Detecting Errors in NGAC Policies via Fault-Based Testing

Bibliographic Details
Published in IEEE transactions on dependable and secure computing Vol. 22; no. 1; pp. 263 - 278
Main Authors Chen, Erzhuo; Dubrovenski, Vlad; Xu, Dianxiang
Format Journal Article
Language English
Published Washington IEEE 01.01.2025
IEEE Computer Society
Summary: Next Generation Access Control (NGAC) is a standard for implementing dynamic attribute-based access control. It allows access events to trigger programmed administrative obligations and change access privileges during policy execution. However, complex obligations in an NGAC application have the potential of "grave harm to the authorization state through error or intent." The existing work on NGAC policy testing and verification has limited effectiveness in detecting obligation errors. To address this limitation, we present a novel fault-based testing approach to determining the presence or absence of errors in NGAC policies. It hypothesizes potential errors (faults) in the given policy according to a comprehensive fault model, represents the corrected versions by policy mutants, and validates the hypotheses by generating and executing distinguishing tests. The distinguishing test of a mutant ensures that the mutant and the policy yield distinct execution results - the hypothetical error is present in the policy if the policy's execution result is wrong. We have implemented the approach based on the NGAC reference implementation and applied it to two case studies, including the first fully-fledged NGAC application with sophisticated obligations. The experiment results demonstrate that (a) the subject policies are absent from all hypothetical faults, and (b) all faulty policies represented by the mutants are revealed by fault-based tests. The results also show that the obligation tests targeting individual faults have effectively revealed multi-fault errors. Thus, the proposed approach can help detect potential errors in the development process of NGAC applications.
ISSN: 1545-5971, 1941-0018
DOI: 10.1109/TDSC.2024.3395187