Transforming and selecting functional test cases for security policy testing

Tejeddine Mouelhi 1, 2 Yves Le Traon 2 Benoit Baudry 1
1 TRISKELL - Reliable and efficient component based software engineering
IRISA - Institut de Recherche en Informatique et Systèmes Aléatoires, Inria Rennes – Bretagne Atlantique
Abstract : In this paper, we consider typical applications in which the business logic is separated from the access control logic, implemented in an independent component, called the Policy Decision Point (PDP). The execution of functions in the business logic should thus include calls to the PDP, which grants or denies the access to the protected resources/functionalities of the system, depending on the way the PDP has been configured. The task of testing the correctness of the implementation of the security policy is tedious and costly. In this paper, we propose a new approach to reuse and automatically adapt existing functional test cases for specifically testing the security mechanisms. It includes a two step dynamic analysis technique based on mutation applied to security policies (RBAC, XACML, OrBAC). The method is applied to Java programs and provides tools for performing the two steps of the dynamic analyses. Three empirical case studies provide fruitful results and a first proof of concepts for this approach, e.g. by comparing its efficiency to an error-prone manual adaptation task.
Type de document :
Communication dans un congrès
ICST, 2009, Denver, CO, United States. 2009
Liste complète des métadonnées

https://hal.inria.fr/inria-00538390
Contributeur : Didier Vojtisek <>
Soumis le : lundi 22 novembre 2010 - 14:02:56
Dernière modification le : lundi 25 juin 2018 - 13:18:57
Document(s) archivé(s) le : mercredi 23 février 2011 - 03:22:46

Fichier

mouelhi09.pdf
Fichiers produits par l'(les) auteur(s)

Identifiants

  • HAL Id : inria-00538390, version 1

Citation

Tejeddine Mouelhi, Yves Le Traon, Benoit Baudry. Transforming and selecting functional test cases for security policy testing. ICST, 2009, Denver, CO, United States. 2009. 〈inria-00538390〉

Partager

Métriques

Consultations de la notice

415

Téléchargements de fichiers

168