11-07-2013
9th International Summer School on
Training And Research On Testing
9-13 July, 2013 - Volterra, Italy
Theme 3: Security Testing
XML-based approaches for security testing
Antonia Bertolino, ISTI-CNR
antonia.bertolino@isti.cnr.it
SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY
ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO”
Acknowledgements
All presented approaches and tools are the result of research work in collaboration with Said Daoudagh, Francesca Lonetti and Eda Marchetti (and, for TAXI, with Cesare Bartolini, JingHua Gao and Andrea Polini; for Polpa testing, with Fabio Martinelli and Paolo Mori), and have been partially developed within the European projects TAS3 (completed) and NESSOS (ongoing).
Agenda
•  Introduction to:
   •  Security mechanisms and access control systems
   •  Security testing
   •  XACML
•  XML-based testing and the TAXI tool
•  XACML combinatorial testing and the X-CREATE tool
•  XACML mutations and the XACMUT tool
•  Usage-control systems and testing of Polpa
•  Conclusions and hints for further research
Software is everywhere
Software is routinely used in many disparate aspects of everyday life. More and more, the different software-intensive devices that we use communicate among themselves. In many cases software applications are critical, either money-wise or health-wise. The evident consequence is that malfunctions of software heavily impact our wellness and welfare.
Software malfunctions
The consequences can be very different:
•  Your web browser crashes while you are reading news: this is annoying
•  Your web mail account is stolen: this could be serious
•  The computerized device releases a radiation overdose (*): this is very serious
(*) Leveson, N.G.; Turner, C.S., "An investigation of the Therac-25 accidents," Computer, vol. 26, no. 7, pp. 18-41, July 1993
Software puts us at risk
Two somewhat contrasting wishes:
•  Being connected every time and everywhere
•  Preserving our own privacy and data integrity
However, for business and society connectivity is no longer an option. The point is to balance potential risks with benefits.
Networks must be enabled to support security services that provide adequate protection to users and companies in a relatively open environment.
Rising vulnerability of evolving technology
(figure from: Catherine Paquet, Network Security Concepts and Policies, Cisco Press, 2013)
Three related software quality concerns: Dependability, Safety, Security
Definitions (from Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp. 11-33, Jan.-March 2004)
Dependability: the ability to deliver service that can justifiably be trusted
Safety: the absence of catastrophic consequences on the user(s) and the environment
Security: the absence of unauthorized access to, or handling of, system state
Composite definition of security
(figure; from Avizienis et al., 2004, cited above)
Security engineering
•  Systems engineering must be unified with security engineering:
   •  Currently (*) security modeling remains largely independent of system models.
   •  Typically, system requirements and design are done first, and security is added as an afterthought.
(*) Premkumar T. Devanbu and Stuart Stubblebine. Software engineering for security: a roadmap. In FOSE 2000 @ ICSE '00. ACM, 227-239.
Information Assurance: an overarching approach
•  Information must be protected throughout its lifetime, while at rest and while passing through different processing systems
•  The strength of any system is no greater than its weakest link
•  Each component of the information processing system must have its own protection mechanisms
•  The building up, layering on and overlapping of security measures is called defense in depth:
   •  a design principle to ensure resilience against different forms of attack, and to reduce the probability of a single point of failure
(figure: the onion model of defense in depth)
Why ensuring security is difficult
Security engineers (and especially testers) must take into account not only legitimate users and clients, but also potential (malicious) adversaries.
Therefore, to design a secure system we should provide defenses against all plausible threats: a secure system does only what it is supposed to do and nothing else.
Risk-oriented approach
•  Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data.
•  All systems have some level of risk.
•  A completely secure, zero-risk system is one that has zero functionality.
Towards a Security-centered Development Process
•  A security development lifecycle (SDL) is a software development lifecycle placing special emphasis on security in each phase
•  Several SDLs have been proposed, of which Microsoft SDL is the best established in industry
Security testing
There exist many different types of security testing. For example, Microsoft SDL includes three practices:
•  Dynamic Analysis: performs run-time verification of software functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other
•  Fuzz Testing: induces program failure by deliberately introducing malformed or random data to an application so as to reveal potential security issues prior to release
•  Attack Surface Review: reviews the attack surface before and after the installation of product(s) and displays the changes to key elements of the attack surface
Scope of security testing
•  Security software: testing security mechanisms to ensure that their functionality is properly implemented
•  Software security: performing risk-based security testing driven by understanding and simulating the attacker's approach
To keep in mind: "software security is not security software" (*)
Security features such as cryptography, strong authentication, and access control play critical roles in software security; however, security itself is an emergent property of an entire system, not just its security mechanisms.
(*) Gary McGraw and Bruce Potter. 2004. Software Security Testing. IEEE Security and Privacy 2, 5 (September 2004), 81-85.
Approaches for testing “software security”
Mostly negative testing, aiming at detecting whether the application does something it should not do. It includes:
•  Fuzzing, either random or systematic (e.g., model-based fuzz testing)
•  Vulnerability injection, e.g. SQL injection
•  Risk-based testing
•  Security test patterns (e.g., DIAMONDS project)
•  …
Software security testing relies on expertise and knowledge of the system: it requires that you think about your project and its possible misuses or attacks.
CIA: Confidentiality, Integrity, Availability (figure)
Data classification
Assets (data, programs, resources, …) have different security levels, e.g.
•  Unclassified
•  Restricted
•  Confidential
•  …
Correspondingly, differing roles for people or applications are introduced, defining who can access what level, e.g.
•  Owner
•  Administrator
•  User
•  …
Access control
•  Once a system involves security-classified data, we need to ensure that only the intended people can access them and that these intended users are only given the level of access required to accomplish their tasks.
An access control system provides a decision (ok, ko) to an authorization request, typically based on predefined policies.
(figure: request -> Access Control [policy] -> response)
Access control mechanisms: Identification, Authentication, Authorization
•  Identification: the activity of a subject supplying information to identify itself to an authentication service. Examples: username, account number, ID card, …
•  Authentication: a means to verify the authenticity of the identity declared during Identification. Three ways (of increasing cost):
   - What the subject knows: passwords, PINs, passcodes, etc.
   - What the subject has: keys, tokens, smartcards, etc.
   - What the subject is: biometric data, e.g., fingerprints, voice recognition, etc.
   Authentication can be one-factor or two/three-factor (strong)
•  Authorization: the process of assigning to authenticated subjects a set of permissions that defines what they can and cannot do. These permissions are generally defined by security policies
Defining security rules (or policies)
A security policy is a specific statement of what is and is not allowed.
Security policies
From Wikipedia:
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
•  Access control
•  Computer security policy
•  Environmental design
•  Information Protection Policy
•  Information security policy
•  National security policy, Military strategy
•  Network security policy
•  Virtual security policy
•  …
The eXtensible Access Control Markup Language
•  XACML is the OASIS standard for specifying Access Control Policy
•  The latest version is XACML 3.0, released in January 2013
   - Before, XACML 2.0 was released in Feb. 2005 (this is the version implemented in our tool)
   - XACML 1.0 had been released in Feb. 2003
•  Organizations sponsoring OASIS and contributing to the XACML standard include: CA Technologies, Cisco Systems, Connectis, Dell, EMC, IBM, Microsoft, Oracle, Primeton Technologies, Inc., Red Hat, SailPoint Technologies, The Boeing Company, Veterans Health Administration, ViewDS, etc.
www.oasis-open.org
XACML
•  XACML is a general-purpose language for access control policies. It provides an XML-based syntax for managing access to resources
•  XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors
•  It is generic (can be used by many different kinds of applications and platforms), distributed (a policy can refer to other sub-policies, and XACML knows how to correctly combine the results from these different policies into one decision) and powerful (supports a wide variety of data types, functions, and rules about combining the results of different policies)
XACML languages
Policy Language: used to describe access control requirements. Who is allowed to do what?
Request/Response Language: the request is a query about the permissions associated with x. The response is permit, deny, indeterminate, or not applicable.
XACML architecture
XACML also proposes a standard reference architecture:
•  Policy Enforcement Point (PEP): performs access control, by making decision requests and enforcing authorization decisions. Basically the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
•  Policy Decision Point (PDP): evaluates the applicable policy and returns an authorization decision.
XACML Flow
•  A Subject who wishes to access an Object (Resource) must do so through the PEP
•  The PEP forms the XACML request and sends it to the PDP
•  The PDP checks the request against the Policy and returns a XACML response
•  The PEP either Permits or Denies access to the resource.
(figure: the PEP asks the PDP "Can I access Resource?"; the PDP selects the relevant XACML policy, evaluates its rules and answers Permit/Deny; requests and responses are also specified in XACML)
XACML Structure
(figure taken from: Yoon Jae Kim, Access Control Service Oriented Architecture Security, online at http://www.cs.wustl.edu/~jain/cse571-09/ftp/soa/)
XACML policy example
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="policyExample"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <!-- Target: the policy applies only to the library record resource -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://library.com/record/</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                       DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>
  <!-- Rule1 with Condition: permit when the (single) action-id is "write" or "read" -->
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Rule2: no Target and no Condition, so it applies to every request that reaches it: deny -->
  <Rule RuleId="rule2" Effect="Deny"/>
</Policy>
(The slide abbreviated the identifiers; they are given here in full XACML 2.0 form. The AttributeValues are also written without the leading blank of the slide version: string-is-in compares strings exactly, so " read" would never match an action-id of "read" and rule1 would silently never permit anything.)
We need to verify the access control system
XACML properties of interoperability, extensibility and distribution are paid for in terms of complexity and verbosity.
Policies can be deceiving and need to be carefully checked.
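As an added example (not code from the slides, nor from any XACML engine), the following Python evaluator supports exactly the constructs used by the library-record policy above and shows in what sense such a policy can be deceiving: the final Deny rule only fires for requests that fall inside the policy Target, so a request for another resource is NotApplicable rather than Deny, and a request carrying two action-id values (or none) makes rule1 Indeterminate. The request dictionaries, the catalog URL and the deny-biased PEP are constructed for the example.

```python
# Added example, not code from the slides nor from any XACML engine: a minimal
# evaluator for the library-record policy above (XACML 2.0, first-applicable)
# and a deny-biased PEP.  A request maps an attribute id to the bag (list) of
# values supplied for it.
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

POLICY_XML = f"""<Policy xmlns="{NS['x']}" PolicyId="policyExample"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Resources><Resource>
    <ResourceMatch MatchId="{FN}anyURI-equal">
      <AttributeValue DataType="{XS}anyURI">http://library.com/record/</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS}anyURI"/>
    </ResourceMatch>
  </Resource></Resources></Target>
  <Rule RuleId="rule1" Effect="Permit"><Condition>
    <Apply FunctionId="{FN}string-is-in">
      <Apply FunctionId="{FN}string-one-and-only">
        <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS}string"/>
      </Apply>
      <Apply FunctionId="{FN}string-bag">
        <AttributeValue DataType="{XS}string">write</AttributeValue>
        <AttributeValue DataType="{XS}string">read</AttributeValue>
      </Apply>
    </Apply>
  </Condition></Rule>
  <Rule RuleId="rule2" Effect="Deny"/>
</Policy>"""


class Indeterminate(Exception):
    """A function could not be evaluated, e.g. one-and-only on a bag of size != 1."""


def eval_expr(node, request):
    """Evaluate a Condition expression to a value, a bag (list) or a bool."""
    tag = node.tag.rpartition("}")[2]
    if tag == "AttributeValue":
        return node.text
    if tag.endswith("AttributeDesignator"):
        return list(request.get(node.get("AttributeId"), []))  # empty bag if absent
    if tag == "Apply":
        fn = node.get("FunctionId")[len(FN):]
        args = [eval_expr(child, request) for child in node]
        if fn == "string-one-and-only":
            if len(args[0]) != 1:
                raise Indeterminate(f"one-and-only on a bag of size {len(args[0])}")
            return args[0][0]
        if fn == "string-bag":
            return args
        if fn == "string-is-in":
            return args[0] in args[1]
    raise Indeterminate(f"unsupported element or function: {tag}")


def target_matches(target, request):
    """XACML 2.0 Target: each section present (Subjects/Resources/Actions) needs
    one disjunct whose *Match children all hold; a missing Target matches all."""
    if target is None:
        return True
    for section in target:
        if len(section) and not any(
                all(m[0].text in request.get(m[1].get("AttributeId"), []) for m in d)
                for d in section):
            return False
    return True


def eval_rule(rule, request):
    if not target_matches(rule.find("x:Target", NS), request):
        return "NotApplicable"
    condition = rule.find("x:Condition", NS)
    try:
        if condition is not None and eval_expr(condition[0], request) is not True:
            return "NotApplicable"
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect")


def evaluate(policy_xml, request):
    """first-applicable: the first rule that is not NotApplicable decides, and an
    Indeterminate rule makes the whole policy Indeterminate."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId").endswith(":first-applicable"):
        raise NotImplementedError("only first-applicable is implemented here")
    if not target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        decision = eval_rule(rule, request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def pep_allows(decision):
    """Deny-biased PEP: anything but an explicit Permit is refused."""
    return decision == "Permit"


def request(actions, resource):
    return {ACTION_ID: list(actions), RESOURCE_ID: [resource]}


RECORD = "http://library.com/record/"
CATALOG = "http://library.com/catalog/"  # constructed, not in the policy


def demo():
    """Four constructed requests: only the first is permitted, and the
    'deny everything else' rule never fires outside the policy Target."""
    return {
        "read record": evaluate(POLICY_XML, request(["read"], RECORD)),              # Permit
        "delete record": evaluate(POLICY_XML, request(["delete"], RECORD)),          # Deny
        "read catalog": evaluate(POLICY_XML, request(["read"], CATALOG)),            # NotApplicable
        "two action-ids": evaluate(POLICY_XML, request(["read", "delete"], RECORD)),  # Indeterminate
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} -> {decision:14} PEP allows: {pep_allows(decision)}")
```

The last two cases are the ones a test suite for this policy must contain: a PEP that treats NotApplicable or Indeterminate as anything other than a refusal turns both into an authorization bypass, and a policy author reading rule2 as "deny everything else" is deceived about what the PDP actually answers.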
Policy testing
Provide test strategies for test suite generation so as to simulate correct or improper usage of data and resources by execution of test suites.
(figure: from the policies specification, test suite 1 for User1 and test suite 2 for User2 exercise different combinations of data and resources)
Testing Purpose
The same test setting serves two purposes, which differ in what the System Under Test (SUT) is:
•  Testing the policy specification: the SUT is the set of policies loaded into the PDP
•  Testing the policy implementation (PDP): the SUT is the PDP itself
(figure: the test suite sends requests to the PDP, which evaluates them against the policies; the oracle checks each reply and issues the verdict)
XACML testing
Different types of approaches have been proposed, including:
•  Structural coverage of XACML elements
•  Combinatorial (Targen, X-CREATE)
•  Category-partition (X-CREATE)
•  Change-impact based
•  Model-based
•  …
Targen
Targen (*) is a seminal tool on XACML testing that is the closest competitor to X-CREATE.
Targen applies a combinatorial approach on the attribute values: for each target included in the policy under test it derives as many requests as there are combinations of the values of the attributes found in the subject, resource and action sections.
(*) E. Martin and T. Xie, "Automated test generation for access control policies," in Supplemental Proc. of ISSRE, November 2006.
Our approach
X-CREATE
XaCml REquests derivAtion for TEsting
The X-CREATE tool supports several different test derivation strategies based on a combinatorial approach.
It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xcreate/public/main
Original idea: we exploit the XML nature of XACML and adapt our previous tool TAXI for XML test generation.
…so, let's now open a brief parenthesis about TAXI…
TAXI
•  A tool for systematic document generation from XML Schema
•  It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/taxi/public/main
The eXtensible Markup Language (XML)
•  The eXtensible Markup Language (XML) is a markup language which is a standard format to store information and data.
•  XML documents are tree-structured documents in which data are formatted/organised using tags.
<?xml version="1.0" encoding="ISO-8859-1"?>
<card>
  <name>John Doe</name>
  <title>CEO, Widget Inc.</title>
  <email>john.doe@widget.com</email>
  <phone>(202) 456-1414</phone>
</card>
XML & XML Schema
•  XML Schema provides a means for defining the structure and content of XML documents
•  In the open networked world, XML Schema supports interoperability between independently developed applications
(figure: independently developed applications, labelled Chinese and Italian, interoperating through a shared XML Schema)
Automatic XML-Based Testing and Benchmarking
Our systematic approach
The approach has been inspired at large by the well-known semi-automated Category Partition methodology for systematic test generation…
…or, you can think of it as grammar-based generation on the XSD syntax, although we have also introduced practical rules.
Mapping CP to XPT
CP (*)                          XPT
Analyze Specifications          Preprocessor
Identify Functional Units       Identify Sub-Schema Sets
Partition Categories            Identify Types
Select Choices                  Partition Values and Structures
Determine Constraints           Determine "valid/invalid" constraints
Generate Test Specification     Generate Intermediate Instances
Generate Test Cases             Generate Final Instances
(*) Thomas J. Ostrand and Marc J. Balcer. The category-partition method for specifying and generating functional tests. Communications of the ACM, 31(6), 1988.
Identification of Sub-Schema Sets
<choice> elements partition the XML Schema into distinct sets corresponding to the CP functional units.
(figure: a schema with two <choice> elements, one between A and B and one between 1 and 2, is split into four sub-schemas, A1, A2, B1 and B2, each with the choices resolved into a plain <sequence>; the CP-to-XPT mapping is shown alongside with "Identify Sub-Schema Sets" highlighted)
Intermediate Instances
•  Generate intermediate instances by combining the values of "minOccurs" and "maxOccurs".
•  Apply the conventional Boundary Condition test approach to reduce the combinations.
(figure: a sub-schema with element A [minOccurs=0, maxOccurs=3] and element B [minOccurs=2, maxOccurs=4] yields four intermediate instances, one per combination of the boundary values: A occurs=0/B occurs=2, A occurs=3/B occurs=2, A occurs=0/B occurs=4, A occurs=3/B occurs=4; the CP-to-XPT mapping is shown alongside with "Generate Intermediate Instances" highlighted)
Potential Applications
•  For validating database management systems:
   - automatically generate valid XML instances for populating the database
   - evaluate the performance and the quality of the associated management systems
•  For testing the inter-operability between applications and for enabling the correct interactions among the interfaces used by remote components in distributed systems:
   - automatic and controlled generation of valid and invalid instances enables the automated testing of I/O behavior
•  For verifying the proper communication protocols between web services:
   - SOAP-based interaction between services exploiting the corresponding XML Schemas…
•  …
Further Reading:
Bertolino, Antonia, Jinghua Gao, Eda Marchetti, and Andrea Polini. "Automatic test data generation for XML schema-based partition testing." In Proc. of the Second International ICSE Workshop on Automation of Software Test, p. 4. IEEE Computer Society, 2007.
Bartolini, Cesare, Antonia Bertolino, Eda Marchetti, and Andrea Polini. "WS-TAXI: A WSDL-based testing tool for web services." In Proc. ICST'09, pp. 326-335. IEEE, 2009.
X-CREATE Testing Framework
(figure: request structures and the policies specification are combined into instantiated requests)
Implements several testing strategies:
•  Preliminary XPT (XML Partition Testing)
•  Incremental XPT
•  Simple Combinatorial
•  Multiple Combinatorial
•  Hierarchical Simple
•  Hierarchical Incremental
Preliminary XPT Main Idea
Inspired by TAXI: derive (once and for all) a universally valid generic test suite of conforming requests by applying:
•  A variant of the Category Partition methodology
•  The Boundary Conditions methodology
Each request in this generic test suite is a general structure of a valid XACML request instance.
(figure: XACML Context Schema -> request structures -> conforming test suite)
XPT implementation
The tool consists of three main components:
•  an intermediate-request generator, which is based on the XPT approach for intermediate instances (request structures) generation
•  a policy analyzer, which selects the input values from the policy specification, and
•  a values manager, which distributes the input values to the request structures.
A Sketch of the XACML Context Schema
(figure: in the sketch, each element with unbounded occurrence is annotated with the candidate occurrence counts {1, …, k/2, …, k}, or {0, …, k/2, …, k} when minOccurs is 0)
1.  Fix the unbounded occurrence to K
2.  Apply the XPT strategy to the obtained schema
We thus automatically obtain a set of different
Request Structures
Example of request structure
<Request>
<Subject> </Subject>
<Subject> </Subject>
<Resource> </Resource>
<Action> </Action>
</Request>
118098! Too many!
10 elements with unbounded occurrence and 1 having [0,1] cardinality -> 3^10 * 2^1 = 118098 request structures (still to be filled with values…)
We need to apply some approach to select those request structures that could maximize the fault detection capability.
Note: the full set of request structures needs to be derived once and for all; only the selection of the subset is redone each time.
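Added example (not the TAXI or X-CREATE implementation) covering both the Intermediate Instances step and the count just given: the boundary-based choice of occurrence counts per element, and the Cartesian product that turns the chosen counts into intermediate instances, i.e. request structures still to be filled with values. The two-element sub-schema is the one from the Intermediate Instances figure; the eleven-element sketch is constructed only to reproduce the 3^10 * 2 = 118098 count and is not the real XACML context schema.

```python
# Added example, not the TAXI / X-CREATE code: XPT's boundary-based choice of
# occurrence counts and the Cartesian product giving the intermediate instances.
import math
from itertools import product

UNBOUNDED = None  # stands for maxOccurs="unbounded"


def boundary_occurrences(min_occurs, max_occurs, k=4):
    """Occurrence counts kept for one element.  A bounded element keeps its two
    boundaries; an unbounded one is first capped at K and then keeps the
    minimum, K//2 and K, as in the sketch of the XACML context schema.
    (With K below 4 some of these coincide and the set shrinks.)"""
    if max_occurs is UNBOUNDED:
        return sorted({min_occurs, k // 2, k})
    return sorted({min_occurs, max_occurs})


def occurrence_choices(schema, k=4):
    """schema: dict element name -> (minOccurs, maxOccurs), in document order."""
    return {name: boundary_occurrences(lo, hi, k) for name, (lo, hi) in schema.items()}


def intermediate_instances(schema, k=4):
    """Yield every intermediate instance: one occurrence count per element."""
    choices = occurrence_choices(schema, k)
    for combo in product(*choices.values()):
        yield dict(zip(choices, combo))


def count_instances(schema, k=4):
    """Size of the full set without materialising it."""
    return math.prod(len(c) for c in occurrence_choices(schema, k).values())


def render(instance):
    """Serialise an instance as an unfilled request structure."""
    body = "".join(f"<{name}></{name}>" * count for name, count in instance.items())
    return f"<Request>{body}</Request>"


# Sub-schema from the Intermediate Instances figure.
FIGURE_SUBSCHEMA = {"A": (0, 3), "B": (2, 4)}

# Constructed flat sketch reproducing the count on the slide (ten elements with
# unbounded occurrence plus one with cardinality [0,1]); not the real schema.
SKETCH = {f"Unbounded{i}": (i % 2, UNBOUNDED) for i in range(10)}
SKETCH["Optional"] = (0, 1)

if __name__ == "__main__":
    for instance in intermediate_instances(FIGURE_SUBSCHEMA):
        print(instance, render(instance))
    print(count_instances(SKETCH))  # 3**10 * 2 = 118098
```

The generator is lazy on purpose: at 118098 structures the full set is cheap to count but wasteful to keep, and the selection step the slides call for works on a subset anyway.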
Policy Under-Test Analyzer
Take values from the policy under test for elements and attributes. Four value sets are defined:
•  SubjectSet
•  ResourceSet
•  ActionSet
•  EnvironmentSet
For robustness and negative testing, random values for elements and attributes are added.
Example of results from the policy analyser (figure)
Request Values Manager
Responsible for the final requests generation. Two possible approaches, using either standard structures or combinatorial structures:
1.  Pure combinatorial approach using all the values in the 4 sets
2.  Hierarchical combination (to focus the request generation on a specific part of a policy)
How many combinations?
Avoiding duplication, derive all combinations of subject “entities”, resource “entities”, action “entities” and environment “entities” by applying:
•  the pair-wise combination (PW)
•  the three-wise combination (TW)
•  the four-wise combination (FW)
Note: The number of combinations strictly depends on the policy considered
Examples
Example of request
<Request>
<Subject>Mario Rossi</Subject>
<Resource>personal id</Resource>
<Action>read</Action>
</Request>
Example of request
<Request>
<Subject>s2</Subject>
<Resource>personal id</Resource>
<Action>a2</Action>
</Request>
Example of request
<Request>
<Subject>Mario Rossi</Subject>
<Subject>s2</Subject>
<Resource>p2</Resource>
<Action>read</Action>
<Environment>e2</Environment>
</Request>
X-CREATE vs. Targen
We considered the available policies used also for the Targen presentation
We applied mutation to the policies to introduce faults
We used the same mutation operators for XACML policies indicated in the Targen experiment
We used the sets of mutants obtained for answering the
two Research Questions:
TSEff: Is the test suite derived by X-CREATE more effective than that derived by Targen?
TSIncr: Is the capability provided by X-CREATE to vary the test request number and structure useful to increase effectiveness?
Some Results
We generated the same number of requests generated by the Targen tool for each policy, so as to get a fair comparison
We only derived the data for PolicyExample; the others are from the Targen evaluation
Well done!! …but can we do better?
•  New methodology for request structures
generation (Incremental XPT)
•  New specific test strategy providing a
stopping criterion (Simple Combinatorial)
Incremental XPT
We introduce a modified (reduced) schema as follows:
•  one value for the <AttributeValue>
•  zero to minOccurs and maxOccurs of the ResourceContent element and those of the contained <Any> element, because they are not used in test values generation
We end up with 3^6 = 729 request structures
Simple Combinatorial
Idea: derive as many requests as the possible combinations of the values of the subjects, resources, actions and environment of the XACML policy.
•  The derived requests are first those obtained using all combinations of the Pairwise set, then of the 3wise set and finally those of the 4wise set.
•  The maximum number of requests derived by this strategy is equal to the cardinality of the 4wise set.
The resulting number of combinations could also be used as a stopping criterion for the test case generation in XPT
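The PW/TW/FW combination of the policy's entity values and the Simple Combinatorial ordering described above, as an added example that is not X-CREATE's own code. The value sets are constructed here (the first values echo the slides' example requests); the greedy covering routine and all function names are assumptions of this example.

```python
from itertools import combinations, product
from xml.etree import ElementTree as ET

# Constructed value sets standing in for the output of the Policy Under-Test Analyzer
# (SubjectSet, ResourceSet, ActionSet, EnvironmentSet); the last Environment value
# plays the role of a random robustness value.
VALUE_SETS = {
    "Subject": ["Mario Rossi", "s2"],
    "Resource": ["personal id", "p2"],
    "Action": ["read", "a2"],
    "Environment": ["e2", "RandomValue_xyz"],
}


def t_wise_cover(sets, t):
    """Greedy t-wise covering set drawn from the full product of the value sets.

    Every t-tuple of (entity, value) pairs must occur in at least one request;
    the candidate covering the most still-uncovered tuples is picked each round.
    With t equal to the number of entity kinds (4) every candidate covers a
    distinct tuple, so the result is the full product, i.e. the 4wise set.
    """
    names = list(sets)
    candidates = [dict(zip(names, vals)) for vals in product(*(sets[n] for n in names))]
    uncovered = set()
    for params in combinations(names, t):
        for vals in product(*(sets[p] for p in params)):
            uncovered.add(tuple(zip(params, vals)))
    chosen = []
    while uncovered:
        def gain(cand):
            return sum(all(cand[p] == v for p, v in tup) for tup in uncovered)
        best = max(candidates, key=gain)   # some candidate always covers a missing tuple
        chosen.append(best)
        candidates.remove(best)
        uncovered = {tup for tup in uncovered if not all(best[p] == v for p, v in tup)}
    return chosen


def simple_combinatorial(sets):
    """Requests in the order the strategy prescribes: the whole Pairwise set first,
    then the 3wise set, finally the 4wise set, skipping duplicates."""
    ordered, seen = [], set()
    for t in (2, 3, 4):
        for combo in t_wise_cover(sets, t):
            key = tuple(sorted(combo.items()))
            if key not in seen:
                seen.add(key)
                ordered.append(combo)
    return ordered


def stopping_criterion(sets):
    """Cardinality of the 4wise set: the maximum number of requests the strategy derives."""
    total = 1
    for values in sets.values():
        total *= len(values)
    return total


def to_request_xml(combo):
    """Render one combination in the simplified <Request> structure shown on the slides."""
    req = ET.Element("Request")
    for name in ("Subject", "Resource", "Action", "Environment"):
        ET.SubElement(req, name).text = combo[name]
    return ET.tostring(req, encoding="unicode")


def covers_all_tuples(sets, suite, t):
    """True when every t-tuple of entity values occurs in some request of the suite."""
    names = list(sets)
    for params in combinations(names, t):
        for vals in product(*(sets[p] for p in params)):
            if not any(all(c[p] == v for p, v in zip(params, vals)) for c in suite):
                return False
    return True


if __name__ == "__main__":
    suite = simple_combinatorial(VALUE_SETS)
    print(f"{len(suite)} requests, stopping criterion {stopping_criterion(VALUE_SETS)}")
    for combo in suite[:3]:
        print(to_request_xml(combo))
```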
Incremental XPT vs. Simple Combinatorial
Evaluation of the test strategies effectiveness:
•  Define a set of XACML policies
•  Apply mutation to each policy to introduce faults
•  Execute each set of test cases on the policy and its mutants
•  Establish the winner in each match
XPT vs. Simple Combinatorial
The same number of requests for each policy
[Chart: fault detection per policy, Simple Combinatorial vs. Incremental XPT]
The effectiveness of the Incremental XPT is generally higher than that of the Simple Combinatorial strategy
In two cases the fault detection of the Simple Combinatorial is higher than that of Incremental XPT
Deeper Analysis
Incremental XPT is the winner when the access
decision of the policy rules depends concurrently
on the values of more than one subject or
resource or action or environment entity
Simple Combinatorial is the winner when the
policies are simple and the satisfiability of the
policy rules depends on the combinations of a
single subject, resource, action and environment
entity
How to evaluate XACML testing approaches?
The mutation approach typically used in software
testing has been adapted to XACML policy
testing
XACMUT: XACML 2.0 Mutants Generator
It can be downloaded from our laboratory page at:
http://labsewiki.isti.cnr.it/labsedc/tools/xacmut/public/main
Our tool
XACMUT
•  A set of mutation operators addressing specific faults of the XACML 2.0 access control policy
•  XACMUT (XACml MUTation):
   •  generates the set of mutants
   •  provides facilities to run a given test suite on the mutants set
   •  computes the test suite effectiveness in terms of mutation score
Previous work
Proposal1*
Preliminary set of mutation operators for XACML policies.
Not included:
•  all the important criticalities of the XACML policy specification
•  most of the available XACML functions
Proposal2**
•  Set of mutation operators based on a metamodel
•  simulate the faults in the security models independently from the role-based formalism (R-BAC, OrBAC, …)
Peculiarity: the mutation operators cannot be directly applied to XACML
*E. Martin and T. Xie, “A fault model and mutation testing of access control policies,” in Proc. of WWW, May 2007, pp. 667–676
**T. Mouelhi, F. Fleurey, and B. Baudry, “A generic metamodel for security policies mutation,” in Proc. of ICSTW, 2008, pp. 278–286
Mutation operators of Proposal1
•  Policy Set Target True (PSTT) - removes the Target of each PolicySet ensuring that the PolicySet is applied to all requests
•  Policy Set Target False (PSTF) - modifies the Target of each PolicySet such that the PolicySet is never applied to a request
•  Policy Target True (PTT) - removes the Target of each Policy ensuring that the Policy is applied to all requests
•  Policy Target False (PTF) - modifies the Target of each Policy ensuring that the Policy is never applied to a request
•  Rule Target True (RTT) - removes the Target of each rule ensuring that the Rule is applied to all requests
•  Rule Target False (RTF) - modifies the Target of each rule such that the Rule is never applied to a request
Mutation operators of Proposal1 (cont.)
•  Rule Condition True (RCT) - removes the condition of each Rule ensuring that the Condition always evaluates to True
•  Rule Condition False (RCF) - manipulates the Condition values or the Condition functions ensuring that the Condition always evaluates to False
•  Change Policy Combining Algorithm (CPC) - replaces the existing policy combining algorithm with another policy combining algorithm. The set of considered policy combining algorithms is {deny-overrides, permit-overrides, first-applicable, only-one-applicable}
•  Change Rule Combining Algorithm (CRC) - replaces the existing rule combining algorithm with another rule combining algorithm. The set of considered rule combining algorithms is {deny-overrides, permit-overrides, first-applicable}
•  Change Rule Effect (CRE) - changes the rule effect by replacing Permit with Deny or Deny with Permit
Policy Target True (PTT) example
Gold policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target></Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Gold policy: a request with http://library.com/record resource will be applicable
Mutated policy: a request with any resource will be applicable
Policy Target False (PTF) example
Gold policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>RandomValue##+]][[*##_####987654
32_RandomValue456Mutant_xyz
</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy: no request will be applicable
Mutation operators of Proposal2
•  RPT - replaces a rule parameter having a type with another parameter of a different rule having the same type. In the XACML language the rule parameters correspond to subjects, resources, actions and environments
•  PPR - chooses one rule from the set of rules, and then replaces the status with the opposite one
   •  it coincides with the CRE operator of Proposal1
•  ANR - adds a new rule containing a new combination of parameters that is not specified in the existing rules of the policy
•  RER - chooses one rule and removes it
•  PPD - replaces a parameter with one of its descending parameters
   •  it is not applicable to the XACML 2.0 language
   •  the roles and resources hierarchy is only considered in policies compliant to the Core and Hierarchical RBAC profile and to the Hierarchical resource profile of XACML 2.0
We adapt the RPT, PPR, ANR and RER high level operators to the XACML language
Remove Rule (RER) example
Gold policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy: a request with http://library.com/record resource will be denied
Change Rule Effect (CRE) example
Gold policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Permit"></Rule>
</Policy>
Mutated policy: a request with http://library.com/record resource will be allowed
Our new Mutation operators
•  RemoveUniquenessFunction (RUF) - removes the type-one-and-only function (type refers to a primitive type: string, integer, double, etc.) from the rule condition, forcing the function evaluation to True and False
•  AddUniquenessFunction (AUF) - adds the type-one-and-only function referring to each AttributeDesignator or AttributeSelector element of the rule Condition, forcing the function evaluation to True and False
•  Change-N-OF-Function (CNOF) - changes the n parameter of the n-of function. The argument n specifies the minimum number of the boolean arguments (M) that must be evaluated to True for the expression to be considered True. We set n to 0, M-1 and M+1
•  ChangeLogicalFunction (CLF) - replaces a logical function (and, or, n-of) with another one. We set the n argument of the n-of function equal to 0, forcing the function evaluation always to True
•  AddNotFunction (ANF) - adds the not function as first function of each Condition element
Our new Mutation operators (cont.)
•  RemoveNotFunction (RNF) - deletes the not function defined in the condition
•  ChangeComparisonFunction (CCF) - replaces a comparison function (type-equal, type-greater-than, type-greater-than-or-equal, type-less-than, type-less-than-or-equal) with another one
•  FirstPermitRule (FPR) - moves in each policy the rules having a Permit effect before those having a Deny effect
•  FirstDenyRule (FDR) - moves in each policy the rules having a Deny effect before those having a Permit effect
"//G&%Q),2+&,!@"GQA!$S*(-4$!
X&4/!-&402=!
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:not">
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Gold policy: a request with read or write will be allowed
Mutated policy: a request with read or write will be denied
FirstDenyRule (FDR) example
Gold policy (evaluate rule1 and then rule2):
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy (evaluate rule2 and then rule1):
<Policy
RuleCombiningAlgId="first-applicable"
PolicyId="policyExample">
<Target>
<Resource>
<AttributeValue>http://library.com/record/</AttributeValue>
</Resource>
</Target>
<Rule RuleId="rule2" Effect="Deny"></Rule>
<Rule RuleId="rule1" Effect="Permit">
<Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id"
DataType="string"/>
</Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
A request with read or write will be allowed
A request with read or write will be denied
since the first rule will be applied
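The XACMUT workflow in miniature, as an added example that is not XACMUT's own code: a few of the operators above (PTT, PTF, CRE, RER, ANF, FDR) applied to the slides' simplified policy, a toy first-applicable evaluator that understands only that policy's constructs, and the mutation score of a request set. The policy text is reproduced as constructed input with the abbreviated FunctionIds used on the slides rather than the full XACML 2.0 URIs; the evaluator and all function names are assumptions of this example.

```python
import copy
from xml.etree import ElementTree as ET

# Constructed input: the slides' gold policy with the abbreviated FunctionIds.
GOLD_POLICY_XML = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
<Target><Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource></Target>
<Rule RuleId="rule1" Effect="Permit"><Condition>
<Apply FunctionId="function:string-is-in">
<Apply FunctionId="function:string-one-and-only">
<ActionAttributeDesignator AttributeId="action:id" DataType="string"/></Apply>
<Apply FunctionId="function:string-bag">
<AttributeValue DataType="string">write</AttributeValue>
<AttributeValue DataType="string">read</AttributeValue></Apply>
</Apply></Condition></Rule>
<Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""


def load_gold():
    return ET.fromstring(GOLD_POLICY_XML)


# ---- mutation operators: each returns a mutated deep copy of the policy tree ----
def ptt(policy):
    """Policy Target True: empty the Target so the policy applies to every request."""
    m = copy.deepcopy(policy)
    m.find("Target").clear()
    return m


def ptf(policy):
    """Policy Target False: a Target value no request will match."""
    m = copy.deepcopy(policy)
    m.find("Target/Resource/AttributeValue").text = "RandomValue_Mutant_xyz"
    return m


def cre(policy, rule_id):
    """Change Rule Effect: Permit <-> Deny on the given rule."""
    m = copy.deepcopy(policy)
    rule = m.find(f"Rule[@RuleId='{rule_id}']")
    rule.set("Effect", "Deny" if rule.get("Effect") == "Permit" else "Permit")
    return m


def rer(policy, rule_id):
    """Remove Rule."""
    m = copy.deepcopy(policy)
    m.remove(m.find(f"Rule[@RuleId='{rule_id}']"))
    return m


def anf(policy):
    """Add Not Function: wrap the top-level Apply of each Condition in function:not."""
    m = copy.deepcopy(policy)
    for cond in list(m.iter("Condition")):
        inner = cond[0]
        cond.remove(inner)
        ET.SubElement(cond, "Apply", FunctionId="function:not").append(inner)
    return m


def fdr(policy):
    """First Deny Rule: move Deny rules before Permit rules (relative order kept)."""
    m = copy.deepcopy(policy)
    rules = m.findall("Rule")
    for rule in rules:
        m.remove(rule)
    m.extend(sorted(rules, key=lambda r: r.get("Effect") != "Deny"))
    return m


# ---- toy PDP: only the functions appearing in the policy above are modelled ----
def _apply(node, request):
    fid, args = node.get("FunctionId"), list(node)
    if fid == "function:string-bag":
        return [a.text for a in args]
    if fid == "function:string-one-and-only":   # the action designator, one value
        return request["action"]
    if fid == "function:string-is-in":
        return _apply(args[0], request) in _apply(args[1], request)
    if fid == "function:not":
        return not _apply(args[0], request)
    raise ValueError(f"unsupported function {fid}")


def evaluate(policy, request):
    """First-applicable evaluation; returns Permit, Deny or NotApplicable."""
    target_value = policy.find("Target/Resource/AttributeValue")
    if target_value is not None and target_value.text != request["resource"]:
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if cond is None or _apply(cond[0], request):
            return rule.get("Effect")
    return "NotApplicable"


def build_mutants(gold):
    return {"PTT": ptt(gold), "PTF": ptf(gold), "CRE-rule1": cre(gold, "rule1"),
            "RER-rule1": rer(gold, "rule1"), "ANF": anf(gold), "FDR": fdr(gold)}


def mutation_score(gold, mutants, requests):
    """Share of mutants killed: a mutant dies when some request gets a decision
    different from the gold policy's (the gold policy acts as the oracle)."""
    killed = sum(any(evaluate(m, r) != evaluate(gold, r) for r in requests)
                 for m in mutants.values())
    return killed / len(mutants)
```

A single request for the record resource kills every mutant but PTT, whose empty Target only shows up when a request for a different resource is added.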
XACMUT
Mutation operators for XACML policies
Proposal1: PSTT, PSTF, PTT, PTF, RTT, RTF, RCT, RCF, CPC, CRC, CRE
Proposal2: RPT, ANR, RER, PPD
New operators: RUF, AUF, CNOF, CLF, ANF, CCF, FPR, FDR
XACMUT Main Interface
Experimental Setting
Policy       #Rule #Cond #Sub #Res #Act #Funct #TS   Proposal1   Proposal2   New Operators   Total
                                                      #M   %E     #M   %E     #M   %E         #M   %E
demo-5         3     2     2    3    2     4     39   18   67     43   21     37   86         98   54
demo-11        3     2     2    3    1     5     35   16   63     29   21     32   84         77   56
demo-26        2     1     1    3    1     4     32   13   31     28   14     31   77         72   44
student1       2     0     5    2    2     2     85   12   75    336   58     85   98        433   67
student2       2     0    11    2    2     2     24   23   70      6   50     29   67         58   67
create-doc     3     2     1    2    1     3      8   14   86      3   67     19   74         36   78
read-doc       4     3     2    4    1     3      7   17   53      4    0     26   54         47   49
delete-doc     3     2     1    3    1     3      6   14   57      3    0     21   57         38   53
university1    3     0    24    3    3     2    203   18   72    109   85     61   97        188   88
university2    3     0    23    3    3     2     33   12   75     56   79     37   95        105   84
M: Mutants   E: Test suite Effectiveness (%)   TS: Test Suite derived using Targen
And now…
Forget everything you have just learned about
XACML-based control of access, because ….
is the new big thing ahead !!!
Usage Control Model: Beyond Access Control
[Figure: a usage timeline. Traditional access control takes a pre decision before usage; usage control adds an ongoing decision during ongoing usage, plus mutability of attributes through pre update, ongoing update and post update, up to after usage.]
Usage Control Model (UCON)*
Is based on:
Authorizations
Obligations
Conditions
Mutability of Attributes
Continuous policy enforcement
* Defined by J. Park and R. Sandhu, The UCON Usage Control Model. ACM Trans. On
Information and System Security, 7(1), 2004
Policy Language (based) on Process Algebra (PolPA)*
•  A formal policy language for UCON
•  An operational language based on process description languages
•  The idea is to describe the allowed sequences of actions
(commands)
•  Policies can thus be formally verified, compared, minimized,
refined
*F. Martinelli and P. Mori, “On usage control for grid systems,” Future Generation
Computer Systems, vol. 26, no. 7, pp. 1032–1042, 2010
Usage control commands
tryaccess(s, r, a): performed by subject s when performing a new access
request (s, r, a)
permitaccess/denyaccess(s, r, a): performed by the system when
granting/denying the access request (s, r, a)
endaccess(s, r, a): performed by subject s when ending an access (s, r, a)
revokeaccess(s, r, a): performed by the system when revoking an ongoing
access (s, r, a)
update(attribute): updating a subject or an object attribute
Commands composition operators: ., or, par
Example of PolPA Policy
PolPA Authorization System
Testing Purpose
[Figure: the Test Suite issues requests to the SUT, i.e. the PDP loaded with the Policies; each reply is checked by the Oracle, which emits the verdict.]
PDP (Policy Decision Point): evaluates the requests against the
usage control policies
How to do PDP testing?
Emulate a possible PEP by issuing tryaccess and endaccess
commands to the PDP
Which test approach?
•  A test case (request) is a sequence of commands (tryaccess/endaccess) with a variable number of action parameters
•  Traditional combinatorial approaches are not suitable since they do not specifically address the commands order
•  We propose:
   •  a fault model and the corresponding mutation operators classes for the PolPA language
   •  a test cases derivation strategy from the fault model
Testing procedure
A.  Apply fault-model mutation classes to the PolPA policy (FMM)
B.  Derive a set of mutants (each mutant is a faulty policy) (FPG)
C.  Apply the test case generation strategy to each policy (gold policy and all derived faulty policies) (TCG)
D.  Execute test cases (TD)
E.  Analyze test results (TO)
Mutation classes
•  Change Composition Operator (CCO) implements a violation of the order of execution of the commands
•  Change Command (CC) implements faults in the execution of a command
•  Change Guard String Predicate (CGSP) implements a wrong management of the values of string parameters
•  Change Guard Integer Predicate (CGIP) implements a wrong management of the values of integer parameters
Depth-first visit of the policy
Depth-first visit of the faulty policy (CCO class)
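The testing procedure above (mutation classes applied to a policy, test sequences derived by a depth-first visit of the gold and faulty policies, mutants revealed by diverging verdicts) as an added example that is not the PolPA tool's own code. The tuple-based policy syntax, the sample policy and every function name are assumptions of this example; only the commands and the three composition operators come from the slides.

```python
def cmd(name, s, r, a):
    """A usage-control command (tryaccess/endaccess) with its (subject, resource, action)."""
    return ("cmd", f"{name}({s}, {r}, {a})")


def seq(*ps):   # the '.' operator
    return ("seq",) + ps


def alt(*ps):   # the 'or' operator
    return ("or",) + ps


def par(*ps):   # the 'par' operator
    return ("par",) + ps


def interleave(t, u):
    """All interleavings of two command tuples, preserving the order inside each."""
    if not t or not u:
        return {t + u}
    return ({(t[0],) + w for w in interleave(t[1:], u)} |
            {(u[0],) + w for w in interleave(t, u[1:])})


def traces(node):
    """Depth-first visit of the policy tree: the set of command sequences it accepts.
    Each sequence is one test case for the PDP loaded with this policy."""
    kind, *children = node
    if kind == "cmd":
        return {(children[0],)}
    if kind == "or":
        return set().union(*(traces(c) for c in children))
    result = {()}
    for c in children:
        if kind == "seq":
            result = {t + u for t in result for u in traces(c)}
        else:  # "par"
            result = {w for t in result for u in traces(c) for w in interleave(t, u)}
    return result


def _nodes(node, path=()):
    """Yield (path, subtree) for every node, depth-first; path = child indexes."""
    yield path, node
    if node[0] != "cmd":
        for i, c in enumerate(node[1:]):
            yield from _nodes(c, path + (i,))


def _replace_at(node, path, new):
    """Copy of the tree with the subtree at `path` replaced by `new`."""
    if not path:
        return new
    kind, *children = node
    children[path[0]] = _replace_at(children[path[0]], path[1:], new)
    return (kind,) + tuple(children)


def cco_mutants(policy):
    """CCO class: violate the execution order by swapping the first two operands of a '.'."""
    out = []
    for path, node in _nodes(policy):
        if node[0] == "seq" and len(node) > 2:
            kind, first, second, *rest = node
            out.append(_replace_at(policy, path, (kind, second, first, *rest)))
    return out


def cc_mutants(policy):
    """CC class: fault in one command, here tryaccess turned into endaccess or vice versa."""
    swap = {"tryaccess": "endaccess", "endaccess": "tryaccess"}
    out = []
    for path, node in _nodes(policy):
        if node[0] == "cmd":
            name, args = node[1].split("(", 1)
            out.append(_replace_at(policy, path, ("cmd", f"{swap[name]}({args}")))
    return out


def killing_tests(gold, mutant):
    """Test cases whose expected verdict (from the gold policy) differs under the mutant:
    sequences only the gold accepts (expected permit, the faulty PDP would deny) and
    sequences only the mutant accepts (expected deny, the faulty PDP would permit)."""
    g, m = traces(gold), traces(mutant)
    return sorted(g - m), sorted(m - g)


# Constructed policy: u may read R1 and, while that access is open, may also read R2.
GOLD = seq(cmd("tryaccess", "u", "R1", "read"),
           par(cmd("endaccess", "u", "R1", "read"),
               seq(cmd("tryaccess", "u", "R2", "read"),
                   cmd("endaccess", "u", "R2", "read"))))

if __name__ == "__main__":
    for test in sorted(traces(GOLD)):
        print(" . ".join(test))
    for mutant in cco_mutants(GOLD) + cc_mutants(GOLD):
        permit_tests, deny_tests = killing_tests(GOLD, mutant)
        print(len(permit_tests), "expected-permit and", len(deny_tests), "expected-deny tests reveal it")
```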
Experimental Data
Mutant class   #Mutants   #Executed test cases   #Faults
Policy            -               2                 0
CCO              14              45                 0
CC               56              84                 9
CGSP              4               8                 0
CGIP              4               8                 0
Total            78             175                 9
•  for 9 test cases (of 84) the responses were not the expected ones
•  all faults given by test cases derived by mutants having 2 tryaccess(user_id, R1, A(x1, x2))
•  the PDP implementation allows for tryaccess an arbitrary number of times (specific application constraint)
We have covered:
•  XML-based testing and TAXI tool
•  XACML combinatorial testing and X-CREATE tool
•  XACML mutations and XACMUT tool
•  Usage-control systems and testing of PolPA
quite enough for today!
What after?
Concerning access control
-- we are integrating the tools into a continuous
framework
-- supporting the policy developer after a problem
is detected in debugging the policy
Concerning usage control
-- provide support for continuous on-line testing
(already ongoing)
-- towards standardized U-XACML
not only technology
humans
Social engineering
•  People are generally considered the weakest link in information assurance
•  As organizations improve their security processes and technologies, more and more attackers focus on exploiting human errors or ingenuity
•  So-called social engineering malware is rising as the most successful tactic: it manipulates the natural human tendency to trust
Figure from Sherly Abraham, InduShobha Chengalur-Smith, An overview of social engineering malware: Trends, tactics, and implications, Technology in Society, 32 (3), 2010, 183–196
So the message is:
-  Stay informed on the technology
-  Adopt best practice and protect your data,
-  Test your security mechanisms, and..
-  Stay alert!
Question time
Interaction system based on internet of things as support for educationInteraction system based on internet of things as support for education
Interaction system based on internet of things as support for education
 

Semelhante a TAROT2013 Testing School - Antonia Bertolino presentation

Security Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxSecurity Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxjeffreye3
 
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTijesajournal
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsCodenomicon
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksMighty Guides, Inc.
 
A method for detecting abnormal program behavior on embedded devices
A method for detecting abnormal program behavior on embedded devicesA method for detecting abnormal program behavior on embedded devices
A method for detecting abnormal program behavior on embedded devicesRaja Ram
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security applicationRihab Chebbah
 
Deterring hacking strategies via
Deterring hacking strategies viaDeterring hacking strategies via
Deterring hacking strategies viaIJNSA Journal
 
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIESDETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIESIJNSA Journal
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIOSR Journals
 
Computer security aspects in
Computer security aspects inComputer security aspects in
Computer security aspects inVishnu Suresh
 
Usabiltyvs Security Case study of SmartPhone OS
Usabiltyvs Security Case study of SmartPhone OSUsabiltyvs Security Case study of SmartPhone OS
Usabiltyvs Security Case study of SmartPhone OSRajiv Ranjan Singh
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...researchinventy
 
FinalResearch_95752_oliver
FinalResearch_95752_oliverFinalResearch_95752_oliver
FinalResearch_95752_oliverMadison Oliver
 
Security Introspection for Software Reuse
Security Introspection for Software ReuseSecurity Introspection for Software Reuse
Security Introspection for Software ReuseIRJET Journal
 
Abid - Final Presentation .pptx
Abid - Final Presentation .pptxAbid - Final Presentation .pptx
Abid - Final Presentation .pptxSyedSaqlain32
 

Semelhante a TAROT2013 Testing School - Antonia Bertolino presentation (20)

Security Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docxSecurity Issues Concerning CryptosystemsStudents NameInstitu.docx
Security Issues Concerning CryptosystemsStudents NameInstitu.docx
 
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENTESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
ESSENTIAL ACTIVITIES FOR SECURE SOFTWARE DEVELOPMENT
 
Fuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for TelecommunicationsFuzzing101: Unknown vulnerability management for Telecommunications
Fuzzing101: Unknown vulnerability management for Telecommunications
 
software-security.ppt
software-security.pptsoftware-security.ppt
software-security.ppt
 
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber AttacksLessons Learned: Protecting Critical Infrastructure from Cyber Attacks
Lessons Learned: Protecting Critical Infrastructure from Cyber Attacks
 
A method for detecting abnormal program behavior on embedded devices
A method for detecting abnormal program behavior on embedded devicesA method for detecting abnormal program behavior on embedded devices
A method for detecting abnormal program behavior on embedded devices
 
Audit and security application
Audit and security applicationAudit and security application
Audit and security application
 
Deterring hacking strategies via
Deterring hacking strategies viaDeterring hacking strategies via
Deterring hacking strategies via
 
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIESDETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
DETERRING HACKING STRATEGIES VIA TARGETING SCANNING PROPERTIES
 
Forensics
ForensicsForensics
Forensics
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
Intrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile NetworksIntrusion Detection Techniques In Mobile Networks
Intrusion Detection Techniques In Mobile Networks
 
Computer security aspects in
Computer security aspects inComputer security aspects in
Computer security aspects in
 
Usabiltyvs Security Case study of SmartPhone OS
Usabiltyvs Security Case study of SmartPhone OSUsabiltyvs Security Case study of SmartPhone OS
Usabiltyvs Security Case study of SmartPhone OS
 
INT 1010 05-1.pdf
INT 1010 05-1.pdfINT 1010 05-1.pdf
INT 1010 05-1.pdf
 
Honey Pot Intrusion Detection System
Honey Pot Intrusion Detection SystemHoney Pot Intrusion Detection System
Honey Pot Intrusion Detection System
 
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...An Overview of Information Systems Security Measures in Zimbabwean Small and ...
An Overview of Information Systems Security Measures in Zimbabwean Small and ...
 
FinalResearch_95752_oliver
FinalResearch_95752_oliverFinalResearch_95752_oliver
FinalResearch_95752_oliver
 
Security Introspection for Software Reuse
Security Introspection for Software ReuseSecurity Introspection for Software Reuse
Security Introspection for Software Reuse
 
Abid - Final Presentation .pptx
Abid - Final Presentation .pptxAbid - Final Presentation .pptx
Abid - Final Presentation .pptx
 

Mais de Henry Muccini

Human Behaviour Centred Design
Human Behaviour Centred Design Human Behaviour Centred Design
Human Behaviour Centred Design Henry Muccini
 
How cultural heritage, cyber-physical spaces, and software engineering can wo...
How cultural heritage, cyber-physical spaces, and software engineering can wo...How cultural heritage, cyber-physical spaces, and software engineering can wo...
How cultural heritage, cyber-physical spaces, and software engineering can wo...Henry Muccini
 
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle Segreterie
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle SegreterieLa gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle Segreterie
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle SegreterieHenry Muccini
 
Turismo 4.0: l'ICT a supporto del turismo sostenibile
Turismo 4.0: l'ICT a supporto del turismo sostenibileTurismo 4.0: l'ICT a supporto del turismo sostenibile
Turismo 4.0: l'ICT a supporto del turismo sostenibileHenry Muccini
 
Sustainable Tourism - IoT and crowd management
Sustainable Tourism - IoT and crowd managementSustainable Tourism - IoT and crowd management
Sustainable Tourism - IoT and crowd managementHenry Muccini
 
Software Engineering at the age of the Internet of Things
Software Engineering at the age of the Internet of ThingsSoftware Engineering at the age of the Internet of Things
Software Engineering at the age of the Internet of ThingsHenry Muccini
 
The influence of Group Decision Making on Architecture Design Decisions
The influence of Group Decision Making on Architecture Design DecisionsThe influence of Group Decision Making on Architecture Design Decisions
The influence of Group Decision Making on Architecture Design DecisionsHenry Muccini
 
An IoT Software Architecture for an Evacuable Building Architecture
An IoT Software Architecture for an Evacuable Building ArchitectureAn IoT Software Architecture for an Evacuable Building Architecture
An IoT Software Architecture for an Evacuable Building ArchitectureHenry Muccini
 
Web Engineering L8: User-centered Design (8/8)
Web Engineering L8: User-centered Design (8/8)Web Engineering L8: User-centered Design (8/8)
Web Engineering L8: User-centered Design (8/8)Henry Muccini
 
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)Henry Muccini
 
Web Engineering L6: Software Architecture for the Web (6/8)
Web Engineering L6: Software Architecture for the Web (6/8)Web Engineering L6: Software Architecture for the Web (6/8)
Web Engineering L6: Software Architecture for the Web (6/8)Henry Muccini
 
Web Engineering L5: Content Model (5/8)
Web Engineering L5: Content Model (5/8)Web Engineering L5: Content Model (5/8)
Web Engineering L5: Content Model (5/8)Henry Muccini
 
Web Engineering L3: Project Planning (3/8)
Web Engineering L3: Project Planning (3/8)Web Engineering L3: Project Planning (3/8)
Web Engineering L3: Project Planning (3/8)Henry Muccini
 
Web Engineering L2: Requirements Elicitation for the Web (2/8)
Web Engineering L2: Requirements Elicitation for the Web (2/8)Web Engineering L2: Requirements Elicitation for the Web (2/8)
Web Engineering L2: Requirements Elicitation for the Web (2/8)Henry Muccini
 
Web Engineering L1: introduction to Web Engineering (1/8)
Web Engineering L1: introduction to Web Engineering (1/8)Web Engineering L1: introduction to Web Engineering (1/8)
Web Engineering L1: introduction to Web Engineering (1/8)Henry Muccini
 
Web Engineering L4: Requirements and Planning in concrete (4/8)
Web Engineering L4: Requirements and Planning in concrete (4/8)Web Engineering L4: Requirements and Planning in concrete (4/8)
Web Engineering L4: Requirements and Planning in concrete (4/8)Henry Muccini
 
Collaborative aspects of Decision Making and its impact on Sustainability
Collaborative aspects of Decision Making and its impact on SustainabilityCollaborative aspects of Decision Making and its impact on Sustainability
Collaborative aspects of Decision Making and its impact on SustainabilityHenry Muccini
 
Engineering Cyber Physical Spaces
Engineering Cyber Physical SpacesEngineering Cyber Physical Spaces
Engineering Cyber Physical SpacesHenry Muccini
 
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPIS
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPISI progetti UnivAq-UFFIZI, INCIPICT, e  CUSPIS
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPISHenry Muccini
 
Exploring the Temporal Aspects of Software Architecture
Exploring the Temporal Aspects of Software ArchitectureExploring the Temporal Aspects of Software Architecture
Exploring the Temporal Aspects of Software ArchitectureHenry Muccini
 

Mais de Henry Muccini (20)

Human Behaviour Centred Design
Human Behaviour Centred Design Human Behaviour Centred Design
Human Behaviour Centred Design
 
How cultural heritage, cyber-physical spaces, and software engineering can wo...
How cultural heritage, cyber-physical spaces, and software engineering can wo...How cultural heritage, cyber-physical spaces, and software engineering can wo...
How cultural heritage, cyber-physical spaces, and software engineering can wo...
 
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle Segreterie
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle SegreterieLa gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle Segreterie
La gestione dell’utenza numerosa - dalle Segreterie, ai Musei, alle Segreterie
 
Turismo 4.0: l'ICT a supporto del turismo sostenibile
Turismo 4.0: l'ICT a supporto del turismo sostenibileTurismo 4.0: l'ICT a supporto del turismo sostenibile
Turismo 4.0: l'ICT a supporto del turismo sostenibile
 
Sustainable Tourism - IoT and crowd management
Sustainable Tourism - IoT and crowd managementSustainable Tourism - IoT and crowd management
Sustainable Tourism - IoT and crowd management
 
Software Engineering at the age of the Internet of Things
Software Engineering at the age of the Internet of ThingsSoftware Engineering at the age of the Internet of Things
Software Engineering at the age of the Internet of Things
 
The influence of Group Decision Making on Architecture Design Decisions
The influence of Group Decision Making on Architecture Design DecisionsThe influence of Group Decision Making on Architecture Design Decisions
The influence of Group Decision Making on Architecture Design Decisions
 
An IoT Software Architecture for an Evacuable Building Architecture
An IoT Software Architecture for an Evacuable Building ArchitectureAn IoT Software Architecture for an Evacuable Building Architecture
An IoT Software Architecture for an Evacuable Building Architecture
 
Web Engineering L8: User-centered Design (8/8)
Web Engineering L8: User-centered Design (8/8)Web Engineering L8: User-centered Design (8/8)
Web Engineering L8: User-centered Design (8/8)
 
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)
Web Engineering L7: Sequence Diagrams and Design Decisions (7/8)
 
Web Engineering L6: Software Architecture for the Web (6/8)
Web Engineering L6: Software Architecture for the Web (6/8)Web Engineering L6: Software Architecture for the Web (6/8)
Web Engineering L6: Software Architecture for the Web (6/8)
 
Web Engineering L5: Content Model (5/8)
Web Engineering L5: Content Model (5/8)Web Engineering L5: Content Model (5/8)
Web Engineering L5: Content Model (5/8)
 
Web Engineering L3: Project Planning (3/8)
Web Engineering L3: Project Planning (3/8)Web Engineering L3: Project Planning (3/8)
Web Engineering L3: Project Planning (3/8)
 
Web Engineering L2: Requirements Elicitation for the Web (2/8)
Web Engineering L2: Requirements Elicitation for the Web (2/8)Web Engineering L2: Requirements Elicitation for the Web (2/8)
Web Engineering L2: Requirements Elicitation for the Web (2/8)
 
Web Engineering L1: introduction to Web Engineering (1/8)
Web Engineering L1: introduction to Web Engineering (1/8)Web Engineering L1: introduction to Web Engineering (1/8)
Web Engineering L1: introduction to Web Engineering (1/8)
 
Web Engineering L4: Requirements and Planning in concrete (4/8)
Web Engineering L4: Requirements and Planning in concrete (4/8)Web Engineering L4: Requirements and Planning in concrete (4/8)
Web Engineering L4: Requirements and Planning in concrete (4/8)
 
Collaborative aspects of Decision Making and its impact on Sustainability
Collaborative aspects of Decision Making and its impact on SustainabilityCollaborative aspects of Decision Making and its impact on Sustainability
Collaborative aspects of Decision Making and its impact on Sustainability
 
Engineering Cyber Physical Spaces
Engineering Cyber Physical SpacesEngineering Cyber Physical Spaces
Engineering Cyber Physical Spaces
 
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPIS
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPISI progetti UnivAq-UFFIZI, INCIPICT, e  CUSPIS
I progetti UnivAq-UFFIZI, INCIPICT, e  CUSPIS
 
Exploring the Temporal Aspects of Software Architecture
Exploring the Temporal Aspects of Software ArchitectureExploring the Temporal Aspects of Software Architecture
Exploring the Temporal Aspects of Software Architecture
 

Último

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 

Último (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 

TAROT2013 Testing School - Antonia Bertolino presentation

  • 3. 11-07-2013 3 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Software malfunctions •  Your web browser crashes while you are reading news •  Your web mail account is stolen •  The computerized device releases a radiations overdose (*) " This is annoying " This could be serious " This is very serious can be very different (*) Leveson, N.G.; Turner, C.S., "An investigation of the Therac-25 accidents," Computer , vol.26, no.7, pp.18,41, July 1993 5 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Software puts us at risk Two somehow contrasting wishes: •  Being connected everytime and everywhere •  Preserving our own privacy and data integrity However, for business and society connectivity is no longer an option. The point is to balance potential risks with benefits. Networks must be enabled to support security services that provide adequate protection to users and companies in a relatively open environment 6
  • 4. 11-07-2013 4 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Rising vulnerability of evolving technology Catherine Paquet, Network Security Concepts and Policies, Cisco Press, 2013 7 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Three related sw quality concerns Dependability Safety Security 8
  • 5. 11-07-2013 5 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Definitions Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004 9 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Definitions Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004 the ability to deliver service that can justifiably be trusted 10
  • 6. 11-07-2013 6 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Definitions Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004 the absence of catastrophic consequences on the user(s) and the environment 11 SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO” Definitions Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004 the absence of unauthorized access to, or handling of, system state 12
Composite definition of security
(figure, after Avizienis et al., 2004)

Security engineering
• Systems engineering must be unified with security engineering:
• Currently(*) security modeling remains largely independent of system models.
• Typically, system requirements and design are done first, and security is added as an afterthought.
(*) Premkumar T. Devanbu and Stuart Stubblebine. Software engineering for security: a roadmap. In FOSE 2000 @ ICSE '00. ACM, 227-239.
Information Assurance: an overarching approach
• Information must be protected throughout its lifetime, while at rest and while passing through different processing systems
• The strength of any system is no greater than its weakest link
• Each component of the information processing system must have its own protection mechanisms
• The building up, layering on and overlapping of security measures is called defense in depth:
  - a design principle to ensure resilience against different forms of attack, and to reduce the probability of a single point of failure
(figure: the Onion Model of Defense in Depth)

Why ensuring security is difficult
Security engineers (and especially testers) must take into account not only legitimate users and clients, but also potential (malicious) adversaries. Therefore, to design a secure system we should provide defenses against all plausible threats: a secure system does only what it is supposed to do and nothing else.
Risk-oriented approach
• Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data.
• All systems have some level of risk.
• A completely secure, zero-risk system is one that has zero functionality.

Towards a Security-centered Development Process
• A security development lifecycle (SDL) is a software development lifecycle placing special emphasis on security in each phase
• Several SDLs have been proposed, of which Microsoft SDL is the best established in industry
Security testing
There exist many different types of security testing. For example, Microsoft SDL includes three practices:
• Dynamic Analysis: performs run-time verification of software functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other issues
• Fuzz Testing: induces program failure by deliberately introducing malformed or random data to an application so as to reveal potential security issues prior to release
• Attack Surface Review: reviews the attack surface before and after the installation of product(s) and displays the changes to key elements of the attack surface

Scope of security testing: software security vs. security software
• testing security mechanisms to ensure that their functionality is properly implemented
• performing risk-based security testing driven by understanding and simulating the attacker's approach
To keep in mind: "software security is not security software" (*). Security features such as cryptography, strong authentication, and access control play critical roles in software security; however, security itself is an emergent property of an entire system, not just its security mechanisms.
(*) Gary McGraw and Bruce Potter. 2004. Software Security Testing. IEEE Security and Privacy 2, 5 (September 2004), 81-85.
Approaches for testing "software security"
Mostly negative testing, aiming at detecting whether the application does something it should not do. It includes:
• Fuzzing, either random or systematic (e.g., model-based fuzz testing)
• Vulnerability injection, e.g. SQL injection
• Risk-based testing
• Security test patterns (e.g., DIAMONDS project)
• ...

Scope of security testing (cont.)
Risk-based security testing, which simulates the attacker's approach, relies on expertise and knowledge of the system: it requires that you think about your project and its possible misuses or attacks.
CIA (figure)
Data classification
Assets (data, programs, resources, ...) have different security levels, e.g.
• Unclassified
• Restricted
• Confidential
• ...
Correspondingly, differing roles for people or applications are introduced, defining who can access what level, e.g.
• Owner
• Administrator
• User
• ...
Access control
• Once a system involves security-classified data, we need to ensure that only the intended people can access them and that these intended users are only given the level of access required to accomplish their tasks.
An access control system provides a decision (ok, ko) to an authorization request, typically based on predefined policies.
(figure: request -> Access Control, driven by a policy -> response)

Access control mechanisms: Identification, Authentication, Authorization
Access control mechanisms: Identification
The activity of a subject supplying information to identify itself to an authentication service. Examples: username, account number, ID card, ...

Access control mechanisms: Authentication
A means to verify the authenticity of the identity declared during Identification. Three ways (of increasing cost):
- What the subject knows: passwords, PINs, passcodes, etc.
- What the subject has: keys, tokens, smartcards, etc.
- What the subject is: biometric data, e.g., fingerprints, voice recognition, etc.
Authentication can be one-factor or two/three-factor (strong).
Access control mechanisms: Authorization
The process of assigning to authenticated subjects a set of permissions that defines what they can and cannot do. These permissions are generally defined by security policies.

Defining security rules (or policies)
A security policy is a specific statement of what is and is not allowed.
Security policies
From Wikipedia: Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
• Access control
• Computer security policy
• Environmental design
• Information Protection Policy
• Information security policy
• National security policy, Military strategy
• Network security policy
• Virtual security policy
• ...

The eXtensible Access Control Markup Language
• XACML is the OASIS standard for specifying Access Control Policy
• The latest version is XACML 3.0, released in January 2013
  - Before, XACML 2.0 was released in Feb. 2005 (this is the version implemented in our tool)
  - XACML 1.0 had been released in Feb. 2003
• Organizations sponsoring OASIS and contributing to the XACML standard include: CA Technologies, Cisco Systems, Connectis, Dell, EMC, IBM, Microsoft, Oracle, Primeton Technologies, Inc., Red Hat, SailPoint Technologies, The Boeing Company, Veterans Health Administration, ViewDS, etc.
www.oasis-open.org
XACML
• XACML is a general-purpose language for access control policies. It provides an XML-based syntax for managing access to resources.
• XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors.
• It is generic (can be used by many different kinds of applications and platforms), distributed (a policy can refer to other sub-policies, and XACML knows how to correctly combine the results from these different policies into one decision) and powerful (supports a wide variety of data types, functions, and rules about combining the results of different policies).

XACML languages
Policy Language: used to describe access control requirements. Who is allowed to do what?
Request/Response Language: the request is a query about the permissions associated with x. The response is permit, deny, indeterminate, or not applicable.
XACML architecture
XACML also proposes a standard reference architecture (figure).

XACML architecture: Policy Enforcement Point (PEP)
Performs access control, by making decision requests and enforcing authorization decisions. Basically, the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
XACML architecture: Policy Decision Point (PDP)
Evaluates the applicable policy and returns an authorization decision.

XACML Flow
• A Subject who wishes to access an Object (Resource) must do so through the PEP
• The PEP forms the XACML request and sends it to the PDP
• The PDP checks the request against the Policy and returns an XACML response
• The PEP either Permits or Denies access to the resource.
(figure: Policy Enforcement Point (PEP) asks "Can I access Resource?"; the Policy Decision Point (PDP) answers Permit/Deny. The relevant XACML policy needs to be selected and its rules evaluated; requests and responses are also specified in XACML.)
XACML Structure
The nice picture is taken from: Yoon Jae Kim, Access Control Service Oriented Architecture Security, online at http://www.cs.wustl.edu/~jain/cse571-09/ftp/soa/

XACML policy example (a Target, Rule1 with a Condition, and Rule2)
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
We need to verify the access control system
The XACML properties of interoperability, extensibility and distribution are paid for in terms of complexity and verbosity. Policies can be deceiving and need to be carefully checked.

Policy testing
Provide test strategies for test suite generation so as to simulate correct or improper usage of data and resources by execution of test suites.
(figure: from the policies specification, Test suite 1 (User1) and Test suite 2 (User2) exercise different combinations of Data and Resources)
Testing purpose: testing the policy specification
(figure: the Test Suite sends requests to the PDP loaded with the Policies; an Oracle checks each reply and issues a verdict; here the SUT is the policy specification)

Testing purpose: testing the policy implementation (PDP)
(figure: the same set-up, but here the SUT is the PDP itself)
XACML testing
Different types of approaches have been proposed, including:
• Structural coverage of XACML elements
• Combinatorial (Targen, X-CREATE)
• Category-partition (X-CREATE)
• Change-impact based
• Model-based
• ...

Targen
Targen(*) is a seminal tool on XACML testing and the closest competitor to X-CREATE. Targen applies a combinatorial approach on the attribute values: for each target included in the policy under test, it derives as many requests as there are possible combinations of the values of the attributes found in the subject, resource, and action sections.
(*) E. Martin and T. Xie, "Automated test generation for access control policies," in Supplemental Proc. of ISSRE, November 2006.
Our approach: X-CREATE (XaCml REquests derivAtion for TEsting)
The X-CREATE tool supports several different test derivation strategies based on a combinatorial approach. It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xcreate/public/main

Original idea: we exploit the XML nature of XACML and adapt our previous tool TAXI for XML test generation ... so, let's now open a brief parenthesis about TAXI ...
TAXI
• A tool for systematic document generation from XML Schema
• It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/taxi/public/main

The eXtensible Markup Language (XML)
<?xml version="1.0" encoding="ISO-8859-1"?>
<card>
  <name>John Doe</name>
  <title>CEO, Widget Inc.</title>
  <email>john.doe@widget.com</email>
  <phone>(202) 456-1414</phone>
</card>
• The eXtensible Markup Language (XML) is a markup language which is a standard format to store information and data.
• XML documents are tree-structured documents in which data are formatted/organised using tags.
XML & XML Schema
• XML Schema provides a means for defining the structure and content of XML documents
• In the open networked world, XML Schema supports interoperability between independently developed applications
(figure, with the labels "Chinese" and "Italian")

Automatic XML-Based Testing and Benchmarking (figure)
Our systematic approach
The approach has been inspired at large by the well-known semi-automated Category Partition methodology for systematic test generation ... or, you can think of it as grammar-based generation on the XSD syntax, although we have also introduced practical rules.
Mapping CP to XPT
  CP (*)                          XPT
  Analyze Specifications       -> Preprocessor
  Identify Functional Units    -> Identify Sub-Schema Sets
  Partition Categories         -> Identify Types
  Select Choices               -> Partition Values and Structures
  Determine Constraints        -> Determine "valid/invalid" constraints
  Generate Test Specification  -> Generate Intermediate Instances
  Generate Test Cases          -> Generate Final Instances
(*) Thomas J. Ostrand and Marc J. Balcer. The category-partition method for specifying and generating functional tests. Communications of the ACM, 31(6), 1988.

Identification of Sub-Schema Sets
<choice> elements partition the XML Schema into distinct sets corresponding to the CP functional units.
(figure: an XML Schema with a choice between A and B followed by a choice between 1 and 2 is split into four sub-schemas, the sequences A 1, A 2, B 1 and B 2)
Intermediate Instances
• Generate intermediate instances by combining the values of "minOccurs" and "maxOccurs".
• Apply the conventional Boundary Condition test approach to reduce the combinations.
(figure: for a sub-schema with A [minOccurs=0, maxOccurs=3] and B [minOccurs=2, maxOccurs=4], the intermediate instances are: A occurs=0, B occurs=2; A occurs=3, B occurs=2; A occurs=0, B occurs=4; A occurs=3, B occurs=4)

Potential Applications
• For validating database management systems:
  - automatically generate valid XML instances for populating databases
  - evaluate the performance and the quality of the associated management systems
• For testing the interoperability between applications and for enabling the correct interactions among the interfaces used by remote components in distributed systems:
  - automatic and controlled generation of valid and invalid instances enables the automated testing of I/O behavior
• For verifying the proper communication protocols between web services:
  - SOAP-based interaction between services exploiting the corresponding XML Schemas ...
• ...
Further reading:
Bertolino, Antonia, Jinghua Gao, Eda Marchetti, and Andrea Polini. "Automatic test data generation for XML schema-based partition testing." In Proc. of the Second International ICSE Workshop on Automation of Software Test, p. 4. IEEE Computer Society, 2007.
Bartolini, Cesare, Antonia Bertolino, Eda Marchetti, and Andrea Polini. "WS-TAXI: A WSDL-based testing tool for web services." In Proc. ICST'09, pp. 326-335. IEEE, 2009.
X-CREATE Testing Framework
(figure: policies specification and request structure -> instantiated request)
Implements several testing strategies:
• Preliminary XPT (XML Partition Testing)
• Incremental XPT
• Simple Combinatorial
• Multiple Combinatorial
• Hierarchical Simple
• Hierarchical Incremental

Preliminary XPT: main idea
Inspired by TAXI: derive (once and for all) a universally valid generic test suite of conforming requests by applying:
• a variant of the Category Partition methodology
• the Boundary Conditions methodology
Each request in this generic test suite is a general structure of a valid XACML request instance.
(figure: XACML Context Schema -> request structure -> conforming test suite)
XPT implementation
The tool consists of three main components:
• an intermediate-request generator, which is based on the XPT approach for intermediate instances (request structures) generation
• a policy analyzer, which selects the input values from the policy specification, and
• a values manager, which distributes the input values to the request structures.

A Sketch of the XACML Context Schema (figure)
(schema sketch, continued: the elements with unbounded occurrence are assigned the occurrence sets {1,...,k/2,...,k}, {0,...,k/2,...,k} and {1,...,k/2,...,k})
1. Fix the unbounded occurrence (∞) to K
2. Apply the XPT strategy to the obtained schema
We thus automatically obtain a set of different Request Structures.
Example of request structure:
<Request>
  <Subject> </Subject>
  <Subject> </Subject>
  <Resource> </Resource>
  <Action> </Action>
</Request>
118098!!!!! Too much!!!
10 elements with unbounded occurrence and 1 having [0,1] cardinality -> 3^10 * 2^1 = 118098 request structures (still to be filled with values ...)
We need to apply some approach to select those request structures that could maximize the fault detection capability.
Note: the full set of request structures needs to be derived once and for all; only the selection of the subset is redone each time.

Policy Under-Test Analyzer
Takes values from the policy under test for elements and attributes. Four value sets are defined:
• SubjectSet
• ResourceSet
• ActionSet
• EnvironmentSet
For robustness and negative testing, random values for elements and attributes are added.
Example of results from the policy analyser (figure)

Request Values Manager
Responsible for the final requests generation. Two possible approaches, using either standard structures or combinatorial structures:
1. Pure combinatorial approach using all the values in the 4 sets
2. Hierarchical combination (to focus the request generation on a specific part of a policy)
How many combinations?
Avoiding duplication, derive all combinations of subject "entities", resource "entities", action "entities" and environment "entities" by applying:
• the pair-wise combination (PW)
• the three-wise combination (TW)
• the four-wise combination (FW)
Note: the number of combinations strictly depends on the policy considered.

Examples
Example of request:
<Request>
  <Subject>Mario Rossi</Subject>
  <Resource>personal id</Resource>
  <Action>read</Action>
</Request>
Example of request:
<Request>
  <Subject>s2</Subject>
  <Resource>personal id</Resource>
  <Action>a2</Action>
</Request>
Example of request:
<Request>
  <Subject>Mario Rossi</Subject>
  <Subject>s2</Subject>
  <Resource>p2</Resource>
  <Action>read</Action>
  <Environment>e2</Environment>
</Request>
X-CREATE vs. Targen
We considered the available policies also used for the Targen presentation. We applied mutation to the policies to introduce faults, using the same mutation operators for XACML policies indicated in the Targen experiment. We used the sets of mutants obtained for answering two research questions:
TSEff: Is the test suite derived by X-CREATE more effective than that derived by Targen?
TSIncr: Is the capability provided by X-CREATE to vary test request number and structure useful to increase effectiveness?

Some Results
We generated the same number of requests generated by the Targen tool for each policy, so as to get a fair comparison. We only derived the data for PolicyExample; the others are from the Targen evaluation. (results table)
Well done!! ... but can we do better?
• New methodology for request structures generation (Incremental XPT)
• New specific test strategy providing a stopping criterion (Simple Combinatorial)

Incremental XPT
We introduce a modified (reduced) schema as follows:
• one value for the <AttributeValue>
• zero as minOccurs and maxOccurs of the ResourceContent element and of the contained <Any> element, because they are not used in test values generation
We end up with 3^6 = 729 request structures.
Simple Combinatorial
Idea: derive as many requests as the possible combinations of the values of the subjects, resources, actions and environment of the XACML policy.
• The derived requests are first those obtained using all combinations of the pairwise set, then of the 3-wise set and finally those of the 4-wise set.
• The maximum number of requests derived by this strategy is equal to the cardinality of the 4-wise set.
The resulting number of combinations could also be used as a stopping criterion for the test case generation in XPT.

Incremental XPT vs. Simple Combinatorial
Evaluation of the test strategies' effectiveness:
• Define a set of XACML policies
• Apply mutation to each policy to introduce faults
• Execute each set of test cases on the policy and its mutants
• Establish the winner in each match
XPT vs. Simple Combinatorial
With the same number of requests for each policy, the effectiveness of Incremental XPT is generally higher than that of the Simple Combinatorial strategy. In two cases the fault detection of Simple Combinatorial is higher than that of Incremental XPT.
(figure: fault detection per policy, Simple Combinatorial vs. Incremental XPT)

Deeper Analysis
Incremental XPT is the winner when the access decision of the policy rules depends concurrently on the values of more than one subject, resource, action or environment entity. Simple Combinatorial is the winner when the policies are simple and the satisfiability of the policy rules depends on the combinations of a single subject, resource, action and environment entity.
• 41.
How to evaluate XACML testing approaches?
The mutation approach typically used in software testing has been adapted to XACML policy testing.
81
XACMUT: XACML 2.0 Mutants Generator
Our tool. It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xacmut/public/main
82
• 42.
XACMUT
• A set of mutation operators addressing specific faults of the XACML 2.0 access control policy
• XACMUT (XACMl MUTation):
  - generates the set of mutants
  - provides facilities to run a given test suite on the mutants set
  - computes the test suite effectiveness in terms of mutation score
83
Previous work
Proposal1*
Preliminary set of mutation operators for XACML policies. Not included:
• all the important criticalities of the XACML policy specification
• most of the available XACML functions
Proposal2**
• Set of mutation operators based on a metamodel
• simulate the faults in the security models independently from the role-based formalism (R-BAC, OrBAC, ...)
Peculiarity: the mutation operators cannot be directly applied to XACML.
* E. Martin and T. Xie, "A fault model and mutation testing of access control policies," in Proc. of WWW, May 2007, pp. 667–676
** T. Mouelhi, F. Fleurey, and B. Baudry, "A generic metamodel for security policies mutation," in Proc. of ICSTW, 2008, pp. 278–286
84
• 43.
Mutation operators of Proposal1
• Policy Set Target True (PSTT) - removes the Target of each PolicySet ensuring that the PolicySet is applied to all requests
• Policy Set Target False (PSTF) - modifies the Target of each PolicySet such that the PolicySet is never applied to a request
• Policy Target True (PTT) - removes the Target of each Policy ensuring that the Policy is applied to all requests
• Policy Target False (PTF) - modifies the Target of each Policy ensuring that the Policy is never applied to a request
• Rule Target True (RTT) - removes the Target of each rule ensuring that the Rule is applied to all requests
• Rule Target False (RTF) - modifies the Target of each rule such that the Rule is never applied to a request
85
Mutation operators of Proposal1 (cont.)
• Rule Condition True (RCT) - removes the condition of each Rule ensuring that the Condition always evaluates to True
• Rule Condition False (RCF) - manipulates the Condition values or the Condition functions ensuring that the Condition always evaluates to False
• Change Policy Combining Algorithm (CPC) - replaces the existing policy combining algorithm with another policy combining algorithm. The set of considered policy combining algorithms is {deny-overrides, permit-overrides, first-applicable, only-one-applicable}
• Change Rule Combining Algorithm (CRC) - replaces the existing rule combining algorithm with another rule combining algorithm. The set of considered rule combining algorithms is {deny-overrides, permit-overrides, first-applicable}
• Change Rule Effect (CRE) - changes the rule effect by replacing Permit with Deny or Deny with Permit
86
• 44.
Policy Target True (PTT) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with http://library.com/record resource will be applicable.
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target></Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with any resource will be applicable.
87
Policy Target False (PTF) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>RandomValue##+]][[*##_####98765432_RandomValue456Mutant_xyz</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
No request will be applicable.
88
• 45.
Mutation operators of Proposal2
• RPT - replaces a rule parameter having a type with another parameter of a different rule having the same type. In the XACML language the rule parameters correspond to subjects, resources, actions and environments
• PPR - chooses one rule from the set of rules, and then replaces the status with the opposite one
  - it coincides with the CRE operator of Proposal1
• ANR - adds a new rule containing a new combination of parameters that is not specified in the existing rules of the policy
• RER - chooses one rule and removes it
• PPD - replaces a parameter with one of its descending parameters
  - it is not applicable to the XACML 2.0 language
  - the roles and resources hierarchy is only considered in policies compliant to the Core and Hierarchical RBAC profile and to the Hierarchical resource profile of XACML 2.0
• We adapt the RPT, PPR, ANR and RER high level operators to the XACML language
89
Remove Rule (RER) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with http://library.com/record resource will be denied.
90
• 46.
Change Rule Effect (CRE) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Permit"></Rule>
</Policy>
A request with http://library.com/record resource will be allowed.
91
Our new Mutation operators
• RemoveUniquenessFunction (RUF) - removes the type-one-and-only (type refers to a primitive type: string, integer, double, etc.) function from the rule condition, forcing the function evaluation to True and False
• AddUniquenessFunction (AUF) - adds the type-one-and-only function referring to each AttributeDesignator or AttributeSelector element of the rule Condition, forcing the function evaluation to True and False
• Change-N-OF-Function (CNOF) - changes the n parameter of the n-of function. The argument n specifies the minimum number of the boolean arguments (M) that must be evaluated to True for the expression to be considered True. We set n to 0, M-1 and M+1
• ChangeLogicalFunction (CLF) - replaces a logical function (and, or, n-of) with another one. We set the n argument of the n-of function equal to 0, forcing the function evaluation always to True
• AddNotFunction (ANF) - adds the not function as first function of each Condition element
92
• 47.
Our new Mutation operators (cont.)
• RemoveNotFunction (RNF) - deletes the not function defined in the condition
• ChangeComparisonFunction (CCF) - replaces a comparison function (type-equal, type-greater-than, type-greater-than-or-equal, type-less-than, type-less-than-or-equal) with another one
• FirstPermitRule (FPR) - moves in each policy the rules having a Permit effect before those having a Deny effect
• FirstDenyRule (FDR) - moves in each policy the rules having a Deny effect before those having a Permit effect
93
AddNotFunction (ANF) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be allowed.
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:not">
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be denied.
94
• 48.
FirstDenyRule (FDR) example
Gold policy (evaluate rule1 and then rule2):
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be allowed.
Mutated policy (evaluate rule2 and then rule1):
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
A request with read or write will be denied, since the first rule will be applied.
95
XACMUT Mutation operators for XACML policies
Proposal1: PSTT, PSTF, PTT, PTF, RTT, RTF, RCT, RCF, CPC, CRC, CRE
Proposal2: PPD, RPT, ANR, RER
New operators: RUF, AUF, CNOF, CLF, ANF, CCF, FPR, FDR
96
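The three steps XACMUT automates (slide 83: generate the mutants, run a test suite on them, compute the mutation score) carried out on the gold policy of the examples above, as an added example written for this page and not XACMUT's own code. It implements six of the listed operators (PTT, PTF, CRE, RER, ANF, FDR) with ElementTree on the namespace-free XML printed on the slides, and a deliberately minimal first-applicable evaluator that understands only the functions used there; the gold policy itself is the oracle, so a mutant is killed when some request gets a different decision from it. The two test suites and the PTF replacement value are constructed.

```python
import copy
import xml.etree.ElementTree as ET

# Gold policy as printed on the slides (namespace-free XACML, as shown there).
GOLD_POLICY = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target><Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource></Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""

RECORD = "http://library.com/record/"
# Constructed test suites: a request is a (resource, action) pair.
FULL_SUITE = [{"resource": RECORD, "action": "read"},
              {"resource": RECORD, "action": "delete"},
              {"resource": "http://library.com/book/", "action": "read"}]
WEAK_SUITE = FULL_SUITE[:1]        # exercises only the Permit path of rule1


def parse_policy(text):
    return ET.fromstring(text)


def _apply(node, request):
    """Evaluate a Condition subtree (only the functions used on the slides, plus not)."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag == "ActionAttributeDesignator":
        return request["action"]
    fn, args = node.get("FunctionId"), [_apply(c, request) for c in node]
    if fn == "function:string-one-and-only":
        return args[0]
    if fn == "function:string-bag":
        return args
    if fn == "function:string-is-in":
        return args[0] in args[1]
    if fn == "function:not":
        return not args[0]
    raise ValueError("unsupported function %s" % fn)


def evaluate(policy, request):
    """Decision of a first-applicable policy: Permit, Deny or NotApplicable."""
    target = policy.find("Target")
    if target is not None:                    # an empty Target matches every request
        allowed = [v.text.strip() for v in target.iter("AttributeValue")]
        if allowed and request["resource"] not in allowed:
            return "NotApplicable"
    for rule in policy.findall("Rule"):       # first rule whose Condition holds decides
        cond = rule.find("Condition")
        if cond is None or _apply(cond[0], request):
            return rule.get("Effect")
    return "NotApplicable"


def mutants(gold):
    """Six XACMUT operators; returns [(operator, rule id or None, mutant root)]."""
    out = []
    m = copy.deepcopy(gold)                   # PTT: empty Target, applies to all requests
    for child in list(m.find("Target")):
        m.find("Target").remove(child)
    out.append(("PTT", None, m))
    m = copy.deepcopy(gold)                   # PTF: a resource value no request carries
    m.find("Target/Resource/AttributeValue").text = "RandomValue_Mutant"   # constructed
    out.append(("PTF", None, m))
    for rule in gold.findall("Rule"):
        rid = rule.get("RuleId")
        m = copy.deepcopy(gold)               # CRE: flip the rule effect
        r = m.find("Rule[@RuleId='%s']" % rid)
        r.set("Effect", "Deny" if r.get("Effect") == "Permit" else "Permit")
        out.append(("CRE", rid, m))
        m = copy.deepcopy(gold)               # RER: remove the rule
        m.remove(m.find("Rule[@RuleId='%s']" % rid))
        out.append(("RER", rid, m))
        if rule.find("Condition") is not None:   # ANF: wrap the Condition in not
            m = copy.deepcopy(gold)
            cond = m.find("Rule[@RuleId='%s']/Condition" % rid)
            inner = cond[0]
            cond.remove(inner)
            ET.SubElement(cond, "Apply", FunctionId="function:not").append(inner)
            out.append(("ANF", rid, m))
    m = copy.deepcopy(gold)                   # FDR: Deny rules before Permit rules
    rules = m.findall("Rule")
    for r in rules:
        m.remove(r)
    m.extend(sorted(rules, key=lambda r: r.get("Effect") != "Deny"))
    out.append(("FDR", None, m))
    return out


def mutation_score(gold, suite):
    """Test suite effectiveness: (killed, total, live mutants). A mutant is killed when
    at least one request gets a decision different from the gold policy's."""
    all_mutants = mutants(gold)
    live = [(op, rid) for op, rid, m in all_mutants
            if all(evaluate(m, q) == evaluate(gold, q) for q in suite)]
    return len(all_mutants) - len(live), len(all_mutants), live
```

With the single-request WEAK_SUITE the score is 5/8: the PTT mutant, the CRE mutant of rule2 and the RER mutant of rule2 all still answer Permit for (record, read), so they survive; adding a request for another resource and one with an action outside the bag (FULL_SUITE) kills all eight. This is the same kind of per-operator effectiveness figure the experimental table reports.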
• 49.
XACMUT Main Interface
[Figure: screenshot of the XACMUT main interface]
97
Experimental Setting (M: mutants; E: test suite effectiveness; TS: test suite derived using Targen)
Policy       #Rule #Cond #Sub #Res #Act #Funct #TS | Proposal1 #M %E | Proposal2 #M %E | New operators #M %E | Total #M %E
demo-5         3     2     2    3    2     4    39 |    18     67    |    43     21    |     37       86     |   98    54
demo-11        3     2     2    3    1     5    35 |    16     63    |    29     21    |     32       84     |   77    56
demo-26        2     1     1    3    1     4    32 |    13     31    |    28     14    |     31       77     |   72    44
student1       2     0     5    2    2     2    85 |    12     75    |   336     58    |     85       98     |  433    67
student2       2     0    11    2    2     2    24 |    23     70    |     6     50    |     29       67     |   58    67
create-doc     3     2     1    2    1     3     8 |    14     86    |     3     67    |     19       74     |   36    78
read-doc       4     3     2    4    1     3     7 |    17     53    |     4      0    |     26       54     |   47    49
delete-doc     3     2     1    3    1     3     6 |    14     57    |     3      0    |     21       57     |   38    53
university1    3     0    24    3    3     2   203 |    18     72    |   109     85    |     61       97     |  188    88
university2    3     0    23    3    3     2    33 |    12     75    |    56     79    |     37       95     |  105    84
98
• 50.
And now…
Forget everything you have just learned about XACML-based control of access, because …. is the new big thing ahead!!!
99
Usage Control Model: Beyond Access Control
[Figure: usage control along the time axis, compared with traditional access control. Before usage: pre decision, pre update. Ongoing usage: ongoing decision, ongoing update. After usage: post update. Mutability of attributes throughout.]
100
• 51.
Usage Control Model (UCON)*
Is based on:
• Authorizations
• Obligations
• Conditions
• Mutability of Attributes
• Continuous policy enforcement
* Defined by J. Park and R. Sandhu, The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004
101
Policy Language (based) on Process Algebra (PolPA)*
• A formal policy language for UCON
• An operational language based on process description languages
• The idea is to describe the allowed sequences of actions (commands)
• Policies can thus be formally verified, compared, minimized, refined
* F. Martinelli and P. Mori, "On usage control for grid systems," Future Generation Computer Systems, vol. 26, no. 7, pp. 1032–1042, 2010
102
• 52.
Usage control commands
• tryaccess(s, r, a): performed by subject s when performing a new access request (s, r, a)
• permitaccess/denyaccess(s, r, a): performed by the system when granting/denying the access request (s, r, a)
• endaccess(s, r, a): performed by subject s when ending an access (s, r, a)
• revokeaccess(s, r, a): performed by the system when revoking an ongoing access (s, r, a)
• update(attribute): updating a subject or an object attribute
Command composition operators: ., or, par
103
Example of PolPA Policy
[Figure: example of a PolPA policy]
104
• 53.
PolPA Authorization System
[Figure: architecture of the PolPA authorization system]
105
Testing Purpose
[Figure: the Test Suite sends requests to the PDP (the SUT), which evaluates them against the loaded Policies; each reply is compared by the Oracle, which issues the verdict]
PDP (Policy Decision Point): evaluates the requests against the usage control policies
106
• 54.
How to do PDP testing?
Emulate a possible PEP by issuing tryaccess and endaccess commands to the PDP
107
Which test approach?
• A test case (request) is a sequence of commands (tryaccess/endaccess) with a variable number of action parameters
• Traditional combinatorial approaches are not suitable since they do not specifically address the command order
• We propose:
  - a fault model and the corresponding mutation operator classes for the PolPA language
  - a test case derivation strategy from the fault model
108
• 55.
Testing procedure
A. Apply fault-model mutation classes to the PolPA policy (FMM)
B. Derive a set of mutants (each mutant is a faulty policy) (FPG)
C. Apply the test case generation strategy to each policy (gold policy and all derived faulty policies) (TCG)
D. Execute test cases (TD)
E. Analyze test results (TO)
109
Mutation classes
• Change Composition Operator (CCO): implements a violation of the order of execution of the commands
• Change Command (CC): implements faults in the execution of a command
• Change Guard String Predicate (CGSP): implements a wrong management of the values of string parameters
• Change Guard Integer Predicate (CGIP): implements a wrong management of the values of integer parameters
110
• 56.
Depth-first visit of the policy
[Figure: depth-first visit of the policy tree]
111
Depth-first visit of the faulty policy (CCO class)
[Figure: depth-first visit of a faulty policy obtained with the CCO class]
112
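The PolPA testing procedure of slides 103-112 reduced to code, as an added example written for this page (not the PolPA PDP or the authors' test generator). A policy is a term built from the commands of slide 103 with the three composition operators `.`, `or` and `par`; a depth-first visit of the term yields the command sequences it allows, which are the test cases; the CCO mutation class is implemented as replacing one composition operator with another; and a test case derived from a faulty policy reveals the fault when the gold policy does not accept it. The gold policy (tryaccess, then either permitaccess followed by endaccess, or denyaccess) is constructed for the example, and a sequence is accepted when it is a prefix of an allowed trace, since the PDP sees commands one at a time.

```python
class Cmd:
    """A usage-control command, e.g. tryaccess(s, r, a)."""
    def __init__(self, name):
        self.name = name

    def traces(self):
        return [(self.name,)]


class Seq:
    """p . q : q may start only after p has completed."""
    def __init__(self, p, q):
        self.p, self.q = p, q

    def traces(self):                        # depth-first visit: left branch, then right
        return [a + b for a in self.p.traces() for b in self.q.traces()]


class Or(Seq):
    """p or q : either branch is allowed."""
    def traces(self):
        return self.p.traces() + self.q.traces()


class Par(Seq):
    """p par q : any interleaving of the two branches."""
    def traces(self):
        out = []
        for a in self.p.traces():
            for b in self.q.traces():
                out += interleave(a, b)
        return list(dict.fromkeys(out))      # drop duplicates, keep order


def interleave(a, b):
    """All interleavings of two command sequences (tuples)."""
    if not a or not b:
        return [a + b]
    return ([(a[0],) + t for t in interleave(a[1:], b)]
            + [(b[0],) + t for t in interleave(a, b[1:])])


OPERATORS = (Seq, Or, Par)


def cco_mutants(term):
    """Change Composition Operator class: for every binary node, one mutant per
    replacement of its operator by each of the other two (operands unchanged)."""
    if isinstance(term, Cmd):
        return []
    out = [other(term.p, term.q) for other in OPERATORS if other is not type(term)]
    out += [type(term)(mp, term.q) for mp in cco_mutants(term.p)]
    out += [type(term)(term.p, mq) for mq in cco_mutants(term.q)]
    return out


def accepts(policy, commands):
    """True if the command sequence is a prefix of a sequence the policy allows."""
    commands = tuple(commands)
    return any(t[:len(commands)] == commands for t in policy.traces())


def killing_tests(gold, mutant):
    """Test cases derived from the faulty policy that the gold policy rejects: a PDP
    implementing the mutant would accept them, so they expose the fault."""
    return [t for t in mutant.traces() if not accepts(gold, t)]


# Constructed gold policy: tryaccess . ((permitaccess . endaccess) or denyaccess)
TRY, PERMIT = Cmd("tryaccess(s, r, a)"), Cmd("permitaccess(s, r, a)")
DENY, END = Cmd("denyaccess(s, r, a)"), Cmd("endaccess(s, r, a)")
GOLD = Seq(TRY, Or(Seq(PERMIT, END), DENY))
```

Replacing the outermost `.` with `par` produces five traces, three of which (those where permitaccess or denyaccess precede tryaccess) the gold policy rejects; replacing it with `or` produces the two-command trace permitaccess.endaccess without a preceding tryaccess, which is rejected as well. Those rejected sequences are the test cases to send to the PDP: if it accepts them, its implementation enforces the wrong command order.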
• 57.
Experimental Data
Mutant class   #Mutants   #Executed test cases   #Faults
Policy            -               2                 0
CCO              14              45                 0
CC               56              84                 9
CGSP              4               8                 0
CGIP              4               8                 0
Total            78             175                 9
• for 9 test cases (of 84) the responses were not the expected ones
• all faults were given by test cases derived from mutants having 2 tryaccess(user_id, R1, A(x1, x2))
• the PDP implementation allows tryaccess an arbitrary number of times (specific application constraint)
113
We have covered:
• XML-based testing and TAXI tool
• XACML combinatorial testing and X-CREATE tool
• XACML mutations and XACMUT tool
• Usage-control systems and testing of Polpa
quite enough for today!
114
• 58.
What after?
Concerning access control:
-- we are integrating the tools into a continuous framework
-- supporting the policy developer after a problem is detected in debugging the policy
Concerning usage control:
-- provide support for continuous on-line testing (already ongoing)
-- towards standardized U-XACML
115
not only technology, humans
116
• 59.
Social engineering
• People are generally considered the weakest link in information assurance
• As organizations improve their security processes and technologies, more and more attackers focus on exploiting human errors or ingenuity
• So-called social engineering malware is rising as the most successful tactic: it manipulates the natural human tendency to trust
Figure from Sherly Abraham, InduShobha Chengalur-Smith, An overview of social engineering malware: Trends, tactics, and implications, Technology in Society, 32 (3), 2010, 183–196
117
So the message is:
- Stay informed on the technology
- Adopt best practice and protect your data,
- Test your security mechanisms, and..
- Stay alert!
118
• 60.
Question time
119