MUTATION TESTING OF ACCESS CONTROL POLICIES
Article Sidebar
Main Article Content
Abstract
One of the most important and integral components of modern computer security are access control systems. The objective of an access control system (ACS) is often described in terms of protecting system resources against inappropriate or unwanted user access. However, a large degree of sharing can interfere with the protection of resources, so a sufficiently detailed AC policy should allow selective exchange of information when, in its absence, sharing can be considered too risky in general. Erroneous configurations, faulty policies, as well as flaws in the implementation of software can lead to global insecurity. Identifying the differences between policy specifications and their intended functions is crucial because the correct implementation and enforcement of the policies of a particular application is based on the premise that the specifications of this policy are correct. As a result of the policy, the specifications presented by the models must undergo rigorous validation and legalization through systematic checks and tests to ensure that the specifications of the policies really correspond to the wishes of the creators. Verifying that access control policies and models are consistent is not a trivial and critical task. And one of the important aspects of such a check is a formal check for inconsistency and incompleteness of the model, and the security requirements of the policy, because the access control model and its implementation do not necessarily express policies that can also be hidden, embedded by mixing with direct access restrictions or another access control model.
Article Details
References
Hu, V.C., Ferraiolo, D.F. and Kuhn, D.R. (2006), Assessment of Access Control Systems, NIST Interagency Report 7316, National Institute of Standards and Technology, Gaithersburg, Maryland, DOI: https://doi.org/10.6028/NIST.IR.7316.
Muhammad, Aqib and Riaz Ahmed, Shaikh (2015), “Analysis and Comparison of Access Control Policies Validation Mechanisms”, International Journal of Computer Network and Information Security (IJCNIS), Vol. 1, pp. 54-69. DOI: https://doi.org/10.5815/ijcnis.2015.01.08.
Hu, V.C., Kuhn, D.R. and Xie, T. (2008), “Property Verification for Generic Access Control Models”, Proceeding of The 2008 IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Application (TSP2008), Shanghai, China, December 17-20, DOI: https://doi.org/10.1109/EUC.2008.22.
Brian, L.K., Labish, Yu. and Shusha, M. (2005), “Stress Testing of Real Time Systems with Genetic Algorithms,”, Proceedings of the 7th Annual Conference on Genetic and Evolutionary Computing, pp. 1021-1028, Washington, DC, USA.
Hu, Vincent C., Kuhn, Rick and Yaga, Dylan (2017), Verification and Test Methods for Access Control Policies/Models, NIST Special Publication 800-192, DOI: https://doi.org/10.6028/NIST.SP.800-192.
Martin, E. and Xie, T. (2007), “A Fault Model and Mutation Testing of Access Control Policies”, Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Security, Privacy, Reliability, and Ethics Track, Banff, Alberta, Canada, pp. 667-676, DOI: https://doi.org/10.1145/1242572.1242663.
Jia, Yu. and Harman, M. (2011), “Analysis and Investigation of the Development of Mutation Testing”, IEEE Transactions on Software Engineering, vol. 37, issue 6, pp. 649–678.