Multiple-implementation testing for XACML implementations
Source: International Symposium on Software Testing and Analysis
Proceedings of the 2008 workshop on Testing, analysis, and verification of web services and applications
Seattle, Washington
Pages 27-33
Year of Publication: 2008
ISBN: 978-1-60558-053-1
Authors
Nuo Li  North Carolina State University, NC and Beihang University, Beijing, China
JeeHyun Hwang  North Carolina State University, NC
Tao Xie  North Carolina State University, NC
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1390832.1390837

ABSTRACT

Many Web applications enhance their security via access-control systems. XACML is a standardized policy language, which has been widely used in access-control systems. In an XACML-based access-control system, policies, requests, and responses are written in XACML. An XACML implementation implements XACML functionalities to validate XACML requests against XACML policies. To ensure the quality of an XACML-based access-control system, we need an effective means to test whether the XACML implementation correctly implements XACML functionalities. The test inputs of an XACML implementation are XACML policies and requests. The test outputs are XACML responses. This paper proposes an approach to detect defects in XACML implementations via observing the behaviors of different XACML implementations for the same test inputs. As XACML has been widely used, we can collect different XACML implementations, and test them with the same XACML policies and requests to observe whether the different implementations produce different responses. Based on the analysis of different responses, we can detect defects in different XACML implementations. We show the feasibility of the proposed approach with a preliminary study on three XACML implementations.



