Automated Model-Based Testing of Role-Based Access Control Using Predicate/Transition Nets
- 26 November 2014
- journal article
- Published by Institute of Electrical and Electronics Engineers (IEEE) in International Conference on Acoustics, Speech, and Signal Processing (ICASSP)
- Vol. 64 (9), 2490-2505
- https://doi.org/10.1109/tc.2014.2375189
Abstract
Role-based access control is an important access control method for securing computer systems. A role-based access control policy can be implemented incorrectly due to various reasons, such as programming errors. Defects in the implementation may lead to unauthorized access and security breaches. To reveal access control defects, this paper presents a model-based approach to automated generation of executable access control tests using predicate/transition nets. Role-permission test models are built by integrating declarative access control rules with functional test models or contracts (preconditions and postconditions) of the associated activities (the system functions). The access control tests are generated automatically from the test models to exercise the interactions of access control activities. They are transformed into executable code through a model-implementation mapping that maps the modeling elements to implementation constructs. The approach has been implemented in an industry-adopted test automation framework that supports the generation of test code in a variety of languages. The full model-based testing process has been applied to three systems implemented in Java. The effectiveness is evaluated through mutation analysis of role-based access control rules. The experiments show that the model-based approach is highly effective in detecting the seeded access control defects.
Funding Information
- NSF (CNS 1004843, CNS 1123220, CNS 1359590)
This publication has 21 references indexed in Scilit:
- Automated Security Test Generation with Formal Threat Models. IEEE Transactions on Dependable and Secure Computing, 2012
- Scalable and Effective Test Generation for Role-Based Access Control Systems. IEEE Transactions on Software Engineering, 2009
- Conformance Testing of Temporal Role-Based Access Control Systems. IEEE Transactions on Dependable and Secure Computing, 2008
- A formal approach for testing security rules. Published by Association for Computing Machinery (ACM), 2007
- Automated Test Generation for Access Control Policies via Change-Impact Analysis. Published by Institute of Electrical and Electronics Engineers (IEEE), 2007
- Threat-driven modeling and verification of secure software using aspect-oriented Petri nets. IEEE Transactions on Software Engineering, 2006
- The UCON ABC usage control model. ACM Transactions on Information and System Security, 2004
- A formal architectural model for logical agent mobility. IEEE Transactions on Software Engineering, 2003
- Dynamic access control through Petri net workflows. Published by Institute of Electrical and Electronics Engineers (IEEE), 2002
- Automatic Code Generation Method Based on Coloured Petri Net Models Applied on an Access Control System. Lecture Notes in Computer Science, 2000