Testing Implementations Of Access Control Systems (New Proposal)

Ammar Masood: Graduate Student
Arif Ghafoor (ECE) and Aditya Mathur (CS)
Purdue University, West Lafayette

SERC Showcase, June 7-8, 2006
Motorola Labs, Schaumburg, IL


Research Objectives

To develop, experiment with and study the effectiveness of techniques for the generation of tests to validate conformance of implementations of access control policies (in particular Role Based Access Control [RBAC] with or without temporal constraints)


Related Work

R. Chandramouli and M. Blackburn. Automated Testing of Security Functions using a combined Model & Interface driven Approach. Proc. 37th Hawaii International Conference on System Sciences, pp. 299-308, 2004.

J. Springintveld, F. Vaandrager and P.R. D'Argenio. Testing timed automata. Theoretical Computer Science, 254(1-2), pp. 225-257, 2001.

A. En-Nouaary, R. Dssouli and F. Khendek. Timed Wp method: testing real time systems. IEEE Transactions on Software Engineering, 28(11), pp. 1023-1038, 2002.

K.G. Larsen, M. Mikucionis and B. Nielsen. Online Testing of Real-time Systems Using UPPAAL. Formal Approaches to Testing of Software. Linz, Austria. September 21, 2004.


Proposed Test Infrastructure

[Diagram. Components shown: Access Control policy; Policy verifier plugin; Policy (internal representation); Modeling plugin; Policy model; Test generator plugin; Policy tests; Test harness; IUT]


Challenges

Modeling:

Naïve FSM or timed automata models are prohibitively large even for policies with 10 users and 5 roles (and 3 clocks).

How to reduce model size and the tests generated?

Test generation:

How to generate tests to detect (ideally) all policy violation faults that might lead to violation of the policy?

Test execution:

Distributed policy enforcement?


Proposed Approach

Express behavior implied by a policy as an FSM.

Apply heuristics to scale down the model.

Use the W-method, or its variant, to generate tests from the scaled down model.

Generate additional tests using a combination of stress and random testing aimed at faults that might go undetected due to scaling.


Sample Model

Two users, one role. Only one user can activate the role. Number of states ≤ 32.

[State diagram. States: 0000, 1000, 0010, 1100, 1110, 1010, 0011, 1011. Transitions labeled AS11, AS21, DS11, DS21, AC11, AC21, DC11, DC21.]

AS: assign. DS: De-assign. AC: activate. DC: deactivate. Xij: do X for user i role j.
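
The sample model and the W-method step of the proposed approach can be carried through mechanically. The Python below is an added example, not code from the presentation: it rebuilds the two-user, one-role FSM, derives a W-method test set from it, and runs that set against a constructed faulty implementation that lets both users activate the role. Assumptions: the four state bits mean (u1 assigned, u1 active, u2 assigned, u2 active), de-assignment also deactivates, and every function name is illustrative.

```python
from itertools import combinations, count, product

START = (0, 0, 0, 0)  # assumed bit order: (u1 assigned, u1 active, u2 assigned, u2 active)
INPUTS = [f"{op}{u}1" for u in (1, 2) for op in ("AS", "DS", "AC", "DC")]

def step(state, inp, max_active=1):  # policy FSM: request -> (next_state, output)
    s, op, a = list(state), inp[:2], 2 * (int(inp[2]) - 1)  # s[a]: assigned, s[a+1]: active
    ok = {"AS": not s[a], "DS": s[a], "DC": s[a + 1],
          "AC": s[a] and not s[a + 1] and s[1] + s[3] < max_active}[op]
    if ok:  # a granted request rewrites this user's bits; DS also deactivates (assumption)
        s[a], s[a + 1] = int(op != "DS"), int(op == "AC")
    return tuple(s), "grant" if ok else "deny"

def outputs(fsm, seq, state=START):
    out = []
    for inp in seq:
        state, o = fsm(state, inp)
        out.append(o)
    return tuple(out)

def state_cover(fsm):  # shortest access sequence for each reachable state
    cover, todo = {START: ()}, [START]
    for s in todo:  # the list grows while it is iterated, giving BFS order
        for inp in INPUTS:
            t = fsm(s, inp)[0]
            if t not in cover:
                cover[t] = cover[s] + (inp,)
                todo.append(t)
    return cover

def w_set(fsm, states):  # characterization set; assumes states are pairwise distinguishable
    w = set()
    for p, q in combinations(states, 2):
        differ = lambda x: outputs(fsm, x, p) != outputs(fsm, x, q)
        if not any(map(differ, w)):  # add the shortest sequence separating p from q
            w.add(next(x for n in count(1) for x in product(INPUTS, repeat=n) if differ(x)))
    return w

def w_method_tests(fsm):  # P.W, for an IUT with no more states than the model
    cover = state_cover(fsm)
    p = set(cover.values()) | {a + (i,) for a in cover.values() for i in INPUTS}
    return {a + x for x in w_set(fsm, cover) for a in p}

def faulty_iut(state, inp):  # constructed fault: the one-active-user limit is not enforced
    return step(state, inp, max_active=2)

def failing_tests(spec, iut):  # tests whose outputs differ between model and IUT
    return sorted(t for t in w_method_tests(spec) if outputs(spec, t) != outputs(iut, t))
```

The constructed fault adds a ninth state (1111) but is still caught, because the wrongly granted activation occurs on a transition that the cover already exercises.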


Heuristics

H1: Separate assignment and activation

H2: Use FSM for activation and single test sequence for assignment

H3: Use single test sequence for assignment and activation

H4: Use a separate FSM for each user

H5: Use a separate FSM for each role

H6: Create user groups for FSM modeling.


Reduced Models

[Diagrams. Heuristic 1: Assignment Machine (states 00, 10, 01, 11; transitions AS11, AS21, DS11, DS21) and Activation Machine (states 00, 10, 01; transitions AC11, AC21, DC11, DC21). Heuristic 4: User u1 Machine (states 00, 10, 11; transitions AS11, DS11, AC11, DC11) and User u2 Machine (states 00, 10, 11; transitions AS21, DS21, AC21, DC21).]


Tests Generated


Fault Model


Claim

The proposed method for generating the complete behavior model and tests guarantees a test set that detects all faults in the IUT that correspond to the proposed fault model when the number of states in the IUT is correctly estimated.


Future Research

Modeling: Handling timing constraints? (timed automata, fault model, heuristics)

Experimentation: With large/realistic policies to assess the efficiency and effectiveness of the test generation methods.

Prototype tool development


Schedule

Month 1: Extend the un-timed Fault Model for temporal RBAC

Months 2-4: Study applicability/extensions in existing timed automata test generation techniques for complete fault coverage with respect to the timed fault model

Months 5-8: Develop techniques to reduce the cost of testing (number of test cases)

Months 9-11: Perform a case study to verify the efficacy of the finally proposed approach.

Month 12: Final report.


Deliverables

A methodology for testing access control implementations that employ temporal constraints.

Evaluation of the methodology through a case study.

A set of recommendations on the implementation of the methodology as an integral part of the software development lifecycle.


Budget - Year 1

Salaries (faculty + graduate student): $30,000

Travel: $8,000

Miscellaneous: $2000

Indirect costs: $10,000

Total: $50,000


Sequential Steps to a Verified Implementation

[Diagram. Elements shown: Access Control Policy Specifications; Specification verification; Consistent Specifications; Policy Implementation; Access Control System Implementation; Security Testing; Security Verified Implementation. Stages labeled Step 1, Step 2, Step 3.]