Donia El Kateb

Selection of regression system tests for security policy evolution

As security requirements of software often change, developers may modify security policies such as access control policies (policies in short) according to evolving requirements. To increase confidence that the modification of policies is correct, developers conduct regression testing. However, rerunning all of existing system test cases could be costly and time-consuming. To address this issue, we develop a regression-test-selection approach, which selects every system test case that may reveal regression faults caused by policy changes. Our evaluation results show that our test-selection approach reduces a substantial number of system test cases efficiently.

Similarity testing for access control

Abstract Context Access control is among the most important security mechanisms, and XACML is the de facto standard for specifying, storing and deploying access control policies. Since it is critical that enforced policies are correct, policy testing must be performed in an effective way to identify potential security flaws and bugs. In practice, exhaustive testing is impossible due to budget constraints. Therefore the tests need to be prioritized so that resources are focused on their most relevant subset. Objective This paper tackles the issue of access control test prioritization. It proposes a new approach for access control test prioritization that relies on similarity. Method The approach has been applied to several policies and the results have been compared to random prioritization (as a baseline). To assess the different prioritization criteria, we use mutation analysis and compute the mutation scores reached by each criterion. This helps assessing the rate of fault detection. Results The empirical results indicate that our proposed approach is effective and its rate of fault detection is higher than that of random prioritization. Conclusion We conclude that prioritization of access control test cases can be usefully based on similarity criteria.

Refactoring access control policies for performance improvement

In order to facilitate managing authorization, access control architectures are designed to separate the business logic from an access control policy. To determine whether a user can access which resources, a request is formulated from a component, called a Policy Enforcement Point (PEP) located in application code. Given a request, a Policy Decision Point (PDP) evaluates the request against an access control policy and returns its access decision (i.e., permit or deny) to the PEP. With the growth of sensitive information for protection in an application, an access control policy consists of a larger number of rules, which often cause a performance bottleneck. To address this issue, we propose to refactor access control policies for performance improvement by splitting a policy (handled by a single PDP) into its corresponding multiple policies with a smaller number of rules (handled by multiple PDPs). We define seven attribute-set-based splitting criteria to facilitate splitting a policy. We have conducted an evaluation on three subjects of real-life Java systems, each of which interacts with access control policies. Our evaluation results show that (1) our approach preserves the initial architectural model in terms of interaction between the business logic and its corresponding rules in a policy, and (2) our approach enables to substantially reduce request evaluation time for most splitting criteria.

Generic cloud platform multi-objective optimization leveraging models@run.time

Cloud computing promises scalable hosting by offering an elastic management of virtual machines which run on top of hardware data centers. This elastic management as a cornerstone of PaaS (Platform As A Service) has to deal with trade-offs between conflicting requirements such as cost and quality of service. Solving such trade-offs is a challenging problem. Indeed, most of PaaS providers consider only one optimization axis or ad-hoc multi-objective resolution techniques using domain specific heuristics. This paper aims at proposing a generic approach to build cloud optimization by combining modeling and search based paradigms. Our approach is two-fold: 1) To reason about a cloud environment, we use a Models@run.time approach to have an abstraction layer of a cloud configuration that supports monitoring capabilities and represents cloud intrinsic parameters like cost, load information, etc. 2) We use a search-based algorithm to navigate through cloud candidate configuration solutions in order to solve the Cloud Multi-objective Optimization Problem (CMOP). We validate our approach based on a case study that we define with our cloud provider partner EBRC as representative of a dynamic management problem of heterogeneous distributed cloud nodes. We implement a prototype of our PaaS supervision framework using Kevoree, a Models@run.time platform. The prototype shows the efficiency of our approach in terms of finding possible cloud configurations in reasonable time. The prototype is flexible since it enables an easy reconfiguration of the cloud customer optimization objectives.

A toolchain for model-based design and testing of access control systems

In access control systems, aimed at regulating the accesses to protected data and resources, a critical component is the Policy Decision Point (PDP), which grants or denies the access according to the defined policies. Due to the complexity of the standard languag-e, it is recommended to rely on model-driven approaches which allow to overcome difficulties in the XACML policy definition. We provide in this paper a toolchain that involves a model-driven approach to specify and generate XACML policies and also enables automated testing of the PDP component. We use XACML-based testing strategies for generating appropriate test cases which are able to validate the functional aspects, constraints, permissions and prohibitions of the PDP. An experimental assessment of the toolchain and its use on a realistic case study are also presented.

Cloud Providers Viability: How to Address it from an IT and Legal Perspective?

A major part of the commercial Internet is moving towards a cloud paradigm. This phenomenon has a drastic impact on the organizational structures of enterprises and introduces new challenges that must be properly addressed to avoid major setbacks. One such challenge is that of cloud provider viability, that is, the reasonable certainty that the Cloud Service Provider (CSP) will not go out of business, either by filing for bankruptcy or by simply shutting down operations, thus leaving its customers stranded without an infrastructure and, depending on the type of cloud service used, even without their applications or data. This article attempts to address the issue of cloud provider viability, proposing some ways of mitigating the problem both from a technical and from a legal perspective.

Inroads in Testing Access Control

In the last few years, a plethora of research has addressed security testing issues. Several commercial tools have emerged to provide security testing services. Software security testing goes beyond functional testing to reveal flaws and vulnerabilities in software design and behavior. Access control is a major pillar in computer security. This chapter pursues the goal of describing the landscape in the research area of access control testing. We provide an outline of the different existing research over the literature according to the taxonomy reflecting the different phases of common software testing processes (generation, selection, prioritization, quality assessment, regression). We also provide an outline of some existing initiatives that support usage control besides access control by testing obligation policies. Finally, we point out future research directions that emerge from the current research study. Through this work, we aim at providing useful guidelines for software testers to improve the current trends in access control testing.

Optimizing Multi-objective Evolutionary Algorithms to Enable Quality-Aware Software Provisioning

Elasticity is a key feature for cloud infrastructures to continuously align allocated computational resources to evolving hosted software needs. This is often achieved by relaxing quality criteria, for instance security or privacy because quality criteria are often conflicting with performance. As an example, software replication could improve scalability and uptime while decreasing privacy by creating more potential leakage points. The conciliation of these conflicting objectives has to be achieved by exhibiting trade-offs. Multi-Objective Evolutionary Algorithms (MOEAs) have shown to be suitable candidates to find these trade-offs and have been even applied for cloud architecture optimizations. Still though, their runtime efficiency limits the widespread adoption of such algorithms in cloud engines, and thus the consideration of quality criteria in clouds. Indeed MOEAs produce many dead-born solutions because of the Darwinian inspired natural selection, which results in a resources wastage. To tackle MOEAs efficiency issues, we apply a process similar to modern biology. We choose specific artificial mutations by anticipating the optimization effect on the solutions instead of relying on the randomness of natural selection. This paper introduces the Sputnik algorithm, which leverages the past history of actions to enhance optimization processes such as cloud elasticity engines. We integrate Sputnik in a cloud elasticity engine, dealing with performance and quality criteria, and demonstrate significant performance improvement, meeting the runtime requirements of cloud optimization.

Cloud providers viability

A major part of the commercial Internet is moving toward the cloud paradigm. This phenomenon has a drastic impact on the organizational structures of enterprizes and introduces new challenges that must be properly addressed to avoid major setbacks. One such challenge is that of cloud provider viability, that is, the reasonable certainty that the Cloud Service Provider (CSP) will not go out of business, either by filing for bankruptcy or by simply shutting down operations, thus leaving its customers stranded without an infrastructure and, depending on the type of cloud service used, even without their applications or data. This article attempts to address the issue of cloud provider viability, defining a possible way of modeling viability as a non-functional requirement and proposing some approaches that can be used to mitigate the problem, both from a technical and from a legal perspective. By introducing a structured perspective into the topic of cloud viability, describing the risks, factors and possible mitigators, the contribution of this work is twofold: it gives the customer a better understanding to determine when it can rely on the cloud infrastructure on the long term and what precautions it should take in any case, and provides the CSP with means to address some of the viability issues and thus increase its customers’ trust.

Conviviality-driven access control policy

Abstract Nowadays many organizations experience security incidents due to unauthorized access to information. To reduce the risk of such incidents, security policies are often employed to regulate access to information. Such policies, however, are often too restrictive, and users do not have the rights necessary to perform assigned duties. As a consequence, access control mechanisms are perceived by users as a barrier and thus bypassed, making the system insecure. In this paper, we draw a bridge between the social concept of conviviality and access control. Conviviality has been introduced as a social science concept for ambient intelligence and multi-agent systems to highlight soft qualitative requirements like user-friendliness of systems. To bridge the gap between conviviality and security, we propose a methodological framework for updating and adapting access control policies based on conviviality recommendations. Our methodology integrates and extends existing techniques to assist system designers in the derivation of access control policies from socio-technical requirements of the system, while taking into account the conviviality of the system. We illustrate our framework using the Ambient Assisted Living use case from the HotCity of Luxembourg.