A fault model and mutation testing of access control policies
Proceedings of the 16th international conference on World Wide Web
Testing and Analysis of Access Control Policies
ICSE COMPANION '07 Companion to the proceedings of the 29th International Conference on Software Engineering
Working set-based access control for network file systems
Proceedings of the 14th ACM symposium on Access control models and technologies
Nemesis: preventing authentication & access control vulnerabilities in web applications
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Mining likely properties of access control policies via association rule mining
DBSec'10 Proceedings of the 24th annual IFIP WG 11.3 working conference on Data and applications security and privacy
Hi-index | 0.00 |
To ease the burden of implementing and maintaining access-control aspects in a system, a growing trend among developers is to write access-control policies in a specification language such as XACML and integrate the policies with applications through the use of a Policy Decision Point (PDP). To assure that the specified polices reflect the expected ones, recent research has developed policy verification tools; however, their applications in practice are still limited, being constrained by the limited set of supported policy language features and the unavailability of policy properties. This paper presents a data-mining approach to the problem of verifying that expressed access-control policies reflect the true desires of the policy author. We developed a tool to investigate this approach by automatically generating requests, evaluating those requests to get responses, and applying machine learning on the requestresponse pairs to infer policy properties. These inferred properties facilitate the inspection of the policy behavior. We applied our tool on an access-control policy of a central grades repository system for a university. Our results show that machine learning algorithms can provide valuable insight into basic policy properties and help identify specific bug-exposing requests.