Shi,Yi Zhang

2024-12-10

Abstract:Recent years have witnessed surprising achievements of decision-making policies across various fields, such as autonomous driving and robotics. Testing for decision-making policies is crucial with the existence of critical scenarios that may threaten their reliability. Numerous research efforts have been dedicated to testing these policies. However, there are still significant challenges, such as low testing efficiency and diversity due to the complexity of the policies and environments under test. Inspired by the remarkable capabilities of large language models (LLMs), in this paper, we propose an LLM-driven online testing framework for efficiently testing decision-making policies. The main idea is to employ an LLM-based test scenario generator to intelligently generate challenging test cases through contemplation and reasoning. Specifically, we first design a "generate-test-feedback" pipeline and apply templated prompt engineering to fully leverage the knowledge and reasoning abilities of LLMs. Then, we introduce a multi-scale scenario generation strategy to address the inherent challenges LLMs face in making fine adjustments, further enhancing testing efficiency. Finally, we evaluate the LLM-driven approach on five widely used benchmarks. The experimental results demonstrate that our method significantly outperforms baseline approaches in uncovering both critical and diverse scenarios.

Machine Learning

Xing Li,Yan Chen,Zhiqiang Lin,Xiao Wang,Jim Hao Chen

2021-01-01

Abstract:Cloud applications today are often composed of many microservices. To prevent a microservice from being abused by other (compromised) microservices, inter-service access control is applied. However, the complexity of fine-grained access control policies, along with the large-scale and dynamic nature of microservices, makes the current manual configurationbased access control unsuitable. This paper presents AUTOARMOR, the first attempt to automate inter-service access control policy generation for microservices, with two fundamental techniques: (1) a static analysis-based request extraction mechanism that automatically obtains the invocation logic among microservices, and (2) a graph-based policy management mechanism that generates corresponding access control policies with on-demand policy update. Our evaluation on popular microservice applications shows that AUTOARMOR is able to generate fine-grained inter-service access control policies and update them timely based on changes in the application, with only a minor runtime overhead. By seamlessly integrating with the lifecycle of microservices, it does not require any changes to existing code and infrastructures.

Sakuna Harinda Jayasundara,Nalin Asanka Gamagedara Arachchilage,Giovanni Russello

2024-09-13

Abstract:Manually generating access control policies from an organization's high-level requirement specifications poses significant challenges. It requires laborious efforts to sift through multiple documents containing such specifications and translate their access requirements into access control policies. Also, the complexities and ambiguities of these specifications often result in errors by system administrators during the translation process, leading to data breaches. However, the automated policy generation frameworks designed to help administrators in this process are unreliable due to limitations, such as the lack of domain adaptation. Therefore, to improve the reliability of access control policy generation, we propose RAGent, a novel retrieval-based access control policy generation framework based on language models. RAGent identifies access requirements from high-level requirement specifications with an average state-of-the-art F1 score of 87.9%. Through retrieval augmented generation, RAGent then translates the identified access requirements into access control policies with an F1 score of 77.9%. Unlike existing frameworks, RAGent generates policies with complex components like purposes and conditions, in addition to subjects, actions, and resources. Moreover, RAGent automatically verifies the generated policies and iteratively refines them through a novel verification-refinement mechanism, further improving the reliability of the process by 3%, reaching the F1 score of 80.6%. We also introduce three annotated datasets for developing access control policy generation frameworks in the future, addressing the data scarcity of the domain.

Cryptography and Security,Artificial Intelligence

Zhitao Wang,Wei Wang,Zirao Li,Long Wang,Can Yi,Xinjie Xu,Luyang Cao,Hanjing Su,Shouzhi Chen,Jun Zhou

2024-01-10

Abstract:In past years, we have been dedicated to automating user acceptance testing (UAT) process of WeChat Pay, one of the most influential mobile payment applications in China. A system titled XUAT has been developed for this purpose. However, there is still a human-labor-intensive stage, i.e, test scripts generation, in the current system. Therefore, in this paper, we concentrate on methods of boosting the automation level of the current system, particularly the stage of test scripts generation. With recent notable successes, large language models (LLMs) demonstrate significant potential in attaining human-like intelligence and there has been a growing research area that employs LLMs as autonomous agents to obtain human-like decision-making capabilities. Inspired by these works, we propose an LLM-powered multi-agent collaborative system, named XUAT-Copilot, for automated UAT. The proposed system mainly consists of three LLM-based agents responsible for action planning, state checking and parameter selecting, respectively, and two additional modules for state sensing and case rewriting. The agents interact with testing device, make human-like decision and generate action command in a collaborative way. The proposed multi-agent system achieves a close effectiveness to human testers in our experimental studies and gains a significant improvement of Pass@1 accuracy compared with single-agent architecture. More importantly, the proposed system has launched in the formal testing environment of WeChat Pay mobile app, which saves a considerable amount of manpower in the daily development work.

Artificial Intelligence