1 On the Limitations of Finite State Models as Sources of Tests for Access Control and Authentication Aditya Mathur Professor of Computer Science Purdue University May 22, 2007 Joint work with: Professor Arif Ghafoor, ECE Graduate Students: Ammar Masood, ECE and K. Jayaram, CS

2 Research Question RequirementsModel Test Generation Tests Implementation How good are these tests? Finite State: Access control Statecharts: Authentication

3 Summary: Role Based Access Control Policy: Users, roles, permissions Users assigned to roles, roles to permissions. User roles activated prior to access. Static and dynamic separation of duty constraints (SSoD) based on activation and inheritance hierarchy relations. Allowable input requests for RBAC policy enforcer (e.g. assign, de-assign, activate, and de-activate)

4 Summary: Fault Model for RBAC Fault Types: FSM based (simple mutation-based) UR AssignmentPR AssignmentUR Activation UR1 UR2 UR1 UR2 UR1 UR2 Malicious Faults Counter-based I/O-based (ill-formed requests) Sequence-based

5 Summary: A: FSM-based Tests Role Based Access Control Tests generated directly from a finite state model are able to detect all faults considered. The cost-benefit ratio of FSM-based test generation is exceptionally high (~1.45x10 6 ). Experiments done using XGTRBAC: an RBAC policy enforcement implementation.

6 Summary: B: Reduced FSM-based Tests Role Based Access Control Tests generated from a reduced model have varying fault detection effectiveness (25%--100%). The cost-benefit ratio for such tests varies from 2 to 3561).

7 Summary: C: FSM-based Random Tests Role Based Access Control Tests generated randomly from a reduced model have varying fault detection effectiveness ( %). The cost-benefit ratio for such tests varies from x10 3).

8 Summary: Recommendation Role Based Access Control Use a heuristics based test generation technique combined with constrained random test generation. In addition, use white-box adequacy criteria to assess test adequacy and enhance the test generated using heuristics and random methods.

9 Summary: Authentication Transport Layer Protocol: GnuTLS Client-server application. Developed to conform to RFC Uses the TLS protocol for authenticating a user and a session. Handshake, renegotiate to establish and re-establish sessions. 30K LOC

10 Summary: Fault Model

11 Summary: Test adequacy

12 Summary: Recommendation Authentication Tests generated from statechart models must be augmented using tests generated using an orthogonal test generation technique. It might be difficult to detect malicious code using any test generation strategy that does not account for code coverage. Negative testing must be performed. [We do not have sufficient data to support this recommendation.]

13 Test Context For how many and which policies should we test?

14 RBAC Experiment: Policy Generation Map mutant to policy Mutate ACUT

15 What are we trying to show? Conformance to expected behavior:

16 Conformance Testing Procedures Used A: Transform a policy to FSM and generate tests directly. B: Use one or more heuristics to reduce the FSM and generate tests from the scaled down model. C: Randomly select paths of fixed length from the original model.

17 A: Policy--> FSM Two users (U=2), one role (R=1). Only one user can activate the role. Number of states~3 2. AS AS 21 AC 11 AC 21 AS 21 AS 11 AC 21 AC 11 AS 11 DS 11 DS 21 DC 11 DS 21 DC 11 DS 11 DS 21 DS 11 DC 21 DS 21 DS 11 DS 21 AS: assign. DS: De-assign. AC: activate. DC: deactivate. X ij : do X for user i role j. Tests: 2T(2T+1)(4T) 2T+1 T=|U|x|R|

18 B: Policy-->Heuristics-->Model H1: Separate assignment and activation H2: Use FSM for activation and single test sequence for assignment H3: Use single test sequence for assignment and activation H4: Use a separate FSM for each user H5: Use a separate FSM for each role H6: Create user groups for FSM modeling.

19 Reduced Models AS DS 21 DS AS 21 DS 11 DS 21 AC AC 21 DC 21 DC 11 AC 21 AC 11 Assignment MachineActivation Machine Heuristic 1 AS DS 11 AC 11 DC 11 AC 11 AS DS 21 AC 21 DC 21 AC 21 Heuristic 4 User u 1 MachineUser u 2 Machine

20 C: Policy-->Model-->Random tests Construct a pool RTi of n random tests of length i. Lengths of all tests in the pool RTi is close to or higher than the length of longest test generated using Procedure A. Total tests tests n is selected based on comparison with the maximum number of tests generated using the heuristics (Procedure B) Construct five test suites RTi1,…., RTi5 by randomly selecting fixed number p<n of tests from RTi p empirically chosen based on economical or statistical criterion

21 Empirical Evaluation : Setup Study carried out using the proposed functional testing methodology Stopping criterion – complete coverage of simple faults Policy meta set – comprises two policies Meta test sets – corresponding to the three procedures Test generation techniques used Heuristics: H3, H4 and H5 Random: RT4, RT6, RT10 and RT tests in each test suite RTij

22 Empirical Evaluation : Results

23 Empirical vs.Simulation

24 Future Work Test generation for TRBAC systems Extending the temporal constraints in TRBAC specification Extension of TRBC fault model Conducting an empirical evaluation Validation of global meta-policy in collaborative environments Regression testing techniques for access control systems