Scalable and effective test generation for role-based access control systems

IEEE Transactions on Software Engineering

Volumn 35, Issue 5, 2009, Pages 654-668

  Masood, Ammar ^a   Bhatti, Rafae ^b   Ghafoor, Arif ^c   Mathur, Aditya P ^d  

^a AIR UNIVERSITY   (Pakistan)

^b ORACLE CORPORATION   (United States)

^c PURDUE UNIVERSITY   (United States)

^d Purdue University   (United States)

Author keywords

Fault model; Finite state models; First order mutants; Malicious faults; Role Based Access Control (RBAC)

Indexed keywords

FAULT MODEL; FINITE-STATE MODELS; FIRST-ORDER; MALICIOUS FAULTS; ROLE-BASED ACCESS CONTROL;

FAULT DETECTION; HEURISTIC METHODS; SECURITY SYSTEMS; TESTING;

ACCESS CONTROL;

EID: 73449142778     PISSN: 00985589     EISSN: None     Source Type: Journal    
DOI: 10.1109/TSE.2009.35     Document Type: Article

References (30)

1. T. Ahmed and A.R. Tripathi, "Static Verification of Security Requirements in Role Based CSCW Systems," Proc. Symp. Access Control Models and Technologies, pp. 196-203, 2003.
2. G-J. Ahn and R. Sandhu, "Role-Based Authorization Constraints Specification," ACM Trans. Information and System Security, vol.3, no.4, pp. 207-226, 2000.
3. A.V. Aho, A.T. Dahbura, D. Lee, and M.U. Uyar, "An Optimization Technique for Protocol Conformance Test Generation Based on UIO Sequences and Rural Chinese Postman Tours," IEEE Trans. Comm., vol.39, no.11, pp. 1604-1615, Nov. 1991.
4. J.H. Andrews, L.C. Briand, and Y. Labiche, "Is Mutation an Appropriate Tool for Testing Experiments?" Proc. Int'l Conf. Software Eng., pp. 402-411, 2005.
5. F. Belli and R. Crisan, "Towards Automation of Checklist- Based Code Reviews," Proc. Int'l Symp. Software Reliability Eng., pp. 24-33, 1996.
6. R. Bhatti, A. Ghafoor, E. Bertino, and J.B.D. Joshi, "X-GTRBAC: An XML-Based Policy Specification Framework and Architecture for Enterprise-Wide Access Control," ACM Trans. Information and System Security, vol.8, no.2, pp. 187-227, 2005.
7. R. Chandramouli and M. Blackburn, "Automated Testing of Security Functions Using a Combined Model & Interface Driven Approach," Proc. 37th Hawaii Int'l Conf. System Sciences, pp. 299- 308, 2004.
8. T.S. Chow, "Testing Software Design Modelled by Finite State Machines," IEEE Trans. Software Eng., vol.4, no.3, pp. 178-187, May 1978.
9. D.M. Cohen, S.R. Dalal, J. Parelius, and G.C. Patton, "The Combinatorial Design Approach to Automatic Test Generation," IEEE Software, vol.13, no.5, pp. 83-89, Sept. 1996.
10. M. Daran and P. Thèvenod-Fosse, "Software Error Analysis: A Real Case Study Involving Real Faults and Mutations," Proc. Int'l Symp. Software Testing and Analysis, pp. 158-171, 1996.
11. R.A. DeMillo, R.J. Lipton, and F.G. Sayward, "Hints on Test Data Selection," Computer, vol.11, no.4, pp. 34-41, Apr. 1978.
12. M. Drouineaud, M. Bortin, P. Torrini, and K. Sohr, "A First Step Towards Formal Verification of Security Policy Properties for RBAC," Proc. Int'l Conf. Quality Software, pp. 60-67, 2004.
13. D. Ferraiolo and R. Kuhn, "Role-Based Access Control," Proc. NIST-NSA Computer Security Conf., pp. 554-563, 1992.
14. D.F. Ferraiolo, R. Sandhu, S. Gavrila, D.R. Kuhn, and R. Chandramouli, "Proposed NIST Standard for Role-Based Access Control," ACM Trans. Information and System Security, vol.4, no.3, pp. 224-274, 2001.
15. G. Friedman, A. Hartman, K. Nagin, and T. Shiran, "Projected State Machine Coverage for Software Testing," Proc. Int'l Symp. Software Testing and Analysis, pp. 134-143, 2002.
16. S. Fujiwara, G.V. Bochmann, F. Khendek, M. Amalou, and A. Ghedamsi, "Test Selection Based on Finite State Models," IEEE Trans. Software Eng., vol.17, no.6, pp. 591-603, June 1991.
17. F. Hansen and V. Oleshchuk, "Conformance Checking of RBAC Policy and Its Implementation," Proc. Information Security Practice and Experience Conf., R.H. Deng, F. Bao, H-H. Pang, and J. Zhou, eds., 2005.
18. ANSI RBAC Standard, http://ite.gmu.edu/list/journals/tissec/ ANSI+INCITS+359 2004.pdf, 2008.
19. Common Vulnerabilities and Exposures, http://www.cve.mitre.org/, 2009.
20. C.N. Ip and D.L. Dill, "Better Verification through Symmetry," Formal Methods System Design, vol.9, nos. 1/2, pp. 41-75, 1996.
21. J.B.D. Joshi, E. Bertino, U. Latif, and A. Ghafoor, "A Generalized Temporal Role-Based Access Control Model," IEEE Trans. Knowledge and Data Eng., vol.17, no.1, pp. 4-23, Jan. 2005. (Pubitemid 40536468)
22. J.B.D. Joshi, B. Shafiq, A. Ghafoor, and E. Bertino, "Dependencies and Separation of Duty Constraints in GTRBAC," Proc. Symp. Access Control Models and Technologies, pp. 51-64, 2003.
23. E.C. Lupu and M. Sloman, "Conflicts in Policy-Based Distributed Systems Management," IEEE Trans. Software Eng., vol.25, no.6, pp. 852-869, Nov./Dec. 1999.
24. Y-S. Ma, J. Offutt, and Y-R. Kwon, "MuJava: An Automated Class Mutation System," Software Testing, Verification and Reliability, vol.15, no.2, pp. 97-133, 2005.
25. A. Masood, R. Bhatti, A. Ghafoor, and A. Mathur, "Scalable and Effective Test Generation for Role Based Access Control Systems," Technical Report TR 2006-24, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue Univ., 2006.
26. K.K. Sabnani and A.T. Dahbura, "A Protocol Test Generation Procedure," Computer Networks and ISDN Systems, vol.15, pp. 285- 297, 1988.
27. R. Sandhu and P. Samarati, "Access Control: Principles and Practice," IEEE Comm., vol.32, no.9, pp. 40-48, Sept. 1994.
28. R.S. Sandhu, E.J. Coyne, H.L. Feinstein, and C.E. Youman, "Role- Based Access Control Models," Computer, vol.29, no.2, pp. 38-47, Feb. 1996.
29. D.P. Sidhu and T.K. Leung, "Formal Methods for Protocol Testing: A Detailed Study," IEEE Trans. Software Eng., vol.15, no.4, pp. 413-426, Apr. 1989.
30. H. Zhu, P.A.V. Hall, and J.H.R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol.29, no.4, pp. 366-427, Dec. 1997.