Testing and Verification of Security Policies
PROJECT SUMMARY
Access control is one of the most fundamental and widely used
privacy and security mechanisms at both application and network levels.
Given the high importance and delicacy of security policies, ensuring
the correctness of security policies is important, and yet difficult. A
tiny error in security policies could lead to irreparable, if not
tragic, consequences. Therefore, identifying discrepancies between
policy specifications and their intended function is a crucial task. To
achieve this goal, security policies must undergo systematic, rigorous testing and
verification to ensure that they truly represent the intention of their
policy authors. This project develops novel techniques and tools
for testing and verification of security policies including XACML and
firewall policies as well as security models.
PEOPLE
Faculty
Tao Xie (Principal Investigator)
Graduate Students
JeeHyun Hwang (PhD Student)
Nuo Li (PhD Exchange Student)
Evan Martin (PhD Candidate)
Undergraduate Student
Bellanov Apilli
Collaborators
Alex Liu (MSU)
Vincent Hu, Rick Kuhn, and the ACTS group (NIST)
Ting Yu (NCSU)
PUBLICATIONS
- Vincent Hu, Richard Kuhn, and Tao Xie. Property Verification for Generic Access Control Models. In Proceedings of IEEE/IFIP International Symposium on Trust, Security and Privacy for Pervasive Applications (TSP 2008), Shanghai, China, December 2008. [BibTeX]
- Evan Martin, JeeHyun Hwang, Tao Xie, and Vincent Hu. Assessing Quality of Policy Properties in Verification of Access Control Policies. In Proceedings of 24th Annual Computer Security Applications Conference (ACSAC 2008), Anaheim, California, December 2008. [BibTeX]
- JeeHyun Hwang, Tao Xie, Fei Chen, and Alex X. Liu. Systematic Structural Testing of Firewall Policies. To appear in Proceedings of the 27th IEEE International Symposium on Reliable Distributed Systems (SRDS 2008), Napoli, Italy, October 2008. [PDF][BibTeX]
- Alex X. Liu, Fei Chen, JeeHyun Hwang, and Tao Xie. XEngine: A Fast and Scalable XACML Policy Evaluation Engine. In Proceedings of the International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS 2008), Annapolis, Maryland, pp. 265-276, June 2008. [PDF][BibTeX]
- Nuo Li, JeeHyun Hwang, and Tao Xie. Multiple-Implementation Testing for XACML Implementations. To appear in Proceedings of the Workshop on Testing, Analysis and Verification of Web Software (TAV-WEB 2008), Seattle, WA, July 2008. [PDF][BibTeX]
- Vincent Hu, Rick Kuhn, and Tao Xie. Property Verification for Access Control Models via Model Checking. North Carolina State University Department of Computer Science Technical report TR-2008-1, January 4, 2008. [PDF][BibTeX]
- Vincent C. Hu, Evan Martin, JeeHyun Hwang, and Tao Xie. Conformance Checking of Access Control Policies Specified in XACML. In Proceedings of the 1st IEEE International Workshop on Security in Software Engineering (IWSSE 2007), Beijing, China, July 2007. [PDF][Slides][BibTeX]
- Evan Martin and Tao Xie. Automated Test Generation for Access Control Policies via Change-Impact Analysis. In Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems (SESS 2007), Minneapolis, MN, pp. 5-11, May 2007. [PDF][BibTeX]
- Evan Martin. Testing and Analysis of Access Control Policies. In Companion Proceedings of the 29th International Conference on Software Engineering (ICSE 2007), Doctoral Symposium, Minneapolis, MN, pp. 75-76, May 2007. [PDF]
- Evan Martin and Tao Xie. A Fault Model and Mutation Testing of Access Control Policies. In Proceedings of the 16th International Conference on World Wide Web (WWW 2007), Security, Privacy, Reliability, and Ethics Track, Banff, Alberta, Canada, pp. 667-676, May 2007. [PDF][Slides][BibTeX]
- Evan Martin, Tao Xie, and Ting Yu. Defining and Measuring Policy Coverage in Testing Access Control Policies. In Proceedings of the 8th International Conference on Information and Communications Security (ICICS 2006), Raleigh, NC, pp. 139-158, December 2006. [PDF][BibTeX]
- Evan Martin and Tao Xie. Automated Test Generation for Access Control Policies. In Supplemental Proceedings of the 17th IEEE International Conference on Software Reliability Engineering (ISSRE 2006), Fast Abstracts, Raleigh, NC, November 2006. [PDF][BibTeX]
- Evan Martin. Automated test generation for access control policies. In Proceedings of the 20th Annual ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (Companion) (OOPSLA 2006), ACM SIGPLAN Student Research Competition, Portland, Oregon, USA, pp. 752-753, October 2006. [PDF]
- Evan Martin and Tao Xie. Inferring Access-Control Policy Properties via Machine Learning. In Proceedings of the 7th IEEE Workshop on Policies for Distributed Systems and Networks (POLICY 2006), London, Ontario, Canada, pp. 235-238, June 2006. [PDF][BibTeX]
Submitted for Publication
- JeeHyun Hwang, Tao Xie, and Vincent C. Hu. Detection of Multiple-Duty-Related Security Leakage in Access Control Policies. Submitted for publication.
- JeeHyun Hwang, Evan Martin, Tao Xie, and Vincent C. Hu. Policy-Based Testing. Entry submitted for publication in the Encyclopedia of Software Engineering. [PDF]
PRESENTATIONS
- Tao Xie. Systematic Testing and Verification of Security Policies. Invited talk. National Institute of Standards and Technology (NIST) Computer Security Division Seminar, August 2008. [Slides]
- Tao Xie. Conformance Checking of Access Control Policies Specified in XACML. Workshop presentation, the 1st IEEE International Workshop on Security in Software Engineering (IWSSE 2007), Beijing, China, July 2007.
- Evan Martin. Automated Test Generation for Access Control Policies via Change-Impact Analysis. Workshop presentation, the 3rd International Workshop on Software Engineering for Secure Systems (SESS 2007), Minneapolis, MN, May 2007.
- Evan Martin. Testing and Analysis of Access Control Policies. Conference doctoral symposium presentation, the 29th International Conference on Software Engineering (ICSE 2007), Minneapolis, MN, May 2007.
- Tao Xie. A Fault Model and Mutation Testing of Access Control Policies. Conference presentation, the 16th International Conference on World Wide Web (WWW 2007), Security, Privacy, Reliability, and Ethics Track, Banff, Alberta, Canada, May 2007.
- Evan Martin. Defining and Measuring Policy Coverage in Testing Access Control Policies. Conference presentation, the 8th International Conference on Information and Communications Security (ICICS 2006), Raleigh, NC, December 2006.
- Evan Martin. Automated Test Generation for Access Control Policies. Conference fast abstract presentation, the 17th IEEE International Conference on Software Reliability Engineering (ISSRE 2006), Fast Abstracts, Raleigh, NC, November 2006.
- Evan Martin. Automated test generation for access control policies. Conference ACM SIGPLAN SRC presentation, the 20th Annual ACM SIGPLAN International Conference on Object-Oriented Programming, Systems, Languages, and Applications (Companion) (OOPSLA 2006), ACM SIGPLAN Student Research Competition, Portland, Oregon, USA, October 2006.
- Evan Martin. Inferring Access-Control Policy Properties via Machine Learning. Workshop presentation, the 7th IEEE Workshop on Policies for Distributed Systems and Networks (POLICY 2006), London, Ontario, Canada, June 2006.
- Tao Xie. Towards Systematic Testing of Access Control Policies. Invited talk, Foundation of Software Engineering Group, Microsoft Research, April 2006.
SOFTWARE
- XEngine: A Fast and Scalable XACML Policy Evaluation Engine
- Multiple-Implementation Testing Tool for XACML Implementations
- Poco: Policy Coverage Measurement Tool
- Targen: Request Generation Based on Target Constraints
- Mutver: Policy Mutation Verification Tool
POLICY BENCHMARKS
SPONSORS
National Science Foundation Award CNS-0716579, Cyber Trust Program (08/01/2007-07/31/2010)