Automated Test Generation for Access Control Policies
Evan Martin and Tao Xie
The 17th IEEE International Symposium on Software Reliability Engineering: Fast Abstracts (ISSRE 2006)
Raleigh, North Carolina, USA, November 6-10 2006
Abstract
Access control policies are increasingly written in specification languages such as XACML. A dedicated software component called a Policy Decision Point (PDP) receives access requests, evaluates them against the specified policies, and returns responses indicating whether access should be granted. To increase confidence in the correctness of specified policies, policy developers can conduct policy testing: probing the PDP with typical test inputs (in the form of requests) and checking the test outputs (in the form of responses) against expected ones. Unfortunately, manual test generation is tedious, and manually generated tests are often not sufficient to exercise the various policy behaviors. In this paper we present an efficient test generation approach and its supporting tool, called Targen. We evaluate the approach on policies collected from various sources in terms of structural coverage and fault-detection capability. Our results show that Targen effectively generates tests that outperform existing random test generation on both measures.
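As an added illustration (not the paper's Targen tool or its algorithm, which the abstract does not describe), the following Python builds a toy first-applicable PDP over a constructed XACML-style policy, measures rule coverage and mutation-based fault detection of a request set, and contrasts exhaustive attribute-combination generation with random generation. The policy, attribute values and fault model are all assumptions made for the example.

```python
import itertools
import random

# Constructed toy policy in the spirit of XACML (not a real XACML document):
# an ordered rule list evaluated with first-applicable combining.
# Rule = (rule id, target as attribute -> set of matching values, effect).
POLICY = [
    ("admin-read",  {"role": {"admin"}, "action": {"read"}},  "Permit"),
    ("admin-write", {"role": {"admin"}, "action": {"write"}}, "Permit"),
    ("user-read",   {"role": {"user"},  "action": {"read"}},  "Permit"),
    ("fallback",    {},                                        "Deny"),
]
# Assumed attribute domain a generator may draw from (a policy-aware generator
# would extract attribute id/value pairs from the policy itself).
ATTRIBUTE_VALUES = {"role": ["admin", "user", "guest"], "action": ["read", "write"]}

def evaluate(policy, request):
    """Toy PDP: return (decision, id of the rule that fired) for a request dict."""
    for rule_id, target, effect in policy:
        if all(request.get(attr) in values for attr, values in target.items()):
            return effect, rule_id
    return "NotApplicable", None

def rule_coverage(policy, requests):
    """Structural coverage: fraction of rules that decided at least one request."""
    fired = {evaluate(policy, r)[1] for r in requests} - {None}
    return len(fired) / len(policy)

def mutants(policy):
    """Assumed fault model: one mutant per rule, flipping its effect Permit<->Deny."""
    for i, (rule_id, target, effect) in enumerate(policy):
        flipped = "Deny" if effect == "Permit" else "Permit"
        yield policy[:i] + [(rule_id, target, flipped)] + policy[i + 1:]

def fault_detection(policy, requests):
    """Fraction of mutants for which some request yields a different decision."""
    killed = 0
    for m in mutants(policy):
        if any(evaluate(m, r)[0] != evaluate(policy, r)[0] for r in requests):
            killed += 1
    return killed / len(policy)

def systematic_requests(attribute_values):
    """Exhaustive generator: one request per combination of attribute values."""
    return [dict(zip(attribute_values, combo))
            for combo in itertools.product(*attribute_values.values())]

def random_requests(attribute_values, count, seed=0):
    """Baseline: each attribute value chosen uniformly at random."""
    rng = random.Random(seed)
    return [{a: rng.choice(v) for a, v in attribute_values.items()} for _ in range(count)]
```

Here `rule_coverage(POLICY, systematic_requests(ATTRIBUTE_VALUES))` and the matching `fault_detection` both reach 1.0 with six requests, whereas any single random request covers exactly one of the four rules.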