Published in: Software Quality Journal 2/2014

01.06.2014

Testing of PolPA-based usage control systems

Written by: Antonia Bertolino, Said Daoudagh, Francesca Lonetti, Eda Marchetti, Fabio Martinelli, Paolo Mori


Abstract

The implementation of an authorization system is a critical and error-prone activity that requires a careful verification and testing process. As a matter of fact, errors in the authorization system code could grant accesses that should instead be denied, thus jeopardizing the security of the protected system. In this paper, we address the testing of the implementation of the Policy Decision Point (PDP) within the PolPA authorization system that enables history-based and usage-based control of accesses. Accordingly, we propose two testing strategies specifically conceived for validating the history-based access control and the usage control functionalities of the PolPA PDP. The former is based on a fault model able to highlight the problems and vulnerabilities that could occur during the PDP implementation. The latter combines the standard technique for conditions coverage with a methodology for simulating the continuous control of the PDP during the runtime execution. Both strategies are implemented within a testing framework supporting the automatic generation and execution of security test suites. Results produced by the application of this testing framework to a real case study are presented.


Footnotes

3. Where the dot represents the seq composition operator.

4. Note that the term condition in this section does not refer to the environment conditions specified in the UCON model.

5. Indeed in this evaluation we suppose that the correctness of these PDP replies has been validated during a previously executed phase of history-based testing.

6. Note that the same error was also detected in a previous experiment described in (Bertolino et al. 2012).

References

Bailey, C. (2012). Application of self-adaptive techniques to federated authorization models. In Proceedings of 34th international conference on software engineering (ICSE), (pp. 1495–1498).

Bertolino, A., Daoudagh, S., Lonetti, F., & Marchetti, E. (2012). Automatic XACML requests generation for policy testing. In Proceedings of fourth IEEE international workshop on security testing (associated with ICST 2012), (pp. 842–849).

Bertolino, A., Daoudagh, S., Lonetti, F., & Marchetti, E. (2013). XACMUT: XACML 2.0 mutants generator. In Proceedings of 8th international workshop on mutation analysis (associated with ICST 2013).

Bertolino, A., Daoudagh, S., Lonetti, F., Marchetti, E., Martinelli, F., & Mori, P. (2012). Testing of PolPA authorization systems. In Proceedings of 7th international workshop on automation of software test (associated with ICSE 2012), (pp. 8–14).

Bertolino, A., Lonetti, F., & Marchetti, E. (2010). Systematic XACML request generation for testing purposes. In Proceedings of 36th EUROMICRO conference on software engineering and advanced applications (SEAA), (pp. 3–11).

Büchler, M., Oudinet, J., & Pretschner, A. (2011). Security mutants for property-based testing. In Proceedings of 5th international conference on tests and proofs (TAP), (pp. 69–77).

Castrucci, A., Martinelli, F., Mori, P., & Roperti, F. (2008). Enhancing Java ME security support with resource usage monitoring. In Proceedings of information and communications security, Lecture Notes in Computer Science, vol. 5308, pp. 256–266.

Colombo, M., Lazouski, A., Martinelli, F., & Mori, P. (2010). A proposal on enhancing XACML with continuous usage control features. In Proceedings of CoreGRID ERCIM working group workshop on grids, P2P and Services Computing, (pp. 133–146). Springer.

Colombo, M., Martinelli, F., Mori, P., Martini, B., Gharbaoui, M., & Castoldi, P. (2011). Extending resource access in multi-provider networks using trust management. International Journal of Computer Networks & Communications (IJCNC), 3(3), 133–147.

Jia, Y., & Harman, M. (2011). An analysis and survey of the development of mutation testing. IEEE Transactions on Software Engineering, 37(5), 649–678.

Martin, E., & Xie, T. (2006). Automated test generation for access control policies. In Supplemental Proceedings of 17th international symposium on software reliability engineering (ISSRE).

Martin, E., & Xie, T. (2007a). A fault model and mutation testing of access control policies. In Proceedings of 16th international conference on World Wide Web (WWW), (pp. 667–676).

Martin, E., & Xie, T. (2007b). Automated test generation for access control policies via change-impact analysis. In Proceedings of third international workshop on software engineering for secure systems (SESS), (pp. 5–12).

Martinelli, F., & Mori, P. (2010). On usage control for grid systems. Future Generation Computer Systems, 26(7), 1032–1042.

Mathur, A.P. (2008). Foundations of software testing, 1st edn. Pearson Education, Upper Saddle River.

Mouelhi, T., Fleurey, F., & Baudry, B. (2008). A generic metamodel for security policies mutation. In Proceedings of software testing verification and validation workshop (ICSTW), (pp. 278–286).

Nyre, A. A. (2011). Usage control enforcement-a survey. Availability, Reliability and Security for Business, Enterprise and Health Information Systems, pp. 38–49.

Petrenko, A. (2001). Fault model-driven test derivation from finite state models: Annotated bibliography. In Proceedings of the 4th summer school on modeling and verification of parallel processes, (pp. 196–205).

Pretschner, A., Mouelhi, T., & Le Traon, Y. (2008). Model-based tests for access control policies. In Proceedings of international conference on software testing, verification, and validation (ICST), (pp. 338–347).

Sandhu, R., & Park, J. (2004). The UCON ABC usage control model. ACM Transactions on Information and System Security, 7(1), 128–174.

Shan, L., & Zhu, H. (2007). Generating structurally complex test cases by data mutation: A case study of testing an automated modelling tool. Comp. Jour., 52, 571–588.

Zhang, X., Parisi-Presicce, F., & Sandhu, R. (2005). Formal model and policy specification of usage control. ACM Transactions on Information and System Security, 8(4), 351–387.

Metadata
Title
Testing of PolPA-based usage control systems
Written by
Antonia Bertolino
Said Daoudagh
Francesca Lonetti
Eda Marchetti
Fabio Martinelli
Paolo Mori
Publication date
01.06.2014
Publisher
Springer US
Published in
Software Quality Journal / Issue 2/2014
Print ISSN: 0963-9314
Electronic ISSN: 1573-1367
DOI
https://doi.org/10.1007/s11219-013-9216-0
