RealizationFigure 1 shows a classification we havedefined in Polux of the various requirements asecurity policy may contain. We are currentlydefining an integrated formalism to specifythese different requirements in a uniqueframework.A new version of MotOrBAC has been writtenin pure java and relies on the OrBAC java API.The OrBAC java API uses the Jena library torepresent the OrBAC policy through an RDFgraph and uses the Jena inference engine. TheOrBAC java API has been created to allowdeveloppers to integrate the OrBAC securitymodel into their applications.Our work on MotOrBAC also focuses on theproblem of policy deployment. Actually we areworking on policy translation mechanisms tointegrate into MotOrBAC the possibility totranslate parts of a concr<strong>et</strong>e policy inferedfrom an abstract OrBAC policy into variouslanguages used to configure security softwares(iptables for instance).Figure 1: Security policy structureThe approach suggested in the POLUX projectis to define this framework as an extension ofthe OrBAC model [1]. For a system to bedeveloped, OrBAC describes the permissions orprohibitions for people to any of the resourcesof the system (it may apply to configure afirewall as well as to define who can access agiven service or database). These rules specifypermissions or prohibitions that apply only tospecific circumstances, called contexts [2].OrBAC also provides means to specify thedifferent security policies applicable to thevarious parts of an organization (suborganizations).At the end of this specificationprocess, the security policy specifies whatshould be permitted or prohibitied in thesystem, in function of contexts, roles, activitiesand views.An administration model for the OrBAC model,called AdOrBAC [3] has also been defined anda support tool called MotOrBAC has beenimplemented and is available as an opensource software. MotOrBAC [4] is an opensource tool which can be used to write securitypolicies expressed using the OrBAC model. Itprovides functionalities to edit a policy, tod<strong>et</strong>ect and solve the potential policy conflictsand to simulate the policy.ConclusionWe plan to further develop the OrBAC model,especially to specify information flowrequirements, usage control requirements andreaction requirements. The MotOrBAC tool kitwill be extended to support the specification ofthese different requirements.References[1] A. Abou El Kalam, R. El Baida, P. Balbiani,S. Benferhat, F. Cuppens, Y. Deswarte, A.Miège, C. Saurel and G. Trouessin.Organization Based Access Control. IEEE 4thInternational Workshop on Policies forDistributed Systems and N<strong>et</strong>works (Policy2003), Lake Come, Italy, June 2003.[2] F. Cuppens and A. Miège. Modelingcontexts in the Or-BAC model . 19th AnnualComputer Security Applications Conference,Las Vegas, December 2003.[3] F. Cuppens <strong>et</strong> A. Miège. AdministrationModel for Or-BAC. International Journal ofComputer Systems Science and Engineering(CSSE), 19(4), Mai 2004.[4] F. Cuppens, N. Cuppens-Boulahia <strong>et</strong> C.Coma. MotOrBAC : un outil d’administration <strong>et</strong>de simulation de politiques de sécurité. SAR-SSI. Seignosse, France, Juin 2006.34 Extract of Pracom’s Annual Report <strong>2008</strong>
Security Testing: criteria, fault models and test generationResearch Staff : Yves Le Traon – Ph.D. Students : Tejeddine MouelhiKeywords : Security testing, security flaws, mutation analysis, test generation, security policyApplications : Information System SecurityPartners & Funding : : Tejeddine Mouelhi’s PhD thesis is co-advised with Benoit Baudry (INRIA-Rennes Br<strong>et</strong>agne Atlantique)IntroductionWhile important efforts are dedicated tosystem functional testing, very few worksstudy how to test specifically securitymechanisms implementing a security policy. Inthis thesis, we study how to adapt testingtechniques to test such security mechanisms.The testing techniques that have proven theireffectiveness in the field of functional testingare adapted in order to be applied to testsecurity mechanisms.RealizationWe applied mutation analysis to the context oftesting security policies [1]. The objective is tomake test cases efficient enough to revealerroneous implementations of a security policy.We adapted mutation analysis – which consistsof seeding security faults in the system –andproposed a fault model specific to accesscontrol security policies.Any security policy is strongly connected tosystem functionality: testing functions includesexercising many security mechanisms.However, testing functionality does not intendat putting to the test security aspects. Weproposed thus two strategies for producingsecurity policy test cases [2], depending if theyare built in complement of existing functionaltest cases or independently from them. Wealso proposed test selection criteria to produc<strong>et</strong>ests from a security policy. To quantify theeffectiveness of a s<strong>et</strong> of test cases to d<strong>et</strong>ectsecurity policy flaws, we used mutationanalysis on three empirical studies. The overallapproach has been applied to OrBAC accesscontrol policies using the associated Motorbactool (http://www.orbac.org/).In collaboration with Alexander Pr<strong>et</strong>schner,during its sabbatical at TELECOM Br<strong>et</strong>agne, webegan to study the test generation issue byproposing a new model-based approach thatuses combinatorial testing [3]. Test cases aregenerated using pair-wise testing and wecompare them to several random testgeneration. Mixed-feeling results show that wemust still study this problem.In the same collaboration, we also studied howto use security tests to d<strong>et</strong>ect hidden securitymechanisms in legacy systems [4]. In fact, ifaccess control policy decision points are notneatly separated from the business logic of asystem, the evolution of a security policy likelyleads to the necessity of changing the system’scode base. This is often the case with legacysystems. We analyzed the notion of flexibilitywhich is related to the presence of hidden andimplicit security mechanisms in the businesslogic. This first work suggested the use of atest-driven m<strong>et</strong>hodology to d<strong>et</strong>ect such hiddenmechanisms, and drive the incrementalevolution of a security policy.ConclusionAs a future work, we will focus on using m<strong>et</strong>amodelsto offer a compl<strong>et</strong>e framework toproduce, in a generic way, a tool for mutationanalysis of interoperable security policies (firstresults in [5]). We will also study and proposenew approaches to automatically generatesecurity tests targ<strong>et</strong>ing the implementation ofsecurity policies.References[1] Mouelhi Tejeddine, Le Traon Yves, BaudryBenoit: Mutation analysis for security testsqualification. Mutation'07, third workshop onmutation analysist, September 10-11, CumberlandLodge, Windsor, UK, 2007.[2] Le Traon Yves, Mouelhi Tejeddine, BaudryBenoit: Testing security policies : going beyondfunctional testing. ISSRE'07: The 18th IEEEInternational Symposium on Software ReliabilityEngineering, November 5-9, Trollhätan, Sweden,2007.[3] Mouelhi Tejeddine, Le Traon Yves, Pr<strong>et</strong>schnerAlexander: Model-Based Tests for Access ControlPolicies. ICST <strong>2008</strong> : First IEEE InternationalConference on Software, Testing, Verification andValidation, April 9-11, Lillehammer, Norway, <strong>2008</strong>.[4] Mouelhi Tejeddine, Le Traon Yves, Pr<strong>et</strong>schnerAlexander, Baudry Benoit: Test-Driven Assessmentof Access Control in Legacy Applications. ICST<strong>2008</strong> : First IEEE International Conference onSoftware, Testing, Verification and Validation(ICST), April 9-11, Lillehammer, Norway, <strong>2008</strong>.[5] Mouelhi Tejeddine, Fleurey Franck, BaudryBenoit: A Generic M<strong>et</strong>amodel For Security PoliciesMutation, SecTest 08: 1st International ICSTworkshop on Security Testing, April 9, Lillehammer,Norway, <strong>2008</strong>.<strong>Rapport</strong> d’activités Pracom 2005-2006 - Department of N<strong>et</strong>works Security Multimedia - page n°35