
On-line tracing of XACML-based policy coverage criteria


Currently, the eXtensible Access Control Markup Language (XACML) has become the standard for implementing access control policies, and consequently more attention is being dedicated to testing the correctness of XACML policies. In particular, coverage measures can be adopted for assessing how effectively a test strategy exercises the policy elements. This study introduces a set of XACML coverage criteria and describes an access control infrastructure, based on a monitor engine, that enables the selection of a coverage criterion and the on-line tracing of the testing activity. Examples of infrastructure usage and of the assessment of different test strategies are provided.


