skip to main content
US FlagAn official website of the United States government
dot gov icon
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
https lock icon
Secure .gov websites use HTTPS
A lock ( lock ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Explore Research Products in the PAR
It may take a few hours for recently added research products to appear in PAR search results.


Title: Towards a Theory on Testing XACML Policies
Policy testing is an important means for quality assurance of access control policies. Experimental studies on the testing methods of XACML policies have shown their varying levels of effectiveness. However, there is a lack of explanation for why they are unable to detect certain types of faults. It is unclear what is essential to the fault detection capability. To address this issue, we propose a theory on policy testing by formalizing the fault detection conditions with respect to a comprehensive fault model of XACML policies. The detection condition of a policy fault, composed of the reachability, necessity, and propagation constraints, is sufficient and necessary for revealing the fault. The formalized fault detection conditions can qualify the inherent strengths and limitations of testing methods. We have applied the formalization to the qualitative evaluations of five testing methods for the current version of the XACML standard. The results show that, for each method, there are certain types of faults that can always or never be revealed, while the detection of other faults may depend on the particular policy structure.  more » « less
Award ID(s):
1954327
PAR ID:
10376450
Author(s) / Creator(s):
; ; ;
Date Published:
Journal Name:
Proc. of the 27th ACM Symposium on Access Control Models and Technologies
Page Range / eLocation ID:
103 to 114
Format(s):
Medium: X
Sponsoring Org:
National Science Foundation
More Like this
  1. ; ; (, Proc. of the 26h ACM Symposium on Access Control Models and Technologies)
    The NGAC (Next Generation Access Control) standard for attribute-based access control (ABAC) allows for run-time changes of the permission and prohibition configurations through administrative obligations triggered by access events. It makes access control more fine-grained and dynamic. However, it raises challenges for assuring the correctness of NGAC policies. As policy testing is an important technique for quality assurance, this paper presents an approach to mutation analysis of NGAC policies. It can evaluate the effectiveness of a testing method and reveal potential faults in an inadequately tested policy. The mutation analysis covers various types of potential faults in the assignments, associations, prohibitions, and obligations of NGAC policies. This paper also proposes an incremental testing approach that first validates the initial configuration of a policy and then the policy as a whole. It helps determine whether faults appear in the configuration or the obligations. To evaluate the work, we have developed four working policies and their test suites based on the current NGAC reference implementation. The empirical studies show that the mutation analysis can shed light on the strengths and weaknesses of the test suites. They also demonstrate the need for developing more cost-effective testing methods. 
    more » « less
  2. (, ACM Transactions on Design Automation of Electronic Systems)
    null (Ed.)
    A recent work showed that it is possible to transform a single-cycle test for stuck-at faults into a launch-on-shift (LOS) test that is guaranteed to detect the same stuck-at faults without any logic or fault simulation. The LOS test also detects transition faults. This was used for obtaining a compact LOS test set that detects both types of faults. In the scenario where LOS tests are used for both stuck-at and transition faults, this article observes that, under certain conditions, the detection of a stuck-at fault guarantees the detection of a corresponding transition fault. This implies that the two faults are equivalent under LOS tests. Equivalence can be used for reducing the set of target faults for test generation and test compaction. The article develops this notion of equivalence under LOS tests with equal primary input vectors and provides an efficient procedure for identifying it. It presents experimental results to demonstrate that such equivalences exist in benchmark circuits, and shows an unexpected effect on a test compaction procedure. 
    more » « less
  3. ; ; (, International High Performance Buildings Conference)
    Faults in components (valves, sensors, etc.) of radiant floor heating and cooling systems affect the efficiency, cooling and heating capacity as well as the reliability of the system. While various fault detection and diagnostic (FDD) methods have been developed and tested for building systems, FDD algorithms for radiant heating and cooling systems have previously not been available. This paper presents an evolving learning-based FDD approach for a radiant floor heating and cooling system based on growing Gaussian mixture regression (GGMR). The experimental space was controlled with a building automation system (BAS) in which the operating conditions can be monitored, and control parameters can be overridden to desired values. Trend data for normal operation and faulty operation were collected. A total of six fault types with different severities in a radiant floor system were emulated through overriding control parameters. An FDD model based on the GGMR approach was developed with training data and the performance of the model was tested for "known" faults that were including in the training and new "unknown" faults that were implemented in the fault testing. The prediction accuracy for each known fault was extremely high with the lowest prediction accuracy of 98% for one of the faults. The algorithm was successful in detecting the new fault as an unknown state before evolving the model and in diagnosing it as a new fault after evolving the model. 
    more » « less
  4. ; ; (, Proc. of the 23rd ACM Symposium on Access Control Models and Technologies)
    While the existing methods for testing XACML policies have varying levels of effectiveness, none of them can reveal the majority of policy faults. The undisclosed faults may lead to unauthorized access and denial of service. This paper presents an approach to strong mutation testing of XACML policies that automatically generates tests from the mutants of a given policy. Such mutants represent the targeted faults that may appear in the policy. In this approach, we first compose the strong mutation constraints that capture the semantic difference between each mutant and its original policy. Then, we use a constraint solver to derive an access request (i.e., test). The test suite generated from all the mutants of a policy can achieve a perfect mutation score, thus uncover all hypothesized faults or demonstrate their absence. Based on the mutation-based approach, this paper further explores optimal test suite that achieves a perfect mutation score without duplicate tests. To evaluate the proposed approach, our experiments have included all the subject policies in the relevant literature and used a number of new policies. The results demonstrate that: (1) it is scalable to generate a mutation-based test suite to achieve a perfect mutation score, (2) it can be impractical to generate the optimal test suite due to the expensive removal of duplicate tests, (3) different from the results of the existing study, the modified-condition/decision coverage-based method, currently the most effective one, has low mutation scores for several policies. 
    more » « less
  5. (, Empirical software engineering)
    Studies have shown that combinatorial testing (CT) can be effective for detecting faults in software systems. By focusing on the interactions between different factors of a system, CT shows its potential for detecting faults, especially those that can be revealed only by the specific combinations of values of multiple factors (multi-factor faults). However, is CT practical enough to be applied in the industry? Can it be more effective than other industry-favored techniques? Are there any challenges when applying CT in practice? These research questions remain in the context of industrial settings. In this paper, we present an empirical study of CT on five industrial systems with real faults. The details of the input space model (ISM) construction, such as factor identification and value assignment, are included. We compared the faults detected by CT with those detected by the inhouse testing teams using other methods, and the results suggest that despite some challenges, CT is an effective technique to detect real faults, especially multi-factor faults, of software systems in industrial settings. Observations and lessons learned are provided to further improve the fault detection effectiveness and overcome various challenges. 
    more » « less
  • Citation Formats
  • MLA
  • APA
  • Chicago
  • BibTeX
  • Save / Share this Record
  • Send to Email