An automatic test case generator for evaluating implementation of access control policies

One of the main requirements for providing software security is the enforcement of access control policies, which is sometimes referred to as the heart of security. The main purpose of access control policies is to protect resources of the system against unauthorized accesses. Any error in the implementation of access control policies may lead to undesirable outcomes. Hence, we should ensure that these policies are properly implemented. For testing the implementation of access control policies, it is desired to use automated methods. In fact, these methods are faster and more reliable solutions for assessment of the software systems. Although several researches are conducted for automated testing of the specification of access control policies at the design phase, there is not enough research on testing their implementation. In addition, since access control is amongst non-functional requirements of the system, it is not easy to test them along with other requirements of the system by usual methods. To address this challenge, in this paper, we propose an automated method for testing the implementation of access control in a system. This method, as a model based technique, is able to extract test cases for evaluating the access control policies of the system under test. To generate test cases automatically, a combination of behavior model of the system and the specification of access control policies that is written in XACML, are used. The experimental results show that the proposed approach is able to kill the mutants and cover most of the code that is related to access control policies.