Start: Sep. 2011
Finish: Feb. 2014
Thesis Title: A New Approach to Automated Testing of Access Control Policies using Model Based Technique
Advisor: Dr. Behrouz Tork Ladani
Testing is one of the costly phases in the software development life-cycle, which paying not enough attention to its sound and systematic execution will cause several problems and side-effects. Test automation will reduce the cost, time, effort, and man power, as well as raising the speed, test repeatability, easy maintenance of test suite, together with the more complete test with more coverage. Model-based testing is a popular method in test automation which by relying on a model that describes the behavior of the system under test generates a set of test cases. Due to using the behavioral model, this method covers the functional requirements which correspond to the functionalities that end-user expects from the system. However, the non-functional requirements which are related to the quality of functions and system are neglected. Security is one of the most important non-functional requirements, and access control is identified as one of the main bases of security. Usually, there exist resources in the design and development of software, which require ensuring that they will be accessed only by particular people with appropriate authority. This confidence will be gained via access control. In this research, by combining the behavioral model and access control policies of a software system, the model-based testing is extended such that it will have the capability of automatic evaluation of the correctness of the implementation of access control policies. The generation of negative test cases along with positive ones will increase the possibility of detecting the unknown errors. This demonstrates the superiority of the proposed approach compared with the similar approaches. In addition, automatic extraction of the test path from the model and providing test data with the help of a constraint solver makes this method a fully automated one.
The proposed method is designed and implemented as a tool in the .NET framework which with the utilization of behavioral model and XACML access control policies, is able to generate a set of executable tests. This test suite evaluates the system under test from the user interface level and is more suitable for the programs that contain forms and are more error-prone to the access control errors. The evaluations which are performed on a library management system with a diverse set of access control rules show that the final test suite is able to discover 95 percent of the related defects.