Property Verification for Generic Access Control Models

To formally and precisely capture the security properties that access control should adhere to, access control models are usually written to bridge the rather wide gap in abstraction between policies and mechanisms. In this paper, we propose a new general approach to property verification for access control models. The approach defines a standardized structure for access control models, providing for both property verification and automated generation of test cases. The approach expresses access control models in the specification language of a model checker and expresses generic access control properties in its property language. The model checker is then used to verify these properties against the access control models, and test cases for the system implementations of the models are generated using combinatorial covering arrays.
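The two steps described in the abstract, verifying a generic property over a model's state space and then deriving tests from a combinatorial covering array, can be illustrated in miniature. The following is an added example, not code from the paper or its authors: it assumes a constructed toy role-based model with one static separation-of-duty (SoD) pair, uses bounded breadth-first exploration in place of a real model checker, and uses a greedy pairwise generator in place of a dedicated covering-array tool. The expected result of each generated test comes from the verified model, which is what makes the model usable as a test oracle.

```python
from collections import deque
from itertools import combinations, product

# Constructed toy model (an assumption for this example, not the paper's model).
USERS = ("alice", "bob")
ROLES = ("teller", "auditor", "manager")
# Static separation of duty: no user may hold both roles of any listed pair.
SOD = {frozenset({"teller", "auditor"})}


def actions():
    """All transitions of the model: assign or revoke a role for a user."""
    return [(k, u, r) for k in ("assign", "revoke") for u in USERS for r in ROLES]


def step(state, action, enforce_sod):
    """Transition relation. state is a frozenset of (user, role) assignments.
    Returns the successor state, or None when the mechanism rejects the action."""
    kind, user, role = action
    if kind == "assign":
        if enforce_sod:
            for other in ROLES:
                if (user, other) in state and frozenset({role, other}) in SOD:
                    return None  # rejected by the SoD check
        return state | {(user, role)}
    return state - {(user, role)}


def violates_sod(state):
    """Generic property to verify: no reachable state lets a user hold an SoD pair
    (a safety invariant, 'AG not bad' in CTL terms)."""
    for user in USERS:
        held = {r for (u, r) in state if u == user}
        if any(pair <= held for pair in SOD):
            return True
    return False


def check_invariant(enforce_sod):
    """Bounded exhaustive exploration standing in for the model checker.
    Returns None if the invariant holds in every reachable state, otherwise the
    shortest counterexample as a list of actions from the initial state."""
    init = frozenset()
    seen = {init: None}  # state -> (predecessor state, action) for trace rebuild
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if violates_sod(s):
            trace = []
            while seen[s] is not None:
                prev, act = seen[s]
                trace.append(act)
                s = prev
            return list(reversed(trace))
        for a in actions():
            t = step(s, a, enforce_sod)
            if t is not None and t not in seen:
                seen[t] = (s, a)
                queue.append(t)
    return None


def uncovered_pairs(rows, params):
    """Pairs (param i = vi, param j = vj) not yet present in any row."""
    names = list(params)
    pairs = set()
    for i, j in combinations(range(len(names)), 2):
        for vi in params[names[i]]:
            for vj in params[names[j]]:
                pairs.add((i, vi, j, vj))
    for row in rows:
        vals = [row[n] for n in names]
        pairs = {p for p in pairs if not (vals[p[0]] == p[1] and vals[p[2]] == p[3])}
    return pairs


def pairwise_covering_array(params):
    """Greedy 2-way covering array: each row is the full assignment that covers the
    most still-uncovered pairs. Fine for the small parameter spaces used here."""
    names = list(params)
    rows = []
    while True:
        remaining = uncovered_pairs(rows, params)
        if not remaining:
            return rows
        best = max(product(*(params[n] for n in names)),
                   key=lambda c: sum(1 for (i, vi, j, vj) in remaining
                                     if c[i] == vi and c[j] == vj))
        rows.append(dict(zip(names, best)))


def generate_tests():
    """Test cases for an implementation: each covering-array row plus the outcome
    the verified model predicts for it (the oracle)."""
    params = {"user": USERS, "held": ("none",) + ROLES,
              "action": ("assign", "revoke"), "role": ROLES}
    tests = []
    for row in pairwise_covering_array(params):
        start = frozenset() if row["held"] == "none" else frozenset({(row["user"], row["held"])})
        result = step(start, (row["action"], row["user"], row["role"]), enforce_sod=True)
        row["expected"] = "reject" if result is None else "accept"
        tests.append(row)
    return tests


if __name__ == "__main__":
    print("unenforced model counterexample:", check_invariant(enforce_sod=False))
    print("enforced model counterexample:", check_invariant(enforce_sod=True))
    for t in generate_tests():
        print(t)
```

Running the unenforced model yields a two-step counterexample (assign one role of the pair, then the other, to the same user), which is exactly the trace a model checker would report for a failed invariant; the enforced model has no reachable violating state. The pairwise array keeps the test count near the largest pair count (held x role, 12 pairs) rather than the full 48-row product.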
