An automated model-based test oracle for access control systems

In the context of XACML-based access control systems, an intensive testing activity is among the most adopted means to assure that sensible information or resources are correctly accessed. Unfortunately, it requires a huge effort for manual inspection of results: thus automated verdict derivation is a key aspect for improving the cost-effectiveness of testing. To this purpose, we introduce XACMET, a novel approach for automated model-based oracle definition. XACMET defines a typed graph, called the XAC-Graph, that models the XACML policy evaluation. The expected verdict of a specific request execution can thus be automatically derived by executing the corresponding path in such graph. Our validation of the XACMET prototype implementation confirms the effectiveness of the proposed approach.Comment: 7 page

GRADUATION: a GDPR-based mutation methodology

Adopting the General Data Protection Regulation (GDPR) enhances different business and research opportunities that evidence the necessity of appropriate solutions supporting specification, processing, testing, and assessing the overall (personal) data management. This paper proposes GRADUATION (GdpR-bAseD mUtATION) methodology for mutation analysis of data protection policies test cases. The new methodology provides generic mutation operators about the currently applicable EU Data Protection Regulation. The preliminary implementation of the steps involved in the GDPR-based mutant derivation is also described

Damages and Benefits of Certification: A perspective from an Independent Assessment Body

The paper investigates on the nature of software certification and its reasons of being. The numerous factors that impact on the achievement of its purposes are discussed, and also compared in the cases of Proprietary Software and Open Source Software. Some relevant features of a certification process for Open Source Software are finally proposed

Process Scenarios in Open Source Software Certification

Certification of Open Source Software (OSS) presents inherent trade-offsdue to the necessity of precisely identifying both a product and an independent certificationagent, and on the other of maintain the peculiar, valuable OSS characteristicof being available to an unlimited multiplicity of actors for trial, use and change.This is an intriguing challenge, usually solved by removing from the picture thecertifying agent and providing an intrinsic certification by means of rigorous, reapplicableproperty demonstrations, adopting Formal Methods (FM) in expressingand verifying the code. As such approach, yet quite valuable and good-promising,has some restrictions (such as the limited set of provable product qualities), we proposeto tackle the problem by analysing the various processes executed by differentOSS stakeholders, including the process of an independent Certification Body. Inthe paper some kinds of representative scenarios in which such processes interleaveare presented and discussed. The aim is to introduce a process-centered perspectivefor OSS that can stimulate research to further understand and mitigate the mentionedtrade-offs

A Decentralized Solution for Combinatorial Testing of Access Control Engine

In distributed environments, information security is a key factor and access control is an important means to guarantee confidentiality of sensitive and valuable data. In this paper, we introduce a new decentralized framework for testing of XACML-based access control engines. The proposed framework is composed of different web services and provides the following functionalities: I) generation of test cases based on combinatorial testing strategies; ii) decentralized oracle that associates the expected result to a given test case, i.e. an XACML request; and finally, iii) a GUI for interacting with the framework and providing some analysis about the expected results. A first validation confirms the efficiency of the proposed approach

Automatic XACML requests generation for policy testing

Abstract-Access control policies are usually specified by the XACML language. However, policy definition could be an error prone process, because of the many constraints and rules that have to be specified. In order to increase the confidence on defined XACML policies, an accurate testing activity could be a valid solution. The typical policy testing is performed by deriving specific test cases, i.e. XACML requests, that are executed by means of a PDP implementation, so to evidence possible security lacks or problems. Thus the fault detection effectiveness of derived test suite is a fundamental property. To evaluate the performance of the applied test strategy and consequently of the test suite, a commonly adopted methodology is using mutation testing. In this paper, we propose two different methodologies for deriving XACML requests, that are defined independently from the policy under test. The proposals exploit the values of the XACML policy for better customizing the generated requests and providing a more effective test suite. The proposed methodologies have been compared in terms of their fault detection effectiveness by the application of mutation testing on a set of real policies

A systematic review on cloud testing

A systematic literature review is presented that surveyed the topic of cloud testing over the period (2012-2017). Cloud testing can refer either to testing cloud-based systems (testing of the cloud), or to leveraging the cloud for testing purposes (testing in the cloud): both approaches (and their combination into testing of the cloud in the cloud) have drawn research interest. An extensive paper search was conducted by both automated query of popular digital libraries and snowballing, which resulted into the final selection of 147 primary studies. Along the survey a framework has been incrementally derived that classifies cloud testing research along six main areas and their topics. The paper includes a detailed analysis of the selected primary studies to identify trends and gaps, as well as an extensive report of the state of art as it emerges by answering the identified Research Questions. We find that cloud testing is an active research field, although not all topics have received so far enough attention, and conclude by presenting the most relevant open research challenges for each area of the classification framework.This paper describes research work mostly undertaken in the context of the European Project H2020 731535: ElasTest. This work has also been partially supported by: the Italian MIUR PRIN 2015 Project: GAUSS; the Regional Government of Madrid (CM) under project Cloud4BigData (S2013/ICE-2894) cofunded by FSE & FEDER; and the Spanish Government under project LERNIM (RTC-2016-4674-7) cofunded by the Ministry of Economy and Competitiveness, FEDER & AEI

COVID-19 & privacy: Enhancing of indoor localization architectures towards effective social distancing

Abstract The way people access services in indoor environments has dramatically changed in the last year. The countermeasures to the COVID-19 pandemic imposed a disruptive requirement, namely preserving social distance among people in indoor environments. We explore in this work the possibility of adopting the indoor localization technologies to measure the distance among users in indoor environments. We discuss how information about people's contacts collected can be exploited during three stages: before, during, and after people access a service. We present a reference architecture for an Indoor Localization System (ILS), and we illustrate three representative use-cases. We derive some architectural requirements, and we discuss some issues that concretely cope with the real installation of an ILS in real-world settings. In particular, we explore the privacy and trust reputation of an ILS, the discovery phase, and the deployment of the ILS in real-world settings. We finally present an evaluation framework for assessing the performance of the architecture proposed