1
On the Limitations of Finite State Models as Sources of Tests for Access Control and Authentication
Aditya Mathur, Professor of Computer Science
Purdue University
May 22, 2007
Joint work with:
Professor Arif Ghafoor, ECE
Graduate Students:
Ammar Masood, ECE and K. Jayaram, CS
2
Research Question
Requirements Model
Test Generation
Tests
Implementation
How good are these tests?
Finite state models: Access control
Statecharts: Authentication
3
Summary: Role Based Access Control
Policy:
Users, roles, permissions
Users assigned to roles, roles to permissions.
User roles activated prior to access.
Static and dynamic separation of duty constraints (SSoD) based on activation and inheritance hierarchy relations.
Allowable input requests for RBAC policy enforcer (e.g. assign, de-assign, activate, and de-activate)
4
Summary: Fault Model for RBAC
Fault Types: FSM based (simple mutation-based)
[Figure: mutation of the UR Assignment, PR Assignment and UR Activation relations (each shown as an original UR1 and a mutated UR2); diagram not recoverable from the text.]
Malicious Faults
Counter-based
I/O-based (ill-formed requests)
Sequence-based
5
Summary: A: FSM-based Tests
Role Based Access Control
Tests generated directly from a finite state model are able to detect all faults considered.
The cost-benefit ratio of FSM-based test generation is exceptionally high (~1.45 × 10^6).
Experiments done using XGTRBAC: an RBAC policy enforcement implementation.
6
Summary: B: Reduced FSM-based Tests
Role Based Access Control
Tests generated from a reduced model have varying fault detection effectiveness (25%--100%).
The cost-benefit ratio for such tests varies from 2 to 3561.
7
Summary: C: FSM-based Random Tests
Role Based Access Control
Tests generated randomly from a reduced model have varying fault detection effectiveness (42--100%).
The cost-benefit ratio for such tests varies from 167 to 200 × 10^3.
8
Summary: Recommendation
Role Based Access Control
Use a heuristics-based test generation technique combined with constrained random test generation.
In addition, use white-box adequacy criteria to assess test adequacy and enhance the test generated using heuristics and random methods.
9
Summary: Authentication
Transport Layer Protocol: GnuTLS
Client-server application. Developed to conform to RFC 2246.
Uses the TLS protocol for authenticating a user and a session.
Handshake, renegotiate to establish and re-establish sessions.
30K LOC
10
Summary: Fault Model
11
Summary: Test adequacy
12
Summary: Recommendation
Authentication
Tests generated from statechart models must be augmented using tests generated using an orthogonal test generation technique.
It might be difficult to detect malicious code using any test generation strategy that does not account for code coverage.
Negative testing must be performed. [We do not have sufficient data to support this recommendation.]
13
Test Context
For how many and which policies should we test?
14
RBAC Experiment: Policy Generation
Map mutant to policy
Mutate ACUT
15
What are we trying to show?
Conformance to expected behavior:
16
Conformance Testing Procedures Used
A: Transform a policy to an FSM and generate tests directly.
B: Use one or more heuristics to reduce the FSM and generate tests from the scaled-down model.
C: Randomly select paths of fixed length from the original model.
17
A: Policy--> FSM
Two users (U=2), one role (R=1). Only one user can activate the role. Number of states ~32.
[Figure: FSM for the two-user, one-role policy. States are labelled by 4-bit vectors (0000, 1000, 0010, 1100, 1110, 1010, 0011, 1011); transitions are labelled AS11, AS21, DS11, DS21, AC11, AC21, DC11, DC21. Edge layout not recoverable from the text.]
AS: assign. DS: De-assign. AC: activate. DC: deactivate. Xij: do X for user i role j.
Tests: $2T(2T+1)(4T)^{2T+1}$, where $T = |U| \times |R|$
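As an added worked example (not the authors' code and not XGTRBAC), the two-user, one-role policy of this slide is encoded as an enforcer transition function, its reachable FSM is built by breadth-first search, a transition-cover test suite is generated in the manner of Procedure A, and the suite is run against a constructed mutant that drops the "only one user can activate the role" constraint, in the spirit of the simple mutation-based fault model. The fact names, request tuples and the mutant are assumptions of the example.

```python
from collections import deque

# Policy from the slide: two users, one role, only one user may be active in the role.
USERS, ROLES = (1, 2), (1,)
REQUESTS = [(op, u, r) for op in ("AS", "DS", "AC", "DC") for u in USERS for r in ROLES]

def step(state, req, mutant=False):
    """Enforcer transition function. A state is a frozenset of ('asg', u, r) and
    ('act', u, r) facts; invalid requests are ignored (state unchanged).
    mutant=True is a constructed fault: the 'one active user per role' check is dropped."""
    op, u, r = req
    asg, act = ("asg", u, r) in state, ("act", u, r) in state
    if op == "AS" and not asg:
        return state | {("asg", u, r)}
    if op == "DS" and asg:  # de-assigning also ends any activation
        return state - {("asg", u, r), ("act", u, r)}
    if op == "AC" and asg and not act:
        role_busy = any(f[0] == "act" and f[2] == r for f in state)
        if mutant or not role_busy:
            return state | {("act", u, r)}
    if op == "DC" and act:
        return state - {("act", u, r)}
    return state

def explore():
    """BFS from the empty state: transition table plus a shortest request path to each state."""
    table, path, todo = {}, {frozenset(): []}, deque([frozenset()])
    while todo:
        s = todo.popleft()
        for req in REQUESTS:
            t = table[(s, req)] = step(s, req)
            if t not in path:
                path[t] = path[s] + [req]
                todo.append(t)
    return table, path

def generate_tests():
    """Transition cover (Procedure A style): shortest path to each source state + the request."""
    table, path = explore()
    return sorted({tuple(path[s] + [req]) for (s, req) in table})

def trace(test, mutant=False):
    """Observed state sequence when the test's requests are applied in order."""
    states, s = [], frozenset()
    for req in test:
        states.append(s := step(s, req, mutant))
    return states

def killing_tests(tests):
    """Tests whose trace on the mutant differs from the FSM oracle, i.e. that detect the fault."""
    return [t for t in tests if trace(t) != trace(t, mutant=True)]
```

For this policy the FSM has 8 reachable states and 64 transitions, so Procedure A yields 64 tests, of which exactly the two that request activation while the other user already holds the role detect the constructed mutant.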
18
B: Policy-->Heuristics-->Model
H1: Separate assignment and activation
H2: Use FSM for activation and single test sequence for assignment
H3: Use single test sequence for assignment and activation
H4: Use a separate FSM for each user
H5: Use a separate FSM for each role
H6: Create user groups for FSM modeling.
19
Reduced Models
[Figure: Reduced models. Heuristic 1: a separate Assignment Machine (states 00, 10, 01, 11; transitions AS11, AS21, DS11, DS21) and Activation Machine (states 00, 10, 01; transitions AC11, AC21, DC11, DC21). Heuristic 4: a separate machine per user (User u1 Machine with AS11/DS11/AC11/DC11, User u2 Machine with AS21/DS21/AC21/DC21), each with states 00, 10, 11. Edge layout not recoverable from the text.]
20
C: Policy-->Model-->Random tests
Construct a pool RTi of n random tests of length i.
The length of every test in the pool RTi is close to or higher than the length of the longest test generated using Procedure A.
The total number of tests n is selected based on comparison with the maximum number of tests generated using the heuristics (Procedure B).
Construct five test suites RTi1, …, RTi5 by randomly selecting a fixed number p<n of tests from RTi; p is empirically chosen based on an economical or statistical criterion.
21
Empirical Evaluation : Setup
Study carried out using the proposed functional testing methodology.
Stopping criterion: complete coverage of simple faults.
Policy meta set: comprises two policies.
Meta test sets: corresponding to the three procedures.
Test generation techniques used:
Heuristics: H3, H4 and H5
Random: RT4, RT6, RT10 and RT100; 100 tests in each test suite RTij.
22
Empirical Evaluation : Results
23
Empirical vs. Simulation
24
Future Work
Test generation for TRBAC systems:
Extending the temporal constraints in the TRBAC specification
Extension of the TRBAC fault model
Conducting an empirical evaluation
Validation of global meta-policy in collaborative environments
Regression testing techniques for access control systems