Conformance Testing of Temporal Role-Based Access Control Systems
April-June 2010 (vol. 7 no. 2)
pp. 144-158
We propose an approach for conformance testing of implementations that are required to enforce access control policies specified using the Temporal Role-Based Access Control (TRBAC) model. The approach uses Timed Input-Output Automata (TIOA) to model the behavior specified by a TRBAC policy. The TIOA model is transformed into a deterministic se-FSA model that captures every temporal constraint through two special events, Set and Exp. A modified W-method and an integer-programming-based approach are then used to construct a conformance test suite from the transformed model. The resulting test suite provides complete fault coverage with respect to the proposed fault model for TRBAC specifications.
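The following Python script is an added illustration of the testing idea in the abstract; it is not code from the paper or its authors. It builds a small TRBAC policy in which roles are enabled only during daily time intervals, takes a reference decision function as the model of required behaviour, and derives test inputs from the boundaries of each enabling interval (the moments at which the paper's Set and Exp events would fire). The boundary-plus-or-minus-one-minute rule used here is a deliberate simplification that stands in for the paper's W-method and integer-programming construction, and the policy, role names and the seeded defect in `faulty_decide` are all constructed for the example.

```python
"""Toy conformance check for a temporal RBAC (TRBAC) policy.

Constructed example: roles are enabled inside periodic daily intervals,
tests probe each interval's start (Set) and expiry (Exp) boundary, and an
implementation's answers are compared with the reference model's.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

MINUTES_PER_DAY = 24 * 60


@dataclass(frozen=True)
class EnablingInterval:
    """Role enabled from `start` (inclusive) to `end` (exclusive), in minutes
    past midnight. If end <= start the interval wraps across midnight."""
    start: int
    end: int

    def contains(self, t: int) -> bool:
        t %= MINUTES_PER_DAY
        if self.start < self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass
class TRBACPolicy:
    enabling: Dict[str, List[EnablingInterval]]   # role -> enabling intervals
    user_roles: Dict[str, Set[str]]               # user -> assigned roles
    role_perms: Dict[str, Set[str]]               # role -> permissions


def parse_hhmm(text: str) -> int:
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


Decider = Callable[[TRBACPolicy, str, str, str, int], bool]


def reference_decide(policy: TRBACPolicy, user: str, role: str, perm: str, t: int) -> bool:
    """Ground truth: grant iff the user holds the role, the role is enabled
    at time t, and the role carries the permission."""
    enabled = any(iv.contains(t) for iv in policy.enabling.get(role, []))
    return (role in policy.user_roles.get(user, set())
            and enabled
            and perm in policy.role_perms.get(role, set()))


def faulty_decide(policy: TRBACPolicy, user: str, role: str, perm: str, t: int) -> bool:
    """Constructed faulty implementation: the interval end is treated as
    inclusive, so a role stays enabled one minute past its expiry (a late Exp)."""
    t %= MINUTES_PER_DAY
    enabled = False
    for iv in policy.enabling.get(role, []):
        if iv.start < iv.end:
            enabled |= iv.start <= t <= iv.end
        else:
            enabled |= t >= iv.start or t <= iv.end
    return (role in policy.user_roles.get(user, set())
            and enabled
            and perm in policy.role_perms.get(role, set()))


def boundary_test_points(policy: TRBACPolicy, role: str) -> List[int]:
    """Test times derived from each interval's Set (start) and Exp (end)
    event: the boundary itself plus one minute on either side."""
    points = set()
    for iv in policy.enabling.get(role, []):
        for boundary in (iv.start, iv.end):
            for delta in (-1, 0, 1):
                points.add((boundary + delta) % MINUTES_PER_DAY)
    return sorted(points)


def generate_suite(policy: TRBACPolicy) -> List[Tuple[str, str, str, int]]:
    """Every user against every role (assigned or not, so denials are tested
    too), every permission of that role, at every boundary test time."""
    suite = []
    for user in policy.user_roles:
        for role in policy.enabling:
            for perm in sorted(policy.role_perms.get(role, set())):
                for t in boundary_test_points(policy, role):
                    suite.append((user, role, perm, t))
    return suite


def conformance_failures(policy: TRBACPolicy, impl: Decider) -> List[Tuple]:
    """Run the suite against `impl`; return (case, expected, actual) mismatches."""
    failures = []
    for case in generate_suite(policy):
        expected = reference_decide(policy, *case)
        actual = impl(policy, *case)
        if expected != actual:
            failures.append((case, expected, actual))
    return failures


# Constructed sample policy: a day-shift role and a night-shift role that wraps midnight.
SAMPLE_POLICY = TRBACPolicy(
    enabling={
        "day_doctor": [EnablingInterval(parse_hhmm("08:00"), parse_hhmm("17:00"))],
        "night_nurse": [EnablingInterval(parse_hhmm("20:00"), parse_hhmm("06:00"))],
    },
    user_roles={"alice": {"day_doctor"}, "bob": {"night_nurse"}},
    role_perms={"day_doctor": {"read_record", "prescribe"}, "night_nurse": {"read_record"}},
)

if __name__ == "__main__":
    print("correct implementation:", conformance_failures(SAMPLE_POLICY, reference_decide))
    for case, expected, actual in conformance_failures(SAMPLE_POLICY, faulty_decide):
        print("MISMATCH", case, "expected", expected, "got", actual)
```

Running the script reports no mismatches for the reference implementation and flags the faulty one exactly at the expiry boundaries (17:00 for `day_doctor`, 06:00 for `night_nurse`), which is the point of probing the Exp event: a test suite that only sampled mid-interval times would never observe the late expiry.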
Index Terms:
Role-based access control (RBAC), temporal role-based access control (TRBAC), finite-state models, timed input-output automata (TIOA), W-method, fault model, se-FSA transformation, integer programming (IP).
Citation:
Ammar Masood, Arif Ghafoor, Aditya Mathur, "Conformance Testing of Temporal Role-Based Access Control Systems," IEEE Transactions on Dependable and Secure Computing, vol. 7, no. 2, pp. 144-158, Apr.-June 2010, doi:10.1109/TDSC.2008.41