2015 QPRC

Title: Covering Arrays and Access Control Policies

Author: JeeHyun Hwang, SAS Institute Inc.

Abstract: This presentation describes combinatorial test generation, where test requests are generated based on covering arrays for access control policies. Security issues are critical when dealing with internet-based applications. Access control policies are widely used to counteract these issues. A policy is specified to govern whether access is granted or denied. In policy testing, the test input is a request, and the test output is the policy's response to that request. The correct specification of the policies is a very challenging problem. Policy testers can manually check whether a response is expected. To automate this process, we can adopt and use combinatorial test generation, where test requests are generated on t-way combinations of attribute values considering their interactions. We show a tool to help correctly specify and implement access control policies. We show the effectiveness of combinatorial test generation by measuring fault detection capability.
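An added illustration of the technique the abstract describes, not the presenter's tool: a greedy t-way covering array supplies the test requests, and seeded policy faults (mutants) measure fault detection capability. The attribute domains, the three rules, the first-applicable evaluation, and all function names are constructed assumptions.

```python
from itertools import combinations, product

# Constructed attribute domains and policy (assumptions, not from the talk).
DOMAINS = {"role": ["admin", "doctor", "nurse"], "resource": ["record", "billing"],
           "action": ["read", "write"], "location": ["onsite", "remote"]}
# Rules are (condition, effect); first applicable rule wins, default is Deny.
POLICY = [({"role": "admin"}, "Permit"),
          ({"role": "doctor", "resource": "record"}, "Permit"),
          ({"role": "nurse", "action": "read", "location": "onsite"}, "Permit")]

def t_way_targets(domains, t):
    """Every value combination for every choice of t attributes."""
    return {tuple(zip(cols, vals)) for cols in combinations(domains, t)
            for vals in product(*(domains[c] for c in cols))}

def covering_array(domains, t=2):
    """Greedy t-way covering array: each row is one test request."""
    uncovered = t_way_targets(domains, t)
    candidates = [dict(zip(domains, v)) for v in product(*domains.values())]
    rows = []
    while uncovered:
        def hits(row):
            return {c for c in uncovered if all(row[k] == v for k, v in c)}
        best = max(candidates, key=lambda row: len(hits(row)))
        rows.append(best)
        uncovered -= hits(best)
    return rows

def evaluate(policy, request):
    """Return the policy's response (Permit or Deny) to one request."""
    for condition, effect in policy:
        if all(request[k] == v for k, v in condition.items()):
            return effect
    return "Deny"

def mutants(policy):
    """Seed one fault per mutant: flip a rule's effect or drop one condition."""
    for i, (cond, effect) in enumerate(policy):
        flipped = "Deny" if effect == "Permit" else "Permit"
        yield f"rule {i}: flip effect", policy[:i] + [(cond, flipped)] + policy[i + 1:]
        for k in cond if len(cond) > 1 else ():
            weaker = {a: b for a, b in cond.items() if a != k}
            yield f"rule {i}: drop {k}", policy[:i] + [(weaker, effect)] + policy[i + 1:]

def kill_report(policy, tests):
    """For each mutant: does some test request get a different response?"""
    return {name: any(evaluate(policy, r) != evaluate(m, r) for r in tests)
            for name, m in mutants(policy)}
```

Calling `kill_report(POLICY, covering_array(DOMAINS, t))` for t = 2, 3, 4 shows how detection grows with strength: a fault triggered by a k-way interaction is only guaranteed to be caught when t is at least k.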