Testing Access Control Policies

JeeHyun Hwang (1), Evan Martin (1), Tao Xie (1), Vincent C. Hu (2)

(1) Department of Computer Science, North Carolina State University, Raleigh, NC 27695-8206
(2) Computer Security Division, National Institute of Standards and Technology, Gaithersburg, MD 20899-8930
{jhwang4,eemartin}@ncsu.edu, xie@csc.ncsu.edu, vhu@nist.gov

Abstract

As software systems become more and more complex, and are deployed to manage a large amount of sensitive information and resources, specifying and managing correct access control policies is critical and yet challenging. Policy testing is an important means of increasing confidence in the correctness of specified policies and their implementations for access control. There are two types of policy testing. In the first type, the artifacts under test are policy specifications and the main testing goal is to assure the correctness of the policy specifications. In the second type, the artifacts under test are policy implementations and the main testing goal is to assure the conformance between the policy specifications and implementations. Both types of policy testing supply typical test inputs (requests) to the artifacts under test and subsequently check test outputs (responses) against expected ones. This article presents recent approaches on policy testing in five main categories: fault models, testing criteria, test generation, test oracles, and model-based testing.

Keywords: Policy Testing, Security Policies, Access Control Policies, Access Control Models, Coverage Criteria, Test Generation, Test Oracles

1 Introduction

Access control is one of the most fundamental and widely used privacy and security mechanisms for a system to share information in dynamic and distributed environments. Access control mechanisms control which principals, such as users or processes, have access to which resources in a system.
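As an added illustration of the two types of policy testing described in the abstract (example code, not from the paper), the sketch below encodes a constructed clinic policy as an ordered rule list, a hand-coded implementation carrying one seeded defect, combinatorial test generation, and a conformance oracle that compares the implementation's responses with the specification's; all subjects, resources, actions and rules are invented for the example.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Request:
    """One access request: the test input fed to both artifacts."""
    subject: str
    resource: str
    action: str

# Constructed policy specification (hypothetical clinic policy): ordered
# rules with first-applicable combining; None in a field matches anything.
SPEC_RULES = [
    ("doctor", "record", "read", "permit"),
    ("doctor", "record", "write", "permit"),
    ("nurse", "record", "read", "permit"),
    (None, "record", "write", "deny"),   # nobody else may write records
    (None, None, None, "deny"),          # default deny
]

def evaluate_spec(req):
    """Evaluate a request against the specification; doubles as the oracle."""
    for subj, res, act, effect in SPEC_RULES:
        if (subj in (None, req.subject) and res in (None, req.resource)
                and act in (None, req.action)):
            return effect
    return "deny"

def impl_decide(req):
    """Constructed hand-coded implementation under test. It carries one
    seeded defect: 'guest' can read records, which the spec never permits."""
    if req.resource != "record":
        return "deny"
    if req.action == "read":
        return "permit" if req.subject in ("doctor", "nurse", "guest") else "deny"
    if req.action == "write":
        return "permit" if req.subject == "doctor" else "deny"
    return "deny"

def generate_requests(subjects, resources, actions):
    """Test generation: every combination of the given attribute values."""
    return [Request(*c) for c in product(subjects, resources, actions)]

def conformance_failures(requests):
    """Test oracle: (request, expected, actual) where the implementation's
    response differs from the specification's."""
    return [(r, evaluate_spec(r), impl_decide(r))
            for r in requests if evaluate_spec(r) != impl_decide(r)]
```

Running `conformance_failures` over all combinations of the three subjects, two resources and two actions flags exactly the seeded defect, showing how a request/response oracle exposes an implementation that diverges from its specification.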
Access control policies (or policies for simplicity) can be specified in programming languages or policy specification languages and retrofitted or implemented in a particular access control implementation. Policies need to be carefully designed and implemented to protect data from unauthorized access. Correctly specifying policies is crucial because correct implementation and enforcement of policies by systems rest on the premise that the policy specifications are correct.

However, specifying and managing access control policies is not trivial; it is common that a system's privacy and security are compromised due to the misconfiguration of access control policies rather than the failure of cryptographic primitives or protocols. The problem becomes increasingly severe as software systems become more and more complex, and are deployed to manage a large amount of sensitive information and resources that are organized into sophisticated structures.

A policy implementation handles an access request and determines whether access to a resource is permitted based on the specified policies. Correctly implementing policy specifications is not an easy task. For example, in distributed systems, a variety of policy implementations must be integrated to control administration, users, databases, and various services. Most of the policy decision functionalities are distributed and may include dynamic policy decisions or different domain-specific policy implementations. Policies can be implemented in various ways (explicitly or implicitly), such as configurable components and program code. In a legacy system, policy implementations may adopt domain-specific access control mechanisms. In such a system, policy implementations may include policies in program code entangled with other functionalities. This entangled code is difficult to analyze, modify, and test with respect to the policies it encodes.
Thus, when policy requirements change, the developers may need to modify the entangled functionalities to comply with the change, and it is not trivial to identify and adapt the corresponding program code. Moreover, policy implementations may include security vulnerabilities: the developers may seed malicious code (such as “backdoors” and malfunctions) in a system, or the developers may misrepresent or forget important access authorization enforcements. Therefore, both policy specifications and implementations must undergo rigorous verification and validation through systematic testing to ensure that the policy specifications and implementations truly encapsulate the desires