Testing Security Rules with Decomposable Activities

Wissam Mallouli and Ana Cavalli
GET/INT, 9 rue Charles Fourier, 91011 Evry Cedex, France
{wissam.mallouli,ana.cavalli}@int-edu.eu

Abstract—Checking that a security policy has been correctly deployed over a network is a key issue for system administrators. Specification and testing of such policies constitute fundamental steps in the development of a secure system. To address both challenges, we propose a framework to describe how modalities such as permissions, prohibitions and obligations (involving decomposable activities) can be integrated in a functional EFSM specification of a system to obtain a new specification of the system that takes the security policy into account. Then, we propose a method to automatically derive test sequences to test the implementation, using a dedicated tool developed in our laboratory. Finally, we apply our framework to a weblog system case study to demonstrate its reliability.

Index Terms—Security Policy, Extended Finite State Machine, SDL, Verification and Testing, Test Generation.

I. INTRODUCTION

In modern networks, the heterogeneity and the increasing distribution of applications make security management complex. In order to give a global, understandable view of network security, we abstract away from the technical constraints by using security policy rules. These rules express the security objectives of the network and specify the desired behavior of the system. In such networks, it is quite difficult to verify whether a system implementation conforms to its policy. However, if no one can ensure this conformance, global security can no longer be guaranteed.

Most current work concentrates only on defining meta-languages to express security policies and provide unambiguous rules. [3] and [9] are typical examples of such generic policy description models. Indeed, they do not depend on the functional specification of the system, but they offer several concepts to describe the security policy independently of the system implementation. Once the security policy is formally specified, it is essential to prove that the target system implements this policy, either by (1) injecting this policy into the studied system, (2) formally specifying the target system and generating proofs that this system implements the security policy, or (3) considering several strategies of formal testing. This last methodology is the one explored in this paper.

In this paper, we propose an approach that makes it possible to validate security rules. This approach manipulates three different inputs: a functional specification of the system based on a well-known mathematically-based formalism, the Extended Finite State Machine [14]; a specification of the security policy (based on the OrBAC model [3]) that we would like to apply to this system; and finally an implementation of the system. We want to obtain a new specification of the system that takes the security policy into consideration (we call it the secure functional specification), and then to generate tests to check whether the implementation of the system conforms to the secure functional specification.

This paper distinguishes itself from classical conformance testing work (see for instance [4]) by several significant differences. We propose an approach to integrate security rules involving decomposable activities within the functional specification of a system. Thus, we describe how modalities such as prohibitions, authorizations, obligations and delegation can be integrated in an EFSM, either by restricting predicates or by adding transitions and states. Then, we propose a method to automatically derive test sequences from a set of rules, as well as an approach to restrict the number of test objectives required to perform verification.
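The two integration mechanisms named above (restricting a predicate, adding states and transitions) and the derivation of a test sequence per rule, as an added illustration that is not the paper's or its tool's code: a toy weblog EFSM in Python whose states, inputs and role variable are assumptions, where a prohibition strengthens the guard of the post transition and an obligation inserts a pending state that only an audit activity can leave. A breadth-first search over the secured machine then returns, for a given role, the shortest input sequence that fires the transition a rule concerns, which is the test objective for that rule (an empty sequence means the rule makes the transition unreachable).

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Ctx = Dict[str, str]  # context variables of the EFSM (here: the role of the connected user)

@dataclass
class Transition:
    src: str
    inp: str
    dst: str
    guard: Callable[[Ctx], bool] = lambda ctx: True  # enabling predicate over the context

@dataclass
class EFSM:
    init: str
    transitions: List[Transition] = field(default_factory=list)

def restrict_predicate(t: Transition, cond: Callable[[Ctx], bool]) -> None:
    """Prohibition/permission rule: strengthen the guard of an existing transition."""
    old = t.guard
    t.guard = lambda ctx: old(ctx) and cond(ctx)

def add_obligation(m: EFSM, after: Transition, obliged_inp: str) -> Transition:
    """Obligation rule: add a pending state that only the obliged activity can leave."""
    pending, final = after.dst + "_pending", after.dst
    after.dst = pending
    obliged = Transition(pending, obliged_inp, final)
    m.transitions.append(obliged)
    return obliged

def derive_test_sequence(m: EFSM, ctx: Ctx, target: Transition) -> List[str]:
    """BFS for the shortest input sequence firing `target` under a fixed context; [] if unreachable."""
    seen, queue = {m.init}, deque([(m.init, [])])
    while queue:
        state, path = queue.popleft()
        for t in m.transitions:
            if t.src != state or not t.guard(ctx):
                continue
            if t is target:
                return path + [t.inp]
            if t.dst not in seen:
                seen.add(t.dst)
                queue.append((t.dst, path + [t.inp]))
    return []

def build_secure_weblog() -> Tuple[EFSM, Transition, Transition]:
    """Constructed toy weblog (assumed states/inputs): functional EFSM plus two OrBAC-style rules."""
    post = Transition("logged_in", "post", "published")
    m = EFSM("idle", [Transition("idle", "login", "logged_in"), post,
                      Transition("published", "logout", "idle")])
    restrict_predicate(post, lambda ctx: ctx["role"] == "author")  # prohibition: guests never post
    audit = add_obligation(m, post, "audit")  # obligation: every post is audited before publication
    return m, post, audit
```

For an author the objective for the obligation is the sequence login, post, audit; for a guest no sequence fires post, which is exactly what a test of the prohibition must confirm on the implementation.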
We do not, however, address issues such as checking the consistency of the security policy, which is out of the scope of this paper. We assume that this issue has already been checked; there are several techniques to achieve this goal (see for instance [7]).

The remainder of this paper is organized as follows. In Section II, we discuss the related work addressing the description and validation of security policies. Section III presents the basic notions used for the management of security rules. In Section IV, we present the approach to integrate these security rules within an existing EFSM specification, as well as the related algorithms. In Section V, we present a case study, a weblog with security features, as well as the results obtained through generated test objectives. In Section VI, we present extensions of the approach. Finally, Section VII concludes the paper and introduces future work.

II. RELATED WORK

Most work related to security policies can be divided into two parts: the description of the policy itself and the verification of rules. In many systems, there is no real policy specification outside of a description in terms of low-level mechanisms such as access control lists. Thereafter, the analysis of access control leads to the definition of a number of access control models, which can provide a formal representation of security policies and, in some cases, allow the proof of access control properties. With the great majority of models, security rules are defined with modalities like permission, prohibition and obligation that express the possible constraints on the behavior of the system [8]. Among these models, we can