Design of Access Control Policy Checker (ACPC)

Abstract

Any type of system, having different users, need to have a access control system for authorized access and prevention of harm. Access Control System which is specifying separately in the system by a separate policy specification is a solution for that problem. Access Control System contains the different policies, whose work is to receive access requests then it consults to the policy and then returns a response, specifying that the user request is permitted or denied. To implement these access control policies are not an easy task, because of the huge system requirement. For checking the correctness of the policies which is deployed into the system are very difficult. In this thesis, a systematic and automated toll for policy testing is provided. For test a policy it involve generation of test cases, evaluation of policies with respect to those test cases and at last comparison between the expected and actual results.

In the approach to policy testing, we conducted the change-impact analysis for generating the requests, and mutation testing for testing the specified policy. The testing framework called ACPC (Access Control Policy Checker), used Margrave tool [25] to perform change-impact analysis [7] for generating requests. We have choosen like previous work [22] an access control specification language, Extensible Access Control Markup Language (XACML).

We conducted experiments using nine policy sets to evaluate the effectiveness by the framework. The experimental result shows that ACPC can effectively generate requests to achieve high structural coverage of policies and outperforms random requests generation in terms of structural coverage and fault-detection capability. We have used nine mutation operators to make the mutant policy for mutation testing. We found the better result by classify these mutation operator in to three classes. We got up to 98% of mutant killed by one class of mutation operator, this results shows that, the classification gives better performance in terms of cost and time.