A toolchain for designing and testing access control policies

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 8431, Issue , 2014, Pages 266-286

  Bertolino, Antonia ^b   Busch, Marianne ^a   Daoudagh, Said ^b   Lonetti, Francesca ^b   Marchetti, Eda ^b  

^a UNIVERSITY OF MUNICH   (Germany)

^b ISTI CNR   (Italy)

Author keywords

[No Author keywords available]

Indexed keywords

COMPLIANCE CONTROL; INFORMATION MANAGEMENT; MOBILE SECURITY;

ACCESS CONTROL MODELS; ACCESS CONTROL POLICIES; INFORMATION MANAGEMENT SYSTEMS; SERVICE DEVELOPMENT; SUPPORTING TOOL; TESTING PHASE; TOOLS AND APPLICATIONS; XACML POLICIES;

ACCESS CONTROL;

EID: 84925010520     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-319-07452-8_11     Document Type: Article

References (40)

1. OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0 (2005), http://docs.oasis-open.org/xacml/2.0/ access control-xacml-2.0-core-spec-os.pdf.
2. SDE: Service Development Environment (2014), http://www.nessos-project.eu/sde.
3. Massacci, F., Zannone, N.: A model-driven approach for the specification and analysis of access control policies. In: Proc. of the OTM Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE, pp. 1087–1103 (2008).
4. Pretschner, A., Mouelhi, T., Le Traon, Y.: Model-based tests for access control policies. In: Proc. of ICST, pp. 338–347 (2008).
5. Bertolino, A., Busch, M., Daoudagh, S., Koch, N., Lonetti, F., Marchetti, E.: A Toolchain for Designing and Testing XACML Policies. In: Proceedings of ICST 2013, Poster (2013).
6. Busch, M., Knapp, A., Koch, N.: Modeling Secure Navigation in Web Information Systems. In: Grabis, J., Kirikova, M. (eds.) BIR 2011. LNBIP, vol. 90, pp. 239–253. Springer, Heidelberg (2011).
7. LMU. Web Engineering Group: UWE Website (2014), http://uwe.pst.ifi.lmu.de/.
8. Busch, M., Koch, N., Suppan, S.: Modeling Security Features of Web Applications. In: Heisel, M., Joosen, W., Lopez, J., Martinelli, F. (eds.) Engineering Secure Future Internet Services. LNCS, vol. 8431, pp. 119–139. Springer, Heidelberg (2014).
9. Busch, M., Koch, N.: NESSoS Deliverable D2.3 – Second Release of the SDE for Security-Related Tools (2012).
10. Sensoria Project: Software Engineering for Service-Oriented Overlay Computers (2011), http://www.sensoria-ist.eu/.
11. ASCENS: Autonomic Service Component Ensembles (2012), http://www.ascens-ist.eu/.
12. Eclipse Foundation: Eclipse Modeling Project (2014), http://eclipse.org/modeling/.
13. No Magic Inc.: Magicdraw (2014), http://www.magicdraw.com/.
14. Busch, M., Koch, N., Masi, M., Pugliese, R., Tiezzi, F.: Towards model-driven development of access control policies for web applications. In: Model-Driven Security Workshop in Conjunction with MoDELS 2012. ACM Digital Library (2012).
15. Bertolino, A., Lonetti, F., Marchetti, E.: Systematic XACML request generation for testing purposes. In: Proceedings of the 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), Lille, France, September 1-3, pp. 3–11 (2010).
16. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: The X-CREATE framework: a comparison of XACML policy testing strategies. In: Proceedings of 8th International Conference on Web Information Systems and Technologies (WEBIST), Porto, Portugal, April 18-21 (2012).
17. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E.: Automatic XACML Requests Generation for Policy Testing. In: Proceedings of IEEE Fifth International Conference on Software Testing, Verification and Validation (ICST), pp. 842–849 (2012).
18. Sun Microsystems: Sun’s XACML Implementation (2006), http://sunxacml.sourceforge.net/.
19. Busch, M., Koch, N.: MagicUWE — A CASE Tool Plugin for Modeling Web Applications. In: Gaedke, M., Grossniklaus, M., D´ıaz, O. (eds.) ICWE 2009. LNCS, vol. 5648, pp. 505–508. Springer, Heidelberg (2009).
20. OMG.: XMI 2.1 (2005), http://www.omg.org/spec/XMI/.
21. Eclipse: XPand (2013), http://wiki.eclipse.org/Xpand.
22. Cohen, D.M., Dalal, S.R., Fredman M.L., Patton, G.C.: The AETG system: An approach to testing based on combinatiorial design. IEEE Trans. on Soft. Eng. 23(7), 437–444 (1997).
23. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Schilders, L.: Automated testing of extensible access control markup language-based access control systems. IET Software 7(4), 203–212 (2013).
24. SDE.: Tutorial (2012), http://sde.pst.ifi.lmu.de/trac/sde/wiki/Tutorial.
25. OMG.: OCL 2.0 (2011), http://www.omg.org/spec/OCL/2.0/.
26. Busch, M.: Secure Web Engineering supported by an Evaluation Framework. In: Modelsward 2014. Scitepress (2014).
27. Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002).
28. Slimani, N., Khambhammettu, H., Adi, K., Logrippo, L.: UACML: Unified Access Control Modeling Language. In: NTMS 2011, pp. 1–8 (2011).
29. Basin, D., Clavel, M., Egea, M., Schl¨apfer, M.: Automatic Generation of Smart, Security-Aware GUI Models. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 201–217. Springer, Heidelberg (2010).
30. Jürjens, J.: Secure Systems Development with UML. Springer (2004), Tools: http://carisma.umlsec.de/.
31. Martin, E., Xie, T.: Automated Test Generation for Access Control Policies. In: Supplemental Proc. of 17th International Symposium on Software Reliability Engineering, ISSRE (2006).
32. Martin, E., Xie, T.: Automated test generation for access control policies via change-impact analysis. In: Proc. of Third International Workshop on Software Engineering for Secure Systems (SESS), pp. 5–12 (2007).
33. Fisler, K., Krishnamurthi, S., Meyerovich, L., Tschantz, M.: Verification and change-impact analysis of access-control policies. In: Proc. of ICSE, pp. 196–205. ACM, New York (2005).
34. Bertolino, A., Lonetti, F., Marchetti, E.: Systematic XACML Request Generation for Testing Purposes. In: Proc. of 36th EUROMICRO Conference on Software Engineering and Advanced Applications (SEAA), pp. 3–11 (2010).
35. Li, N., Hwang, J., Xie, T.: Multiple-implementation testing for XACML implementations. In: Proc. of TAV-WEB, pp. 27–33 (2008).
36. Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., Mori, P.: Testing of PolPA Authorization Systems. In: Proc. of AST, pp. 8–14 (2012).
37. Traon, Y., Mouelhi, T., Baudry, B.: Testing security policies: going beyond functional testing. In: Proc. of ISSRE, pp. 93–102 (2007).
38. Mallouli, W., Orset, J.M., Cavalli, A., Cuppens, N., Cuppens, F.: A formal approach for testing security rules. In: Proc. of SACMAT, pp. 127–132 (2007).
39. Li, K., Mounier, L., Groz, R.: Test generation from security policies specified in or-BAC. In: Proc. of COMPSAC, pp. 255–260 (2007).
40. Eclipse: Acceleo (2014), http://www.eclipse.org/acceleo/.