
1

On the Limitations of Finite State Models as Sources of Tests for Access Control and Authentication

Aditya Mathur
Professor of Computer Science

Purdue University

May 22, 2007

Joint work with:

Professor Arif Ghafoor, ECE

Graduate Students:

Ammar Masood, ECE and K. Jayaram, CS


2

Research Question

Requirements Model

Test Generation

Tests

Implementation

How good are these tests?

Finite state machines: access control. Statecharts: authentication.


3

Summary: Role Based Access Control

Policy:

Users, roles, permissions

Users are assigned to roles, roles to permissions.

A user's roles must be activated prior to access.

Static and dynamic separation of duty constraints (SSoD, DSoD), based on activation and inheritance hierarchy relations.

Allowable input requests for the RBAC policy enforcer (e.g. assign, de-assign, activate and de-activate).


4

Summary: Fault Model for RBAC

Fault Types: FSM based (simple mutation-based)

[Figure: simple mutation faults illustrated for UR assignment, PR assignment and UR activation, each shown on the user-role pairs UR1 and UR2.]

Malicious Faults

Counter-based

I/O-based (ill-formed requests)

Sequence-based


5

Summary: A: FSM-based Tests

Role Based Access Control

Tests generated directly from a finite state model are able to detect all faults considered.

The cost-benefit ratio of FSM-based test generation is exceptionally high (~1.45×10^6).

Experiments done using XGTRBAC: an RBAC policy enforcement implementation.


6

Summary: B: Reduced FSM-based Tests

Role Based Access Control

Tests generated from a reduced model have varying fault detection effectiveness (25%--100%).

The cost-benefit ratio for such tests varies from 2 to 3561.


7

Summary: C: FSM-based Random Tests

Role Based Access Control

Tests generated randomly from a reduced model have varying fault detection effectiveness (42%--100%).

The cost-benefit ratio for such tests varies from 167 to 200×10^3.


8

Summary: Recommendation

Role Based Access Control

Use a heuristics based test generation technique combined with constrained random test generation.

In addition, use white-box adequacy criteria to assess test adequacy and to enhance the tests generated using heuristics and random methods.


9

Summary: Authentication

Transport Layer Security (TLS) implementation: GnuTLS

Client-server application, developed to conform to RFC 2246 (TLS 1.0).

Uses the TLS protocol for authenticating a user and a session.

Handshake and renegotiation establish and re-establish sessions.

About 30K LOC.


10

Summary: Fault Model


11

Summary: Test adequacy


12

Summary: Recommendation

Authentication

Tests generated from statechart models must be augmented with tests generated by an orthogonal test generation technique.

It might be difficult to detect malicious code using any test generation strategy that does not account for code coverage.

Negative testing must be performed. [We do not have sufficient data to support this recommendation.]


13

Test Context

For how many and which policies should we test?


14

RBAC Experiment: Policy Generation

Map mutant to policy

Mutate ACUT


15

What are we trying to show?

Conformance to expected behavior:


16

Conformance Testing Procedures Used

A: Transform a policy to an FSM and generate tests directly.

B: Use one or more heuristics to reduce the FSM and generate tests from the scaled-down model.

C: Randomly select paths of fixed length from the original model.


17

A: Policy--> FSM

Two users (U=2), one role (R=1). Only one user can activate the role. Number of states ≈ 3^2 = 9, since each user-role pair is either unassigned, assigned, or assigned and activated; the figure shows the 8 reachable states, because the state in which both users have activated the role is forbidden.

[Figure: FSM over the states 0000, 1000, 0010, 1100, 1010, 0011, 1110 and 1011, with transitions labelled AS11, AS21, AC11, AC21, DS11, DS21, DC11 and DC21. Each state label gives the assigned/activated bits of user 1 followed by those of user 2, e.g. 1100 = user 1 assigned and activated, 1011 = user 1 assigned, user 2 assigned and activated.]

AS: assign. DS: de-assign. AC: activate. DC: deactivate. Xij: do X for user i, role j.

Tests: 2T(2T+1)(4T) 2T+1 T=|U|x|R|


18

B: Policy-->Heuristics-->Model

H1: Separate assignment and activation

H2: Use FSM for activation and single test sequence for assignment

H3: Use single test sequence for assignment and activation

H4: Use a separate FSM for each user

H5: Use a separate FSM for each role

H6: Create user groups for FSM modeling.


19

Reduced Models

Heuristic 1 (assignment and activation separated):

[Figure: Assignment Machine with states 00, 10, 01 and 11 and transitions AS11, AS21, DS11, DS21; Activation Machine with states 00, 10 and 01 and transitions AC11, AC21, DC11, DC21 (no state 11, since only one user can activate the role).]

Heuristic 4 (one FSM per user):

[Figure: User u1 Machine with states 00, 10 and 11 and transitions AS11, DS11, AC11, DC11; User u2 Machine with states 00, 10 and 11 and transitions AS21, DS21, AC21, DC21.]


20

C: Policy-->Model-->Random tests

Construct a pool RTi of n random tests of length i.

The length of all tests in the pool RTi is close to or higher than the length of the longest test generated using Procedure A.

The pool size n is selected based on a comparison with the maximum number of tests generated using the heuristics (Procedure B).

Construct five test suites RTi1, ..., RTi5 by randomly selecting a fixed number p < n of tests from RTi; p is chosen empirically based on an economic or statistical criterion.
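The three procedures above, and the mutation-based fault model of the RBAC slides, as one added worked example (not code from the slides or from X-GTRBAC). It models the two-user, one-role policy of the Policy-->FSM slide as an enforcer whose state is the 4-bit label used there, derives transition-cover tests from the full model (Procedure A), from the per-user machines of Heuristic H4 (Procedure B) and from random walks (Procedure C), and measures each suite against three hand-written mutants of the enforcer that stand in for simple-mutation faults. The policy rules (activation requires assignment, de-assignment also deactivates, only one user may hold the role active), the mutant names and the choice of accept/reject per request as the only observable output are assumptions made for the example; the slides do not fix them.

```python
"""Added example: RBAC enforcer as an FSM, test generation by three procedures,
and a mutation score for each. Not from the slides; policy rules and mutants
are assumptions for illustration."""
from collections import deque
import random

USERS = (1, 2)
# Request "Xij": do X for user i, role j (j is always 1 here), as in the slide legend.
INPUTS = [f"{op}{u}1" for op in ("AS", "DS", "AC", "DC") for u in USERS]
# State bits: (assigned u1, active u1, assigned u2, active u2); 1100 = u1 assigned and active.
START = (0, 0, 0, 0)
# Three simple-mutation faults, one rule broken each (assumed, illustrative).
MUTANTS = ("dsod_missing", "activate_without_assignment", "ds_unassigned_accepted")


def enforcer(state, req, mutant=None):
    """Reference enforcer: returns (next_state, accepted). `mutant` breaks one rule."""
    op, u = req[:2], int(req[2])
    a, c = 2 * (u - 1), 2 * (u - 1) + 1   # this user's assigned / active bits
    other_active = state[4 - c]           # the other user's active bit
    s = list(state)
    if op == "AS":
        ok = not s[a]
        if ok:
            s[a] = 1
    elif op == "DS":
        ok = bool(s[a]) or mutant == "ds_unassigned_accepted"
        if ok:
            s[a] = s[c] = 0               # assumption: de-assign also deactivates
    elif op == "AC":
        assigned = bool(s[a]) or mutant == "activate_without_assignment"
        dsod_ok = not other_active or mutant == "dsod_missing"   # one active user only
        ok = assigned and not s[c] and dsod_ok
        if ok:
            s[c] = 1
    else:  # "DC"
        ok = bool(s[c])
        if ok:
            s[c] = 0
    return tuple(s), ok


def explore(step, inputs, start=START):
    """BFS over the reference model: reachable states -> shortest input path to each."""
    paths, queue = {start: []}, deque([start])
    while queue:
        s = queue.popleft()
        for req in inputs:
            t, _ = step(s, req)
            if t not in paths:
                paths[t] = paths[s] + [req]
                queue.append(t)
    return paths


def transition_cover_tests(inputs):
    """Procedure A: reach every state by its shortest path, then apply every input."""
    return [path + [req] for path in explore(enforcer, inputs).values() for req in inputs]


def h4_tests():
    """Procedure B, Heuristic H4: one machine per user; the other user never appears."""
    return [t for u in USERS
            for t in transition_cover_tests([r for r in INPUTS if r[2] == str(u)])]


def random_tests(length, n, seed=0):
    """Procedure C: a pool RTi of n random walks of length i over the full input set."""
    rng = random.Random(seed)
    return [[rng.choice(INPUTS) for _ in range(length)] for _ in range(n)]


def run(test, mutant=None):
    """Observable output of a test: the accept/reject flag of each request."""
    s, out = START, []
    for req in test:
        s, ok = enforcer(s, req, mutant)
        out.append(ok)
    return out


def killed(tests, mutant):
    return any(run(t) != run(t, mutant) for t in tests)


def mutation_score(tests):
    return sum(killed(tests, m) for m in MUTANTS) / len(MUTANTS)


if __name__ == "__main__":
    print("reachable states:", sorted(explore(enforcer, INPUTS)))
    for name, tests in (("A: full FSM", transition_cover_tests(INPUTS)),
                        ("B: H4 per-user machines", h4_tests()),
                        ("C: 100 random walks of length 10", random_tests(10, 100))):
        print(f"{name}: {len(tests)} tests, mutation score {mutation_score(tests):.2f}")
```

The full model yields the 8 states of the slide and 64 transition-cover tests; the H4 suites (24 tests) miss the `dsod_missing` mutant because no per-user test ever has both users assigned with one of them active, which is exactly the kind of gap behind the "varying fault detection effectiveness" of reduced models. The random pool's score depends on the walk length and seed, so run the block to see it rather than reading it off here.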


21

Empirical Evaluation : Setup

Study carried out using the proposed functional testing methodology.

Stopping criterion: complete coverage of simple faults.

Policy meta set: comprises two policies.

Meta test sets: corresponding to the three procedures.

Test generation techniques used:

Heuristics: H3, H4 and H5.

Random: RT4, RT6, RT10 and RT100, with 100 tests in each test suite RTij.


22

Empirical Evaluation : Results


23

Empirical vs. Simulation


24

Future Work

Test generation for TRBAC systems: extending the temporal constraints in the TRBAC specification, extending the TRBAC fault model, and conducting an empirical evaluation.

Validation of global meta-policy in collaborative environments.

Regression testing techniques for access control systems.