A Formal Approach to Automatic Testing of Security Policies Specified in XACML

Aouadi, Mohamed H.E.; Toumi, Khalifa; Cavalli, Ana

doi:10.1007/978-3-319-17040-4_25

Mohamed H.E. Aouadi¹⁷,
Khalifa Toumi¹⁷ &
Ana Cavalli¹⁷

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8930))

Included in the following conference series:

International Symposium on Foundations and Practice of Security

872 Accesses
1 Citations

Abstract

Nowadays, security policies are the key point of every modern infrastructure. The specification and testing of such policies are the fundamental steps in the development of a secure system. To address both challenges, we propose a framework that automatically generates test sequences to validate the conformance of a security policy. The functional behavior of the system is specified using a formal description technique based on Extended Finite-State Machines (EFSMs), while security requirements are specified using XACML. We develop specific algorithms to integrate the security rules into the functional system specification. In this way, we obtain a complete specification of the secured system. Then, automatic test generation is performed using a dedicated tool called TestGen-IF which was developed in our laboratory. This generation is based on the security properties as test objectives. Finally, a case study is presented to demonstrate the reliability of our framework.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)
Chapter Google Scholar
Toumi, K., Cavalli, A., El Maarabani, M.: Role based interoperability security policies in collaborative systems. In: 2012 International Conference on Collaboration Technologies and Systems (CTS), pp. 471–477. IEEE (2012)
Google Scholar
Godik, S., Anderson, A., Parducci, B., Humenn, P., Vajjhala, S.: Oasis extensible access control 2 markup language (XACML) 3, Technical report, OASIS, Technical Report (2002)
Google Scholar
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Schilders, L.: Automated testing of extensible access control markup language-based access control systems. IET Softw. 7(4), 203–212 (2013)
Article Google Scholar
Felderer, M., Agreiter, B., Zech, P., Breu, R.: A classification for model-based security testing. In: The Third International Conference on Advances in System Testing and Validation Lifecycle, VALID 2011, pp. 109–114 (2011)
Google Scholar
Li, K., Mounier, L., Groz, R., Test generation from security policies specified in or-bac. In: 31st Annual International Computer Software and Applications Conference, COMPSAC 2007, vol. 2. IEEE, pp. 255–260 (2007)
Google Scholar
Senn, D., Basin, D., Caronni, G.: Firewall conformance testing. In: Khendek, F., Dssouli, R. (eds.) TestCom 2005. LNCS, vol. 3502, pp. 226–241. Springer, Heidelberg (2005)
Chapter Google Scholar
Mallouli, W., Orset, J.-M., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: Proceedings of the 12th ACM symposium on Access control models and technologies, pp. 127–132. ACM (2007)
Google Scholar
El Maarabani, M., Hwang, I., Cavalli, A.: A formal approach for interoperability testing of security rules. In: 2010 Sixth International Conference on Signal-Image Technology and Internet-Based Systems (SITIS), pp. 277–284. IEEE (2010)
Google Scholar
Hwang, I., Lallali, M., Cavalli, A., Verchere, D.: Modeling, validation, and verification of PCEP using the IF language. In: Lee, D., Lopes, A., Poetzsch-Heffter, A. (eds.) FMOODS 2009. LNCS, vol. 5522, pp. 122–136. Springer, Heidelberg (2009)
Chapter Google Scholar
Cavalli, A., Lee, D., Rinderknecht, C., Zaïdi, F.: Hit-or-jump: An algorithm for embedded testing with applications to in services. In: Wu, J., Chanson, S.T., Gao, Q. (eds.) Formal Methods for Protocol Engineering And Distributed Systems, pp. 41–56. Springer, Ney York (1999)
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

Télécom SudParis, 91011, Evry, France
Mohamed H.E. Aouadi, Khalifa Toumi & Ana Cavalli

Authors

Mohamed H.E. Aouadi
View author publications
You can also search for this author in PubMed Google Scholar
Khalifa Toumi
View author publications
You can also search for this author in PubMed Google Scholar
Ana Cavalli
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohamed H.E. Aouadi .

Editor information

Editors and Affiliations

TELECOM Bretagne, Cesson Sévigné, France
Frédéric Cuppens
TELECOM SudParis, Evry, France
Joaquin Garcia-Alfaro
Dalhousie University, Halifax, Nova Scotia, Canada
Nur Zincir Heywood
University of Calgary, Calgary, Canada
Philip W. L. Fong

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Aouadi, M.H., Toumi, K., Cavalli, A. (2015). A Formal Approach to Automatic Testing of Security Policies Specified in XACML. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_25

Download citation

DOI: https://doi.org/10.1007/978-3-319-17040-4_25
Published: 05 April 2015
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17039-8
Online ISBN: 978-3-319-17040-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics