6 research outputs found

    An Access Control Model Based Testing Approach for Smart Card Applications: Results of the POSÉ Project

    No full text
    This paper is about generating security tests from the Common Criteria expression of a security policy, in addition to functional tests previously generated by a model-based testing approach. The method that we present re-uses the functional model and the concretization layer developed for the functional testing, and relies on an additional security policy model. We discuss how to produce the security policy model from a Common Criteria security target. We propose to compute the tests by using some test purposes as guides for the tests to be extracted from the models. We see a test purpose as the combination of a security property and a test need issued from the know-how of a security engineer. We propose a language based on regular expressions for the expression of such test purposes. We illustrate our approach by means of the IAS case study, a smart card application dedicated to the operations of Identification, Authentication and electronic Signature.

    Testvector pertinence for SCA conformance evaluation

    No full text
    Checking the conformance of an SDR equipment to the SCA specification is very challenging. We propose in this paper to deal with the issue of providing a toolchain for code certification to the SCA 2.2.2 standard. First of all, static and dynamic checking should be considered for waveform and platform certification. Operating environment and board support package will also be targeted. Finally, a logical architecture of a certification test bench will be presented as well as its global functional set of requirements.

    Automatic generation of model based tests for a class of security properties

    No full text
    This paper is a contribution to the problem of gaining confidence that an implementation correctly meets a security policy assigned to it. To do so, we compute tests that exercise security properties issued from the security policy. We proceed by model based testing. Classically, we use a functional model that formalizes the functional specification. But we also use a second model, in the shape of security properties, that formalize a part of the security policy. Tests are computed from the security properties, with the formal functional model as an oracle. We first formalize the informal security requirements as regular expressions. Then we introduce mutations in the regular expressions so as to reflect the specific situations in which we intend to test the security properties. These mutated regular expressions are unfolded into abstract test sequences. We present a set of four mutation rules that apply to a class of properties that we call sequencing properties, and we experiment with our method on a standard in the smart card domain named IAS, for Identification, Authentication and electronic Signature.