Validation of access control systems

Abstract

Access Control is among the most important security mechanisms to put in place in order to secure applications, and XACML is the de facto standard for defining access control policies. Due to the complexity of XACML language it is important to perform efficient testing to identify potential security flaws and bugs. However, in practice, exhaustive testing is impossible due to budget constraints. Test cases selection and prioritization are two well-known solutions to maximize the effectiveness of the test suite in terms of discovered faults, reducing as much as possible the required effort for tests execution and results analysis. In this chapter, after providing a survey on validation approaches for XACML based access control systems, we present a coverage based selection strategy and a similarity based test prioritization solution, both applied to XACML test cases. Then we compare the effectiveness of the two approaches in terms of mutation score and number of test cases. Experimental results show that coverage based selection outperforms similarity based prioritization, hinting to future improvements of the proposed approaches.