A formal approach for testing security rules

Authors:
Wissam Mallouli;Jean-Marie Orset;Ana Cavalli;Nora Cuppens;Frederic Cuppens
Affiliations:
GET/INT Evry, SAMOVAR, Evry Cedex, France;GET/INT Evry, SAMOVAR, Evry Cedex, France;GET/INT Evry, SAMOVAR, Evry Cedex, France;GET/ENST Bretagne, Cesson Sevigne Cedex, France;GET/ENST Bretagne, Cesson Sevigne Cedex, France
Venue:
Proceedings of the 12th ACM symposium on Access control models and technologies
Year:
2007

Citing 6
Cited 6

A policy description language

AAAI '99/IAAI '99 Proceedings of the sixteenth national conference on Artificial intelligence and the eleventh Innovative applications of artificial intelligence conference innovative applications of artificial intelligence
Hit-or-Jump: An algorithm for embedded testing with applications to IN services

FORTE XII / PSTV XIX '99 Proceedings of the IFIP TC6 WG6.1 Joint International Conference on Formal Description Techniques for Distributed Systems and Communication Protocols (FORTE XII) and Protocol Specification, Testing and Verification (PSTV XIX)
Organization based access control

POLICY '03 Proceedings of the 4th IEEE International Workshop on Policies for Distributed Systems and Networks
Test generation for network security rules

TestCom'06 Proceedings of the 18th IFIP TC6/WG6.1 international conference on Testing of Communicating Systems
Firewall conformance testing

TestCom'05 Proceedings of the 17th IFIP TC6/WG 6.1 international conference on Testing of Communicating Systems
Analysis of policy anomalies on distributed network security setups

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security

Modeling System Security Rules with Time Constraints Using Timed Extended Finite State Machines

DS-RT '08 Proceedings of the 2008 12th IEEE/ACM International Symposium on Distributed Simulation and Real-Time Applications
Towards a test cases generation method for security policies

ICT'09 Proceedings of the 16th international conference on Telecommunications
More testable properties

ICTSS'10 Proceedings of the 22nd IFIP WG 6.1 international conference on Testing software and systems
A systematic approach to integrate common timed security rules within a TEFSM-based system specification

Information and Software Technology
A model-based approach to automated testing of access control policies

Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Supporting customized views for enforcing access control constraints in real-time collaborative web applications

ICWE'13 Proceedings of the 13th international conference on Web Engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

Nowadays, security policies are the key point of every modern infrastructure. The specification and the testing of such policies are the fundamental steps in the development of a secure system since any error in a set of rules is likely to harm the global security. To address both challenges, we propose a framework to specify security policies and test their implementation on a system. Our framework makes it possible to generate in an automatic manner, test sequences, in order to validate the conformance of a security policy. system behavior is specified using a formal description technique based on extended finite state machine (EFSM) [12]. The integration of security rules within the system specification is performed by specific algorithms. Then, the automatic tests generation is performed using a dedicated tool, called SIRIUS, developed in our laboratory. Finally, we briefly present a weblog system as a case study to demonstrate the reliability of our framework.