TAROT 2013 9th International Summer School on Training And Research On Testing, Volterra, Italy, 9-13 July, 2013
TAROT2013 Testing School - Antonia Bertolino presentation
1. 11-07-2013
9th International Summer School on
Training And Research On Testing
9-13 July, 2013 - Volterra, Italy
Theme 3: Security Testing
XML-based approaches for security testing
Antonia Bertolino, ISTI-CNR
antonia.bertolino@isti.cnr.it
SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY
ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO”
Acknowledgements
All presented approaches and tools are the result of research work in collaboration with Said Daoudagh, Francesca Lonetti and Eda Marchetti (concerning TAXI, also with Cesare Bartolini, JingHua Gao and Andrea Polini; concerning Polpa testing, with Fabio Martinelli and Paolo Mori), and have been partially developed within the European Projects TAS3 (completed) and NESSOS (ongoing).
Agenda
• Introduction to:
  • Security mechanisms and access control systems
  • Security testing
  • XACML
• XML-based testing and TAXI tool
• XACML combinatorial testing and X-CREATE tool
• XACML mutations and XACMUT tool
• Usage-control systems and testing of Polpa
• Conclusions and hints for further research
Software is everywhere
Software is routinely used in many disparate aspects of everyday life.
More and more, the different software-intensive devices that we use communicate among themselves.
In many cases software applications are critical either money-wise or health-wise.
The evident consequence is that malfunctions of software heavily impact our wellness and welfare.
Software malfunctions
The consequences can be very different:
• Your web browser crashes while you are reading news: this is annoying
• Your web mail account is stolen: this could be serious
• The computerized device releases a radiation overdose (*): this is very serious
(*) Leveson, N.G.; Turner, C.S., "An investigation of the Therac-25 accidents," Computer, vol. 26, no. 7, pp. 18-41, July 1993
Software puts us at risk
Two somewhat contrasting wishes:
• Being connected every time and everywhere
• Preserving our own privacy and data integrity
However, for business and society connectivity is no longer an option. The point is to balance potential risks with benefits.
Networks must be enabled to support security services that provide adequate protection to users and companies in a relatively open environment.
Rising vulnerability of evolving technology
[Figure, from Catherine Paquet, Network Security Concepts and Policies, Cisco Press, 2013]
Three related software quality concerns: Dependability, Safety, Security
Definitions
Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp. 11-33, Jan.-March 2004
Dependability: the ability to deliver service that can justifiably be trusted.
Safety: the absence of catastrophic consequences on the user(s) and the environment.
Security: the absence of unauthorized access to, or handling of, system state.
Composite definition of security
[Figure, from the same taxonomy: security as the composite of confidentiality, integrity and availability]
Security engineering
• Systems engineering must be unified with security engineering:
  • Currently (*) security modeling remains largely independent of system models.
  • Typically, system requirements and design are done first, and security is added as an afterthought.
(*) Premkumar T. Devanbu and Stuart Stubblebine. Software engineering for security: a roadmap. In FOSE 2000 @ ICSE '00. ACM, 227-239.
Information Assurance: an overarching approach
• Information must be protected throughout its lifetime, while at rest and while passing through different processing systems
• The strength of any system is no greater than its weakest link
• Each component of the information processing system must have its own protection mechanisms
• The building up, layering on and overlapping of security measures is called defense in depth:
  • a design principle to ensure resilience against different forms of attack, and to reduce the probability of a single point of failure
[Figure: The Onion Model of Defense in Depth]
Why ensuring security is difficult
Security engineers (and especially testers) must take into account not only legitimate users and clients, but also potential (malicious) adversaries.
Therefore, to design a secure system we should provide defenses against all plausible threats: a secure system does only what it is supposed to do and nothing else.
Risk-oriented approach
• Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data.
• All systems have some level of risk.
• A completely secure, zero-risk system is one that has zero functionality.
Towards a Security-centered Development Process
• A security development lifecycle (SDL) is a software development lifecycle placing special emphasis on security in each phase
• Several SDLs have been proposed, of which Microsoft SDL is the best established in industry
Security testing
There exist many different types of security testing. For example, Microsoft SDL includes three practices:
• Dynamic Analysis: performs run-time verification of software functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other …
• Fuzz Testing: induces program failure by deliberately introducing malformed or random data to an application so as to reveal potential security issues prior to release
• Attack Surface Review: reviewing the attack surface before and after the installation of product(s) and displaying the changes to key elements of the attack surface
Scope of security testing
Two sides:
• Security software: testing security mechanisms to ensure that their functionality is properly implemented
• Software security: performing risk-based security testing driven by understanding and simulating the attacker's approach
To keep in mind: "software security is not security software" (*)
Security features such as cryptography, strong authentication, and access control play critical roles in software security; however, security itself is an emergent property of an entire system, not just its security mechanisms.
(*) Gary McGraw and Bruce Potter. 2004. Software Security Testing. IEEE Security and Privacy 2, 5 (September 2004), 81-85.
Approaches for testing "software security"
Mostly negative testing, aiming at detecting whether the application does something it should not do. It includes:
• Fuzzing, either random or systematic (e.g., model-based fuzz testing)
• Vulnerability injection, e.g. SQL injection
• Risk-based testing
• Security test patterns (e.g., DIAMONDS project)
• …
Risk-based security testing relies on expertise and knowledge of the system: it requires that you think about your project and its possible misuses or attacks.
CIA
[Figure: the Confidentiality, Integrity, Availability (CIA) triad]
Data classification
Assets (data, programs, resources, …) have different security levels, e.g.:
• Unclassified
• Restricted
• Confidential
• …
Correspondingly, differing roles for people or applications are introduced, defining who can access what level, e.g.:
• Owner
• Administrator
• User
• …
Access control
• Once a system involves security-classified data, we need to ensure that only the intended people can access them and that these intended users are only given the level of access required to accomplish their tasks.
An access control system provides a decision (ok, ko) to an authorization request, typically based on predefined policies.
[Figure: request -> Access Control (driven by a policy) -> response]
Access control mechanisms
Identification, Authentication, Authorization
Identification: the activity of a subject supplying information to identify itself to an authentication service. Examples: username, account number, ID card, …
Authentication: a means to verify the authenticity of the identity declared during Identification. Three ways (of increasing cost):
- What the subject knows: passwords, PINs, passcodes, etc.
- What the subject has: keys, tokens, smartcards, etc.
- What the subject is: biometric data, e.g., fingerprints, voice recognition, etc.
Authentication can be one-factor or two/three-factor (strong).
Authorization: the process of assigning to authenticated subjects a set of permissions that defines what they can and cannot do. These permissions are generally defined by security policies.
Defining security rules (or policies)
A security policy is a specific statement of what is and is not allowed.
Security policies
From Wikipedia:
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
• Access control
• Computer security policy
• Environmental design
• Information Protection Policy
• Information security policy
• National security policy, Military strategy
• Network security policy
• Virtual security policy
• …
The eXtensible Access Control Markup Language
• XACML is the OASIS standard for specifying Access Control Policy
• The latest version is XACML 3.0, released in January 2013
  - Before, XACML 2.0 was released in Feb. 2005 (this is the version implemented in our tool)
  - XACML 1.0 had been released in Feb. 2003
• Organizations sponsoring OASIS and contributing to the XACML standard include: CA Technologies, Cisco Systems, Connectis, Dell, EMC, IBM, Microsoft, Oracle, Primeton Technologies, Inc., Red Hat, SailPoint Technologies, The Boeing Company, Veterans Health Administration, ViewDS, etc.
www.oasis-open.org
XACML
• XACML is a general-purpose language for access control policies. It provides an XML-based syntax for managing access to resources.
• XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors.
• It is generic (can be used by many different kinds of applications and platforms), distributed (a policy can refer to other sub-policies, and XACML knows how to correctly combine the results from these different policies into one decision) and powerful (supports a wide variety of data types, functions, and rules about combining the results of different policies).
XACML languages
Policy Language: used to describe access control requirements. Who is allowed to do what?
Request/Response Language: the request is a query about the permissions associated with x; the response is permit, deny, indeterminate, or not applicable.
XACML architecture
XACML also proposes a standard reference architecture.
Policy Enforcement Point (PEP): performs access control, by making decision requests and enforcing authorization decisions. Basically the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
Policy Decision Point (PDP): evaluates the applicable policy and returns an authorization decision.
XACML Flow
• A Subject who wishes to access an Object (Resource) must do so through the PEP
• The PEP forms the XACML request and sends it to the PDP
• The PDP checks the request against the Policy and returns a XACML response
• The PEP either Permits or Denies access to the resource
[Figure: the Policy Enforcement Point (PEP) asks "Can I access Resource?"; the Policy Decision Point (PDP) answers Permit/Deny. The relevant XACML policy needs to be selected and its rules evaluated. Requests and responses are also specified in XACML.]
XACML Structure
[Figure] The nice picture is taken from: Yoon Jae Kim, Access Control Service Oriented Architecture Security, online at http://www.cs.wustl.edu/~jain/cse571-09/ftp/soa/
XACML policy example
    <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
      <Target>
        <Resource>
          <AttributeValue>http://library.com/record/</AttributeValue>
        </Resource>
      </Target>
      <Rule RuleId="rule1" Effect="Permit">
        <Condition>
          <Apply FunctionId="function:string-is-in">
            <Apply FunctionId="function:string-one-and-only">
              <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
            </Apply>
            <Apply FunctionId="function:string-bag">
              <AttributeValue DataType="string">write</AttributeValue>
              <AttributeValue DataType="string">read</AttributeValue>
            </Apply>
          </Apply>
        </Condition>
      </Rule>
      <Rule RuleId="rule2" Effect="Deny"></Rule>
    </Policy>
The slide annotates the Target, Rule1 (with its Condition) and Rule2. FunctionIds and DataTypes are abbreviated with respect to the full XACML 2.0 URNs. Read under first-applicable: rule1 permits "read" or "write" on the library record; rule2, having neither Target nor Condition, denies any other action on it.
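To see what the first-applicable policy above actually decides, here is an added example (not X-CREATE's nor any OASIS code) of a minimal PDP in Python that parses the slide's policy and evaluates constructed requests; the helper names (decide, evaluate_rule) are mine. It also shows the Indeterminate result for a request carrying two action values, which string-one-and-only rejects.

```python
"""Minimal first-applicable PDP for the slide's simplified XACML policy.
Added example, not X-CREATE's or any OASIS code: the policy text is the
one on the slide (abbreviated FunctionIds kept) and requests are
constructed here as dicts mapping a category to its bag of values."""
import xml.etree.ElementTree as ET

# Policy from the slide. Note that rule2 has neither Target nor Condition,
# so under first-applicable it denies everything rule1 does not permit.
POLICY_XML = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""

class Indeterminate(Exception):
    """An expression could not be evaluated (e.g. a bag that is not a singleton)."""

def evaluate(node, request):
    """Evaluate a Condition expression tree against request {category: [values]}."""
    tag = node.tag
    if tag == "AttributeValue":
        return node.text or ""
    if tag.endswith("AttributeDesignator"):
        # e.g. ActionAttributeDesignator -> the request's "action" bag (a list)
        category = tag[: -len("AttributeDesignator")].lower()
        return list(request.get(category, []))
    if tag == "Apply":
        fn = node.get("FunctionId")
        args = [evaluate(child, request) for child in node]
        if fn == "function:string-bag":
            return args                      # bag built from its arguments
        if fn == "function:string-one-and-only":
            if len(args[0]) != 1:            # XACML: bag must hold exactly one value
                raise Indeterminate(f"bag of size {len(args[0])}")
            return args[0][0]
        if fn == "function:string-is-in":
            return args[0] in args[1]
    raise Indeterminate(f"unsupported element/function: {tag}")

def target_matches(target, request):
    """The slide's Target lists Resource values; match them on the resource bag."""
    if target is None:
        return True
    for res in target.findall("Resource"):
        wanted = [(v.text or "") for v in res.findall("AttributeValue")]
        if not any(w in request.get("resource", []) for w in wanted):
            return False
    return True

def evaluate_rule(rule, request):
    """Return the rule's Effect if it applies, else NotApplicable/Indeterminate."""
    if not target_matches(rule.find("Target"), request):
        return "NotApplicable"
    condition = rule.find("Condition")
    if condition is None:
        return rule.get("Effect")
    try:
        applies = evaluate(condition[0], request)
    except Indeterminate:
        return "Indeterminate"
    return rule.get("Effect") if applies else "NotApplicable"

def decide(policy_xml, request):
    """first-applicable: the first rule not evaluating to NotApplicable decides."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != "first-applicable":
        raise ValueError("only first-applicable is implemented in this example")
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        result = evaluate_rule(rule, request)
        if result != "NotApplicable":
            return result
    return "NotApplicable"

if __name__ == "__main__":
    record = ["http://library.com/record/"]          # constructed requests
    print(decide(POLICY_XML, {"resource": record, "action": ["read"]}))
    print(decide(POLICY_XML, {"resource": record, "action": ["delete"]}))
    print(decide(POLICY_XML, {"resource": record, "action": ["read", "write"]}))
```

A request for any resource other than the library record falls outside the policy Target and yields NotApplicable rather than Deny, which is exactly the kind of subtlety the later slides say a policy test suite must exercise.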
We need to verify the access control system
XACML's properties of interoperability, extensibility and distribution are paid for in terms of complexity and verbosity.
Policies can be deceiving and need to be carefully checked.
Policy testing
Provide test strategies for test suite generation so as to simulate correct or improper usage of data and resources by execution of test suites.
[Figure: from the policies specification, Test suite 1 (User1) and Test suite 2 (User2) exercise different combinations of Data and Resources]
Testing Purpose
Two purposes: testing the policy specification, and testing the policy implementation (PDP).
[Figure, the same in both cases: the Test Suite sends requests to the SUT, i.e. the PDP loaded with the Policies; each reply is passed to an Oracle that emits the verdict. In the first case the object under test is the policy specification, in the second the PDP implementation.]
XACML testing
Different types of approaches have been proposed, including:
• Structural coverage of XACML elements
• Combinatorial (Targen, X-CREATE)
• Category-partition (X-CREATE)
• Change-impact based
• Model-based
• …
Targen
Targen (*) is a seminal tool on XACML testing and the closest competitor to X-CREATE.
Targen applies a combinatorial approach on the attribute values: for each target included in the policy under test it derives as many requests as there are possible combinations of the values of the attributes found in the subject, resource, and action sections.
(*) E. Martin and T. Xie, "Automated test generation for access control policies," in Supplemental Proc. of ISSRE, November 2006.
Our approach: X-CREATE
XaCml REquests derivAtion for TEsting
The X-CREATE tool supports several different test derivation strategies based on a combinatorial approach.
It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xcreate/public/main
Our approach: X-CREATE
XaCml REquests derivAtion for TEsting
Original idea: we exploit the XML nature of XACML and adapt our previous tool TAXI for XML test generation.
…so, let's now open a brief parenthesis about TAXI…
TAXI
• A tool for systematic document generation from XML Schema
• It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/taxi/public/main
The eXtensible Markup Language (XML)
    <?xml version="1.0" encoding="ISO-8859-1"?>
    <card>
      <name>John Doe</name>
      <title>CEO, Widget Inc.</title>
      <email>john.doe@widget.com</email>
      <phone>(202) 456-1414</phone>
    </card>
• The eXtensible Markup Language (XML) is a markup language which is a standard format to store information and data.
• XML documents are tree-structured documents in which data are formatted/organised using tags.
XML & XML Schema
• XML Schema provides a means for defining the structure and content of XML documents
• In the open networked world, XML Schema supports interoperability between independently developed applications
[Figure: interoperability analogy with Chinese and Italian speakers]
Automatic XML-Based Testing and Benchmarking
Our systematic approach
The approach has been inspired at large by the well-known semi-automated Category Partition methodology for systematic test generation…
…or, you can think of it as grammar-based generation on the XSD syntax, although we have also introduced practical rules.
Mapping CP to XPT
CP (*) step -> XPT step
Analyze Specifications -> Preprocessor
Identify Functional Units -> Identify Sub-Schema Sets
Partition Categories -> Identify Types
Select Choices -> Partition Values and Structures
Determine Constraints -> Determine "valid/invalid" constraints
Generate Test Specification -> Generate Intermediate Instances
Generate Test Cases -> Generate Final Instances
(*) Thomas J. Ostrand and Marc J. Balcer. The category-partition method for specifying and generating functional tests. Communications of the ACM, 31(6), 1988.
Identification of Sub-Schema Sets
<choice> elements partition the XML Schema into distinct sets corresponding to the CP functional units.
[Figure: an XML Schema with two choices, A|B and 1|2, is split into four sub-schemas, each a sequence: (A,1), (A,2), (B,1), (B,2). The CP-to-XPT mapping is shown alongside, with "Identify Sub-Schema Sets" highlighted.]
Intermediate Instances
• Generate intermediate instances by combining the values of "minOccurs" and "maxOccurs".
• Apply the conventional Boundary Condition test approach to reduce the combinations.
[Figure: a sub-schema with element A (minOccurs=0, maxOccurs=3) and element B (minOccurs=2, maxOccurs=4) yields four intermediate instances: (A occurs=0, B occurs=2), (A occurs=3, B occurs=2), (A occurs=0, B occurs=4), (A occurs=3, B occurs=4). The CP-to-XPT mapping is shown alongside, with "Generate Intermediate Instances" highlighted.]
Potential Applications
• For validating database management systems:
  - automatically generate valid XML instances for populating the database
  - evaluate the performance and the quality of the associated management systems
• For testing the interoperability between applications and for enabling the correct interactions among the interfaces used by remote components in distributed systems:
  - automatic and controlled generation of valid and invalid instances enables the automated testing of I/O behavior
• For verifying the proper communication protocols between web services:
  - SOAP-based interaction between services exploiting the corresponding XML Schemas…
• …
Further Reading:
Bertolino, Antonia, Jinghua Gao, Eda Marchetti, and Andrea Polini. "Automatic test data generation for XML schema-based partition testing." In Proc. of the Second International ICSE Workshop on Automation of Software Test, p. 4. IEEE Computer Society, 2007.
Bartolini, Cesare, Antonia Bertolino, Eda Marchetti, and Andrea Polini. "WS-TAXI: A WSDL-based testing tool for web services." In Proc. ICST'09, pp. 326-335. IEEE, 2009.
X-CREATE Testing Framework
[Figure: the request structures and the policies specification are combined into instantiated requests]
Implements several testing strategies:
• Preliminary XPT (XML Partition Testing)
• Incremental XPT
• Simple Combinatorial
• Multiple Combinatorial
• Hierarchical Simple
• Hierarchical Incremental
Preliminary XPT Main Idea
Inspired by TAXI: derive (once and for all) a universally valid generic test suite of conforming requests by applying:
• A variant of the Category Partition methodology
• The Boundary Conditions methodology
Each request in this generic test suite is a general structure of a valid XACML request instance.
[Figure: XACML Context Schema -> request structures -> conforming test suite]
XPT implementation
The tool consists of three main components:
• an intermediate-request generator, which is based on the XPT approach for intermediate instances (request structures) generation
• a policy analyzer, which selects the input values from the policy specification, and
• a values manager, which distributes the input values to the request structures.
A Sketch of the XACML Context Schema
[Figure: sketch of the XACML context schema; elements with unbounded occurrence are annotated with the occurrence sets {1,...,k/2,...,k} or {0,...,k/2,...,k}]
1. Fix the unbounded occurrences to K
2. Apply the XPT strategy to the obtained schema
We thus automatically obtain a set of different Request Structures.
Example of request structure:
    <Request>
      <Subject> </Subject>
      <Subject> </Subject>
      <Resource> </Resource>
      <Action> </Action>
    </Request>
118098!!!!! Too much!!!
10 elements with unbounded occurrence and 1 having [0,1] cardinality -> 3^10 * 2^1 = 118098 request structures (still to be filled with values…)
We need to apply some approach to select those request structures that could maximize the fault detection capability.
Note: the full set of request structures needs to be derived once and for all. Only the selection of the subset is redone each time.
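Added example (not TAXI's or X-CREATE's code) of the boundary-based intermediate-instance step described on the slides: occurrence_choices, count_structures and generate_structures are assumed names, and the context-schema sketch is constructed only to reproduce the 3^10 * 2^1 = 118098 count above and the four-instance A/B sub-schema example.

```python
"""Boundary-based generation of XACML request structures, the XPT step
of TAXI/X-CREATE described on the slides. Added example, not the tools'
code: occurrence_choices, count_structures and generate_structures are
assumed names, and the context-schema sketch below is constructed to
reproduce the slide's counts (ten unbounded elements, one with [0,1])."""
from itertools import product
from math import prod

UNBOUNDED = None  # stands for maxOccurs="unbounded"

def occurrence_choices(min_occ, max_occ, k):
    """Boundary values for one element's number of occurrences.
    Bounded elements keep {min, max} (the Boundary Condition approach);
    unbounded ones are first fixed to K and then get {min, K/2, K}."""
    if max_occ is UNBOUNDED:
        return sorted({min_occ, max(min_occ, k // 2), k})
    return sorted({min_occ, max_occ})

def count_structures(elements, k):
    """Number of intermediate instances, without enumerating them."""
    return prod(len(occurrence_choices(lo, hi, k)) for _, lo, hi in elements)

def generate_structures(elements, k):
    """Yield every combination of boundary occurrence counts as a dict."""
    names = [name for name, _, _ in elements]
    choices = [occurrence_choices(lo, hi, k) for _, lo, hi in elements]
    for combo in product(*choices):
        yield dict(zip(names, combo))

def render_request(structure):
    """Emit the empty request skeleton shown on the slide for top-level elements."""
    lines = ["<Request>"]
    for name, count in structure.items():
        lines += [f"  <{name}> </{name}>"] * count
    lines.append("</Request>")
    return "\n".join(lines)

# Sub-schema from the Intermediate Instances slide: A [0,3], B [2,4].
SUB_SCHEMA = [("A", 0, 3), ("B", 2, 4)]

# Constructed sketch of the XACML 2.0 request context: ten elements with
# unbounded occurrence plus one optional element, as the slide states.
# The real element list is not on the page; the Attribute* names are illustrative.
CONTEXT_SKETCH = (
    [("Subject", 1, UNBOUNDED), ("Resource", 1, UNBOUNDED)]
    + [(f"Attribute{i}", 0, UNBOUNDED) for i in range(1, 9)]
    + [("ResourceContent", 0, 1)]
)

if __name__ == "__main__":
    for instance in generate_structures(SUB_SCHEMA, k=4):
        print(instance)                              # the four (A, B) instances
    print(count_structures(CONTEXT_SKETCH, k=4))     # 3**10 * 2**1 = 118098
    print(render_request({"Subject": 2, "Resource": 1, "Action": 1}))
```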
Policy Under-Test Analyzer
Take values from the policy under test for elements and attributes.
Four value sets are defined:
• SubjectSet
• ResourceSet
• ActionSet
• EnvironmentSet
For robustness and negative testing, random values for elements and attributes are added.
Example of results from the policy analyser
Request Values Manager
Responsible for the final requests generation.
Two possible approaches, using either standard structures or combinatorial structures:
1. Pure combinatorial approach using all the values in the 4 sets
2. Hierarchical combination (to focus the request generation on a specific part of a policy)
How many combinations?
Avoiding duplication, derive all combinations of subject “entities”, resource “entities”, action “entities” and environment “entities” by applying:
• the pair-wise combination (PW)
• the three-wise combination (TW)
• the four-wise combination (FW)
Note: the number of combinations strictly depends on the policy considered
Examples
Example of request:
  <Request>
    <Subject>Mario Rossi</Subject>
    <Resource>personal id</Resource>
    <Action>read</Action>
  </Request>
Example of request:
  <Request>
    <Subject>s2</Subject>
    <Resource>personal id</Resource>
    <Action>a2</Action>
  </Request>
Example of request:
  <Request>
    <Subject>Mario Rossi</Subject>
    <Subject>s2</Subject>
    <Resource>p2</Resource>
    <Action>read</Action>
    <Environment>e2</Environment>
  </Request>
X-CREATE vs. Targen
We considered the available policies also used for the Targen presentation
We applied mutation to the policies to introduce faults
We used the same mutation operators for XACML policies indicated in the Targen experiment
We used the sets of mutants obtained to answer two Research Questions:
TSEff: Is the test suite derived by X-CREATE more effective than that derived by Targen?
TSIncr: Is the capability provided by X-CREATE to vary the number and structure of test requests useful for increasing effectiveness?
Some Results
(results figure)
We generated the same number of requests generated by the Targen tool for each policy, so as to get a fair comparison
We only derived the data for PolicyExample; the others are from the Targen evaluation
Well done!! …but can we do better?
• New methodology for request structures generation (Incremental XPT)
• New specific test strategy providing a stopping criterion (Simple Combinatorial)
Incremental XPT
We introduce a modified (reduced) schema as follows:
• one value for the <AttributeValue>
• zero for the minOccurs and maxOccurs of the ResourceContent element and those of the contained <Any> element, because they are not used in test values generation
We end up with 3^6 = 729 request structures
Simple Combinatorial
Idea: derive as many requests as the possible combinations of the values of the subjects, resources, actions and environment of the XACML policy.
• The derived requests are first those obtained using all combinations of the Pairwise set, then of the 3wise set and finally those of the 4wise set.
• The maximum number of requests derived by this strategy is equal to the cardinality of the 4wise set.
The resulting number of combinations can also be used as a stopping criterion for the test case generation in XPT
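The request-generation pipeline of the preceding slides (policy analyzer, values manager with the PW/TW/FW sets, and the Simple Combinatorial ordering with its |FW| stopping criterion), as an added Python example that is not X-CREATE's own code. The sample policy, the environment attribute identifier `urn:example:environment:shift`, and the reading of the n-wise sets as "one value for each kind of an n-subset of the four entity kinds" are assumptions of this example; the XPT structure count is included so that the 3^10 * 2^1 = 118098 figure can be reproduced.

```python
"""Added example: X-CREATE-style value extraction and n-wise request generation
for an XACML 2.0 policy (illustrative code, not the tool's own)."""
import itertools
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CONTEXT_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ENTITY_KINDS = ("Subject", "Resource", "Action", "Environment")
ATTR_IDS = {  # standard XACML ids for the first three; the environment id is constructed
    "Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
    "Environment": "urn:example:environment:shift",
}


def _match(kind, value):
    """Sample-policy helper: a <SubjectMatch>/<ResourceMatch>/... comparing an attribute to a literal."""
    return (f'<{kind}s><{kind}><{kind}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{ATTR_IDS[kind]}" DataType="{STRING}"/>'
            f'</{kind}Match></{kind}></{kind}s>')


def _rule(rule_id, effect, **entities):
    target = "".join(_match(kind, value) for kind, value in entities.items())
    return f'<Rule RuleId="{rule_id}" Effect="{effect}"><Target>{target}</Target></Rule>'


# Constructed sample policy (not from the slides): two rules over patient data.
SAMPLE_POLICY = (
    f'<Policy xmlns="{POLICY_NS}" PolicyId="demo" RuleCombiningAlgId='
    '"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"><Target/>'
    + _rule("r1", "Permit", Subject="Mario Rossi", Resource="personal id",
            Action="read", Environment="office-hours")
    + _rule("r2", "Deny", Subject="Anna Bianchi", Resource="medical record", Action="write")
    + "</Policy>")


def policy_values(policy_xml):
    """Policy Under-Test Analyzer: the literals the *Match elements compare against,
    grouped into SubjectSet, ResourceSet, ActionSet and EnvironmentSet."""
    root = ET.fromstring(policy_xml)
    values = {kind: set() for kind in ENTITY_KINDS}
    for kind in ENTITY_KINDS:
        for match in root.iter(f"{{{POLICY_NS}}}{kind}Match"):
            values[kind].update(av.text for av in match.iter(f"{{{POLICY_NS}}}AttributeValue"))
    return values


def nwise_requests(values):
    """Values manager: the PW (n=2), TW (n=3) and FW (n=4) sets. A request of the
    n-wise set carries one value for each kind of an n-subset of the four entity
    kinds (our reading of the slides; kinds with no values contribute nothing)."""
    return {n: [dict(zip(kinds, combo))
                for kinds in itertools.combinations(ENTITY_KINDS, n)
                for combo in itertools.product(*(sorted(values[k]) for k in kinds))]
            for n in (2, 3, 4)}


def simple_combinatorial(values):
    """Simple Combinatorial strategy: PW requests first, then TW, then FW, stopping
    at |FW| requests, the maximum the slide gives for this strategy."""
    sets = nwise_requests(values)
    return (sets[2] + sets[3] + sets[4])[:len(sets[4])]


def count_request_structures(unbounded, optional):
    """XPT structure count: an unbounded element takes one of {1, k/2, k}, an
    optional [0,1] element one of {0, 1}; (10, 1) reproduces 3^10 * 2^1 = 118098."""
    return 3 ** unbounded * 2 ** optional


def to_xacml_request(req):
    """Serialise one combination as an XACML 2.0 context Request; entity kinds
    missing from the combination are omitted, as in the slides' request structures."""
    root = ET.Element("Request", xmlns=CONTEXT_NS)
    for kind in ENTITY_KINDS:
        if kind in req:
            attr = ET.SubElement(ET.SubElement(root, kind), "Attribute",
                                 AttributeId=ATTR_IDS[kind], DataType=STRING)
            ET.SubElement(attr, "AttributeValue").text = req[kind]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    sets = nwise_requests(policy_values(SAMPLE_POLICY))
    print({n: len(reqs) for n, reqs in sets.items()})   # sizes of PW, TW, FW
    print(to_xacml_request(sets[4][0]))
```

With two subjects, two resources, two actions and one environment value the sets have 18, 20 and 8 members, so the Simple Combinatorial strategy stops after the first 8 pairwise requests; the value-set sizes, not the schema, drive the count, which is the point of the "depends on the policy considered" note above.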
Evaluation of the test strategies' effectiveness:
• Define a set of XACML policies
• Apply mutation to each policy to introduce faults
• Execute each set of test cases on the policy and its mutants
• Establish the winner in each match: Incremental XPT vs. Simple Combinatorial
XPT vs. Simple Combinatorial
With the same number of requests for each policy, the effectiveness of Incremental XPT is generally higher than that of the Simple Combinatorial strategy
In two cases the fault detection of Simple Combinatorial is higher than that of Incremental XPT
(chart: Simple Combinatorial vs. Incremental XPT)
Deeper Analysis
Incremental XPT is the winner when the access
decision of the policy rules depends concurrently
on the values of more than one subject or
resource or action or environment entity
Simple Combinatorial is the winner when the
policies are simple and the satisfiability of the
policy rules depends on the combinations of a
single subject, resource, action and environment
entity
How to evaluate XACML testing approaches?
The mutation approach typically used in software
testing has been adapted to XACML policy
testing
XACMUT: XACML 2.0 Mutants Generator
Our tool can be downloaded from our laboratory page at:
http://labsewiki.isti.cnr.it/labsedc/tools/xacmut/public/main
XACMUT
• A set of mutation operators addressing specific faults of the XACML 2.0 access control policy
• XACMUT (XACml MUTation):
  • generates the set of mutants
  • provides facilities to run a given test suite on the mutants set
  • computes the test suite effectiveness in terms of mutation score
Previous work
Proposal1*
Preliminary set of mutation operators for XACML policies.
Not included:
• all the important criticalities of the XACML policy specification
• most of the available XACML functions
Proposal2**
• Set of mutation operators based on metamodel
• simulate the faults in the security models independently from the role-based formalism (R-BAC, OrBAC, …)
Peculiarity: The mutation operators cannot be directly applied to XACML
*E. Martin and T. Xie, “A fault model and mutation testing of access control policies,” in Proc. of WWW, May 2007, pp. 667–676
**T. Mouelhi, F. Fleurey, and B. Baudry, “A generic metamodel for security policies mutation,” in Proc. of ICSTW, 2008, pp. 278–286
Mutation operators of Proposal1
• Policy Set Target True (PSTT) - removes the Target of each PolicySet ensuring that the PolicySet is applied to all requests
• Policy Set Target False (PSTF) - modifies the Target of each PolicySet such that the PolicySet is never applied to a request
• Policy Target True (PTT) - removes the Target of each Policy ensuring that the Policy is applied to all requests
• Policy Target False (PTF) - modifies the Target of each Policy ensuring that the Policy is never applied to a request
• Rule Target True (RTT) - removes the Target of each rule ensuring that the Rule is applied to all requests
• Rule Target False (RTF) - modifies the Target of each rule such that the Rule is never applied to a request
Mutation operators of Proposal1 (cont.)
• Rule Condition True (RCT) - removes the condition of each Rule ensuring that the Condition always evaluates to True
• Rule Condition False (RCF) - manipulates the Condition values or the Condition functions ensuring that the Condition always evaluates to False
• Change Policy Combining Algorithm (CPC) - replaces the existing policy combining algorithm with another policy combining algorithm. The set of considered policy combining algorithms is {deny-overrides, permit-overrides, first-applicable, only-one-applicable}
• Change Rule Combining Algorithm (CRC) - replaces the existing rule combining algorithm with another rule combining algorithm. The set of considered rule combining algorithms is {deny-overrides, permit-overrides, first-applicable}
• Change Rule Effect (CRE) - changes the rule effect by replacing Permit with Deny or Deny with Permit
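How the target, effect and combining-algorithm operators above act on a policy, and how the mutation score XACMUT reports is computed, as an added Python example that is not XACMUT's own code: five operators (PTT, RTT, RTF, CRE, CRC) applied to a constructed two-rule XACML 2.0 policy, with a toy PDP (string-equality targets plus the three rule-combining algorithms) serving as oracle. The policy, the requests and the toy PDP are assumptions of this example; MatchId and designator attributes are left out of the sample because the toy PDP only compares literals, and the Condition operators (RCT, RCF) are not implemented.

```python
"""Added example (not XACMUT): a few XACML mutation operators and a mutation score."""
import copy
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
RCA = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
RULE_COMBINING_ALGS = [RCA + "deny-overrides", RCA + "permit-overrides", RCA + "first-applicable"]
KINDS = ("Subject", "Resource", "Action", "Environment")


def q(tag):
    return f"{{{NS}}}{tag}"


# Constructed sample policy: a nurse may read; nobody touches psychiatric notes.
GOLD_XML = f"""<Policy xmlns="{NS}" PolicyId="demo" RuleCombiningAlgId="{RCA}first-applicable">
 <Target/>
 <Rule RuleId="r1" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch><AttributeValue>nurse</AttributeValue></SubjectMatch></Subject></Subjects>
  <Actions><Action><ActionMatch><AttributeValue>read</AttributeValue></ActionMatch></Action></Actions>
 </Target></Rule>
 <Rule RuleId="r2" Effect="Deny"><Target>
  <Resources><Resource><ResourceMatch><AttributeValue>psychiatric-notes</AttributeValue></ResourceMatch></Resource></Resources>
 </Target></Rule>
</Policy>"""
GOLD = ET.fromstring(GOLD_XML)


def target_matches(target, request):
    """A missing Target, or one without <Subjects>/<Resources>/..., matches everything;
    each kind that is present must be matched by the request's value for that kind."""
    if target is None:
        return True
    for kind in KINDS:
        group = target.find(q(kind + "s"))
        if group is None:
            continue
        literals = {av.text for av in group.iter(q("AttributeValue"))}
        if request.get(kind) not in literals:
            return False
    return True


def evaluate(policy, request):
    """Toy PDP: rule targets first, then the policy's rule-combining algorithm."""
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(q("Rule"))
               if target_matches(r.find(q("Target")), request)]
    if not effects:
        return "NotApplicable"
    alg = policy.get("RuleCombiningAlgId")
    if alg.endswith("first-applicable"):
        return effects[0]
    if alg.endswith("deny-overrides"):
        return "Deny" if "Deny" in effects else "Permit"
    if alg.endswith("permit-overrides"):
        return "Permit" if "Permit" in effects else "Deny"
    raise ValueError(f"unsupported combining algorithm {alg}")


def mutants(gold):
    """(name, mutated policy) pairs for the PTT, RTT, RTF, CRE and CRC operators."""
    out = []
    if gold.find(q("Target")) is not None:                      # PTT: drop the Policy Target
        m = copy.deepcopy(gold); m.remove(m.find(q("Target"))); out.append(("PTT", m))
    for i, rule in enumerate(gold.findall(q("Rule"))):
        rid = rule.get("RuleId")
        if rule.find(q("Target")) is not None:
            m = copy.deepcopy(gold); r = m.findall(q("Rule"))[i]   # RTT: rule applies to all
            r.remove(r.find(q("Target"))); out.append((f"RTT:{rid}", m))
            m = copy.deepcopy(gold); r = m.findall(q("Rule"))[i]   # RTF: rule never applies
            env = ET.SubElement(ET.SubElement(r.find(q("Target")), q("Environments")), q("Environment"))
            ET.SubElement(ET.SubElement(env, q("EnvironmentMatch")), q("AttributeValue")).text = "__unsatisfiable__"
            out.append((f"RTF:{rid}", m))
        m = copy.deepcopy(gold); r = m.findall(q("Rule"))[i]       # CRE: flip the effect
        r.set("Effect", "Deny" if r.get("Effect") == "Permit" else "Permit")
        out.append((f"CRE:{rid}", m))
    for alg in RULE_COMBINING_ALGS:                                 # CRC: other combining algorithm
        if alg != gold.get("RuleCombiningAlgId"):
            m = copy.deepcopy(gold); m.set("RuleCombiningAlgId", alg)
            out.append((f"CRC:{alg.rsplit(':', 1)[1]}", m))
    return out


def mutation_analysis(gold, tests):
    """Oracle = decisions of the gold policy; a mutant is killed when at least one
    request gets a different decision from it. Returns the numbers behind the score."""
    oracle = [evaluate(gold, t) for t in tests]
    killed, survivors = 0, []
    for name, m in mutants(gold):
        if any(evaluate(m, t) != expected for t, expected in zip(tests, oracle)):
            killed += 1
        else:
            survivors.append(name)
    return {"killed": killed, "total": killed + len(survivors), "survivors": survivors}


# Constructed test suite: one request per rule plus one matching no rule ...
TESTS = [
    {"Subject": "nurse", "Action": "read", "Resource": "lab-results"},
    {"Subject": "doctor", "Action": "write", "Resource": "psychiatric-notes"},
    {"Subject": "doctor", "Action": "read", "Resource": "lab-results"},
]
# ... and one that makes both rules applicable, which is what exposes a changed combining algorithm.
BOTH_RULES = {"Subject": "nurse", "Action": "read", "Resource": "psychiatric-notes"}

if __name__ == "__main__":
    print(mutation_analysis(GOLD, TESTS))
    print(mutation_analysis(GOLD, TESTS + [BOTH_RULES]))
```

Three of the nine mutants survive the first suite. PTT is equivalent to the gold policy (an empty `<Target/>` already matches every request, so removing it changes nothing) and can never be killed; the two CRC mutants survive only because no request makes both rules applicable, and adding BOTH_RULES kills the deny-overrides one. The permit-overrides mutant is also equivalent for this policy, since its only Permit rule comes first. Equivalent mutants are the reason a mutation score rarely reaches 1.0, and telling them apart from a weak test suite is part of reading the score.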
And now…
Forget everything you have just learned about
XACML-based control of access, because ….
is the new big thing ahead !!!
Usage Control Model: Beyond Access Control
(figure: timeline of a usage session)
  Before usage: pre decision (this is where traditional access control stops), pre update
  Ongoing usage: ongoing decision, ongoing update
  After usage: post update
  Mutability of attributes: pre update, ongoing update, post update
Usage Control Model (UCON)*
Is based on:
• Authorizations
• Obligations
• Conditions
• Mutability of Attributes
• Continuous policy enforcement
* Defined by J. Park and R. Sandhu, The UCON Usage Control Model. ACM Trans. On Information and System Security, 7(1), 2004
Policy Language (based) on Process Algebra (PolPA)*
• A formal policy language for UCON
• An operational language based on process description languages
• The idea is to describe the allowed sequences of actions (commands)
• Policies can thus be formally verified, compared, minimized, refined
*F. Martinelli and P. Mori, “On usage control for grid systems,” Future Generation Computer Systems, vol. 26, no. 7, pp. 1032–1042, 2010
Usage control commands
• tryaccess(s, r, a): performed by subject s when performing a new access request (s, r, a)
• permitaccess/denyaccess(s, r, a): performed by the system when granting/denying the access request (s, r, a)
• endaccess(s, r, a): performed by subject s when ending an access (s, r, a)
• revokeaccess(s, r, a): performed by the system when revoking an ongoing access (s, r, a)
• update(attribute): updating a subject or an object attribute
Command composition operators: ., or, par
Example of PolPA Policy (figure)
PolPA Authorization System (figure)
Testing Purpose
(figure: the Test Suite sends requests to the SUT, i.e. the PDP loaded with the usage control Policies; the PDP's replies go to the Oracle, which emits the verdict)
PDP (Policy Decision Point): evaluates the requests against the usage control policies
How to do PDP testing?
Emulate a possible PEP by issuing tryaccess and endaccess commands to the PDP
Which test approach?
• A test case (request) is a sequence of commands (tryaccess/endaccess) with a variable number of action parameters
• Traditional combinatorial approaches are not suitable since they do not specifically address the commands order
• We propose:
  • a fault model and the corresponding mutation operators classes for the PolPA language
  • a test cases derivation strategy from the fault model
Testing procedure
A. Apply fault-model mutation classes to the PolPA policy (FMM)
B. Derive a set of mutants (each mutant is a faulty policy) (FPG)
C. Apply test case generation strategy to each policy (gold policy and all derived faulty policies) (TCG)
D. Execute test cases (TD)
E. Analyze test results (TO)
Mutation classes
• Change Composition Operator (CCO) implements a violation of the order of execution of the commands
• Change Command (CC) implements faults in the execution of a command
• Change Guard String Predicate (CGSP) implements a wrong management of the values of string parameters
• Change Guard Integer Predicate (CGIP) implements a wrong management of the values of integer parameters
Depth-first visit of the policy (figure)
Depth-first visit of the faulty policy (CCO class) (figure)
Experimental Data

  Mutant class   #Mutants   #Executed test cases   #Faults
  Policy            -              2                  0
  CCO              14             45                  0
  CC               56             84                  9
  CGSP              4              8                  0
  CGIP              4              8                  0
  Total            78            175                  9

• for 9 test cases (of 84) the responses were not the expected ones
• all faults given by test cases derived by mutants having 2 tryaccess(user_id, R1, A(x1, x2))
• PDP implementation allows for tryaccess an arbitrary number of times (specific application constraint)
We have covered:
• XML-based testing and TAXI tool
• XACML combinatorial testing and X-CREATE tool
• XACML mutations and XACMUT tool
• Usage-control systems and testing of Polpa
quite enough for today!
What after?
Concerning access control
-- we are integrating the tools into a continuous framework
-- supporting the policy developer, after a problem is detected, in debugging the policy
Concerning usage control
-- provide support for continuous on-line testing (already ongoing)
-- towards standardized U-XACML
not only technology … humans
Social engineering
• People are generally considered the weakest link in information assurance
• As organizations improve their security processes and technologies, more and more attackers focus on exploiting human errors or ingenuity
• So-called social engineering malware is rising as the most successful tactic: it manipulates the natural human tendency to trust
Figure from Sherly Abraham, InduShobha Chengalur-Smith, An overview of social engineering malware: Trends, tactics, and implications, Technology in Society, 32 (3), 2010, 183–196
So the message is:
- Stay informed on the technology
- Adopt best practice and protect your data,
- Test your security mechanisms, and..
- Stay alert!