A formal approach for testing security rules

conference paper
conference paper
Published by Association for Computing Machinery (ACM) in Proceedings of the 12th ACM symposium on Access control models and technologies - SACMAT '07

p. 127-132
https://doi.org/10.1145/1266840.1266860

Abstract

Nowadays, security policies are the key point of every modern infrastructure. The specification and the testing of such policies are the fundamental steps in the development of a secure system since any error in a set of rules is likely to harm the global security. To address both challenges, we propose a framework to specify security policies and test their implementation on a system. Our framework makes it possible to generate in an automatic manner, test sequences, in order to validate the conformance of a security policy. system behavior is specified using a formal description technique based on extended finite state machine (EFSM) [12]. The integration of security rules within the system specification is performed by specific algorithms. Then, the automatic tests generation is performed using a dedicated tool, called SIRIUS, developed in our laboratory. Finally, we briefly present a weblog system as a case study to demonstrate the reliability of our framework.

Keywords

This publication has 4 references indexed in Scilit:

Analysis of Policy Anomalies on Distributed Network Security Setups
Lecture Notes in Computer Science, 2006
Test Generation for Network Security Rules
Lecture Notes in Computer Science, 2006
Firewall Conformance Testing
Lecture Notes in Computer Science, 2005
Principles and methods of testing finite state machines-a survey
Proceedings of the IEEE, 1996

Cited by 34 articles