tarot2013 testing school - antonia bertolino presentation


Upload: henry-muccini

Post on 09-May-2015


DESCRIPTION

TAROT 2013 9th International Summer School on Training And Research On Testing, Volterra, Italy, 9-13 July, 2013 These slides summarize Paolo Tonella's presentation about "Academic developments in search based testing for the Future Internet."

TRANSCRIPT

Page 1: TAROT2013 Testing School - Antonia Bertolino presentation

11-07-2013

1

9th International Summer School on Training And Research On Testing

9-13 July, 2013 - Volterra, Italy

Theme 3: Security Testing XML-based approaches for security testing

Antonia Bertolino, ISTI-CNR [email protected]


SOFTWARE ENGINEERING AND DEPENDABLE COMPUTING LABORATORY ISTITUTO DI SCIENZA E TECNOLOGIE DELL'INFORMAZIONE “A. FAEDO”

Acknowledgements

All presented approaches and tools are the result of research work in collaboration with: Said Daoudagh, Francesca Lonetti, Eda Marchetti

(plus also concerning TAXI with Cesare Bartolini, JingHua Gao and Andrea Polini,

and concerning Polpa testing with Fabio Martinelli, Paolo Mori)

and have been partially developed within the European Projects:

TAS3 (completed) and NESSOS (ongoing)


Agenda

•  Introduction to: security mechanisms and access control systems; security testing; XACML
•  XML-based testing and TAXI tool
•  XACML combinatorial testing and X-CREATE tool
•  XACML mutations and XACMUT tool
•  Usage-control systems and testing of Polpa
•  Conclusions and hints for further research


Software is everywhere

Software is routinely used in many disparate aspects of everyday life

More and more the different software-intensive devices that we use communicate among themselves

In many cases software applications are critical either money-wise or health-wise

The evident consequence is that malfunctions of software heavily impact our wellness and welfare


Software malfunctions

•  Your web browser crashes while you are reading news: this is annoying
•  Your web mail account is stolen: this could be serious
•  The computerized device releases a radiation overdose (*): this is very serious

The consequences of software malfunctions can be very different.

(*) Leveson, N.G.; Turner, C.S., "An investigation of the Therac-25 accidents," Computer , vol.26, no.7, pp.18,41, July 1993


Software puts us at risk

Two somewhat contrasting wishes:
•  Being connected every time and everywhere
•  Preserving our own privacy and data integrity

However, for business and society connectivity is no longer an option. The point is to balance potential risks with benefits.

Networks must be enabled to support security services that provide adequate protection to users and companies in a relatively open environment


Rising vulnerability of evolving technology

Catherine Paquet, Network Security Concepts and Policies, Cisco Press, 2013


Three related software quality concerns: Dependability, Safety, Security


Definitions

Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004


Dependability: the ability to deliver service that can justifiably be trusted


Safety: the absence of catastrophic consequences on the user(s) and the environment


Security: the absence of unauthorized access to, or handling of, system state


Composite definition of security

Avizienis, A.; Laprie, J.-C.; Randell, B.; Landwehr, C., "Basic concepts and taxonomy of dependable and secure computing", IEEE Trans. Dependable and Secure Computing, 1 (1), pp.11,33, Jan.-March 2004


Security engineering

•  Systems engineering must be unified with security engineering:

•  Currently(*) security modeling remains largely independent of system models.

•  Typically, system requirements and design are done first, and security is added as an afterthought.

(*) Premkumar T. Devanbu and Stuart Stubblebine. Software engineering for security: a roadmap. In FOSE 2000 @ICSE '00. ACM, 227-239.


Information Assurance: an overarching approach

•  Information must be protected throughout its lifetime, while at rest and while passing through different processing systems
•  The strength of any system is no greater than its weakest link
•  Each component of the information processing system must have its own protection mechanisms
•  The building up, layering on and overlapping of security measures is called defense in depth: a design principle to ensure resilience against different forms of attack, and to reduce the probability of a single point of failure

Figure: the Onion Model of Defense In Depth


Why ensuring security is difficult

Security engineers (and especially testers) must take into account not only legitimate users and clients, but also potential (malicious) adversaries

Therefore to design a secure system we should provide defenses against all plausible threats: a secure system does only what it is supposed to do and nothing else.


Risk-oriented approach

•  Information Security is about minimizing risk to an acceptable level while maintaining the Confidentiality, Integrity, and Availability of the systems and data.
•  All systems have some level of risk.
•  A completely secure, zero-risk system is one that has zero functionality.


Towards a Security-centered Development Process

•  A security development lifecycle (SDL) is a software development lifecycle placing special emphasis on security in each phase
•  Several SDLs have been proposed, of which Microsoft SDL is the best established in industry


Security testing

There exist many different types of security testing. For example, Microsoft SDL includes three practices:

•  Dynamic Analysis: performs run-time verification of software functionality using tools that monitor application behavior for memory corruption, user privilege issues, and other
•  Fuzz Testing: induces program failure by deliberately introducing malformed or random data to an application so as to reveal potential security issues prior to release
•  Attack Surface Review: reviewing the attack surface before and after the installation of product(s) and displaying the changes to key elements of the attack surface


Scope of security testing

Security software: testing security mechanisms to ensure that their functionality is properly implemented

Software security: performing risk-based security testing driven by understanding and simulating the attacker's approach

To keep in mind: "software security is not security software" (*). Security features such as cryptography, strong authentication, and access control play critical roles in software security; however, security itself is an emergent property of an entire system, not just its security mechanisms.

(*) Gary McGraw and Bruce Potter. 2004. Software Security Testing. IEEE Security and Privacy 2, 5 (September 2004), 81-85.


Approaches for testing “software security”

Mostly negative testing, aiming at detecting whether the application does something it should not do. It includes:
•  Fuzzing, either random or systematic (e.g., model-based fuzz testing)
•  Vulnerability injection, e.g. SQL injection
•  Risk-based testing
•  Security test patterns (e.g., DIAMONDS project)
•  …


Testing software security relies on expertise and knowledge of the system: it requires that you think about your project and its possible misuses or attacks.


CIA


Data classification

Assets (data, programs, resources, …) have different security levels, e.g.
•  Unclassified
•  Restricted
•  Confidential
•  …

Correspondingly, differing roles for people or applications are introduced, defining who can access what level, e.g.
•  Owner
•  Administrator
•  User
•  …


Access control

•  Once a system involves security-classified data, we need to ensure that only the intended people can access them and that these intended users are only given the level of access required to accomplish their tasks.

An access control system provides a decision (ok, ko) to an authorization request, typically based on predefined policies.

Figure: request → Access Control (driven by a policy) → response


Access control mechanisms

Identification → Authentication → Authorization


Identification: the activity of a subject supplying information to identify itself to an authentication service. Examples: username, account number, ID card, …


Authentication: a means to verify the authenticity of the identity declared during Identification. Three ways (of increasing cost):
-  What the subject knows: passwords, PINs, passcodes, etc.
-  What the subject has: keys, tokens, smartcards, etc.
-  What the subject is: biometric data, e.g., fingerprints, voice recognition, etc.
Authentication can be one-factor or two/three-factor (strong).


Authorization: the process of assigning to authenticated subjects a set of permissions that defines what they can and cannot do. These permissions are generally defined by security policies.


Defining security rules (or policies)

A security policy is a specific statement of what is and is not allowed


Security policies

From Wikipedia:

Security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys and walls. For systems, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries including programs and access to data by people.

•  Access control
•  Computer security policy
•  Environmental design
•  Information Protection Policy
•  Information security policy
•  National security policy, Military strategy
•  Network security policy
•  Virtual security policy
•  …


The eXtensible Access Control Markup Language

•  XACML is the OASIS standard for specifying Access Control Policy
•  The latest version is XACML 3.0, released in January 2013. Before that, XACML 2.0 was released in Feb. 2005 (this is the version implemented in our tool), and XACML 1.0 had been released in Feb. 2003
•  Organizations sponsoring OASIS and contributing to the XACML standard include: CA Technologies, Cisco Systems, Connectis, Dell, EMC, IBM, Microsoft, Oracle, Primeton Technologies, Inc., Red Hat, SailPoint Technologies, The Boeing Company, Veterans Health Administration, ViewDS, etc.

www.oasis-open.org


XACML

•  XACML is a general-purpose language for access control policies. It provides an XML-based syntax for managing access to resources
•  XML is a natural choice as the basis for the common security-policy language, due to the ease with which its syntax and semantics can be extended and the widespread support that it enjoys from all the main platform and tool vendors
•  It is generic (can be used by many different kinds of applications and platforms), distributed (a policy can refer to other sub-policies, and XACML knows how to correctly combine the results from these different policies into one decision) and powerful (supports a wide variety of data types, functions, and rules about combining the results of different policies)


XACML languages

Policy Language: used to describe access control requirements. Who is allowed to do what?

Request/Response Language: the request is a query about permissions associated with x. The response is permit, deny, indeterminate, or not applicable.


XACML architecture

XACML also proposes a standard reference architecture


Policy Enforcement Point (PEP): performs access control by making decision requests and enforcing authorization decisions. Basically, the entity that sends the XACML request to the Policy Decision Point (PDP) and receives an authorization decision.


Policy Decision Point (PDP): evaluates the applicable policy and returns an authorization decision.


XACML Flow

•  A Subject who wishes to access an Object (Resource) must do so through the PEP
•  The PEP forms the XACML request and sends it to the PDP
•  The PDP checks the request against the Policy and returns an XACML response
•  The PEP either Permits or Denies access to the resource.

Figure: the Policy Enforcement Point (PEP) asks "Can I access Resource?"; the Policy Decision Point (PDP) answers Permit/Deny. The relevant XACML policy needs to be selected and its rules evaluated. Requests and responses are also specified in XACML.


XACML Structure

The nice picture is taken from: Yoon Jae Kim, Access Control Service Oriented Architecture Security, on line at http://www.cs.wustl.edu/~jain/cse571-09/ftp/soa/

XACML policy example

<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource>
      <AttributeValue>http://library.com/record/</AttributeValue>
    </Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>

The slide annotates the Target, Rule1 with its Condition, and Rule2.


We need to verify the access control system

XACML properties of interoperability, extensibility, distribution are paid in terms of complexity and verbosity

Policies can be deceiving and need to be carefully checked


Policy testing

Provide test strategies for test suite generation so as to simulate correct or improper usage of data and resources by execution of test suites.

Figure: from the policies specification, test suites (Test suite 1 for User1, Test suite 2 for User2) exercise accesses to data and resources.


Testing Purpose

Testing the policy specification

Figure: the Test Suite sends requests to the PDP loaded with the Policies (here the SUT, system under test, is the policy specification); the replies go to the Oracle, which issues the verdict.


Testing Purpose

Testing the policy implementation (PDP)

Figure: the Test Suite sends requests to the PDP loaded with the Policies (here the SUT, system under test, is the PDP itself); the replies go to the Oracle, which issues the verdict.


XACML testing

Different types of approaches have been proposed, including:
•  Structural Coverage of XACML elements
•  Combinatorial (Targen, X-Create)
•  Category-partition (X-Create)
•  Change-impact based
•  Model-based
•  …


Targen

Targen(*) is a seminal tool on XACML testing that is the closest competitor to X-CREATE

Targen applies a combinatorial approach to the attribute values: for each target included in the policy under test, it derives as many requests as there are possible combinations of values of the attributes found in the subject, resource, and action sections.

(*) E. Martin and T. Xie, “Automated test generation for access control policies,” in Supplemental Proc. of ISSRE, November 2006.
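An added example (not code from the slides, nor from Targen or X-CREATE) that ties the earlier "XACML policy example" slide to the combinatorial derivation just described: it parses that policy with Python's standard library, evaluates requests under first-applicable rule combining, and derives a Targen-style request set as the product of the attribute values the policy mentions, extended with one value the policy never names per attribute so that Deny and NotApplicable outcomes are exercised as well. The request layout (a dict of attribute bags), the subject:id/resource:id/action:id attribute ids and the abbreviated function ids are assumptions matching the slide's shortened syntax.

```python
"""Mini XACML PDP for the slide's policy subset, plus Targen-style request derivation."""
import itertools
import xml.etree.ElementTree as ET

# Policy copied from the "XACML policy example" slide (abbreviated ids, as on the slide).
POLICY_XML = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target>
    <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only">
          <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
        </Apply>
        <Apply FunctionId="function:string-bag">
          <AttributeValue DataType="string">write</AttributeValue>
          <AttributeValue DataType="string">read</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""

# Assumed: Target sections map to these request attribute ids; a request is a dict {attribute id: bag (list) of values}.
SECTION_ATTR = {"Subject": "subject:id", "Resource": "resource:id", "Action": "action:id"}

def _eval(node, request):
    """Evaluate AttributeValue / *AttributeDesignator / Apply nodes of a Condition."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag.endswith("AttributeDesignator"):
        return list(request.get(node.get("AttributeId"), []))  # attribute bag
    fid, args = node.get("FunctionId"), [_eval(c, request) for c in node]
    if fid == "function:string-bag":
        return args
    if fid == "function:string-one-and-only":
        if len(args[0]) != 1:  # missing or multi-valued attribute -> Indeterminate
            raise ValueError("one-and-only on a bag of size %d" % len(args[0]))
        return args[0][0]
    if fid == "function:string-is-in":
        return args[0] in args[1]
    raise NotImplementedError(fid)

def target_matches(target, request):
    """Each Target section must name at least one value present in the request."""
    if target is None:
        return True
    for section in target:
        wanted = [v.text.strip() for v in section.iter("AttributeValue")]
        if not any(w in request.get(SECTION_ATTR[section.tag], []) for w in wanted):
            return False
    return True

def evaluate(policy_xml, request):
    """Permit / Deny / NotApplicable / Indeterminate under first-applicable combining."""
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId") == "first-applicable"  # only algorithm implemented
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    for rule in policy.findall("Rule"):  # first rule whose target and condition hold decides
        if not target_matches(rule.find("Target"), request):
            continue
        cond = rule.find("Condition")
        try:
            applies = cond is None or bool(_eval(cond[0], request))
        except ValueError:
            return "Indeterminate"
        if applies:
            return rule.get("Effect")
    return "NotApplicable"

def policy_values(policy_xml):
    """Values the policy names per request attribute (in Targets and Conditions)."""
    policy = ET.fromstring(policy_xml)
    values = {attr: set() for attr in SECTION_ATTR.values()}
    for tag, attr in SECTION_ATTR.items():
        for section in policy.iter(tag):
            values[attr].update(v.text.strip() for v in section.iter("AttributeValue"))
    for cond in policy.iter("Condition"):  # assumes one designator per Condition
        attr = next(n for n in cond.iter() if n.tag.endswith("AttributeDesignator")).get("AttributeId")
        values.setdefault(attr, set()).update(v.text.strip() for v in cond.iter("AttributeValue"))
    return values

def derive_requests(policy_xml, extra="__not_in_policy__"):
    """Targen-style: one single-valued request per combination of attribute values,
    each attribute also taking one value the policy never mentions."""
    values = policy_values(policy_xml)
    attrs = sorted(values)
    pools = [sorted(values[a]) + [extra] for a in attrs]
    return [{a: [v] for a, v in zip(attrs, combo)} for combo in itertools.product(*pools)]

def run_suite(policy_xml=POLICY_XML):
    """Evaluate every derived request: returns [(request, decision), ...]."""
    return [(req, evaluate(policy_xml, req)) for req in derive_requests(policy_xml)]
```

Calling run_suite() yields six requests with their decisions: read and write on the library record are Permit, the unlisted action is Deny via rule2, and the three requests for an unlisted resource are NotApplicable.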


Our approach

X-CREATE XaCml REquests derivAtion for TEsting

The X-CREATE tool supports several different test derivation strategies based on a combinatorial approach

It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xcreate/public/main


Our approach

X-CREATE XaCml REquests derivAtion for TEsting

Original idea: We exploit the XML nature of XACML and adapt our previous tool TAXI for XML test generation

…so, let’s now open a brief parenthesis about TAXI …


TAXI

•  A tool for systematic document generation from XML Schema
•  It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/taxi/public/main


The eXtensible Markup Language(XML)

<?xml version="1.0" encoding="ISO-8859-1"?>
<card>
  <name>John Doe</name>
  <title>CEO, Widget Inc.</title>
  <email>[email protected]</email>
  <phone>(202) 4561414</phone>
</card>

•  The eXtensible Markup Language (XML) is a markup language which is a standard format to store information and data.
•  XML documents are tree-structured documents in which data are formatted/organised using tags


XML & XML Schema

•  XML Schema provides a means for defining the structure and content of XML documents
•  In the open networked world, XML Schema supports interoperability between independently developed applications

Figure: interoperability between independently developed applications (labelled Chinese and Italian)


Automatic XML-Based Testing and Benchmarking


Our systematic approach

The approach has been inspired at large by the well-known semi-automated Category Partition methodology for systematic test generation… or, you can think of it as grammar-based generation on the XSD syntax, although we have also introduced practical rules.


Mapping CP to XPT

CP (*)                          XPT
Analyze Specifications          Preprocessor
Identify Functional Units       Identify Sub-Schema Sets
Partition Categories            Identify Types
Select Choices                  Partition Values and Structures
Determine Constraints           Determine "valid/invalid" constraints
Generate Test Specification     Generate Intermediate Instances
Generate Test Cases             Generate Final Instances

(*) Thomas J. Ostrand and Marc J. Balcer. The category-partition method for specifying and generating functional tests. Communications of ACM,31(6),1988.


Identification of Sub-Schema Sets

<choice> elements partition the XML Schema into distinct sets corresponding to the CP functional units.

Figure: an XML Schema containing a choice between A and B and a choice between 1 and 2 is split by the preprocessor into four sub-schemas, each a sequence: (A, 1), (A, 2), (B, 1), (B, 2). In the CP-to-XPT mapping this is the step Identify Functional Units → Identify Sub-Schema Sets.


Intermediate Instances

•  Generate intermediate instances by combining the values of "minOccurs" and "maxOccurs".
•  Apply the conventional Boundary Condition test approach to reduce the combinations

Figure: for a sub-schema with elements A (minOccurs=0, maxOccurs=3) and B (minOccurs=2, maxOccurs=4), the boundary values give four intermediate instances: A occurs=0, B occurs=2; A occurs=3, B occurs=2; A occurs=0, B occurs=4; A occurs=3, B occurs=4. In the CP-to-XPT mapping this is the step Generate Test Specification → Generate Intermediate Instances.
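An added example (not the TAXI tool's code) that runs the XPT steps just described on a constructed schema: the slide's A (0..3) and B (2..4) elements as one alternative of a choice, plus an unbounded element C as the other alternative, with "unbounded" fixed to an assumed k=5. It identifies the sub-schema sets at the choice, generates the boundary-value intermediate instances (the four A/B combinations on the slide) and emits the final XML instances.

```python
"""XPT-style (TAXI) instance derivation from an XML Schema: sub-schema split at
<choice>, boundary-value intermediate instances, and final XML instances."""
import itertools
import xml.etree.ElementTree as ET

XS = "{http://www.w3.org/2001/XMLSchema}"
UNBOUNDED_K = 5  # assumed k: maxOccurs="unbounded" is fixed to k before XPT is applied

# Constructed schema: the slide's A (0..3) / B (2..4) sequence as one alternative of a
# choice, with an unbounded element C as the other alternative.
SCHEMA_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="root">
    <xs:complexType>
      <xs:choice>
        <xs:sequence>
          <xs:element name="A" type="xs:string" minOccurs="0" maxOccurs="3"/>
          <xs:element name="B" type="xs:string" minOccurs="2" maxOccurs="4"/>
        </xs:sequence>
        <xs:element name="C" type="xs:string" minOccurs="1" maxOccurs="unbounded"/>
      </xs:choice>
    </xs:complexType>
  </xs:element>
</xs:schema>"""

def occurrence_range(element):
    """(minOccurs, maxOccurs) of a leaf element, with unbounded replaced by UNBOUNDED_K."""
    lo = int(element.get("minOccurs", "1"))
    hi = element.get("maxOccurs", "1")
    return lo, UNBOUNDED_K if hi == "unbounded" else int(hi)

def sub_schemas(node):
    """Identify Sub-Schema Sets: one ordered list of (name, (min, max)) leaves per
    alternative of every <choice>; a <sequence> concatenates its children's alternatives."""
    if node.tag == XS + "element":
        ctype = node.find(XS + "complexType")
        if ctype is None:                       # leaf element
            return [[(node.get("name"), occurrence_range(node))]]
        return sub_schemas(ctype[0])            # the element's single model group
    if node.tag == XS + "choice":
        return [s for alt in node for s in sub_schemas(alt)]
    if node.tag == XS + "sequence":
        combos = [[]]
        for child in node:
            combos = [left + right for left in combos for right in sub_schemas(child)]
        return combos
    raise NotImplementedError(node.tag)

def intermediate_instances(schema):
    """Generate Intermediate Instances: boundary conditions keep only minOccurs and
    maxOccurs per element and combine them across the sub-schema."""
    names = [name for name, _ in schema]
    bounds = [sorted({lo, hi}) for _, (lo, hi) in schema]
    return [dict(zip(names, combo)) for combo in itertools.product(*bounds)]

def final_instance(root_name, counts, value="x"):
    """Generate Final Instances: an XML document with the chosen number of occurrences."""
    root = ET.Element(root_name)
    for name, n in counts.items():
        for _ in range(n):
            ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")

def derive(xsd=SCHEMA_XSD):
    """Full pipeline: returns [(occurrence counts, XML instance), ...]."""
    root_el = ET.fromstring(xsd).find(XS + "element")
    return [(counts, final_instance(root_el.get("name"), counts))
            for schema in sub_schemas(root_el)
            for counts in intermediate_instances(schema)]

if __name__ == "__main__":
    for counts, doc in derive():
        print(counts, doc)
```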


Potential Applications

•  For validating database management systems:
   - automatically generate valid XML instances for populating the database
   - evaluate the performance and the quality of the associated management systems
•  For testing the inter-operability between applications and for enabling the correct interactions among the interfaces used by remote components in distributed systems:
   - automatic and controlled generation of valid and invalid instances enables the automated testing of I/O behavior
•  For verifying the proper communication protocols between web services:
   - SOAP-based interaction between services exploiting the corresponding XML Schemas…
•  …

Further Reading: Bertolino, Antonia, Jinghua Gao, Eda Marchetti, and Andrea Polini. "Automatic test data generation for XML schema-based partition testing." In Proc. of the Second International ICSE Workshop on Automation of Software Test, p. 4. IEEE Computer Society, 2007.

Bartolini, Cesare, Antonia Bertolino, Eda Marchetti, and Andrea Polini. "WS-TAXI: A WSDL-based testing tool for web services." In Proc. ICST'09, pp. 326-335. IEEE, 2009.


X-CREATE Testing Framework

[Figure: the request structure and the policy specification are the inputs; the output is the instantiated request.]

Implements several testing strategies:
•  Preliminary XPT (XML Partition Testing)
•  Incremental XPT
•  Simple Combinatorial
•  Multiple Combinatorial
•  Hierarchical Simple
•  Hierarchical Incremental

61


Preliminary XPT Main Idea

Inspired by TAXI: derive (once and for all) a universally valid generic test suite of conforming requests by applying:
•  A variant of the Category Partition methodology
•  The Boundary Conditions methodology

Each request in this generic test suite is a general structure of a valid XACML request instance.

[Figure: XACML Context Schema -> Request structure -> Conforming test suite]

62


XPT implementation

The tool consists of three main components:
•  an intermediate-request generator, which is based on the XPT approach for intermediate instances (request structures) generation
•  a policy analyzer, which selects the input values from the policy specification, and
•  a values manager, which distributes the input values to the request structures.

63

64

A Sketch of the XACML Context Schema


65

Fixing the unbounded cardinalities

Elements of the context schema with maxOccurs="unbounded" get the boundary value sets X {1,...,k/2,...,k} (when minOccurs=1) or X {0,...,k/2,...,k} (when minOccurs=0):

1.  Fix ∞ (unbounded) to a finite K
2.  Apply the XPT strategy to the obtained schema

We thus automatically obtain a set of different Request Structures.

Example of request structure:

  <Request>
    <Subject></Subject>
    <Subject></Subject>
    <Resource></Resource>
    <Action></Action>
  </Request>


118098!!!!! Too much!!!

10 elements with unbounded occurrence (3 boundary values each) and 1 element with [0,1] cardinality (2 values) -> 3^10 * 2^1 = 118098 request structures (still to be filled with values…)

We need to apply some approach to select those request structures that could maximize the fault detection capability.

Note: the full set of request structures needs to be derived once and for all; only the selection of the subset is redone each time.
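The boundary-value construction of the last few slides (the A/B sub-schema, fixing ∞ to K, the 3^10 * 2 = 118098 count) is small enough to run. The following is an added example and not code from TAXI or X-CREATE; the element table XACML_SKETCH is a constructed sketch of the XACML 2.0 Request context, not the real schema, and the path names and function names are the example's own. With with_mid=False it reproduces the four A/B intermediate instances; with the default three values per unbounded element it reproduces the 118098 structures and, after the Incremental XPT reduction described later in the deck, 3^6 = 729.

```python
from itertools import product
from math import prod
from typing import Dict, Iterator, List, Optional, Tuple

UNBOUNDED: Optional[int] = None  # stands for maxOccurs="unbounded"
Schema = Dict[str, Tuple[int, Optional[int]]]  # element path -> (minOccurs, maxOccurs)

# Constructed sketch of the XACML 2.0 Request context (not the real schema):
# 10 elements with unbounded occurrence, one [0,1] ResourceContent, and the
# mandatory single Action and Environment.
XACML_SKETCH: Schema = {
    "Subject": (1, UNBOUNDED),
    "Subject/Attribute": (0, UNBOUNDED),
    "Subject/Attribute/AttributeValue": (1, UNBOUNDED),
    "Resource": (1, UNBOUNDED),
    "Resource/ResourceContent": (0, 1),
    "Resource/Attribute": (0, UNBOUNDED),
    "Resource/Attribute/AttributeValue": (1, UNBOUNDED),
    "Action": (1, 1),
    "Action/Attribute": (0, UNBOUNDED),
    "Action/Attribute/AttributeValue": (1, UNBOUNDED),
    "Environment": (1, 1),
    "Environment/Attribute": (0, UNBOUNDED),
    "Environment/Attribute/AttributeValue": (1, UNBOUNDED),
}


def boundary_values(min_occurs: int, max_occurs: Optional[int], k: int,
                    with_mid: bool = True) -> List[int]:
    """Boundary-condition choices for one element's occurrence count.

    An unbounded maxOccurs is first fixed to the finite k; the choices are then
    {min, max} or, with_mid, {min, (min+max)//2, max}.  [0,1] collapses to
    {0, 1} and a fixed cardinality such as [1,1] to the single value 1.
    """
    lo = min_occurs
    hi = k if max_occurs is UNBOUNDED else max_occurs
    values = {lo, hi}
    if with_mid:
        values.add((lo + hi) // 2)
    return sorted(values)


def count_structures(schema: Schema, k: int, with_mid: bool = True) -> int:
    """Size of the full request-structure set, without enumerating it."""
    return prod(len(boundary_values(lo, hi, k, with_mid)) for lo, hi in schema.values())


def intermediate_instances(schema: Schema, k: int,
                           with_mid: bool = True) -> Iterator[Dict[str, int]]:
    """Every combination of boundary occurrence counts: one request structure each."""
    names = list(schema)
    choices = [boundary_values(lo, hi, k, with_mid) for lo, hi in schema.values()]
    for combo in product(*choices):
        yield dict(zip(names, combo))


def as_skeleton(instance: Dict[str, int]) -> str:
    """Render a request structure as an empty XML skeleton (values are filled later)."""
    def render(parent: str) -> str:
        parts = []
        for path, count in instance.items():
            head, _, name = path.rpartition("/")
            if head == parent:
                parts.append(f"<{name}>{render(path)}</{name}>" * count)
        return "".join(parts)
    return f"<Request>{render('')}</Request>"


def reduce_for_incremental_xpt(schema: Schema) -> Schema:
    """Reduced schema of Incremental XPT: AttributeValue fixed to exactly one
    occurrence, ResourceContent (and the <Any> it contains) fixed to zero."""
    reduced: Schema = {}
    for path, (lo, hi) in schema.items():
        if path.endswith("AttributeValue"):
            reduced[path] = (1, 1)
        elif "ResourceContent" in path:
            reduced[path] = (0, 0)
        else:
            reduced[path] = (lo, hi)
    return reduced


if __name__ == "__main__":
    print(count_structures(XACML_SKETCH, k=4))                              # 118098
    print(count_structures(reduce_for_incremental_xpt(XACML_SKETCH), k=4))  # 729
    for inst in intermediate_instances({"A": (0, 3), "B": (2, 4)}, k=4, with_mid=False):
        print(as_skeleton(inst))  # the four A/B intermediate instances
```

The count does not depend on the value chosen for K as long as K leaves three distinct boundaries per unbounded element; what K changes is how deep the generated skeletons nest, which is why the deck treats structure generation as a one-off step and spends its effort on selecting a subset.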


Policy Under-Test Analyzer

Takes values from the policy under test for elements and attributes.

Four value sets are defined:
•  SubjectSet
•  ResourceSet
•  ActionSet
•  EnvironmentSet

For robustness and negative testing, random values for elements and attributes are added.

68


Example of results from the policy analyser

69


Request Values Manager

Responsible for the final requests generation. Two possible approaches, using either standard structures or combinatorial structures:
1.  Pure combinatorial approach using all the values in the 4 sets
2.  Hierarchical combination (to focus the request generation on a specific part of a policy)


How many combinations?

Avoiding duplication, derive all combinations of subject “entities”, resource “entities”, action “entities” and environment “entities” by applying:
•  the pair-wise combination (PW)
•  the three-wise combination (TW)
•  the four-wise combination (FW)

Note: the number of combinations strictly depends on the policy considered.

71


Examples

Example of request:
  <Request>
    <Subject>Mario Rossi</Subject>
    <Resource>personal id</Resource>
    <Action>read</Action>
  </Request>

Example of request:
  <Request>
    <Subject>s2</Subject>
    <Resource>personal id</Resource>
    <Action>a2</Action>
  </Request>

Example of request:
  <Request>
    <Subject>Mario Rossi</Subject>
    <Subject>s2</Subject>
    <Resource>p2</Resource>
    <Action>read</Action>
    <Environment>e2</Environment>
  </Request>

72


X-CREATE vs. Targen

We considered the available policies also used for the Targen presentation.

We applied mutation to the policies to introduce faults, using the same mutation operators for XACML policies indicated in the Targen experiment.

We used the sets of mutants obtained for answering two Research Questions:

TSEff: Is the test suite derived by X-CREATE more effective than that derived by Targen?

TSIncr: Is the capability provided by X-CREATE to vary the number and structure of test requests useful to increase effectiveness?


Some Results

We generated the same number of requests generated by the Targen tool for each policy, so as to get a fair comparison.

We only derived the data for PolicyExample; the others are from the Targen evaluation.


Well done!! …but can we do better?

•  New methodology for request structures generation (Incremental XPT)

•  New specific test strategy providing a stopping criterion (Simple Combinatorial)

75


Incremental XPT

We introduce a modified (reduced) schema as follows:
•  one value for the <AttributeValue> element
•  zero for minOccurs and maxOccurs of the ResourceContent element and of the contained <Any> element, because they are not used in test values generation

We end up with 3^6 = 729 request structures.

76


Simple Combinatorial

Idea: derive as many requests as the possible combinations of the values of the subjects, resources, actions and environment of the XACML policy.
•  The derived requests are first those obtained using all combinations of the Pairwise set, then those of the 3-wise set and finally those of the 4-wise set.
•  The maximum number of requests derived by this strategy is equal to the cardinality of the 4-wise set.

The resulting number of combinations can also be used as a stopping criterion for the test case generation in XPT.
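The Request Values Manager, the “How many combinations?” slide and the Simple Combinatorial strategy above all rest on the same idea: a request is one choice from each of the four value sets, and the pair-wise, three-wise and four-wise sets are nested covering sets over those choices. The following is an added example, not X-CREATE's own code: the value sets are constructed (the names echo the request examples on the slides, with one random-looking robustness value per set as the policy analyser slide describes), the covering sets are built with a plain greedy algorithm, and the function and parameter names are the example's own.

```python
from itertools import combinations, product
from math import prod
from typing import Dict, List, Sequence, Set, Tuple

PARAMS = ("subject", "resource", "action", "environment")
Request = Tuple[str, str, str, str]

# Constructed value sets, as the policy analyser would extract them from a
# policy under test; the rnd_* entries stand for the random robustness values.
VALUE_SETS: Dict[str, Sequence[str]] = {
    "subject": ("Mario Rossi", "s2", "rnd_subject_7f3a"),
    "resource": ("personal id", "p2", "rnd_resource_91c0"),
    "action": ("read", "a2"),
    "environment": ("e2", "rnd_env_44b1"),
}


def t_tuples(req: Request, t: int) -> Set[Tuple[Tuple[int, ...], Tuple[str, ...]]]:
    """All t-way value combinations (tagged with their parameter positions) of one request."""
    return {(idx, tuple(req[i] for i in idx)) for idx in combinations(range(len(req)), t)}


def t_wise(sets: Dict[str, Sequence[str]], t: int) -> List[Request]:
    """Greedy covering set: repeatedly take the full-product candidate that covers
    the most still-uncovered t-tuples.  For t=4 this is the whole product."""
    pool = list(product(*(sets[p] for p in PARAMS)))
    uncovered = set().union(*(t_tuples(r, t) for r in pool))
    chosen: List[Request] = []
    while uncovered:
        best = max(pool, key=lambda r: len(t_tuples(r, t) & uncovered))
        chosen.append(best)
        uncovered -= t_tuples(best, t)
    return chosen


def covers_all(requests: Sequence[Request], sets: Dict[str, Sequence[str]], t: int) -> bool:
    """True when every t-tuple of the full product occurs in `requests`."""
    needed = set().union(*(t_tuples(r, t) for r in product(*(sets[p] for p in PARAMS))))
    have = set().union(*(t_tuples(r, t) for r in requests))
    return needed <= have


def simple_combinatorial(sets: Dict[str, Sequence[str]]) -> List[Request]:
    """Simple Combinatorial ordering: the pairwise set first, then the requests the
    3-wise set adds, finally those the 4-wise set (the full product) adds."""
    ordered: List[Request] = []
    for t in (2, 3, 4):
        for req in t_wise(sets, t):
            if req not in ordered:
                ordered.append(req)
    return ordered


def max_requests(sets: Dict[str, Sequence[str]]) -> int:
    """Cardinality of the 4-wise set: the upper bound (stopping criterion) on requests."""
    return prod(len(sets[p]) for p in PARAMS)


def to_xml(req: Request) -> str:
    """Render in the simplified request form used on the slides."""
    subject, resource, action, environment = req
    return (f"<Request><Subject>{subject}</Subject><Resource>{resource}</Resource>"
            f"<Action>{action}</Action><Environment>{environment}</Environment></Request>")


if __name__ == "__main__":
    suite = simple_combinatorial(VALUE_SETS)
    print(len(t_wise(VALUE_SETS, 2)), "pairwise requests;", len(suite), "in total, bound", max_requests(VALUE_SETS))
    for req in suite[:3]:
        print(to_xml(req))
```

Because each level's requests are emitted before the next level's additions, truncating the list at any point gives the “first pairwise, then 3-wise, then 4-wise” prefix the strategy prescribes, and its full length is exactly the 4-wise cardinality the slide names as the maximum.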

77


Incremental XPT vs. Simple Combinatorial

Evaluation of the test strategies' effectiveness:
•  Define a set of XACML policies
•  Apply mutation to each policy to introduce faults
•  Execute each set of test cases on the policy and its mutants
•  Establish the winner in each match

78


XPT vs. Simple Combinatorial

With the same number of requests for each policy:
•  the effectiveness of Incremental XPT is generally higher than that of the Simple Combinatorial strategy
•  in two cases the fault detection of Simple Combinatorial is higher than that of Incremental XPT

[Chart: fault detection per policy, Simple Combinatorial vs. Incremental XPT]

79


Deeper Analysis

Incremental XPT is the winner when the access decision of the policy rules depends concurrently on the values of more than one subject or resource or action or environment entity

Simple Combinatorial is the winner when the policies are simple and the satisfiability of the policy rules depends on the combinations of a single subject, resource, action and environment entity

80


How to evaluate XACML testing approaches?

The mutation approach typically used in software testing has been adapted to XACML policy testing

81


XACMUT: XACML 2.0 Mutants Generator

Our tool. It can be downloaded from our laboratory page at: http://labsewiki.isti.cnr.it/labsedc/tools/xacmut/public/main

82


XACMUT

•  A set of mutation operators addressing specific faults of the XACML 2.0 access control policy
•  XACMUT (XACml MU Tation):
   •  generates the set of mutants
   •  provides facilities to run a given test suite on the mutants set
   •  computes the test suite effectiveness in terms of mutation score

83


Previous work

Proposal1*
Preliminary set of mutation operators for XACML policies. Not included:
•  all the important criticalities of the XACML policy specification
•  most of the available XACML functions

Proposal2**
•  Set of mutation operators based on a metamodel
•  simulate the faults in the security models independently from the role-based formalism (R-BAC, OrBAC, …)
Peculiarity: the mutation operators cannot be directly applied to XACML

* E. Martin and T. Xie, “A fault model and mutation testing of access control policies,” in Proc. of WWW, May 2007, pp. 667–676
** T. Mouelhi, F. Fleurey, and B. Baudry, “A generic metamodel for security policies mutation,” in Proc. of ICSTW, 2008, pp. 278–286

84


Mutation operators of Proposal1

•  Policy Set Target True (PSTT) - removes the Target of each PolicySet, ensuring that the PolicySet is applied to all requests
•  Policy Set Target False (PSTF) - modifies the Target of each PolicySet such that the PolicySet is never applied to a request
•  Policy Target True (PTT) - removes the Target of each Policy, ensuring that the Policy is applied to all requests
•  Policy Target False (PTF) - modifies the Target of each Policy, ensuring that the Policy is never applied to a request
•  Rule Target True (RTT) - removes the Target of each rule, ensuring that the Rule is applied to all requests
•  Rule Target False (RTF) - modifies the Target of each rule such that the Rule is never applied to a request

85


Mutation operators of Proposal1 (cont.)

•  Rule Condition True (RCT) - removes the condition of each Rule, ensuring that the Condition always evaluates to True
•  Rule Condition False (RCF) - manipulates the Condition values or the Condition functions, ensuring that the Condition always evaluates to False
•  Change Policy Combining Algorithm (CPC) - replaces the existing policy combining algorithm with another policy combining algorithm. The set of considered policy combining algorithms is {deny-overrides, permit-overrides, first-applicable, only-one-applicable}
•  Change Rule Combining Algorithm (CRC) - replaces the existing rule combining algorithm with another rule combining algorithm. The set of considered rule combining algorithms is {deny-overrides, permit-overrides, first-applicable}
•  Change Rule Effect (CRE) - changes the rule effect by replacing Permit with Deny or Deny with Permit

86


Policy Target True (PTT) example

Gold policy:
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with the http://library.com/record/ resource will be applicable.

Mutated policy (Target emptied):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target></Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with any resource will be applicable.

87


Policy Target False (PTF) example

Gold policy:
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>

Mutated policy (Target resource replaced by a random value):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>RandomValue##+]][[*##_####98765432_RandomValue456Mutant_xyz</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
No request will be applicable.

88


Mutation operators of Proposal2

•  RPT - replaces a rule parameter having a type with another parameter of a different rule having the same type. In the XACML language the rule parameters correspond to subjects, resources, actions and environments
•  PPR - chooses one rule from the set of rules, and then replaces its status with the opposite one
   •  it coincides with the CRE operator of Proposal1
•  ANR - adds a new rule containing a new combination of parameters that is not specified in the existing rules of the policy
•  RER - chooses one rule and removes it
•  PPD - replaces a parameter with one of its descending parameters
   •  it is not applicable to the XACML 2.0 language
   •  the roles and resources hierarchy is only considered in policies compliant to the Core and Hierarchical RBAC profile and to the Hierarchical resource profile of XACML 2.0

We adapt the RPT, PPR, ANR and RER high-level operators to the XACML language.

89


Remove Rule (RER) example

Gold policy:
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>

Mutated policy (rule1 removed):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with the http://library.com/record/ resource will be denied.

90


Change Rule Effect (CRE) example

Gold policy:
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>

Mutated policy (effect of rule2 changed from Deny to Permit):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Permit"></Rule>
  </Policy>
A request with the http://library.com/record/ resource will be allowed.

91


Our new Mutation operators

•  RemoveUniquenessFunction (RUF) - removes the type-one-and-only function (type refers to a primitive type: string, integer, double, etc.) from the rule condition, forcing the function evaluation to True and False
•  AddUniquenessFunction (AUF) - adds the type-one-and-only function referring to each AttributeDesignator or AttributeSelector element of the rule Condition, forcing the function evaluation to True and False
•  Change-N-OF-Function (CNOF) - changes the n parameter of the n-of function. The argument n specifies the minimum number of the boolean arguments (M) that must evaluate to True for the expression to be considered True. We set n to 0, M-1 and M+1
•  ChangeLogicalFunction (CLF) - replaces a logical function (and, or, n-of) with another one. We set the n argument of the n-of function equal to 0, forcing the function evaluation always to True
•  AddNotFunction (ANF) - adds the not function as first function of each Condition element

92


Our new Mutation operators (cont.)

•  RemoveNotFunction (RNF) - deletes the not function defined in the condition
•  ChangeComparisonFunction (CCF) - replaces a comparison function (type-equal, type-greater-than, type-greater-than-or-equal, type-less-than, type-less-than-or-equal) with another one
•  FirstPermitRule (FPR) - moves, in each policy, the rules having a Permit effect before those having a Deny effect
•  FirstDenyRule (FDR) - moves, in each policy, the rules having a Deny effect before those having a Permit effect

93

AddNotFunction (ANF) example

Gold policy:
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with read or write will be allowed.

Mutated policy (condition of rule1 wrapped in function:not):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:not">
          <Apply FunctionId="function:string-is-in">
            <Apply FunctionId="function:string-one-and-only">
              <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
            </Apply>
            <Apply FunctionId="function:string-bag">
              <AttributeValue DataType="string">write</AttributeValue>
              <AttributeValue DataType="string">read</AttributeValue>
            </Apply>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with read or write will be denied.

94


FirstDenyRule (FDR) example

Gold policy (evaluate rule1 and then rule2):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
  </Policy>
A request with read or write will be allowed.

Mutated policy (evaluate rule2 and then rule1):
  <Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
    <Target>
      <Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource>
    </Target>
    <Rule RuleId="rule2" Effect="Deny"></Rule>
    <Rule RuleId="rule1" Effect="Permit">
      <Condition>
        <Apply FunctionId="function:string-is-in">
          <Apply FunctionId="function:string-one-and-only">
            <ActionAttributeDesignator AttributeId="action:id" DataType="string"/>
          </Apply>
          <Apply FunctionId="function:string-bag">
            <AttributeValue DataType="string">write</AttributeValue>
            <AttributeValue DataType="string">read</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
A request with read or write will be denied, since the first rule will be applied.
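The six worked examples above (PTT, PTF, RER, CRE, ANF, FDR) and the mutation-score idea from the XACMUT slide can be run end to end on the example policy. The following is an added example, not XACMUT's code: the policy is a constructed, namespace-free toy version of the slides' policyExample, the evaluator understands only the four functions that policy uses plus first-applicable combining, and the operator implementations, request shape ({"resource", "action"}) and function names are the example's own. The weak one-request suite leaves three mutants alive; adding a request for a non-listed action and one for a foreign resource kills them all.

```python
import copy
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed gold policy modelled on the slides' policyExample: namespace-free
# toy XACML, not a real XACML 2.0 document.
GOLD_POLICY = """<Policy RuleCombiningAlgId="first-applicable" PolicyId="policyExample">
  <Target><Resource><AttributeValue>http://library.com/record/</AttributeValue></Resource></Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Condition>
      <Apply FunctionId="function:string-is-in">
        <Apply FunctionId="function:string-one-and-only"><ActionAttributeDesignator AttributeId="action:id" DataType="string"/></Apply>
        <Apply FunctionId="function:string-bag"><AttributeValue DataType="string">write</AttributeValue><AttributeValue DataType="string">read</AttributeValue></Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="rule2" Effect="Deny"></Rule>
</Policy>"""


def eval_expr(node: ET.Element, req: Dict[str, str]):
    """Toy evaluator for the few functions the example policy uses."""
    if node.tag == "AttributeValue":
        return node.text.strip()
    if node.tag == "ActionAttributeDesignator":
        return req["action"]
    args = [eval_expr(child, req) for child in node]
    return {"function:string-bag": lambda: args,
            "function:string-one-and-only": lambda: args[0],
            "function:string-is-in": lambda: args[0] in args[1],
            "function:not": lambda: not args[0]}[node.get("FunctionId")]()


def target_matches(target, req: Dict[str, str]) -> bool:
    """An absent or empty Target matches everything; otherwise the resource must match."""
    if target is None or len(target) == 0:
        return True
    return all(av.text.strip() == req["resource"] for av in target.iter("AttributeValue"))


def evaluate(policy: ET.Element, req: Dict[str, str]) -> str:
    """first-applicable: the effect of the first rule whose Target and Condition hold."""
    if not target_matches(policy.find("Target"), req):
        return "NotApplicable"
    for rule in policy.findall("Rule"):
        cond = rule.find("Condition")
        if target_matches(rule.find("Target"), req) and (cond is None or eval_expr(cond[0], req)):
            return rule.get("Effect")
    return "NotApplicable"


def mutants(gold: ET.Element) -> List[Tuple[str, ET.Element]]:
    """XACMUT-style operators PTT, PTF, CRE, RER, ANF and FDR applied to `gold`."""
    out: List[Tuple[str, ET.Element]] = []

    def add(name: str, mutate) -> None:  # mutate edits a deep copy of the gold policy
        m = copy.deepcopy(gold)
        mutate(m)
        out.append((name, m))

    def scramble(m: ET.Element) -> None:  # PTF: a resource value no request matches
        for av in m.find("Target").iter("AttributeValue"):
            av.text = "RandomValue##+]][[*##_Mutant_xyz"

    def flip(rule: ET.Element) -> None:  # CRE
        rule.set("Effect", "Deny" if rule.get("Effect") == "Permit" else "Permit")

    def negate(cond: ET.Element) -> None:  # ANF: wrap the condition in function:not
        inner = cond[0]
        cond.remove(inner)
        ET.SubElement(cond, "Apply", FunctionId="function:not").append(inner)

    def deny_first(m: ET.Element) -> None:  # FDR: Deny rules before Permit rules
        rules = m.findall("Rule")
        for r in rules:
            m.remove(r)
        m.extend(sorted(rules, key=lambda r: r.get("Effect") != "Deny"))

    add("PTT", lambda m: m.find("Target").clear())  # empty Target applies to all
    add("PTF", scramble)
    for i, rule in enumerate(gold.findall("Rule")):
        rid = rule.get("RuleId")
        add(f"CRE:{rid}", lambda m, i=i: flip(m.findall("Rule")[i]))
        add(f"RER:{rid}", lambda m, i=i: m.remove(m.findall("Rule")[i]))
        if rule.find("Condition") is not None:
            add(f"ANF:{rid}", lambda m, i=i: negate(m.findall("Rule")[i].find("Condition")))
    add("FDR", deny_first)
    return out


def mutation_score(gold_xml: str, suite: List[Dict[str, str]]) -> Tuple[List[str], List[str]]:
    """Run the suite on gold and every mutant; a mutant is killed when any decision
    differs from the gold decision.  Returns (killed, survived) mutant names."""
    gold = ET.fromstring(gold_xml)
    expected = [evaluate(gold, r) for r in suite]
    killed, survived = [], []
    for name, m in mutants(gold):
        (killed if [evaluate(m, r) for r in suite] != expected else survived).append(name)
    return killed, survived


if __name__ == "__main__":
    weak = [{"resource": "http://library.com/record/", "action": "read"}]
    full = weak + [{"resource": "http://library.com/record/", "action": "delete"},
                   {"resource": "http://other.example/", "action": "read"}]
    for suite in (weak, full):
        killed, survived = mutation_score(GOLD_POLICY, suite)
        print(f"{len(suite)} request(s): score {len(killed)}/{len(killed) + len(survived)}, survived {survived}")
```

The survivors of the one-request suite are exactly the mutants whose difference from the gold policy only shows on requests that do not hit rule1 with a listed action, which is the point of deriving requests from all the value sets, random values included, rather than from the happy path alone.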

95


XACMUT

Mutation operators for XACML policies:

Proposal1:      PSTT, PSTF, PTT, PTF, RTT, RTF, RCT, RCF, CPC, CRC, CRE
Proposal2:      PPD, RPT, ANR, RER
New operators:  RUF, AUF, CNOF, CLF, ANF, CCF, FPR, FDR

96


XACMUT Main Interface

97


Experimental Setting

  Policy       #Rule  #Cond  #Sub  #Res  #Act  #Funct  #TS   Proposal1    Proposal2    New operators   Total
                                                            #M    %E     #M    %E     #M    %E        #M    %E
  demo-5         3      2      2     3     2     4      39    18    67     43    21     37    86        98    54
  demo-11        3      2      2     3     1     5      35    16    63     29    21     32    84        77    56
  demo-26        2      1      1     3     1     4      32    13    31     28    14     31    77        72    44
  student1       2      0      5     2     2     2      85    12    75    336    58     85    98       433    67
  student2       2      0     11     2     2     2      24    23    70      6    50     29    67        58    67
  create-doc     3      2      1     2     1     3       8    14    86      3    67     19    74        36    78
  read-doc       4      3      2     4     1     3       7    17    53      4     0     26    54        47    49
  delete-doc     3      2      1     3     1     3       6    14    57      3     0     21    57        38    53
  university1    3      0     24     3     3     2     203    18    72    109    85     61    97       188    88
  university2    3      0     23     3     3     2      33    12    75     56    79     37    95       105    84

M: number of mutants; E: test suite effectiveness (mutation score, in %); TS: test suite derived using Targen

98


And now…

Forget everything you have just learned about XACML-based control of access, because ….

is the new big thing ahead !!!

99


Usage Control Model: Beyond Access Control

[Figure: timeline comparing Traditional Access Control, which takes a single pre decision before usage, with usage control, which adds along the time axis: before usage, a pre decision and a pre update; during ongoing usage, an ongoing decision and an ongoing update; after usage, a post update. The updates reflect the mutability of attributes.]

100


Usage Control Model (UCON)*

Is based on:
•  Authorizations
•  Obligations
•  Conditions
•  Mutability of Attributes
•  Continuous policy enforcement

* Defined by J. Park and R. Sandhu, The UCON Usage Control Model. ACM Trans. on Information and System Security, 7(1), 2004

101


Policy Language (based) on Process Algebra (PolPA)*

•  A formal policy language for UCON
•  An operational language based on process description languages
•  The idea is to describe the allowed sequences of actions (commands)
•  Policies can thus be formally verified, compared, minimized, refined

* F. Martinelli and P. Mori, “On usage control for grid systems,” Future Generation Computer Systems, vol. 26, no. 7, pp. 1032–1042, 2010

102


Usage control commands

tryaccess(s, r, a): performed by subject s when performing a new access request (s, r, a)
permitaccess/denyaccess(s, r, a): performed by the system when granting/denying the access request (s, r, a)
endaccess(s, r, a): performed by subject s when ending an access (s, r, a)
revokeaccess(s, r, a): performed by the system when revoking an ongoing access (s, r, a)
update(attribute): updates a subject or an object attribute

Command composition operators: ., or, par

103


Example of PolPA Policy

104


PolPA Authorization System

105


Testing Purpose

[Figure: the Test Suite sends requests to the SUT, i.e. the PDP loaded with the Policies; each reply is passed, together with the request, to the Oracle, which emits the verdict.]

PDP (Policy Decision Point): evaluates the requests against the usage control policies

106


How to do PDP testing?

Emulate a possible PEP by issuing tryaccess and endaccess commands to the PDP

107


Which test approach?

•  A test case (request) is a sequence of commands (tryaccess/endaccess) with a variable number of action parameters
•  Traditional combinatorial approaches are not suitable since they do not specifically address the order of the commands
•  We propose:
   •  a fault model and the corresponding mutation operator classes for the PolPA language
   •  a test case derivation strategy from the fault model

108


Testing procedure

A.  Apply fault-model mutation classes to the PolPA policy (FMM)
B.  Derive a set of mutants (each mutant is a faulty policy) (FPG)
C.  Apply the test case generation strategy to each policy (gold policy and all derived faulty policies) (TCG)
D.  Execute test cases (TD)
E.  Analyze test results (TO)

109


Mutation classes

Change Composition Operator (CCO): implements a violation of the order of execution of the commands
Change Command (CC): implements faults in the execution of a command
Change Guard String Predicate (CGSP): implements a wrong management of the values of string parameters
Change Guard Integer Predicate (CGIP): implements a wrong management of the values of integer parameters

110


Depth-first visit of the policy


Depth-first visit of the faulty policy (CCO class)


Experimental Data

Mutant Class   #Mutants   #Executed Test cases   #Faults
Policy         -          2                      0
CCO            14         45                     0
CC             56         84                     9
CGSP           4          8                      0
CGIP           4          8                      0
Total          78         175                    9

- for 9 test cases (of 84) the responses were not the expected ones
- all faults were given by test cases derived from mutants having two tryaccess(user_id, R1, A(x1, x2)) commands
- the PDP implementation allows tryaccess to be issued an arbitrary number of times (specific application constraint)
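As an added example (not the authors' PolPA tool chain), the FMM/FPG/TCG/TD/TO procedure on a toy PolPA-style policy: the four mutation classes, a depth-first derivation of tryaccess/endaccess test sequences, and a per-class table in the shape of the one above, computed against a constructed PDP stand-in whose single quirk, permitting a repeated tryaccess, mirrors the finding reported. The policy syntax, the guard encoding (required parameter values) and the quirk are assumptions.

```python
# Added example, not the authors' PolPA tool chain: a toy PolPA-style policy tree, the slides'
# four mutation classes, depth-first test derivation and a PDP stand-in; all of it constructed.
from itertools import product

# 'seq' runs its steps in order, 'alt' admits one branch; leaf = (command, resource, required params)
GOLD = ('seq', [('tryaccess', 'R1', {'role': 'user', 'level': 2}),
                ('alt', [('endaccess', 'R1', {'role': 'user', 'level': 2}),
                         ('endaccess', 'R1', {'role': 'admin', 'level': 2})])])

def traces(node):
    """Depth-first visit of the policy: every admissible command sequence, one test case each."""
    if node[0] == 'seq': return [sum(p, ()) for p in product(*map(traces, node[1]))]
    if node[0] == 'alt': return [t for c in node[1] for t in traces(c)]
    return [(node,)]

def mutants(node):
    """Yield (class, faulty policy) pairs, each a copy of the policy with one injected fault."""
    if node[0] in ('seq', 'alt'):
        kids = node[1]
        if node[0] == 'seq':                                    # CCO: swap two adjacent steps
            for i in range(len(kids) - 1):
                yield 'CCO', ('seq', kids[:i] + [kids[i + 1], kids[i]] + kids[i + 2:])
        for i, child in enumerate(kids):                        # faults inside a sub-policy
            for cls, m in mutants(child):
                yield cls, (node[0], kids[:i] + [m] + kids[i + 1:])
        return
    cmd, res, guard = node                                      # CC: wrong command
    yield 'CC', ('endaccess' if cmd == 'tryaccess' else 'tryaccess', res, guard)
    for k, v in guard.items():                                  # CGIP / CGSP: wrong guard value
        bad = v + 1 if isinstance(v, int) else v + '_x'
        yield ('CGIP' if isinstance(v, int) else 'CGSP'), (cmd, res, {**guard, k: bad})

def responses(policy, trace, repeat_ok=False):
    """PDP stand-in: permit iff executed prefix + command starts an admissible trace (one verdict per command)."""
    adm, state, out = traces(policy), (), []
    for cmd in trace:
        if repeat_ok and cmd[0] == 'tryaccess' and state and state[-1] == cmd:
            out.append(True); continue      # constructed quirk: repeated tryaccess permitted, state unchanged
        ok = any(t[:len(state) + 1] == state + (cmd,) for t in adm)
        out.append(ok); state += (cmd,) if ok else ()
    return tuple(out)

def experiment(gold):
    """Per class (#mutants, #test cases, #faults); fault = test whose quirky-PDP responses differ from the gold oracle."""
    stats = {}
    for cls, m in mutants(gold):
        tests = traces(gold) + [t for t in traces(m) if t not in traces(gold)]  # TCG step
        faults = sum(responses(gold, t) != responses(gold, t, repeat_ok=True) for t in tests)  # TD + TO
        stats[cls] = tuple(a + b for a, b in zip(stats.get(cls, (0, 0, 0)), (1, len(tests), faults)))
    return stats
```

Running `experiment(GOLD)` reproduces the pattern of the table: the only unexpected responses come from a CC mutant whose derived test issues the same tryaccess twice, which the quirky PDP permits and the gold policy denies.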


We have covered:

- XML-based testing and the TAXI tool
- XACML combinatorial testing and the X-CREATE tool
- XACML mutations and the XACMUT tool
- Usage-control systems and testing of PolPA

quite enough for today!


What after?

Concerning access control:
- we are integrating the tools into a continuous framework
- supporting the policy developer in debugging the policy after a problem is detected

Concerning usage control:
- provide support for continuous on-line testing (already ongoing)
- towards standardized U-XACML


not only technology

humans


Social engineering

- People are generally considered the weakest link in information assurance
- As organizations improve their security processes and technologies, more and more attackers focus on exploiting human errors or ingenuity
- So-called social engineering malware is rising as the most successful tactic: it manipulates the natural human tendency to trust

Figure from Sherly Abraham, InduShobha Chengalur-Smith, An overview of social engineering malware: Trends, tactics, and implications, Technology in Society, 32 (3), 2010, 183–196


So the message is:

- Stay informed on the technology
- Adopt best practice and protect your data,
- Test your security mechanisms, and...
- Stay alert!


Question time
