Automated testing of eXtensible Access Control Markup Language-based access control systems

IET Software

The trustworthiness of sensitive data needs to be guaranteed, and testing is a common activity in privacy-protection solutions, even though it is quite expensive. Access to data and resources is governed by the policy decision point (PDP), which relies on the eXtensible Access Control Markup Language (XACML) standard for specifying access rights. In this study, the authors propose a testing strategy for automatically deriving test requests from an XACML policy and describe their pilot experience in test automation using this strategy. Considering a real two-level PDP implemented for health-data security, the authors compare the effectiveness of the automatically derived test plan with that of a plan derived by a standard manual testing process.
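The following is an added example of the kind of request derivation the abstract describes; it is not code from the paper or from the authors' tool. It harvests the attribute values that a policy's rule targets mention, builds test requests from every combination of those values plus one value the policy never names (so NotApplicable paths are exercised too), and serialises each as a XACML 2.0 context Request. The policy, its attribute ids and values are constructed for illustration, and the `evaluate` function is a deliberately simplified reference oracle (string-equal matches only, deny-overrides, no Condition or Obligation handling), not the two-level PDP of the study.

```python
"""Derive XACML 2.0 test requests from a policy by partitioning on the attribute
values its rule targets mention (an added, simplified example)."""
import itertools
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
CTX_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
CATEGORIES = {"SubjectAttributeDesignator": "Subject", "ResourceAttributeDesignator": "Resource",
              "ActionAttributeDesignator": "Action", "EnvironmentAttributeDesignator": "Environment"}
ET.register_namespace("", CTX_NS)  # serialise requests with a default namespace

# Constructed sample policy (not from the paper): doctors may read medical records,
# nurses are denied any write. Attribute ids and values are hypothetical.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="health-records"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Target/>
 <Rule RuleId="doctor-read" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">doctor</AttributeValue>
   <SubjectAttributeDesignator AttributeId="role" DataType="{STRING}"/>
  </SubjectMatch></Subject></Subjects>
  <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">medical-record</AttributeValue>
   <ResourceAttributeDesignator AttributeId="resource-type" DataType="{STRING}"/>
  </ResourceMatch></Resource></Resources>
  <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">read</AttributeValue>
   <ActionAttributeDesignator AttributeId="action-id" DataType="{STRING}"/>
  </ActionMatch></Action></Actions>
 </Target></Rule>
 <Rule RuleId="nurse-no-write" Effect="Deny"><Target>
  <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">nurse</AttributeValue>
   <SubjectAttributeDesignator AttributeId="role" DataType="{STRING}"/>
  </SubjectMatch></Subject></Subjects>
  <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}">
   <AttributeValue DataType="{STRING}">write</AttributeValue>
   <ActionAttributeDesignator AttributeId="action-id" DataType="{STRING}"/>
  </ActionMatch></Action></Actions>
 </Target></Rule>
</Policy>"""


def load_policy(xml_text):
    """Parse a policy document into an element tree root."""
    return ET.fromstring(xml_text)


def extract_partitions(node):
    """Harvest {(category, AttributeId): sorted values} from every *Match element
    below `node` (a whole policy or a single rule)."""
    parts = {}
    for match in node.iter():
        if not match.tag.endswith("Match"):
            continue
        value = match.find(f"{{{XACML_NS}}}AttributeValue")
        designator = next((c for c in match if c.tag.split("}")[-1] in CATEGORIES), None)
        if value is None or designator is None:
            continue
        key = (CATEGORIES[designator.tag.split("}")[-1]], designator.get("AttributeId"))
        parts.setdefault(key, set()).add(value.text.strip())
    return {k: sorted(v) for k, v in parts.items()}


def generate_requests(partitions, unmatched="__unlisted__"):
    """Cartesian product over all attributes: every value the policy names plus
    one it never names, so NotApplicable paths are exercised as well."""
    keys = sorted(partitions)
    choices = [partitions[k] + [unmatched] for k in keys]
    return [dict(zip(keys, combo)) for combo in itertools.product(*choices)]


def to_request_xml(request):
    """Serialise one generated request as a XACML 2.0 context <Request>."""
    req = ET.Element(f"{{{CTX_NS}}}Request")
    holders = {cat: ET.SubElement(req, f"{{{CTX_NS}}}{cat}")
               for cat in ("Subject", "Resource", "Action", "Environment")}
    for (cat, attr_id), value in request.items():
        attr = ET.SubElement(holders[cat], f"{{{CTX_NS}}}Attribute",
                             AttributeId=attr_id, DataType=STRING)
        ET.SubElement(attr, f"{{{CTX_NS}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")


def evaluate(root, request):
    """Simplified oracle for this policy shape (string-equal matches only, no
    Condition or Obligation): deny-overrides across rules whose target matches."""
    effects = []
    for rule in root.iter(f"{{{XACML_NS}}}Rule"):
        needed = extract_partitions(rule)
        if all(request.get(key) in values for key, values in needed.items()):
            effects.append(rule.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"
```

For the sample policy this yields three partitions (role, resource-type, action-id) and 18 requests; only one of them should be permitted and two denied, which is exactly the skew a manually written plan tends to miss: most generated requests probe the NotApplicable boundary, where a misconfigured combining algorithm or a too-broad target silently turns into an unintended Permit. In practice each generated request is sent to the PDP under test and its decision compared with the expected one; the oracle above is only a stand-in for that reference.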