TAROT2013 Testing School - Antonia Bertolino presentation
Transcript of TAROT2013 Testing School - Antonia Bertolino presentation
11-07-2013
9th International Summer School on Training And Research On Testing
9-13 July, 2013 - Volterra, Italy
Theme 3: Security Testing XML-based approaches for security testing
Antonia Bertolino, ISTI-CNR [email protected]
SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO”
Acknowledgements
All presented approaches and tools are the result of research work in collaboration with: Said Daoudagh, Francesca Lonetti, Eda Marchetti
(plus also concerning TAXI with Cesare Bartolini, JingHua Gao and Andrea Polini,
and concerning Polpa testing with Fabio Martinelli, Paolo Mori)
and have been partially developed within the European Projects:
TAS3 (completed) and NESSOS (ongoing)
Agenda
• Introduction to:
  - Security mechanisms and access control systems
  - Security testing
  - XACML
• XML-based testing and the TAXI tool
• XACML combinatorial testing and the X-CREATE tool
• XACML mutations and the XACMUT tool
• Usage-control systems and testing of Polpa
• Conclusions and hints for further research
Software is everywhere
Software is routinely used in many disparate aspects of everyday life
More and more the different software-intensive devices that we use communicate among themselves
In many cases software applications are critical either money-wise or health-wise
The evident consequence is that malfunctions of software heavily impact our wellness and welfare
Software malfunctions can be very different
• Your web browser crashes while you are reading news: this is annoying
• Your web mail account is stolen: this could be serious
• The computerized device releases a radiation overdose (*): this is very serious
(*) Leveson, N.G.; Turner, C.S., "An investigation of the Therac-25 accidents," Computer, vol. 26, no. 7, pp. 18-41, July 1993
Software puts us at risk
Two somehow contrasting wishes:
• Being connected anytime and anywhere
• Preserving our own privacy and data integrity
However, for business and society connectivity is no longer an option. The point is to balance potential risks with benefits.
Networks must be enabled to support security services that provide adequate protection to users and companies in a relatively open environment
Rising vulnerability of evolving technology
Catherine Paquet, Network Security Concepts and Policies, Cisco Press, 2013
Three related software quality concerns: Dependability, Safety, Security
Definitions
Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp. 11-33, Jan.-March 2004
• Dependability: the ability to deliver service that can justifiably be trusted
• Safety: the absence of catastrophic consequences on the user(s) and the environment
• Security: the absence of unauthorized access to, or handling of, system state
Composite definition of security (same reference)
Security engineering
• Systems engineering must be unified with security engineering:
• Currently(*) security modeling remains largely independent of system models.
• Typically, system requirements and design are done first, and security is added as an afterthought.
(*) Premkumar T. Devanbu and Stuart Stubblebine. Software engineering for security: a roadmap. In FOSE 2000 @ICSE '00. ACM, 227-239.
Information Assurance: an overarching approach
• Information must be protected throughout its lifetime, while at rest and while passing through different processing systems
• The strength of any system is no greater than its weakest link
• Each component of the information processing system must have its own protection mechanisms
• The building up, layering on and overlapping of security measures is called defense in depth: a design principle to ensure resilience against different forms of attack, and to reduce the probability of a single point of failure
(Figure: The Onion Model of Defense in Depth)
Why ensuring security is difficult
Security engineers (and especially testers) must take into account not only legitimate users and clients, but also potential (malicious) adversaries
Therefore to design a secure system we should provide defenses against all plausible threats: a secure system does only what it is supposed to do and nothing else.
Risk-oriented approach
• Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data.
• All systems have some level of risk.
• A completely secure, zero-risk system is one that has zero functionality.
Towards a Security-centered Development Process
• A security development lifecycle (SDL) is a software development lifecycle placing special emphasis on security in each phase
• Several SDLs have been proposed, of which the Microsoft SDL is the best established in industry
Security testing
There exist many different types of security testing. For example, the Microsoft SDL includes three practices:
• Dynamic Analysis: performs run-time verification of software functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other
• Fuzz Testing: induces program failure by deliberately introducing malformed or random data to an application so as to reveal potential security issues prior to release
• Attack Surface Review: reviewing the attack surface before and after the installation of product(s) and displaying the changes to key elements of the attack surface
Scope of security testing
Software security vs. security software:
• testing security mechanisms to ensure that their functionality is properly implemented
• performing risk-based security testing driven by understanding and simulating the attacker's approach
To keep in mind: "software security is not security software" (*). Security features such as cryptography, strong authentication, and access control play critical roles in software security; however, security itself is an emergent property of an entire system, not just its security mechanisms.
(*) Gary McGraw and Bruce Potter. 2004. Software Security Testing. IEEE Security and Privacy 2, 5 (September 2004), 81-85.
Approaches for testing "software security"
Mostly negative testing, aiming at detecting whether the application does something it should not do. It includes:
• Fuzzing, either random or systematic (e.g., model-based fuzz testing)
• Vulnerability injection, e.g. SQL injection
• Risk-based testing
• Security test patterns (e.g., DIAMONDS project)
• …
It relies on expertise and knowledge of the system: it requires that you think about your project and its possible misuses or attacks
CIA
Data classification
Assets (data, programs, resources, …) have different security levels, e.g.
• Unclassified
• Restricted
• Confidential
• …
Correspondingly, differing roles for people or applications are introduced, defining who can access what level, e.g.
• Owner
• Administrator
• User
• …
Access control
Once a system involves security-classified data, we need to ensure that only the intended people can access them and that these intended users are only given the level of access required to accomplish their tasks.
An access control system provides a decision (ok, ko) to an authorization request, typically based on predefined policies
(Figure: request → Access Control → response, with the policy as input)
Access control mechanisms: Identification, Authentication, Authorization
• Identification: the activity of a subject supplying information to identify itself to an authentication service. Examples: username, account number, ID card, …
• Authentication: a means to verify the authenticity of the identity declared during Identification. Three ways (of increasing cost):
  - What the subject knows: passwords, PINs, passcodes, etc.
  - What the subject has: keys, tokens, smartcards, etc.
  - What the subject is: biometric data, e.g., fingerprints, voice recognition, etc.
  Authentication can be one-factor or two/three-factor (strong)
• Authorization: the process of assigning to authenticated subjects a set of permissions that defines what they can and cannot do. These permissions are generally defined by security policies
Defining security rules (or policies)
A security policy is a specific statement of what is and is not allowed
Security policies
From Wikipedia:
Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.
Kinds of security policy:
• Access control
• Computer security policy
• Environmental design
• Information Protection Policy
• Information security policy
• National security policy, Military strategy
• Network security policy
• Virtual security policy
• …
The eXtensible Access Control Markup Language
• XACML is the OASIS standard for specifying Access Control Policy
• The latest version is XACML 3.0, released in January 2013
  - Before it, XACML 2.0 was released in Feb. 2005 (this is the version implemented in our tool)
  - XACML 1.0 had been released in Feb. 2003
• Organizations sponsoring OASIS and contributing to the XACML standard include: CA Technologies, Cisco Systems, Connectis, Dell, EMC, IBM, Microsoft, Oracle, Primeton Technologies, Inc., Red Hat, SailPoint Technologies, The Boeing Company, Veterans Health Administration, ViewDS, etc.
www.oasis-open.org
XACML
• XACML is a general-purpose language for access control policies. It provides an XML-based syntax for managing access to resources
• XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors
• It is generic (can be used by many different kinds of applications and platforms), distributed (a policy can refer to other sub-policies, and XACML knows how to correctly combine the results from these different policies into one decision) and powerful (supports a wide variety of data types, functions, and rules about combining the results of different policies)
XACML languages
• Policy Language: used to describe access control requirements. Who is allowed to do what?
• Request/Response Language: the request is a query about the permissions associated with x. The response is permit, deny, indeterminate, or not applicable.
XACML architecture
XACML also proposes a standard reference architecture:
• Policy Enforcement Point (PEP): performs access control, by making decision requests and enforcing authorization decisions. Basically the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.
• Policy Decision Point (PDP): evaluates the applicable policy and returns an authorization decision
XACML Flow
• A Subject who wishes to access an Object (Resource) must do so through the PEP
• The PEP forms the XACML request and sends it to the PDP
• The PDP checks the request against the Policy and returns a XACML response
• The PEP either Permits or Denies access to the resource.
(Figure: the Policy Enforcement Point (PEP) asks "Can I access Resource?"; the Policy Decision Point (PDP) answers Permit/Deny; the relevant XACML policy needs to be selected and its rules evaluated; requests and responses are also specified in XACML)
XACML Structure
The nice picture is taken from: Yoon Jae Kim, Access Control Service Oriented Architecture Security, online at http://www.cs.wustl.edu/~jain/cse571-09/ftp/soa/
XACML policy example
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource>
        <AttributeValue>http://library.com/record/</AttributeValue>
      </Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
(Figure callouts: Target, Rule1 with its Condition, Rule2)
We need to verify the access control system
The XACML properties of interoperability, extensibility and distribution come at the price of complexity and verbosity
Policies can be deceiving and need to be carefully checked
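To make the "deceiving" point concrete, here is the policy example above evaluated under the first-applicable combining algorithm, together with a constructed rule-ordering mutant of the kind the mutation-based comparison later in the deck relies on. This is an added example, not code from the presentation or from the X-CREATE/XACMUT tools: the evaluator handles only the functions the slide's simplified policy uses, and the request dictionaries and the decide, swap_rules and killed_by helpers are this example's own.

```python
# Added example (not code from the presentation or the X-CREATE/XACMUT tools):
# a minimal evaluator for the slide's simplified XACML policy using the
# "first-applicable" rule-combining algorithm, plus a constructed rule-order
# mutant showing why a policy test suite must cover more than the happy path.
import xml.etree.ElementTree as ET

# The policy from the slide (simplified XACML, abbreviated identifiers).
POLICY_XML = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""


def _eval_apply(apply_el, request):
    """Evaluate the small subset of XACML functions used by the slide's policy."""
    fn = apply_el.get("FunctionId")
    if fn == "function:string-bag":
        return [v.text.strip() for v in apply_el.findall("AttributeValue")]
    if fn == "function:string-one-and-only":
        # The designator selects the request's action attribute; one-and-only
        # requires exactly one value, otherwise the result is Indeterminate (None).
        designator = apply_el.find("ActionAttributeDesignator")
        values = request.get("action", [])
        if designator is None or len(values) != 1:
            return None
        return values[0]
    if fn == "function:string-is-in":
        args = [_eval_apply(child, request) for child in apply_el.findall("Apply")]
        if None in args:
            return None
        value, bag = args
        return value in bag
    raise ValueError(f"unsupported function {fn}")


def decide(policy_xml, request):
    """Return Permit / Deny / NotApplicable / Indeterminate for a request.

    request is a dict of attribute lists, e.g. {"resource": [...], "action": [...]}.
    Only the 'first-applicable' combining algorithm is implemented here.
    """
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId") == "first-applicable"
    # Policy target: the request's resource must match the target resource value.
    target_res = policy.findtext("Target/Resource/AttributeValue").strip()
    if target_res not in request.get("resource", []):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition/Apply")
        if cond is None:
            applicable = True            # a rule without a condition always applies
        else:
            applicable = _eval_apply(cond, request)
            if applicable is None:
                return "Indeterminate"
        if applicable:
            return rule.get("Effect")    # the first applicable rule decides
    return "NotApplicable"


def swap_rules(policy_xml):
    """Constructed mutant: reverse the rule order (a rule-ordering fault)."""
    policy = ET.fromstring(policy_xml)
    rules = policy.findall("Rule")
    for r in rules:
        policy.remove(r)
    for r in reversed(rules):
        policy.append(r)
    return ET.tostring(policy, encoding="unicode")


def killed_by(test_suite, original_xml, mutant_xml):
    """Requests whose decision differs between original and mutant (they 'kill' it)."""
    return [req for req in test_suite
            if decide(original_xml, req) != decide(mutant_xml, req)]


LIB = "http://library.com/record/"
TEST_SUITE = [                               # constructed test requests
    {"resource": [LIB], "action": ["read"]},
    {"resource": [LIB], "action": ["write"]},
    {"resource": [LIB], "action": ["delete"]},
    {"resource": ["http://other.example/"], "action": ["read"]},
]

if __name__ == "__main__":
    mutant = swap_rules(POLICY_XML)
    for req in TEST_SUITE:
        print(req["action"][0], req["resource"][0], "->",
              decide(POLICY_XML, req), "| mutant:", decide(mutant, req))
    print("mutant killed by", len(killed_by(TEST_SUITE, POLICY_XML, mutant)), "requests")
```

With the rules swapped the policy silently denies every action on the library record, and only the "read" and "write" requests reveal it; a suite containing just the "delete" request would pass on both versions.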
Policy testing
Provide test strategies for test suite generation so as to simulate correct or improper usage of data and resources by executing the test suites
(Figure: from the policies specification, Test suite 1 exercises User1's accesses to Data and Resources and Test suite 2 exercises User2's; the X marks show which accesses each suite covers)
Testing Purpose
• Testing the policy specification (the policies are the SUT)
• Testing the policy implementation (the PDP is the SUT)
(Figure for both cases: the Test Suite sends requests to the PDP loaded with the Policies; the Oracle compares the replies and issues the verdict)
XACML testing
Different types of approaches have been proposed, including:
• Structural Coverage of XACML elements
• Combinatorial (Targen, X-Create)
• Category-partition (X-Create)
• Change-impact based
• Model-based
• …
Targen
Targen (*) is a seminal tool on XACML testing and the closest competitor to X-CREATE
Targen applies a combinatorial approach on the attribute values: for each target included in the policy under test it derives as many requests as there are possible combinations of the values of the attributes found in the subject, resource, and action sections
(*) E. Martin and T. Xie, "Automated test generation for access control policies," in Supplemental Proc. of ISSRE, November 2006.
Our approach
X-CREATE XaCml REquests derivAtion for TEsting
The X-CREATE tool supports several different test derivation strategies based on a combinatorial approach
It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xcreate/public/main
Our approach
X-CREATE XaCml REquests derivAtion for TEsting
Original idea: We exploit the XML nature of XACML and adapt our previous tool TAXI for XML test generation
…so, let’s now open a brief parenthesis about TAXI …
TAXI
• A tool for systematic document generation from XML Schema
• It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/taxi/public/main
The eXtensible Markup Language (XML)
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <card>
    <name>John Doe</name>
    <title>CEO, Widget Inc.</title>
    <email>[email protected]</email>
    <phone>(202) 456-1414</phone>
  </card>
• The eXtensible Markup Language (XML) is a markup language which is a standard format to store information and data.
• XML documents are tree-structured documents in which data are formatted/organised using tags
XML & XML Schema
• XML Schema provides a means for defining the structure and content of XML documents
• In the open networked world, XML Schema supports interoperability between independently developed applications
(Figure labels: Chinese, Italian)
Automatic XML-Based Testing and Benchmarking
Our systematic approach
The approach has been inspired at large by the well-known semi-automated Category Partition methodology for systematic test generation …
…or, you can think of it as grammar-based generation on the XSD syntax, although we have also introduced practical rules
Mapping CP to XPT
CP (*)                       | XPT
Analyze Specifications       | Preprocessor
Identify Functional Units    | Identify Sub-Schema Sets
Partition Categories         | Identify Types
Select Choices               | Partition Values and Structures
Determine Constraints        | Determine "valid/invalid" constraints
Generate Test Specification  | Generate Intermediate Instances
Generate Test Cases          | Generate Final Instances
(*) Thomas J. Ostrand and Marc J. Balcer. The category-partition method for specifying and generating functional tests. Communications of ACM,31(6),1988.
Identification of Sub-Schema Sets
<choice> elements partition the XML Schema into distinct sets corresponding to the CP functional units
(Figure: an XML Schema with a choice between A and B, each followed by a choice between 1 and 2, is split into four sub-schemas: sequence A 1, sequence A 2, sequence B 1, sequence B 2)
Intermediate Instances
• Generate intermediate instances by combining the values of "minOccurs" and "maxOccurs"
• Apply the conventional Boundary Condition test approach to reduce the combinations
Example: a sub-schema with element A (minOccurs=0, maxOccurs=3) and element B (minOccurs=2, maxOccurs=4) yields four intermediate instances: (A occurs=0, B occurs=2), (A occurs=3, B occurs=2), (A occurs=0, B occurs=4), (A occurs=3, B occurs=4)
Potential Applications
• For validating database management systems:
  - automatically generate valid XML instances for populating the database
  - evaluate the performance and the quality of the associated management systems
• For testing the inter-operability between applications and for enabling the correct interactions among the interfaces used by remote components in distributed systems:
  - automatic and controlled generation of valid and invalid instances enables the automated testing of I/O behavior
• For verifying the proper communication protocols between web services:
  - SOAP-based interaction between services exploiting the corresponding XML Schemas…
• …
Further Reading:
Bertolino, Antonia, Jinghua Gao, Eda Marchetti, and Andrea Polini. "Automatic test data generation for XML schema-based partition testing." In Proc. of the Second International ICSE Workshop on Automation of Software Test, p. 4. IEEE Computer Society, 2007.
Bartolini, Cesare, Antonia Bertolino, Eda Marchetti, and Andrea Polini. "WS-TAXI: A WSDL-based testing tool for web services." In Proc. ICST'09, pp. 326-335. IEEE, 2009.
X-CREATE Testing Framework
(Figure: the policies specification and the request structures feed the framework, which produces instantiated requests)
Implements several testing strategies:
• Preliminary XPT (XML Partition Testing)
• Incremental XPT
• Simple Combinatorial
• Multiple Combinatorial
• Hierarchical Simple
• Hierarchical Incremental
Preliminary XPT Main Idea
Inspired by TAXI: derive (once and for all) a universally valid generic test suite of conforming requests by applying:
• A variant of the Category Partition methodology
• The Boundary Conditions methodology
Each request in this generic test suite is a general structure of a valid XACML request instance.
(Figure: XACML Context Schema → request structure → conforming test suite)
XPT implementation
The tool consists of three main components:
• an intermediate-request generator, which is based on the XPT approach for intermediate instances (request structures) generation
• a policy analyzer, which selects the input values from the policy specification, and
• a values manager, which distributes the input values to the request structures.
A Sketch of the XACML Context Schema
Cardinalities of the unbounded elements, once the unbounded occurrence is fixed to a bound K:
X {1,...,k/2,...,k}
X {0,...,k/2,...,k}
X {1,...,k/2,...,k}
1. Fix the unbounded occurrence (∞) to K
2. Apply the XPT strategy to the obtained schema
We thus automatically obtain a set of different Request Structures
Example of request structure:
  <Request>
    <Subject> </Subject>
    <Subject> </Subject>
    <Resource> </Resource>
    <Action> </Action>
  </Request>
118098!!!!! Too Much!!!
10 elements with unbounded occurrence and 1 having [0,1] cardinality -> 3^10 * 2^1 = 118098 request structures (still to be filled with values…)
We need to apply some approach to select those request structures that could maximize the fault detection capability
Note: the full set of request structures needs to be derived once and for all
Only the selection of the subset is redone each time
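The boundary-based intermediate-instance step (the A/B sub-schema example earlier) and the 118098 count above, as an added example that is not code from TAXI or X-CREATE. It assumes the reading given on the slides: a bounded element contributes its {minOccurs, maxOccurs} pair, an unbounded one is fixed to K and contributes {min, K/2, K}; the element names in the context-schema sketch are constructed, since the slides do not list them.

```python
# Added example (not code from the TAXI/X-CREATE tools): derive "intermediate
# instances" (request structures) from minOccurs/maxOccurs boundaries as the
# XPT step on the slides describes, and count the structures for the XACML
# context-schema case (10 unbounded elements plus one with [0,1] cardinality).
from itertools import product

UNBOUNDED = None   # stands for maxOccurs="unbounded"


def boundary_occurrences(min_occ, max_occ, k):
    """Boundary values of an element's cardinality.

    Bounded [min,max] gives {min, max}; an unbounded element is first fixed
    to K and then gives {min, K/2, K}, matching the slide's sets
    {0,...,k/2,...,k} and {1,...,k/2,...,k}.
    """
    if max_occ is UNBOUNDED:
        return sorted({min_occ, k // 2, k})
    return sorted({min_occ, max_occ})


def intermediate_instances(sub_schema, k=4):
    """All combinations of boundary occurrences, one dict per intermediate instance.

    sub_schema maps element name -> (minOccurs, maxOccurs).
    """
    names = list(sub_schema)
    choices = [boundary_occurrences(lo, hi, k) for lo, hi in sub_schema.values()]
    return [dict(zip(names, combo)) for combo in product(*choices)]


def count_instances(sub_schema, k=4):
    """Size of the full set without enumerating it (product of per-element choices)."""
    total = 1
    for lo, hi in sub_schema.values():
        total *= len(boundary_occurrences(lo, hi, k))
    return total


def to_skeleton(instance, root="Request"):
    """Render an intermediate instance as an empty-element XML skeleton,
    i.e. a request structure still to be filled with values."""
    body = "".join(f"<{name}></{name}>" * n for name, n in instance.items())
    return f"<{root}>{body}</{root}>"


# The slide's sub-schema: A with minOccurs=0/maxOccurs=3, B with minOccurs=2/maxOccurs=4.
SLIDE_SUB_SCHEMA = {"A": (0, 3), "B": (2, 4)}

# Constructed sketch of the context schema: 10 unbounded elements and one optional
# [0,1] element (names are placeholders; the slide gives only the counts).
CONTEXT_SKETCH = {f"E{i}": (1, UNBOUNDED) for i in range(10)}
CONTEXT_SKETCH["Opt"] = (0, 1)

if __name__ == "__main__":
    for inst in intermediate_instances(SLIDE_SUB_SCHEMA):
        print(inst, to_skeleton(inst))
    print(count_instances(CONTEXT_SKETCH, k=4))   # 3**10 * 2 = 118098
```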
Policy Under-Test Analyzer
Take values from the policy under test for elements and attributes.
Four value sets are defined:
• SubjectSet
• ResourceSet
• ActionSet
• EnvironmentSet
For robustness and negative testing, random values for elements and attributes are added
Example of results from the policy analyser
Request Values Manager
Responsible for the final requests generation. Two possible approaches, using either standard structures or combinatorial structures:
1. Pure combinatorial approach using all the values in the 4 sets
2. Hierarchical combination (to focus the request generation on a specific part of a policy)
How many combinations?
Avoiding duplication, derive all combinations of subject "entities", resource "entities", action "entities" and environment "entities" by applying:
• the pair-wise combination (PW)
• the three-wise combination (TW)
• the four-wise combination (FW)
Note: the number of combinations strictly depends on the policy considered.
Examples
Example of request:
<Request>
  <Subject>Mario Rossi</Subject>
  <Resource>personal id</Resource>
  <Action>read</Action>
</Request>
Example of request:
<Request>
  <Subject>s2</Subject>
  <Resource>personal id</Resource>
  <Action>a2</Action>
</Request>
Example of request:
<Request>
  <Subject>Mario Rossi</Subject>
  <Subject>s2</Subject>
  <Resource>p2</Resource>
  <Action>read</Action>
  <Environment>e2</Environment>
</Request>
X-CREATE vs. Targen
We considered the available policies also used for the Targen presentation.
We applied mutation to the policies to introduce faults; we used the same mutation operators for XACML policies indicated in the Targen experiment.
We used the sets of mutants obtained for answering two Research Questions:
TSEff: Is the test suite derived by X-CREATE more effective than that derived by Targen?
TSIncr: Is the capability provided by X-CREATE to vary the number and structure of the test requests useful to increase effectiveness?
Some Results
We generated the same number of requests as the Targen tool for each policy, so as to get a fair comparison.
We only derived the data for PolicyExample; the others are from the Targen evaluation.
Well done!! …but can we do better?
• New methodology for request structures generation (Incremental XPT)
• New specific test strategy providing a stopping criterion (Simple Combinatorial)
Incremental XPT
We introduce a modified (reduced) schema as follows:
• one value for the <AttributeValue>
• minOccurs and maxOccurs of the ResourceContent element, and those of the contained <Any> element, set to zero, because they are not used in test values generation
We end up with 3^6 = 729 request structures
Simple Combinatorial
Idea: derive as many requests as the possible combinations of the values of the subjects, resources, actions and environment of the XACML policy.
• The derived requests are first those obtained using all combinations of the Pairwise set, then those of the 3-wise set and finally those of the 4-wise set.
• The maximum number of requests derived by this strategy is equal to the cardinality of the 4-wise set.
The resulting number of combinations could also be used as a stopping criterion for the test case generation in XPT.
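The t-wise combination of the four value sets and the Simple Combinatorial ordering (pairwise, then 3-wise, then 4-wise), as an added example that is not X-CREATE's code; the value sets and the greedy covering-array construction are assumptions for illustration.

```python
"""Added example (not X-CREATE code): t-wise combinations of the values
extracted from a policy, emitted in Simple Combinatorial order."""
from itertools import combinations, product

# Constructed value sets, as the Policy Under-Test Analyzer would collect
# them from a policy under test (illustrative values, not a real policy).
VALUE_SETS = {
    "Subject": ["Mario Rossi", "s2"],
    "Resource": ["personal id", "p2"],
    "Action": ["read", "a2"],
    "Environment": ["e2", "e3"],
}


def interactions(value_sets, t):
    """All (entity kinds, values) tuples a t-wise set must cover."""
    names = list(value_sets)
    return {(kinds, vals)
            for kinds in combinations(names, t)
            for vals in product(*(value_sets[k] for k in kinds))}


def covers(requests, value_sets, t):
    """True if every t-wise interaction appears in at least one request."""
    seen = {(kinds, tuple(r[k] for k in kinds))
            for r in requests for kinds in combinations(list(value_sets), t)}
    return interactions(value_sets, t) <= seen


def t_wise(value_sets, t):
    """Greedy covering array: from the Cartesian product, repeatedly pick the
    request covering most still-uncovered interactions until none is left.
    For t equal to the number of kinds this is the whole product."""
    names = list(value_sets)
    pool = [dict(zip(names, vals)) for vals in product(*value_sets.values())]
    uncovered = interactions(value_sets, t)
    chosen = []
    while uncovered:
        def gain(req):
            return sum(1 for kinds, vals in uncovered
                       if tuple(req[k] for k in kinds) == vals)
        best = max(pool, key=gain)
        uncovered -= {(kinds, vals) for kinds, vals in uncovered
                      if tuple(best[k] for k in kinds) == vals}
        chosen.append(best)
    return chosen


def simple_combinatorial(value_sets):
    """Requests in the order the strategy derives them: all pairwise
    requests first, then the 3-wise ones not yet emitted, then the 4-wise
    ones. Its length (the 4-wise cardinality) is the stopping criterion."""
    ordered = []
    for t in (2, 3, 4):
        for req in t_wise(value_sets, t):
            if req not in ordered:
                ordered.append(req)
    return ordered


def to_request_xml(req):
    """Render one value combination in the schematic form of the slides."""
    lines = ["<Request>"]
    for kind in ("Subject", "Resource", "Action", "Environment"):
        lines.append(f"  <{kind}>{req[kind]}</{kind}>")
    lines.append("</Request>")
    return "\n".join(lines)


if __name__ == "__main__":
    seq = simple_combinatorial(VALUE_SETS)
    print(len(t_wise(VALUE_SETS, 2)), "pairwise,", len(seq), "requests total")
    print(to_request_xml(seq[0]))
```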
Incremental XPT vs. Simple Combinatorial
Evaluation of the test strategies' effectiveness:
• Define a set of XACML policies
• Apply mutation to each policy to introduce faults
• Execute each set of test cases on the policy and its mutants
• Establish the winner in each match
XPT vs. Simple Combinatorial
With the same number of requests for each policy:
• the effectiveness of Incremental XPT is generally higher than that of the Simple Combinatorial strategy
• in two cases the fault detection of Simple Combinatorial is higher than that of Incremental XPT
Deeper Analysis
Incremental XPT is the winner when the access decision of the policy rules depends concurrently on the values of more than one subject, resource, action or environment entity.
Simple Combinatorial is the winner when the policies are simple and the satisfiability of the policy rules depends on the combination of a single subject, resource, action and environment entity.
How to evaluate XACML testing approaches?
The mutation approach typically used in software testing has been adapted to XACML policy testing
XACMUT: XACML 2.0 Mutants Generator
Our tool. It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xacmut/public/main
XACMUT
• A set of mutation operators addressing specific faults of the XACML 2.0 access control policy
• XACMUT (XACML MUTation):
  • generates the set of mutants
  • provides facilities to run a given test suite on the mutants set
  • computes the test suite effectiveness in terms of mutation score
Previous work
Proposal1*
Preliminary set of mutation operators for XACML policies.
Not included:
• all the important criticalities of the XACML policy specification
• most of the available XACML functions
Proposal2**
• Set of mutation operators based on a metamodel
• simulate the faults in the security models independently from the role-based formalism (R-BAC, OrBAC, ...)
Peculiarity: the mutation operators cannot be directly applied to XACML
* E. Martin and T. Xie, "A fault model and mutation testing of access control policies," in Proc. of WWW, May 2007, pp. 667–676
** T. Mouelhi, F. Fleurey, and B. Baudry, "A generic metamodel for security policies mutation," in Proc. of ICSTW, 2008, pp. 278–286
Mutation operators of Proposal1
• Policy Set Target True (PSTT) - removes the Target of each PolicySet, ensuring that the PolicySet is applied to all requests
• Policy Set Target False (PSTF) - modifies the Target of each PolicySet such that the PolicySet is never applied to a request
• Policy Target True (PTT) - removes the Target of each Policy, ensuring that the Policy is applied to all requests
• Policy Target False (PTF) - modifies the Target of each Policy, ensuring that the Policy is never applied to a request
• Rule Target True (RTT) - removes the Target of each Rule, ensuring that the Rule is applied to all requests
• Rule Target False (RTF) - modifies the Target of each Rule such that the Rule is never applied to a request
Mutation operators of Proposal1 (cont.)
• Rule Condition True (RCT) - removes the Condition of each Rule, ensuring that the Condition always evaluates to True
• Rule Condition False (RCF) - manipulates the Condition values or the Condition functions, ensuring that the Condition always evaluates to False
• Change Policy Combining Algorithm (CPC) - replaces the existing policy combining algorithm with another policy combining algorithm. The set of considered policy combining algorithms is {deny-overrides, permit-overrides, first-applicable, only-one-applicable}
• Change Rule Combining Algorithm (CRC) - replaces the existing rule combining algorithm with another rule combining algorithm. The set of considered rule combining algorithms is {deny-overrides, permit-overrides, first-applicable}
• Change Rule Effect (CRE) - changes the rule effect by replacing Permit with Deny or Deny with Permit
Policy Target True (PTT) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with the http://library.com/record resource will be applicable.
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target></Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with any resource will be applicable.
Policy Target False (PTF) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>RandomValue##+]][[*##_####987654 32_RandomValue456Mutant_xyz</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
No request will be applicable.
Mutation operators of Proposal2
• RPT - replaces a rule parameter having a type with another parameter of a different rule having the same type. In the XACML language the rule parameters correspond to subjects, resources, actions and environments
• PPR - chooses one rule from the set of rules, and then replaces the status with the opposite one
  • it coincides with the CRE operator of Proposal1
• ANR - adds a new rule containing a new combination of parameters that is not specified in the existing rules of the policy
• RER - chooses one rule and removes it
• PPD - replaces a parameter with one of its descending parameters
  • it is not applicable to the XACML 2.0 language
  • the roles and resources hierarchy is only considered in policies compliant to the Core and Hierarchical RBAC profile and to the Hierarchical resource profile of XACML 2.0
• We adapt the RPT, PPR, ANR and RER high level operators to the XACML language
Remove Rule (RER) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with the http://library.com/record resource will be denied.
Change Rule Effect (CRE) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Permit"></Rule>
</Policy>
A request with the http://library.com/record resource will be allowed.
Our new Mutation operators
• RemoveUniquenessFunction (RUF) - removes the type-one-and-only function (type refers to a primitive type: string, integer, double, etc.) from the rule condition, forcing the function evaluation to True and False
• AddUniquenessFunction (AUF) - adds the type-one-and-only function referring to each AttributeDesignator or AttributeSelector element of the rule Condition, forcing the function evaluation to True and False
• Change-N-OF-Function (CNOF) - changes the n parameter of the n-of function. The argument n specifies the minimum number of the boolean arguments (M) that must be evaluated to True for the expression to be considered True. We set n to 0, M-1 and M+1
• ChangeLogicalFunction (CLF) - replaces a logical function (and, or, n-of) with another one. We set the n argument of the n-of function equal to 0, forcing the function evaluation always to True
• AddNotFunction (ANF) - adds the not function as first function of each Condition element
Our new Mutation operators (cont.)
• RemoveNotFunction (RNF) - deletes the not function defined in the condition
• ChangeComparisonFunction (CCF) - replaces a comparison function (type-equal, type-greater-than, type-greater-than-or-equal, type-less-than, type-less-than-or-equal) with another one
• FirstPermitRule (FPR) - moves in each policy the rules having a Permit effect before those having a Deny effect
• FirstDenyRule (FDR) - moves in each policy the rules having a Deny effect before those having a Permit effect
AddNotFunction (ANF) example
Gold policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be allowed.
Mutated policy:
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:not">
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be denied.
FirstDenyRule (FDR) example
Gold policy (evaluate rule1 and then rule2):
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>
A request with read or write will be allowed.
Mutated policy (evaluate rule2 and then rule1):
<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
A request with read or write will be denied, since the first rule will be applied.
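The PTT, RER, CRE, ANF and FDR operators of these example slides, applied to the slides' policyExample and checked against a minimal first-applicable PDP, as an added example that is not XACMUT's code. The PDP supports only the XACML subset these policies use, the slides' shortened FunctionIds are kept as they appear, and the test suite of requests is constructed.

```python
"""Added example (not XACMUT's code): five of the slides' mutation operators on
the slides' policyExample, plus a tiny first-applicable PDP for that XACML
subset, so mutant decisions and a test suite's mutation score can be computed."""
import copy
import xml.etree.ElementTree as ET

GOLD = ET.fromstring("""<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target><Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource></Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>""")

def _eval(node, request):
    """Evaluate the expression subset used in the slides' policies."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag == "ActionAttributeDesignator":
        return [request["action"]]          # designators return bags
    args, fn = [_eval(child, request) for child in node], node.get("FunctionId")
    if fn == "function:string-bag":
        return args
    if fn == "function:string-one-and-only":
        if len(args[0]) != 1: raise ValueError("Indeterminate: bag size is not 1")
        return args[0][0]
    if fn == "function:string-is-in":
        return args[0] in args[1]
    if fn == "function:not":
        return not args[0]
    raise ValueError(f"unsupported function {fn}")

def evaluate(policy, request):
    """first-applicable PDP: the Target is matched on the resource id only;
    the first rule whose Condition holds (or that has none) decides."""
    target = policy.find("Target/Resource/AttributeValue")
    if target is not None and target.text.strip() != request["resource"]:
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if cond is None or _eval(cond[0], request):
            return rule.get("Effect")
    return "NotApplicable"

def PTT(p):  # Policy Target True: empty Target, the policy applies to all requests
    m = copy.deepcopy(p)
    m.find("Target").clear()
    return m

def RER(p, rule_id="rule1"):  # Remove Rule: drop the rule with the given id
    m = copy.deepcopy(p)
    m.remove(m.find(f"Rule[@RuleId='{rule_id}']"))
    return m

def CRE(p, rule_id="rule2"):  # Change Rule Effect: Permit <-> Deny on one rule
    m = copy.deepcopy(p)
    rule = m.find(f"Rule[@RuleId='{rule_id}']")
    rule.set("Effect", "Permit" if rule.get("Effect") == "Deny" else "Deny")
    return m

def ANF(p):  # Add Not Function: wrap the top expression of each Condition in not
    m = copy.deepcopy(p)
    for cond in list(m.iter("Condition")):
        inner = cond[0]
        cond.remove(inner)
        ET.SubElement(cond, "Apply", FunctionId="function:not").append(inner)
    return m

def FDR(p):  # First Deny Rule: move the Deny rules before the Permit rules
    m = copy.deepcopy(p)
    rules = m.findall("Rule")
    for rule in rules: m.remove(rule)
    m.extend(sorted(rules, key=lambda r: r.get("Effect") != "Deny"))
    return m

TEST_SUITE = [  # constructed (resource, action) requests
    {"resource": "http://library.com/record/", "action": "read"},
    {"resource": "http://library.com/record/", "action": "delete"},
    {"resource": "http://other.example/", "action": "read"}]

def mutation_score(gold, mutants, tests):
    """Share of mutants killed: some test gets a decision different from gold's."""
    killed = sum(1 for m in mutants
                 if any(evaluate(m, t) != evaluate(gold, t) for t in tests))
    return killed / len(mutants)
```

With only the first request the PTT and CRE mutants survive, which is exactly the kind of gap the mutation score is meant to expose.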
XACMUT
Mutation operators for XACML policies:
Proposal1: PSTT, PSTF, PTT, PTF, RTT, RTF, RCT, RCF, CPC, CRC, CRE
New operators: RUF, AUF, CNOF, CLF, ANF, CCF, FPR, FDR
Proposal2: PPD, RPT, ANR, RER
XACMUT Main Interface
Experimental Setting

| Policy | #Rule | #Cond | #Sub | #Res | #Act | #Funct | #TS | Proposal1 #M | Proposal1 %E | Proposal2 #M | Proposal2 %E | New Operators #M | New Operators %E | Total #M | Total %E |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| demo-5 | 3 | 2 | 2 | 3 | 2 | 4 | 39 | 18 | 67 | 43 | 21 | 37 | 86 | 98 | 54 |
| demo-11 | 3 | 2 | 2 | 3 | 1 | 5 | 35 | 16 | 63 | 29 | 21 | 32 | 84 | 77 | 56 |
| demo-26 | 2 | 1 | 1 | 3 | 1 | 4 | 32 | 13 | 31 | 28 | 14 | 31 | 77 | 72 | 44 |
| student1 | 2 | 0 | 5 | 2 | 2 | 2 | 85 | 12 | 75 | 336 | 58 | 85 | 98 | 433 | 67 |
| student2 | 2 | 0 | 11 | 2 | 2 | 2 | 24 | 23 | 70 | 6 | 50 | 29 | 67 | 58 | 67 |
| create-doc | 3 | 2 | 1 | 2 | 1 | 3 | 8 | 14 | 86 | 3 | 67 | 19 | 74 | 36 | 78 |
| read-doc | 4 | 3 | 2 | 4 | 1 | 3 | 7 | 17 | 53 | 4 | 0 | 26 | 54 | 47 | 49 |
| delete-doc | 3 | 2 | 1 | 3 | 1 | 3 | 6 | 14 | 57 | 3 | 0 | 21 | 57 | 38 | 53 |
| university1 | 3 | 0 | 24 | 3 | 3 | 2 | 203 | 18 | 72 | 109 | 85 | 61 | 97 | 188 | 88 |
| university2 | 3 | 0 | 23 | 3 | 3 | 2 | 33 | 12 | 75 | 56 | 79 | 37 | 95 | 105 | 84 |

M: Mutants; E: Test suite Effectiveness; TS: Test Suite derived using Targen
And now…
Forget everything you have just learned about XACML-based control of access, because ….
is the new big thing ahead !!!
Usage Control Model: Beyond Access Control
[Figure: usage control along the time axis. Before usage: pre decision (the part covered by traditional access control) and pre update; ongoing usage: ongoing decision and ongoing update; after usage: post update. The pre, ongoing and post updates reflect the mutability of attributes.]
Usage Control Model (UCON)*
Is based on:
• Authorizations
• Obligations
• Conditions
• Mutability of Attributes
• Continuous policy enforcement
* Defined by J. Park and R. Sandhu, The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004
Policy Language (based) on Process Algebra (PolPA)*
• A formal policy language for UCON
• An operational language based on process description languages
• The idea is to describe the allowed sequences of actions (commands)
• Policies can thus be formally verified, compared, minimized, refined
* F. Martinelli and P. Mori, "On usage control for grid systems," Future Generation Computer Systems, vol. 26, no. 7, pp. 1032–1042, 2010
Usage control commands
tryaccess(s, r, a): performed by subject s when performing a new access request (s, r, a)
permitaccess/denyaccess(s, r, a): performed by the system when granting/denying the access request (s, r, a)
endaccess(s, r, a): performed by subject s when ending an access (s, r, a)
revokeaccess(s, r, a): performed by the system when revoking an ongoing access (s, r, a)
update(attribute): updates a subject or an object attribute
Command composition operators: ., or, par
Example of PolPA Policy
PolPA Authorization System
Testing Purpose
[Figure: the Test Suite sends requests to the SUT, i.e. the PDP loaded with the Policies; the PDP replies; the Oracle receives requests and replies and emits the verdict.]
PDP (Policy Decision Point): evaluates the requests against the usage control policies
How to do PDP testing?
Emulate a possible PEP by issuing tryaccess and endaccess commands to the PDP
Which test approach?
• A test case (request) is a sequence of commands (tryaccess/endaccess) with a variable number of action parameters
• Traditional combinatorial approaches are not suitable since they do not specifically address the order of the commands
• We propose:
  • a fault model and the corresponding mutation operator classes for the PolPA language
  • a test case derivation strategy from the fault model
Testing procedure
A. Apply the fault-model mutation classes to the PolPA policy (FMM)
B. Derive a set of mutants (each mutant is a faulty policy) (FPG)
C. Apply the test case generation strategy to each policy (gold policy and all derived faulty policies) (TCG)
D. Execute the test cases (TD)
E. Analyze the test results (TO)
Mutation classes
Change Composition Operator (CCO): implements a violation of the order of execution of the commands
Change Command (CC): implements faults in the execution of a command
Change Guard String Predicate (CGSP): implements a wrong management of the values of string parameters
Change Guard Integer Predicate (CGIP): implements a wrong management of the values of integer parameters
Depth-first visit of the policy
Depth-first visit of the faulty policy (CCO class)
Experimental Data

| Mutant class | #Mutants | #Executed test cases | #Faults |
|---|---|---|---|
| Policy | - | 2 | 0 |
| CCO | 14 | 45 | 0 |
| CC | 56 | 84 | 9 |
| CGSP | 4 | 8 | 0 |
| CGIP | 4 | 8 | 0 |
| Total | 78 | 175 | 9 |

• for 9 test cases (of 84) the responses were not the expected ones
• all faults were given by test cases derived from mutants having 2 tryaccess(user_id, R1, A(x1, x2))
• the PDP implementation allows tryaccess an arbitrary number of times (specific application constraint)
We have covered:
• XML-based testing and TAXI tool
• XACML combinatorial testing and X-CREATE tool
• XACML mutations and XACMUT tool
• Usage-control systems and testing of PolPA
quite enough for today!
What after?
Concerning access control:
-- we are integrating the tools into a continuous framework
-- supporting the policy developer in debugging the policy after a problem is detected
Concerning usage control:
-- provide support for continuous on-line testing (already ongoing)
-- towards standardized U-XACML
not only technology
humans
Social engineering
• People are generally considered the weakest link in information assurance
• As organizations improve their security processes and technologies, more and more attackers focus on exploiting human errors or ingenuity
• So-called social engineering malware is rising as the most successful tactic: it manipulates the natural human tendency to trust
Figure from Sherly Abraham, InduShobha Chengalur-Smith, An overview of social engineering malware: Trends, tactics, and implications, Technology in Society, 32 (3), 2010, 183–196
So the message is:
- Stay informed on the technology
- Adopt best practice and protect your data
- Test your security mechanisms, and...
- Stay alert!
Question time