Mutating DAC and MAC Security Policies: A Generic Metamodel Based Approach

In this paper we show how DAC and MAC security policies can be specified, implemented and validated through mutation testing using a generic approach. This work is based on a generic security framework originally designed to support RBAC and OrBAC security policies and their implementation in Java applications.

[1]  K. J. Bma Integrity considerations for secure computer systems , 1977 .

[2]  Yves Le Traon,et al.  Testing Security Policies: Going Beyond Functional Testing , 2007, The 18th IEEE International Symposium on Software Reliability (ISSRE '07).

[3]  Yves Le Traon,et al.  Test-Driven Assessment of Access Control in Legacy Applications , 2008, 2008 1st International Conference on Software Testing, Verification, and Validation.

[4]  Tao Xie,et al.  A fault model and mutation testing of access control policies , 2007, WWW '07.

[5]  Jan Jürjens,et al.  Specification-Based Test Generation for Security-Critical Systems Using Mutations , 2002, ICFEM.

[6]  Frédéric Cuppens,et al.  Organization based access control , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[7]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[8]  Aaas News,et al.  Book Reviews , 1893, Buffalo Medical and Surgical Journal.

[9]  Yves Le Traon,et al.  A Model-Based Framework for Security Policy Specification, Deployment and Testing , 2008, MoDELS.

[10]  B. Baudry,et al.  Mutation Analysis for Security Tests Qualification , 2007, Testing: Academic and Industrial Conference Practice and Research Techniques - MUTATION (TAICPART-MUTATION 2007).

[11]  Yves Le Traon,et al.  Testing Security Policies: Going Beyond Functional Testing , 2007, The 18th IEEE International Symposium on Software Reliability (ISSRE '07).

[12]  B. Lampson,et al.  Protection 1 , 2022 .

[13]  K J Biba,et al.  Integrity Considerations for Secure Computer Systems , 1977 .

[14]  Richard J. Lipton,et al.  Hints on Test Data Selection: Help for the Practicing Programmer , 1978, Computer.

[15]  Ramaswamy Chandramouli,et al.  The Queen's Guard: A Secure Enforcement of Fine-grained Access Control In Distributed Data Analytics Platforms , 2001, ACM Trans. Inf. Syst. Secur..

[16]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[17]  Carole S. Jordan A Guide to Understanding Discretionary Access Control in Trusted Systems , 1987 .

[18]  Martin Halvey,et al.  WWW '07: Proceedings of the 16th international conference on World Wide Web , 2007, WWW 2007.