ABSTRACT
We present a generic modular policy modelling framework and instantiate it with a substantial case study: model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques applied to a large system with critical security features.
We model the four information governance principles, comprising a role-based access control model as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationships. The model is given in Higher-order Logic (HOL) and processed together with suitable test specifications in the TestGen system, which generates test sequences from them. Particular emphasis is put on the modular description of security policies, their generic combination, and the consequences of this modularity for model-based testing.
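The modular combination the abstract describes, as an added illustration that is not the paper's HOL/TestGen model: each of the four information governance principles is written as its own partial decision function over a request, a generic combinator joins them into one policy, and the combined model is then enumerated as a test oracle against a system under test. All roles, staff, patients, records and rules below are constructed for the example.

```python
from itertools import product
ALLOW, DENY = "allow", "deny"          # a policy may also return None: undefined

# Constructed sample state (assumptions for the example, not from the paper).
ROLE_PERMS = {"clinician": {"read", "write"}, "clerk": {"read"}}
STAFF_ROLE = {"dr_a": "clinician", "dr_b": "clinician", "clerk_c": "clerk"}
CARE_TEAM = {"pat1": {"dr_a", "clerk_c"}, "pat2": {"dr_b"}}  # legitimate relationships
CONSENT = {"pat1": True, "pat2": False}                      # pat2 has dissented
SEALED = {("pat1", "psych")}                                 # one sealed envelope

# Each IG principle is its own partial decision function over a request
# (user, patient, record, action); they only meet inside the combinator.
def rbac(req):
    user, _, _, action = req
    role = STAFF_ROLE.get(user)
    return ALLOW if role and action in ROLE_PERMS[role] else DENY

def legitimate_relationship(req):
    user, patient, _, _ = req
    return ALLOW if user in CARE_TEAM.get(patient, set()) else DENY

def consent(req):
    return ALLOW if CONSENT.get(req[1], False) else DENY

def sealed_envelope(req):
    # Constrains sealed records only; says nothing (None) about the rest.
    return DENY if (req[1], req[2]) in SEALED else None

def conjoin(p, q):
    """Generic combinator: any deny wins, allow needs both, None defers."""
    def combined(req):
        a, b = p(req), q(req)
        if DENY in (a, b):
            return DENY
        return b if a is None else (a if b is None else ALLOW)
    return combined

def ig_policy():
    """The four principles combined into one policy model."""
    p = conjoin(rbac, legitimate_relationship)
    return conjoin(conjoin(p, consent), sealed_envelope)

def generate_tests(policy):
    """Enumerate the (small) request domain; the model is the oracle."""
    reqs = product(STAFF_ROLE, CARE_TEAM, ["gp", "psych"], ["read", "write"])
    return {r: policy(r) for r in reqs}

def conformance_failures(sut, tests):
    """Requests where a system under test disagrees with the model."""
    return sorted(r for r, verdict in tests.items() if sut(r) != verdict)

# Constructed SUT that forgot sealed envelopes: the generated tests catch it.
LEAKY_SUT = conjoin(conjoin(rbac, legitimate_relationship), consent)
```

Because the sealed-envelope rule is a separate module, dropping it from the combination (as `LEAKY_SUT` does) changes only the verdicts on sealed records, which is exactly what the generated tests report.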