Testing Implementations Of Access Control Systems (New Proposal) Ammar Masood: Graduate Student Arif Ghafoor (ECE) and Aditya Mathur (CS) Purdue University


1 Testing Implementations Of Access Control Systems (New Proposal)
Ammar Masood: Graduate Student
Arif Ghafoor (ECE) and Aditya Mathur (CS)
Purdue University, West Lafayette
SERC Showcase, June 7-8, 2006
Motorola Labs, Schaumburg, IL

2 Research Objectives
To develop, experiment with and study the effectiveness of techniques for the generation of tests to validate conformance of implementations of access control policies (in particular Role Based Access Control [RBAC] with or without temporal constraints).

3 Related Work
R. Chandramouli and M. Blackburn. Automated Testing of Security Functions using a combined Model & Interface driven Approach. Proc. 37th Hawaii International Conference on System Sciences, pp , 2004
J. Springintveld, F. Vaandrager and P.R. D'Argenio. Testing timed automata. Theoretical Computer Science, 254(1-2), pp , 2001
A. En-Nouaary, R. Dssouli and F. Khendek. Timed Wp method: testing real time systems. IEEE Transactions on Software Engineering, 28(11), pp – 1038,
K.G. Larsen, M. Mikucionis and B. Nielsen. Online Testing of Real-time Systems Using UPPAAL. Formal Approaches to Testing of Software. Linz, Austria. September 21, 2004

4 Proposed Test Infrastructure
[Diagram. Components shown: Access Control policy; Policy verifier plugin; Policy (internal representation); Modeling plugin; Policy model; Test generator plugin; Policy tests; Test harness; IUT.]

5 Challenges
Modeling: Naïve FSM or timed automata models are prohibitively large even for policies with 10 users and 5 roles (and 3 clocks). How to reduce the size of the model and the number of tests generated?
Test generation: How to generate tests that detect (ideally) all faults that might lead to a violation of the policy?
Test execution: Distributed policy enforcement?

6 Proposed Approach
Express behavior implied by a policy as an FSM.
Apply heuristics to scale down the model.
Use the W-method, or its variant, to generate tests from the scaled down model.
Generate additional tests using a combination of stress and random testing aimed at faults that might go undetected due to scaling.

7 Sample Model
Two users, one role. Only one user can activate the role. Number of states ≤ 3^2.
[State diagram. Transition labels: AS11, AS21, DS11, DS21, AC11, AC21, DC11, DC21.]
AS: assign. DS: de-assign. AC: activate. DC: deactivate. Xij: do X for user i, role j.
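An added illustration of slides 6 and 7, not code from the presentation: the two-user, one-role policy is written as an FSM and a W-method test set is derived from it, without the scaling heuristics. The grant/deny outputs, the rule that de-assigning an active user also deactivates the role, and the `cap` parameter used to simulate a faulty implementation are assumptions of this example.

```python
from itertools import product

INIT = ("U", "U")  # per-user state for the one role: U=unassigned, A=assigned, X=active
INPUTS = [op + u + "1" for op in ("AS", "DS", "AC", "DC") for u in "12"]

def step(state, inp, cap=1):
    """One transition -> (next_state, 'grant' or 'deny'); cap = max. simultaneously active users."""
    op, i, nxt = inp[:2], int(inp[2]) - 1, None
    if op == "AS" and state[i] == "U": nxt = "A"
    elif op == "DS" and state[i] != "U": nxt = "U"   # assumption: de-assign also deactivates
    elif op == "AC" and state[i] == "A" and state.count("X") < cap: nxt = "X"
    elif op == "DC" and state[i] == "X": nxt = "A"
    return (state[:i] + (nxt,) + state[i + 1:], "grant") if nxt else (state, "deny")

def run(seq, cap=1):  # output sequence observed when seq is applied from INIT
    state, outs = INIT, []
    for inp in seq:
        state, out = step(state, inp, cap)
        outs.append(out)
    return outs

def distinguishing(a, b):
    """Shortest input sequence on which model states a and b produce different outputs."""
    queue, seen = [(a, b, ())], {(a, b)}
    for x, y, seq in queue:
        for inp in INPUTS:
            (nx, ox), (ny, oy) = step(x, inp), step(y, inp)
            if ox != oy:
                return seq + (inp,)
            if (nx, ny) not in seen:
                seen.add((nx, ny))
                queue.append((nx, ny, seq + (inp,)))

def w_method_tests(extra=0):
    """Return (reachable states, P.(I^0..I^extra).W); extra = assumed extra states in the IUT."""
    access, states = {INIT: ()}, [INIT]
    for st in states:                      # BFS: shortest access sequence per state
        for inp in INPUTS:
            nxt = step(st, inp)[0]
            if nxt not in access:
                access[nxt] = access[st] + (inp,)
                states.append(nxt)
    P = set(access.values()) | {p + (i,) for p in access.values() for i in INPUTS}
    W = {distinguishing(a, b) for k, a in enumerate(states) for b in states[k + 1:]}
    mid = [m for k in range(extra + 1) for m in product(INPUTS, repeat=k)]
    return states, sorted({p + m + w for p in P for m in mid for w in W})

def detects(tests, cap):  # does an implementation with this cap answer any test differently?
    return any(run(t) != run(t, cap) for t in tests)
```

The model has 8 reachable states, within the 3^2 bound on the slide, and `detects(w_method_tests()[1], cap=2)` is true: the generated tests expose a constructed faulty implementation that lets both users activate the role.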

8 Heuristics
H1: Separate assignment and activation
H2: Use FSM for activation and single test sequence for assignment
H3: Use single test sequence for assignment and activation
H4: Use a separate FSM for each user
H5: Use a separate FSM for each role
H6: Create user groups for FSM modeling

9 Reduced Models
[State diagrams. Heuristic 1: Assignment Machine and Activation Machine. Heuristic 4: User u1 Machine and User u2 Machine. Transition labels: AS, DS, AC, DC with user and role indices 11 and 21.]

10 Tests Generated

11 Fault Model

12 Claim The proposed method for generating the complete behavior model and tests guarantees a test set that detects all faults in the IUT that correspond to the proposed fault model when the number of states in the IUT is correctly estimated.

13 Future Research
Modeling: Handling timing constraints? (timed automata, fault model, heuristics)
Experimentation: With large/realistic policies to assess the efficiency and effectiveness of the test generation methods.
Prototype tool development

14 Schedule
Month 1: Extend the un-timed Fault Model for temporal RBAC
Months 2-4: Study applicability/extensions in existing timed automata test generation techniques for complete fault coverage with respect to the timed fault model
Months 5-8: Develop techniques to reduce the cost of testing (number of test cases)
Months 9-11: Perform a case study to verify the efficacy of the finally proposed approach.
Month 12: Final report.

15 Deliverables
A methodology for testing access control implementations that employ temporal constraints.
Evaluation of the methodology through a case study.
A set of recommendations on the implementation of the methodology as an integral part of the software development lifecycle.

16 Budget - Year 1
Salaries (faculty + graduate student): $30,000
Travel: $8,000
Miscellaneous: $2000
Indirect costs: $10,000
Total: $50,000

18 Sequential Steps to a Verified Implementation
[Diagram with three steps (Step 1, Step 2, Step 3). Labels shown: Access Control Policy Specifications; Specification verification; Consistent Specifications; Policy Implementation; Access Control System Implementation; Security Testing; Security Verified Implementation.]