Selective Regression Test for Access Control System Employing RBAC
We provide a selective regression test method for access control systems that employ a role-based access control (RBAC) policy. Access control regression testing is always tedious and error-prone for financial systems involving complicated constraints, such as separation of duty and cardinality constraints. We give a formal definition of RBAC policy change, then propose a test selection framework based on policy change and change propagation analysis. Our method provides confidence that only the selected test cases need to be exercised to guarantee that the access control of the system is not broken in the new release. We also describe SACRT, an access control regression test tool that realizes our framework. In our practical experience applying it to real financial systems, SACRT is effective in reducing the size of the access control regression test suite.
Keywords: RBAC regression test test selection security policy verification