Abstract
Various security policy models have been developed and published in the past. Proven security policy models, if correctly implemented, guarantee the protection of data objects from unauthorized access or usage, or prevent an illegal information flow. To verify that a security policy model has been correctly implemented, it is important to define and execute an exhaustive list of test cases, which verify that the formal security policy has been neither over-constrained nor under-constrained. In this paper we present a method for defining an exhaustive list of test cases, based on formally described equivalence classes that are derived from the formal security policy description.
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hermann, E., Litschauer, U., Fuß, J. (2012). A Formal Equivalence Classes Based Method for Security Policy Conformance Checking. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_12
DOI: https://doi.org/10.1007/978-3-642-32498-7_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32497-0
Online ISBN: 978-3-642-32498-7
eBook Packages: Computer Science (R0)