Testing Delegation Policy via Mutation Analysis

MUTATION WORKSHOP @ ICST 2013
Testing Delegation Policy via Mutation Analysis
Phu H. Nguyen, Mike Papadakis, and Iram Rubab | March 18, 2013
SnT – Interdisciplinary Centre for Security, Reliability and Trust
University of Luxembourg
www.securityandtrust.lu

Outline
Background & Motivation
Access Control
Delegation
A motivative example
Formal deﬁnitions of Access Control & Delegation Policy model
AC & Delegation Policy model
Advanced Delegation Features
A set of delegation mutant operators
A proof-of-concept implementation & some preliminary results
Conclusion & future work
Outline Motivation Deﬁnitions Delegation Features Mutant Operators Preliminary Results Conclusion
Phu H. Nguyen, Mike Papadakis, and Iram Rubab – Testing Delegation Policy via Mutation Analysis March 18, 2013 2/22

Background
Access Control (AC)
Aims at administering users access to resources by enforcing AC
policy.
An AC policy consists of a set of AC rules.

Background
Access Control (AC)
Aims at administering users access to resources by enforcing AC
policy.
An AC policy consists of a set of AC rules.
Delegation
An important aspect of AC.
Plays a key role in the administration mechanism [BGTCCBB10].
“Normal” users themselves allowed to grant some authorizations by
delegation.

A Motivative Example
Library Management System
Books can be borrowed and returned on working days. When the
library is closed, users can not borrow books. When a book is
already borrowed, a user can make a reservation for this book.
User accounts managed by an administrator (create, modify and
remove accounts for new users). A secretary who can order books,
add them in the LMS when they are delivered.
The director of the library has the same accesses than the secretary
and he can also consult the accounts of the employees. The
administrator and the secretary can consult all accounts of users. All
users can consult the list of books in the library.
Three types of users: public users who can borrow 5 books for 3
weeks, students who can borrow 10 books for 3 weeks and teachers
who can borrow 10 books for 2 months.

An Example of AC policy
AC policy
Entities: roles, activities, views and contexts.
Policy: combinations of the entities with a status (permission/deny).

Some Delegation Situations
Simple delegation
The director delegates her/his permission of consulting personnel
accounts to a secretary during her/his absence.
A secretary delegates her/his role to a librarian.
Library
Management
System
add new books
create borrower
account
consult borrower
account
create borrow
account
<<delegatee>>
Librarian (Jane)
Access rights
Access rights
<<delegation>>
create borrow account
can access
can access
<<delegator>>
Secretary (Alice)

Some Delegation Situations (cont.)
Advanced delegation
A secretary transfers her/his role to a librarian.
A secretary is allowed to delegate his/her role to a librarian only and
to one librarian at a given time.
The director can delegate, on behalf of a secretary, the secretary’s
role to a librarian (e.g. during the secretary’s absence).
If a librarian empowered in role secretary by delegation is no longer
able to perform this task, then he/she can/cannot delegate, again,
this role to another librarian.
Users can always revoke their own delegations.
The director can revoke users from their delegated roles.
The role administrator is not delegable.
And so on.

Formal Definitions
Definition (Access Control Policy Model)
Let U be a set of users, P be a set of permissions, and C be a set of
contexts. An access control policy AC is defined as a
user-permission-context assignment relation: AC ✓ U ⇥ P ⇥ C. A user u
is granted permission p in a given context c if and only if (u, p, c) 2 AC.

Formal Definitions
Definition (Access Control Policy Model)
contexts. An access control policy AC is defined as a
user-permission-context assignment relation: AC ✓ U ⇥ P ⇥ C. A user u
is granted permission p in a given context c if and only if (u, p, c) 2 AC.
Delegation
Built on top of an access control policy.
A delegation policy is composed of delegation rules.
Two levels of delegation rules: master-level vs. user-level.
Who has the right to delegate which permission to whom, and in which
context.
Who is delegating to whom which permission, and in which context.

Delegation Policy Model
Deﬁnition (Master-Level Delegation)
contexts. A master-level delegation policy MD is deﬁned as a
user-user-permission-context assignment relation: MD ✓ U ⇥ U ⇥ P ⇥ C.
A delegation of a permission p from a user u1 to a user u2 in a given
context c can be performed if and only if (u1, u2, p, c) 2 MD.

Delegation Policy Model
Definition (Master-Level Delegation)
contexts. A master-level delegation policy MD is defined as a
user-user-permission-context assignment relation: MD ✓ U ⇥ U ⇥ P ⇥ C.
A delegation of a permission p from a user u1 to a user u2 in a given
context c can be performed if and only if (u1, u2, p, c) 2 MD.
Definition (User-Level Delegation)
contexts. A user-level delegation policy UD is defined as a
user-user-permission-context assignment relation: UD ✓ U ⇥ U ⇥ P ⇥ C.
A user u2 can have a permission p by delegation from a user u1 in a
given context c if and only if (u1, u2, p, c) 2 UD.

Context
Security context associated with AC and Delegation rules [CCB07]
The Temporal context that depends on the time at which a subject
is requesting for an access to the system.
The Spatial context that depends on the subject location, e.g. a
delegated permission is only active when the delegatee is at office.
The User-declared context that depends on the subject objective
(or purpose).
The Prerequisite context saying that a permission is delegated to a
subject, but only if some specific conditions (often stored in a
database) are satisfied, e.g. no more concurrent delegation of a
specific permission allowed exceeding a (predefined) threshold.
The Provisional context that depends on previous actions the
subject has performed in the system.

Monotonicity of Delegation
Whether or not the delegator can still use the permission while
delegating it.

delegating it.
grantDelegation(u1, u2, p, c) :
pre (u1, p, c) 2 AC ^ (u2, p, c) /2 AC ^ (u1, u2, p, c) 2 MLD
body AC := AC [ {(u2, p, c)}; ULD := ULD [ {(u1, u2, p, c)} end
post (u1, p, c) 2 AC ^ (u2, p, c) 2 AC ^ (u1, u2, p, c) 2 ULD

delegating it.
grantDelegation(u1, u2, p, c) :
body AC := AC [ {(u2, p, c)}; ULD := ULD [ {(u1, u2, p, c)} end
post (u1, p, c) 2 AC ^ (u2, p, c) 2 AC ^ (u1, u2, p, c) 2 ULD
transferDelegation(u1, u2, p, c) :
body AC := AC {(u1, p, c)}; AC := AC [ {(u2, p, c)};
ULD := ULD [ {(u1, u2, p, c)} end
post (u1, p, c) /2 AC ^ (u2, p, c) 2 AC ^ (u1, u2, p, c) 2 ULD

Advanced Delegation Features (cont.)
Temporary Delegation
Its context is associated with some time constraint, only active while
the time constraint is satisﬁed.

Temporal context: c := c&vacation_period(startDate, endDate)
vacation_period(startDate, endDate) :
startDate  endDate ^ afterDate(startDate) ^ beforeDate(endDate)

Some Others
Multiple Delegation

Some Others
Multiple Delegation
Multi-step Delegation

Some Others
Multiple Delegation
User-speciﬁc Delegation

Some Others
Multiple Delegation
User-speciﬁc Delegation
Revocation

Delegation Mutant Operators
Role-Based Access Control (RBAC)
introduces a set of role
decomposes the relation AC into user-role assignment UR ✓ U ⇥ R,
and role-permission-context assignment RPC ✓ R ⇥ P ⇥ C.
Thus, AC = UR RPC.

Delegation Mutant Operators
Role-Based Access Control (RBAC)
introduces a set of role
decomposes the relation AC into user-role assignment UR ✓ U ⇥ R,
and role-permission-context assignment RPC ✓ R ⇥ P ⇥ C.
Thus, AC = UR RPC.
Basic Delegation Mutant Operators
The Permission Delegation Operator (PDM): to replace the
permission being delegated by another permission of the delegator.
PDM(u1, u2, p1a, c) :
pre (u1, u2, p1a, c) 2 ULD ^ (u1, r1) 2 UR ^ (u2, r2) 2
UR ^ (r1, p1a, c) 2 RPC ^ (r1, p1b, c) 2 RPC
body ULD := ULD {(u1, u2, p1a, c)} [ {(u1, u2, p1b, c)} ;
AC := AC [ {(u2, p1b, c)} end
post (u2, p1b, c) 2 AC ^ (u1, u2, p1b, c) 2 ULD

Basic Delegation Mutant Operators
(cont.)
The Role Delegation Operator (RDM)
The Role Delegation Operator (RDM) is used to simulate errors in
delegation of roles.
RDM(u1, u2, r1, c) :
pre (u1, r1) 2 UR ^ (u2, r2) 2 UR ^ (u3, r3) 2 UR ^ r1 6= r2 6=
r3 ^ (u1, u2, r1, c) 2 ULD
body ULD := ULD {(u1, u2, r1, c)} [ {(u3, u2, r3, c)} ;
UR := UR [ {(u2, r3)} end
post (u2, r3) 2 UR ^ (u3, u2, r3, c) 2 ULD

Advanced Delegation Mutant Operators
Monotonic Delegation Operators
The Transfer to Grant Delegation Operator (T2G) and the Grant to
Transfer Delegation Operator (G2T).
G2T(u1, u2, p, c&IsMonotonic) :
pre (u1, p, c) 2 AC ^ (u1, u2, p, c&IsMonotonic) 2 ULD
body ULD :=
ULD{(u1, u2, p, c&IsMonotonic)}[{(u1, u2, p, c&IsNonMonotonic)}
end
post (u1, p, c) /2 AC ^ (u1, u2, p, c&IsNonMonotonic) 2 ULD
T2G(u1, u2, p, c&IsNonMonotonic) :
pre (u1, p, c) /2 AC ^ (u1, u2, p, c&IsNonMonotonic) 2 ULD
body ULD :=
ULD {(u1, u2, p, c&IsMonotonic)} [ {(u1, u2, p, c&IsMonotonic)}
end
post (u1, p, c) 2 AC ^ (u1, u2, p, c&IsMonotonic) 2 ULD

(cont.)
Context-based Delegation Operators
e.g. Temporal Delegation Operator (TDM) to mutate the duration of
temporal delegation.
Role-Speciﬁc Delegation Operators
Role Delegation Off-Target 1 Operator (RDOT1).
Role Delegation Off-Target 2 Operator (RDOT2)
Permission-Speciﬁc Delegation Operators
Non-Delegable Permission Delegation Operator (NDPD) to mutate a
permission delegation by changing the delegated permission from
delegable to non-delegable.

(cont.)
Multiple Delegation Operator
Multiple Delegation Operator (MultiD).
Multi-step Delegation Operator
Re-delegation Operator (ReD) add a new delegation rule into the
policy where the delegating permission/role must not be re-delegated
any more (stepCounter = 0).
Delegation Removal Operator
Tests should be able to detect that a delegation rule is missing.
Delegation Removal Operator (DR) that removes one of the
delegation rules.

Model-Driven Adaptive Delegation
[NNK+
13]
Access Control
Service
Transformation
&
Adaptation
Delegation
Management Service
Resource
Proxy
Components
Role Proxy
Components
User Proxy
Components
Business
Components
Base model – Business
Logic mappings service
Native XML-DB
Server
Security
policy
model
Base
model
Business
Logic DB
Server
Authenticate
Component
Adaptive
Execution
Platform
Business
ComponentsBusiness Logic
Components
Resource
Proxy
Components
Role Proxy
Components
User Proxy
Components

3-Layer Architecture reﬂecting Security
Policy
Personnel
Account
Service
Borrower
Account
Service
Book
Service
Personnel
Account
Resource
Borrower
Account
Resource
Book
Resource
Admin
Secretary
Librarian
Director
Student
Sam
Bob
Jane
Bill
Mary
consult
update
delete
create
consult
update
delete
create
deliver
fix
borrow
reserve
return
User layer Role layer Resource layer Business layer

Mutation Process
Transform
&
adapt
Resource
Proxy
Components
Role Proxy
Components
User Proxy
Components
Business
Components
Access Control
policy
Business
Logic model
Authenticate
Component
Adaptive
Execution
Platform
Business
Components
Business
Logic
Components
Resource
Proxy
Components
Role Proxy
Component
s
User Proxy
Components
Delegation
policy
Test
cases
Access Control
policy
Mutants
Mutants
Mutants
Mutate
Compose

Preliminary Results
Table: Some preliminary mutation analysis results
Test Case Killed Mutants Live Mutants
TC1 PDM (wrong permission) RDM (delegator fault)
TC2 PDM (wrong permission) RDM (delegator replaced)
TC3 T2G (wrong type) PDM, RDM (wrong delegator)
TC4 PDM (permission replaced) TDM (CE,CR)
TC5 TDM (CE,CR) PDM, RDM

Conclusion
Problem & Proposed Solution
Testing Delegation Policy with Advanced Delegation Features.
Delegation Mutant Operators and Mutation Analysis.
Discussion
Semantic delegation mutant operators are necessary to enable
mutation analysis for testing delegation.
“Meaningful” test cases should be generated for testing delegation.
Future work
A thorough empirical study using the proposed mutant operators.
Automatically generation of test cases for killing the proposed
mutants, based on [PM12, PM11].
The integration of Model-Based Testing.

References
Meriam Ben-Ghorbel-Talbi, Frederic Cuppens, Nora Cuppens-Boulahia, and Adel Bouhoula.
A delegation model for extended rbac.
International Journal of Information Security, 9(3):209–236, June 2010.
Frédéric Cuppens and Nora Cuppens-Boulahia.
Modeling contextual security policies.
International Journal of Information Security, 7(4):285–305, November 2007.
Phu H. Nguyen, Gregory Nain, Jacques Klein, Tejeddine Mouelhi, and Yves Le Traon.
Model-Driven Adaptive Delegation.
In Proceedings of the Aspect-Oriented Software Development conference MODULARITY: aosd?13. ACM, 2013.
Mike Papadakis and Nicos Malevris.
Automatically performing weak mutation with the aid of symbolic execution, concolic testing and search-based testing.
Software Quality Journal, 19(4):691–723, 2011.
Mike Papadakis and Nicos Malevris.
Mutation based test case generation via a path selection strategy.
Information & Software Technology, 54(9):915–932, 2012.
Thanks to the Fonds National de la Recherche (FNR), Luxembourg
for supporting this work!

Questions?
The end
Thank you for your attention!

Testing Delegation Policy via Mutation Analysis

Recommended

Recommended

More Related Content

Similar to Testing Delegation Policy via Mutation Analysis

Similar to Testing Delegation Policy via Mutation Analysis (20)

More from Phu H. Nguyen

More from Phu H. Nguyen (11)

Recently uploaded

Recently uploaded (20)

Testing Delegation Policy via Mutation Analysis