1

On the Limitations of Finite State Models as Sources of Tests for Access Control and Authentication

Aditya MathurProfessor of Computer Science

Purdue University

May 22, 2007

Joint work with:

Professor Arif Ghafoor, ECE

Graduate Students:

Ammar Masood, ECE and K. Jayaram, CS

2

Research Question

Requirements Model

Test Generation

Tests

Implementation

How good are these tests?

Finite State: Access controlStatecharts: Authentication

3

Summary: Role Based Access Control

Policy:

Users, roles, permissions

Users assigned to roles, roles to permissions.

User roles activated prior to access.

Static and dynamic separation of duty constraints (SSoD)

based on activation and inheritance hierarchy relations.

Allowable input requests for RBAC policy enforcer (e.g.

assign, de-assign, activate, and de-activate)

4

Summary: Fault Model for RBAC

Fault Types: FSM based (simple mutation-based)

UR Assignment PR AssignmentUR Activation

UR1 UR2 UR1 UR2UR1 UR2

Malicious Faults

Counter-based

I/O-based (ill-formed requests)

Sequence-based

5

Summary: A: FSM-based Tests

Role Based Access Control

Tests generated directly from a finite state model are able to detect all faults considered.

The cost-benefit ratio of FSM-based test generation is exceptionally high (~1.45x106).

Experiments done using XGTRBAC: an RBAC policy enforcement implementation.

6

Summary: B: Reduced FSM-based Tests

Role Based Access Control

Tests generated from a reduced model have varying fault detection effectiveness (25%--100%).

The cost-benefit ratio for such tests varies from 2 to 3561).

7

Summary: C: FSM-based Random Tests

Role Based Access Control

Tests generated randomly from a reduced model have varying fault detection effectiveness (42--100%).

The cost-benefit ratio for such tests varies from 167--200x103).

8

Summary: Recommendation

Role Based Access Control

Use a heuristics based test generation technique combined with constrained random test generation.

In addition, use white-box adequacy criteria to assess test adequacy and enhance the test generated using heuristics and random methods.

9

Summary: Authentication

Transport Layer Protocol: GnuTLS

Client-server application. Developed to conform to RFC 2246.

Uses the TLS protocol for authenticating a user and a session.

Handshake, renegotiate to establish and re-establish sessions.

30K LOC

10

Summary: Fault Model

11

Summary: Test adequacy

12

Summary: Recommendation

Authentication

Tests generated from statechart models must be augmented using tests generated using an orthogonal test generation technique.

It might be difficult to detect malicious code using any test generation strategy that does not account for code coverage.

Negative testing must be performed. [We do not have sufficient data to support this recommendation.]

13

Test Context

For how many and which policies should we test?

14

RBAC Experiment: Policy Generation

Map mutant to policy

Mutate ACUT

15

What are we trying to show?

Conformance to expected behavior:

16

Conformance Testing Procedures Used

A: Transform a policy to FSM and generate tests

directly.

B: Use one or more heuristics to reduce the FSM

and generate tests from the scaled down model.

C: Randomly select paths of fixed length from the

original model.

17

A: Policy--> FSM

Two users (U=2), one role (R=1). Only one user can activate the role. Number of states~32

.

AS11

0000

1000 0010

1100

1110

1010 0011

1011

AS21

AC11

AC21AS21

AS21 AS11AC21

AC11

AS11

DS11

DS21

DC11

DS21

DC11

DS11

DS21 DS11

DC21

DC21

DS21

DS11

DS11 DS21

AS: assign. DS: De-assign. AC: activate. DC: deactivate. Xij: do X for user i role j.

Tests: 2T(2T+1)(4T) 2T+1 T=|U|x|R|

18

B: Policy-->Heuristics-->Model

H1: Separate assignment and activation

H2: Use FSM for activation and single test sequence for assignment

H3: Use single test sequence for assignment and activation

H4: Use a separate FSM for each user

H5: Use a separate FSM for each role

H6: Create user groups for FSM modeling.

19

Reduced Models

AS11

00

10 01DS21DS11

11

AS21

DS11DS21

AC11

00

10 01

AC21

DC21DC11

AC21 AC11

Assignment Machine

Activation Machine

Heuristic 1

AS11

00

10 11

DS11 DS11

AC11

DC11

AC11

AS21

00

10 11

DS21 DS21

AC21

DC21

AC21

Heuristic 4

User u1 Machine User u2 Machine

20

C: Policy-->Model-->Random tests Construct a pool RTi of n random tests of length i.

Lengths of all tests in the pool RTi is close to or higher than the length of longest test generated using Procedure A.

Total tests tests n is selected based on comparison with the maximum number of tests generated using the heuristics (Procedure B)

Construct five test suites RTi1,…., RTi5 by randomly selecting fixed number p<n of tests from RTi p empirically chosen based on economical or statistical

criterion

21

Empirical Evaluation : Setup

Study carried out using the proposed functional testing methodology Stopping criterion – complete coverage of simple faults Policy meta set – comprises two policies Meta test sets – corresponding to the three procedures

Test generation techniques used Heuristics: H3, H4 and H5 Random: RT4, RT6, RT10 and RT100 100 tests in each test suite RTij

22

Empirical Evaluation : Results

23

Empirical vs.Simulation

24

Future Work

Test generation for TRBAC systems Extending the temporal constraints in TRBAC

specification Extension of TRBC fault model Conducting an empirical evaluation

Validation of global meta-policy in collaborative environments

Regression testing techniques for access control systems