If access control policy decision points are not neatly separated from the business logic of a system, the evolution of a security policy likely leads to the necessity of changing the system’s code base. This is often the case with legacy systems. We present a test-driven methodology to assess the flexibility of a system, a property that describes the degree of coupling between the access control logic and the business logic of a system. A low flexibility indicates that a modification of the policy will lead to substantial changes of the code. In this paper, we analyze the notion of flexibility, which is related to the presence of hidden and implicit security mechanisms in the business logic. We detail how testing can be used for detecting such mechanisms and how it may drive the incremental evolution of a security policy. We use several case studies to illustrate and validate the methodology.