Abstract
Nowadays, security policies are the key point of every modern infrastructure. The specification and testing of such policies are the fundamental steps in the development of a secure system. To address both challenges, we propose a framework that automatically generates test sequences to validate the conformance of a security policy. The functional behavior of the system is specified using a formal description technique based on Extended Finite-State Machines (EFSMs), while security requirements are specified using XACML. We develop specific algorithms to integrate the security rules into the functional system specification. In this way, we obtain a complete specification of the secured system. Then, automatic test generation is performed using a dedicated tool called TestGen-IF which was developed in our laboratory. This generation is based on the security properties as test objectives. Finally, a case study is presented to demonstrate the reliability of our framework.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Damianou, N., Dulay, N., Lupu, E.C., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–38. Springer, Heidelberg (2001)
Toumi, K., Cavalli, A., El Maarabani, M.: Role based interoperability security policies in collaborative systems. In: 2012 International Conference on Collaboration Technologies and Systems (CTS), pp. 471–477. IEEE (2012)
Godik, S., Anderson, A., Parducci, B., Humenn, P., Vajjhala, S.: Oasis extensible access control 2 markup language (XACML) 3, Technical report, OASIS, Technical Report (2002)
Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Schilders, L.: Automated testing of extensible access control markup language-based access control systems. IET Softw. 7(4), 203–212 (2013)
Felderer, M., Agreiter, B., Zech, P., Breu, R.: A classification for model-based security testing. In: The Third International Conference on Advances in System Testing and Validation Lifecycle, VALID 2011, pp. 109–114 (2011)
Li, K., Mounier, L., Groz, R., Test generation from security policies specified in or-bac. In: 31st Annual International Computer Software and Applications Conference, COMPSAC 2007, vol. 2. IEEE, pp. 255–260 (2007)
Senn, D., Basin, D., Caronni, G.: Firewall conformance testing. In: Khendek, F., Dssouli, R. (eds.) TestCom 2005. LNCS, vol. 3502, pp. 226–241. Springer, Heidelberg (2005)
Mallouli, W., Orset, J.-M., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: Proceedings of the 12th ACM symposium on Access control models and technologies, pp. 127–132. ACM (2007)
El Maarabani, M., Hwang, I., Cavalli, A.: A formal approach for interoperability testing of security rules. In: 2010 Sixth International Conference on Signal-Image Technology and Internet-Based Systems (SITIS), pp. 277–284. IEEE (2010)
Hwang, I., Lallali, M., Cavalli, A., Verchere, D.: Modeling, validation, and verification of PCEP using the IF language. In: Lee, D., Lopes, A., Poetzsch-Heffter, A. (eds.) FMOODS 2009. LNCS, vol. 5522, pp. 122–136. Springer, Heidelberg (2009)
Cavalli, A., Lee, D., Rinderknecht, C., Zaïdi, F.: Hit-or-jump: An algorithm for embedded testing with applications to in services. In: Wu, J., Chanson, S.T., Gao, Q. (eds.) Formal Methods for Protocol Engineering And Distributed Systems, pp. 41–56. Springer, Ney York (1999)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Aouadi, M.H., Toumi, K., Cavalli, A. (2015). A Formal Approach to Automatic Testing of Security Policies Specified in XACML. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science(), vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_25
Download citation
DOI: https://doi.org/10.1007/978-3-319-17040-4_25
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17039-8
Online ISBN: 978-3-319-17040-4
eBook Packages: Computer ScienceComputer Science (R0)