
A Model-Based Framework for Security Policy Specification, Deployment and Testing

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 5301)

Abstract

In this paper, we propose a model-driven approach for specifying, deploying and testing security policies in Java applications. First, a security policy is specified independently of the underlying access control language (OrBAC, RBAC). It is based on a generic security meta-model which can be used for early consistency checks in the security policy. This model is then automatically transformed into a security policy for the XACML platform and integrated in the application using aspect-oriented programming. To qualify test cases that validate the security policy in the application, we inject faults into the policy. The fault model and the fault injection process are defined at the meta-model level, making the qualification process language-independent. Empirical results on 3 case studies explore both the feasibility of the approach and the efficiency of a full design & test MDE process.
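The fault-injection step described in the abstract, as an added example that is not code from the paper: faults are injected into a language-neutral rule set and two test suites are scored by how many faulty policies they detect. The sample rules, the three mutation operators, the default-deny behaviour and the `decide` function standing in for the deployed application are all assumptions, not the paper's fault model.

```python
from itertools import product

# Constructed sample policy (not from the paper); unmatched requests are denied.
ROLES = ("borrower", "secretary")
ACTIVITIES = ("borrow", "update")
VIEWS = ("book", "account")
POLICY = {
    ("borrower", "borrow", "book"): "permit",
    ("secretary", "update", "account"): "permit",
    ("borrower", "update", "account"): "deny",
}
REQUESTS = list(product(ROLES, ACTIVITIES, VIEWS))

def decide(policy, request):
    return policy.get(request, "deny")

def mutants(policy):
    """Yield (label, faulty_policy). The three operators are illustrative assumptions."""
    for rule, decision in policy.items():
        flipped = "deny" if decision == "permit" else "permit"
        yield f"flip {rule}", {**policy, rule: flipped}
        yield f"remove {rule}", {r: d for r, d in policy.items() if r != rule}
    for request in REQUESTS:
        if request not in policy:
            yield f"add permit {request}", {**policy, request: "permit"}

def is_equivalent(policy, mutant):
    """A mutant that answers every request like the original can never be killed."""
    return all(decide(policy, r) == decide(mutant, r) for r in REQUESTS)

def mutation_score(policy, tests):
    """tests: list of (request, expected_decision). Returns (killed, live_mutants)."""
    killed, live = 0, []
    for label, mutant in mutants(policy):
        if is_equivalent(policy, mutant):
            continue  # e.g. removing an explicit deny under default-deny
        if any(decide(mutant, req) != expected for req, expected in tests):
            killed += 1
        else:
            live.append(label)
    return killed, live

# A functional-style suite that only exercises the granted permissions...
WEAK_TESTS = [(r, "permit") for r, d in POLICY.items() if d == "permit"]
# ...versus a suite with one test per possible request.
FULL_TESTS = [(r, decide(POLICY, r)) for r in REQUESTS]

if __name__ == "__main__":
    print(mutation_score(POLICY, WEAK_TESTS), mutation_score(POLICY, FULL_TESTS))
```

The surviving mutants of the weak suite are all faults that grant access that should be denied, which is the gap a suite built only from permitted scenarios leaves open.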



Editor information

Krzysztof Czarnecki, Ileana Ober, Jean-Michel Bruel, Axel Uhl, Markus Völter


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Mouelhi, T., Fleurey, F., Baudry, B., Le Traon, Y. (2008). A Model-Based Framework for Security Policy Specification, Deployment and Testing. In: Czarnecki, K., Ober, I., Bruel, JM., Uhl, A., Völter, M. (eds) Model Driven Engineering Languages and Systems. MODELS 2008. Lecture Notes in Computer Science, vol 5301. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87875-9_38


  • DOI: https://doi.org/10.1007/978-3-540-87875-9_38

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87874-2

  • Online ISBN: 978-3-540-87875-9

  • eBook Packages: Computer Science (R0)
