
Publication


Featured research published by Bernard Stepien.


formal methods in security engineering | 2007

Formal correctness of conflict detection for firewalls

Venanzio Capretta; Bernard Stepien; Amy P. Felty; Stan Matwin

We describe the formalization of a correctness proof for a conflict detection algorithm for firewalls in the Coq Proof Assistant. First, we give formal definitions in Coq of a firewall access rule and of an access request to a firewall. Formally, two rules are in conflict if there exists a request on which one rule would allow access and the other would deny it. We express our algorithm in Coq, and prove that it finds all conflicts in a set of rules. We obtain an OCaml version of the algorithm by direct program extraction. The extracted program has successfully been applied to firewall specifications with over 200,000 rules.


Computer Networks and ISDN Systems | 1991

Formal specification of telephone systems in LOTOS: The constraint-oriented style approach

Mohammed Faci; Luigi Logrippo; Bernard Stepien

The LOTOS constraint-oriented style allows the design of well-structured, implementation-independent specifications of distributed systems. As an example, we provide a small, didactically-oriented specification of a simple telephone service. The design of the specification is based on three types of constraints, i.e. global constraints, end-to-end constraints and local constraints. The structure of the specification, as well as its design method, are described in some detail. We conclude with a discussion of the specification debugging method.


kommunikation in verteilten systemen | 2003

Automated Testing of XML/SOAP Based Web Services

Ina Schieferdecker; Bernard Stepien

Web services provide seamless connections from one software application to another over private intranets and the Internet. The major communication protocol used is SOAP, which in most cases is XML over HTTP. The exchanged data follow precise format rules in the form of XML Document Type Definitions or more recently the proposed XML Schemas. Web service testing considers functionality and load aspects to check how a Web service performs for single clients and scales as the number of clients accessing it increases. This paper discusses the automated testing of Web services by use of the Testing and Test Control Notation TTCN-3. A mapping between XML data descriptions to TTCN-3 data is presented to enable the automated derivation of test data. This is the basis for functional and load tests of XML interfaces in TTCN-3. The paper describes the mapping rules and prototypical tools for the development and execution of TTCN-3 tests for XML/SOAP based Web services.


Computer Networks and ISDN Systems | 1997

Structural models for specifying telephone systems

Mohammed Faci; Luigi Logrippo; Bernard Stepien

Two approaches, resource-oriented and constraint-oriented, for structuring telephone systems specifications, are presented. Both approaches express behaviour by collections of communicating processes, using the language LOTOS. However, requirements are distributed differently among processes. Examples are taken from specifications of telephone systems, first basic, and then with features. The features used as examples are call forwarding, originating call screening, and three-way calling. The two structuring methods are compared.


conference on privacy, security and trust | 2011

Advantages of a non-technical XACML notation in role-based models

Bernard Stepien; Stan Matwin; Amy P. Felty

As applications requiring access control and the environments in which they operate become more complex, an acute need for better ways to manage access control rules has arisen. Decentralized access control, for example, requires sophisticated techniques for conflict detection and for managing rules across multiple applications with different rule formats. XACML is an OASIS standard whose interoperability qualities help in solving the latter problem. XACML has its own limitations, however. In particular, although it has the expressive power to specify very complex conditions like those needed in the ABAC (Attribute Based Access Control) model, users tend to avoid using its full power because of its verbosity. In this paper, we show how a non-technical notation we have proposed in our earlier work resolves this difficulty and allows users to work with a very compact and readable form of XACML rules, thus allowing them to take advantage of XACML's full expressive power. This expressive power can be exploited to write policies that are better organized. It can be easier, for example, to write a single possibly complex rule to cover a particular aspect of a policy as opposed to distributing the complexity over several rules with simpler conditions. As a result, policies are smaller, more compact, and easier to understand. Policy development becomes more manageable, allowing users to concentrate on the more central issue of choosing the model (RBAC, ABAC, PBAC or other) that is best suited to a particular application and policy. We show that using the full expressive power to better organize policies has a significant positive impact on PDP performance.


International Journal on Software Tools for Technology Transfer | 2008

Framework testing of web applications using TTCN-3

Bernard Stepien; Liam Peyton; Pulei Xiong

Functional testing of web applications has become increasingly complex. Browser-based interfaces incorporate rich, client-side scripting that is increasingly independent of server-side application logic. At the same time, the server-side application logic interacts with reusable components for key elements (security, shopping cart, product catalog, order processing) within the framework of a component-based architecture, using beans and web services. In this paper, we illustrate how a test specification approach using a language like TTCN-3 can be used to define test cases at different levels of abstraction that are more robust in the face of volatile presentation and implementation details. A case study of a shopping cart scenario with order processing is used as an illustration. Features of TTCN-3 are demonstrated, including a powerful matching mechanism that allows a separation between behavior and the conditions governing behavior. As well, TTCN-3’s data types and set-based operations allow one to track and verify the information management done by a web application, independent of implementation details. These features allow a tester to take a systematic approach to testing web applications but require more sophistication and skills. The advantages and challenges of a test specification approach are characterized in comparison to approaches based on unit testing and test automation tools.


International Conference on E-Technologies | 2009

A Non-technical User-Oriented Display Notation for XACML Conditions

Bernard Stepien; Amy P. Felty; Stan Matwin

Ideally, access control to resources in complex IT systems ought to be handled by business decision makers who own a given resource (e.g., the pay and benefits section of an organization should decide and manage the access rules to the payroll system). To make this happen, the security and database communities need to develop vendor-independent access management tools, useable by decision makers, rather than technical personnel detached from a given business function. We have developed and implemented such a tool, based on XACML. XACML is an important emerging tool for managing complex access control applications. As a formal notation, based on an XML schema representing the grammar of a given application, XACML is precise and non-ambiguous. But this very property puts it out of reach of non-technical users. We propose a new notation for displaying and editing XACML rules that is independent of XML, and we develop an editor for it. Our notation combines a tree representation of logical expressions with an accessible natural language layer. Our early experience indicates that such rules can be grasped by non-technical users wishing to develop and control rules for accessing their own resources.


Archive | 1997

PerfTTCN, a TTCN language extension for performance testing

Ina Schieferdecker; Bernard Stepien; Axel Rennoch

This paper presents a new approach to test the performance of communication network components such as protocols, services, and applications under normal and overload situations. Performance testing identifies performance levels of the network components for ranges of parameter settings and assesses the measured performance. A performance test suite describes precisely the performance characteristics that have to be measured and procedures how to execute the measurements. In addition, the performance test configuration including the configuration of the network component, the configuration of the network, and the network load characteristics is described. PerfTTCN — an extension of TTCN — is a formalism to describe performance tests in an understandable, unambiguous and reusable way with the benefit to make performance test results comparable. First results on the description and execution of performance tests will be presented.


availability, reliability and security | 2010

Strategies for Reducing Risks of Inconsistencies in Access Control Policies

Bernard Stepien; Stan Matwin; Amy P. Felty

Managing access control policies is a complex task. We argue that much of the complexity is unnecessary and mostly due to historical reasons. There are a number of legacy policy specification languages that all have limitations of some kind. These limitations have forced policy implementers to use certain styles of writing policies, often resulting in inconsistencies. The detection and resolution of these inconsistencies has been widely researched and many solutions have been found. This paper highlights new possibilities for avoiding inconsistencies, drawing on the expressive power allowed in the condition field of rules in modern languages such as XACML. In particular, we show that making use of this expressive power has many advantages—it allows organizations to considerably reduce the number of policies and rules required to protect company assets; it provides improved views and summaries of related policies; and it allows increased scalability of analysis tools, such as tools that detect inconsistencies and tools that perform audits to verify compliance to regulations. Such tools are increasingly important in the current environment where the number of regulations governing company security continues to grow. In addition, we show how our user-friendly representation for the XACML language facilitates the use of complex conditions by increasing their readability. This increased readability has the additional benefit of allowing non-technical users to better understand the implementation of their policies. These factors all contribute to a lower risk of inconsistencies in policies.


PSTV '94 Proceedings of the fourteenth of a series of annual meetings on Protocol specification, testing and verification XIV | 1995

Feature interaction detection using backward reasoning with LOTOS

Bernard Stepien; Luigi Logrippo

The problem of detecting feature interactions in telephone systems design is addressed. The method proposed involves specification of the features in LOTOS, and uses an analysis technique called backward reasoning. This is implemented in LOTOS by a combination of backward and forward execution. A tool to help carry out backward execution is presented. A detailed example of the use of the technique is given, involving the three-way-calling and call-waiting features.

Collaboration


Dive into Bernard Stepien's collaboration.

Top Co-Authors

Luigi Logrippo

Université du Québec en Outaouais

Hugo Zemp

Centre national de la recherche scientifique
