Yehia Elrakaiby

Testing Obligation Policy Enforcement Using Mutation Analysis

The support of obligations with access control policies allows the expression of more sophisticated requirements such as usage control, availability and privacy. In order to enable the use of these policies, it is crucial to ensure their correct enforcement and management in the system. For this reason, this paper introduces a set of mutation operators for obligation policies. The paper first identifies key elements in obligation policy management, then presents mutation operators which injects minimal errors which affect these aspects. Test cases are qualified w.r.t. their ability in detecting problems, simulated by mutation, in the interactions between policy management and the application code. The use of policy mutants as substitutes for real flaws enables a first investigation of testing obligation policies in a system. We validate our work by providing an implementation of the mutation process: the experiments conducted on a Java program provide insights for improving test selection.

Security@Runtime: A Flexible MDE Approach to Enforce Fine-grained Security Policies

In this paper, we present a policy-based approach for automating the integration of security mechanisms into Java-based business applications. In particular, we introduce an expressive Domain Specific modeling Language (Dsl), called Security@Runtime, for the specification of security configurations of targeted systems. The Security@Runtime Dsl supports the expression of authorization, obligation and reaction policies, covering many of the security requirements of modern applications. Security requirements specified in security configurations are enforced using an application-independent Policy Enforcement Point Pep)- Policy Decision Point (Pdp) architecture, which enables the runtime update of security requirements. Our work is evaluated using two systems and its advantages and limitations are discussed.

Formal specification and management of security policies with collective group obligations

Obligations are an essential element of security policies since they enable the specification of many security requirements such as availability, privacy, usage control and data protection. In everyday life, the fulfillment of obligations is often the responsibility of more than one subject, e.g., “All patients must be checked by one of the doctors”. Obligations may also be fulfilled in different ways, e.g., “Every customer should pay either in cash or by check”. Current security policy languages do not enable the specification of these intuitive and much needed requirements. In this paper, we show how policy languages can be extended to support the specification of these requirements which we call group obligations. To clarify the semantics of group obligations, we introduce state-based models for both group and individual obligations and show how group obligations can be managed according to change in the state of individual obligations. We formalize the semantics of the model and interactions between individual and group obligations by introducing a policy-enforcement language LE. LE enables the formal description of the application domain and the policy and provides operational semantics for policy management. Moreover, we discuss termination and determinism of policy enforcement in the proposed framework and show how different sanction/reaction policies may be activated when group obligations are violated.

A PEP-PDP Architecture to Monitor and Enforce Security Policies in Java Applications

Security of Java-based applications is crucial to many businesses today. In this paper, we propose an approach to completely automate the generation of a security architecture inside of a target Java application where advanced security policies can be enforced. Our approach combines the use of Aspect-Oriented Programming with the Policy Enforcement Point (PEP) - Policy Decision Point (PDP) paradigm and allows the runtime update of policies.

Access control enforcement testing

A policy-based access control architecture comprises Policy Enforcement Points (PEPs), which are modules that intercept subjects access requests and enforce the access decision reached by a Policy Decision Point (PDP), the module implementing the access decision logic. In applications, PEPs are generally implemented manually, which can introduce errors in policy enforcement and lead to security vulnerabilities. In this paper, we propose an approach to systematically test and validate the correct enforcement of access control policies in a given target application. More specifically, we rely on a two folded approach where a static analysis of the target application is first made to identify the sensitive accesses that could be regulated by the policy. The dynamic analysis of the application is then conducted using mutation to verify for every sensitive access whether the policy is correctly enforced. The dynamic analysis of the application also gives the exact location of the PEP to enable fixing enforcement errors detected by the analysis. The approach has been validated using a case study implementing an access control policy.

Towards a Full Support of Obligations in XACML

Policy-based systems rely on the separation of concerns, by implementing independently a software system and its associated security policy.