Selective Regression Test for Access Control System Employing RBAC

  • Chao Huang
  • Jianling Sun
  • Xinyu Wang
  • Yuanjie Si
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5576)


This paper provides a selective regression test method for access control systems that employ a role-based access control (RBAC) policy. Access control regression testing is tedious and error-prone for financial systems with complicated constraints, such as separation of duty and cardinality constraints. We give a formal definition of RBAC policy change and then propose a test selection framework based on policy change and change propagation analysis. Our method provides the confidence that exercising only the selected test cases is sufficient to guarantee that the access control of the system is not broken in the new release. We also describe SACRT, an access control regression test tool that realizes our framework. In our practical application experience with realistic financial systems, SACRT demonstrates its effectiveness in reducing the size of the access control regression test suite.
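The abstract describes selecting regression tests from a diff of two RBAC policy versions plus propagation of that change through the policy. The following is an added illustration of that idea in Python; it is not SACRT, not the paper's formal definition of policy change, and all names, the policy layout (grants, hierarchy, assignments, SoD pairs, cardinality) and the sample policies and tests are constructed for the example. A role counts as directly changed when its grants, inherited juniors, cardinality or SoD membership differ between versions; the change is then propagated to every senior role that inherits it, and a test is selected only if its user, role or permission touches the affected set.

```python
from collections import deque
from copy import deepcopy

# Constructed sample policy (not from the paper): a small bank-style RBAC model.
OLD_POLICY = {
    "grants": {"teller": {"view_account"},
               "manager": {"approve_loan"},
               "auditor": {"view_ledger"}},
    "hierarchy": {"manager": {"teller"}},          # senior -> directly inherited juniors
    "assignments": {"alice": {"teller"}, "bob": {"manager"}, "carol": {"auditor"}},
    "sod": {frozenset({"teller", "auditor"})},      # static SoD: mutually exclusive role pairs
    "cardinality": {"manager": 2},                  # max users per role
}

# New release: teller gains a permission, manager cardinality is tightened.
NEW_POLICY = deepcopy(OLD_POLICY)
NEW_POLICY["grants"]["teller"] = {"view_account", "post_transaction"}
NEW_POLICY["cardinality"]["manager"] = 1

# Variant used to show SoD change propagation: the teller/auditor constraint is dropped.
SOD_DROPPED_POLICY = deepcopy(OLD_POLICY)
SOD_DROPPED_POLICY["sod"] = set()

# Constructed regression suite; each test names the user and the role or permission it exercises.
TEST_SUITE = [
    {"id": "T1", "user": "alice", "permission": "view_account"},
    {"id": "T2", "user": "bob", "permission": "approve_loan"},
    {"id": "T3", "user": "carol", "permission": "view_ledger"},
    {"id": "T4", "user": "alice", "permission": "view_ledger"},  # must be denied
    {"id": "T5", "user": "carol", "role": "teller"},             # SoD: must be rejected
]


def juniors_of(policy, role):
    """Transitive set of roles that `role` inherits via the hierarchy."""
    seen, queue = set(), deque(policy["hierarchy"].get(role, ()))
    while queue:
        r = queue.popleft()
        if r not in seen:
            seen.add(r)
            queue.extend(policy["hierarchy"].get(r, ()))
    return seen


def effective_permissions(policy, role):
    """Own grants plus everything inherited from junior roles."""
    perms = set(policy["grants"].get(role, ()))
    for j in juniors_of(policy, role):
        perms |= policy["grants"].get(j, set())
    return perms


def changed_roles(old, new):
    """Roles whose own definition differs between the two policy versions."""
    roles = set(old["grants"]) | set(new["grants"])
    changed = set()
    for r in roles:
        if old["grants"].get(r) != new["grants"].get(r):
            changed.add(r)
        if old["hierarchy"].get(r, set()) != new["hierarchy"].get(r, set()):
            changed.add(r)
        if old["cardinality"].get(r) != new["cardinality"].get(r):
            changed.add(r)
    for pair in old["sod"] ^ new["sod"]:   # constraints added or removed
        changed |= set(pair)
    return changed


def propagate(policy, roles):
    """Change propagation: every senior that inherits an affected role is affected too."""
    affected, frontier = set(roles), deque(roles)
    while frontier:
        r = frontier.popleft()
        for senior, juniors in policy["hierarchy"].items():
            if r in juniors and senior not in affected:
                affected.add(senior)
                frontier.append(senior)
    return affected


def affected_users(policy, roles):
    return {u for u, rs in policy["assignments"].items() if rs & roles}


def select_tests(tests, old, new):
    """Return ids of tests that touch an affected user, role or permission."""
    roles = propagate(new, changed_roles(old, new))
    users = affected_users(old, roles) | affected_users(new, roles)
    perms = set()
    for r in roles:
        perms |= effective_permissions(old, r) | effective_permissions(new, r)
    return [t["id"] for t in tests
            if t["user"] in users or t.get("role") in roles or t.get("permission") in perms]


if __name__ == "__main__":
    print("selected:", select_tests(TEST_SUITE, OLD_POLICY, NEW_POLICY))
```

With the constructed data, the teller change propagates to manager (which inherits teller), so T1, T2, T4 and T5 are selected and only T3, which involves neither an affected user nor an affected permission, is skipped; an identical old and new policy selects nothing.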


Keywords: RBAC; regression test; test selection; security policy verification





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Chao Huang (1)
  • Jianling Sun (1)
  • Xinyu Wang (1)
  • Yuanjie Si (1)
  1. West Lake Science & Technology Economic Park, College of Computer, Zhejiang University, Hangzhou, China
