SE · Sep 8, 2018

An automated model-based test oracle for access control systems

arXiv:1809.02724v1 · 13 citations

Originality: Incremental advance
AI Analysis

This work addresses the need for cost-effective testing in access control systems, though it appears incremental as it builds on existing model-based methods.

The paper tackles the problem of manual inspection in testing XACML-based access control systems by introducing XACMET, a model-based approach that automates verdict derivation using an XAC-Graph, with validation confirming its effectiveness.

In the context of XACML-based access control systems, an intensive testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. Unfortunately, it requires a huge effort for manual inspection of results: thus automated verdict derivation is a key aspect for improving the cost-effectiveness of testing. To this purpose, we introduce XACMET, a novel approach for automated model-based oracle definition. XACMET defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation. The expected verdict of a specific request execution can thus be automatically derived by executing the corresponding path in such a graph. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.
