Slide 1: Model Based Testing for Security Checking
Wissam Mallouli and Prof. Ana Cavalli
National Institute of Telecommunications, France
November 21, 2007
Slide 2: Outline
• Introduction
• Active/Passive Testing
• Active Testing Technique
  – Preliminaries
  – An integration based approach
  – The integration methodology
  – Use case: a Weblog
• Passive Testing Technique
  – Ongoing Work
• Conclusion
Slide 3: Introduction and motivation
• Security is a critical issue.
• Hence the need to define a security policy.
• A security policy is a set of rules that regulates the nature and the context of actions that can be performed within a system, according to specific roles.
• If one of the rules in the security policy is not respected, the whole system can be vulnerable.
Slide 4: Introduction and motivation
• How to check that a system implements its security policy:
  • Generating proofs
  • Injecting the policy within the system implementation
  • Model based testing methods
  • etc.
Slide 5: Outline
• Introduction
• Active/Passive Testing
• Active Testing Technique
  – Preliminaries
  – An integration based approach
  – The integration methodology
  – Use case: a Weblog
• Passive Testing Technique
  – Ongoing Work
• Conclusion
Slide 6: Active Testing
Diagram: a Formal Specification (functional & security) feeds automatic test generation based on formal descriptions, producing Test Suites; the Active Tester applies them to the IUT (implementation under test) and emits a verdict: PASS, FAIL or INCONC.
Slide 7: Conformance Testing (1/2)
• Check if the implementation of a system conforms to its specification.
Diagram: the same input I is applied to the specification, System (S), and to the implementation, System (I); S produces output O and I produces output O1. Does O1 = O?
Slide 8: Conformance Testing (2/2)
Generation of test scenarios that are:
- reasonable in number (for execution)
- complete (to cover all the system transitions)
Diagram: two kinds of non-conformance.
- Output error: the specification has S → S' on i/o, the implementation has S → S' on i/o' (wrong output).
- Transfer error: the specification has S → S' on i/o, the implementation has S → S'' on i/o (wrong target state).
Slide 9: Passive Testing
Diagram: a System User interacts with the IUT; a Passive Tester collects traces at a point of observation (PO trace collection), checks them against the Security Properties Specification and emits a verdict: PASS, FAIL or INCONC.
Slide 10: Outline
• Introduction
• Active/Passive Testing
• Active Testing Technique
  – Preliminaries
  – An integration based approach
  – The integration methodology
  – Use case: a Weblog
• Passive Testing Technique
  – Ongoing Work
• Conclusion
Slide 11: Problem Inputs/Output
Diagram: the inputs are the formal specification of the system as an EFSM written in SDL (without security) and the Security Requirements, expressed as Access Control Security Rules in OrBAC. The OrBAC Interpretation step integrates the rules and produces the formal specification EFSM (with security); from it, test scenarios are generated and executed against the System Implementation.
Slide 12: EFSM Formalism (1/2)
• An Extended Finite State Machine is a 6-tuple M = (I, O, S0, S, û, T) where:
  • I is a non-empty set of input symbols
  • O is a non-empty set of output symbols
  • S is a non-empty set of states
  • S0 ∈ S is the initial state
  • û is a vector denoting a finite set of variables
  • T is a set of transitions
• A transition t is a 6-tuple t = (s, q, i, o, P, A) where:
  • s is the current state
  • q is the next state
  • i ∈ I is an input symbol
  • o ∈ O is an output symbol
  • P(û) is a predicate on the current values of the variables
  • A(û) is a sequence of actions over the variables
• An EFSM is an automaton with variables and predicates.
Slide 13: EFSM Formalism (2/2)
Diagram: an example EFSM with S = (S0, S1, S2, S3), I = (a, b), O = (x, y). Transitions are labelled input/output (a/y, b/y, a/x); one transition carries the predicate P(X0) true and the action A(X0).
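The 6-tuple of slide 12 and the conformance check of slides 7 and 8, as an added example written for this page (it is not the authors' SDL/ObjectGEODE tooling). The machines are constructed: a small two-state counter used as specification, plus two faulty implementations, one with an output error and one with a transfer error. Only outputs are observable, so the transfer error is invisible until a later input drives the implementation from the wrong state.

```python
"""EFSM as the 6-tuple M = (I, O, S0, S, û, T) and a conformance check that
compares a specification and an implementation on the same input sequence.
Constructed example for this page; the machines below are made up."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Vars = Dict[str, int]


def no_action(v: Vars) -> None:
    """Default A(û): leave the variables untouched."""


@dataclass(frozen=True)
class Transition:
    """t = (s, q, i, o, P, A): current state, next state, input symbol,
    output symbol, predicate on the variables, action on the variables."""
    s: str
    q: str
    i: str
    o: str
    P: Callable[[Vars], bool] = lambda v: True
    A: Callable[[Vars], None] = no_action


@dataclass
class EFSM:
    I: frozenset
    O: frozenset
    S0: str
    S: frozenset
    u: Vars                 # û: initial values of the variable vector
    T: List[Transition]

    def run(self, inputs: List[str]) -> List[Optional[str]]:
        """Feed an input sequence from S0 and return the observed outputs;
        None marks an input for which no transition is enabled."""
        state, v, outputs = self.S0, dict(self.u), []
        for inp in inputs:
            enabled = [t for t in self.T if t.s == state and t.i == inp and t.P(v)]
            if not enabled:
                outputs.append(None)
                continue
            t = enabled[0]          # the machines here are deterministic
            t.A(v)
            state = t.q
            outputs.append(t.o)
        return outputs


def conformance_check(spec: EFSM, impl: EFSM,
                      inputs: List[str]) -> Tuple[str, Optional[int]]:
    """Apply the same inputs to S and I and compare outputs step by step.
    A transfer error only shows up as an output mismatch on a later step."""
    expected, observed = spec.run(inputs), impl.run(inputs)
    for k, (e, o) in enumerate(zip(expected, observed)):
        if e is None:
            return "INCONC", k      # the specification says nothing about this input here
        if e != o:
            return "FAIL", k
    return "PASS", None


def inc(v: Vars) -> None:
    v["n"] += 1


def reset(v: Vars) -> None:
    v["n"] = 0


def make_machine(bug: str = "") -> EFSM:
    """Constructed counter: after two 'a' inputs in S1 the machine goes back to S0.
    bug='output' gives the wrong output on that return transition;
    bug='transfer' gives the right output but the wrong next state on 'b'."""
    back_output = "y" if bug == "output" else "x"
    b_target = "S1" if bug == "transfer" else "S0"
    T = [
        Transition("S0", "S1", "a", "x", A=inc),
        Transition("S0", "S0", "b", "y"),
        Transition("S1", "S1", "a", "y", P=lambda v: v["n"] < 2, A=inc),
        Transition("S1", "S0", "a", back_output, P=lambda v: v["n"] >= 2, A=reset),
        Transition("S1", b_target, "b", "y"),
    ]
    return EFSM(frozenset("ab"), frozenset("xy"), "S0",
                frozenset({"S0", "S1"}), {"n": 0}, T)


if __name__ == "__main__":
    spec = make_machine()
    print(conformance_check(spec, make_machine("output"), ["a", "a", "a"]))    # ('FAIL', 2)
    print(conformance_check(spec, make_machine("transfer"), ["a", "b"]))       # ('PASS', None)
    print(conformance_check(spec, make_machine("transfer"), ["a", "b", "a"]))  # ('FAIL', 2)
```

The last two calls show why slide 8 asks for complete test suites: the sequence a, b passes against the transfer-faulty implementation, and only the extra input exposes that it went to S1 instead of S0.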
Slide 14: OrBAC (1/2)
• An access and usage control model
• Obligation/Permission/Prohibition
Diagram (copyright http://www.orbac.org): the abstract entities Role, Activity and View abstract the concrete entities Subject, Action and Object, respectively.
Slide 15: OrBAC (2/2)
• Permission/Prohibition/Obligation (S, R, A, V, C)
• This rule means that within the system S, the role R is permitted/prohibited/obliged to perform the activity A targeting the objects of view V in the context C.
Slide 16: OrBAC Interpretation to Fit the EFSM Formalism (1/2)
• Permission (system1, role1, call delete, text, input=req_delete(text) and text_exists=true)
• The activity and the context have to be described in the same language as the functional specification of the system.
• In our case we used the SDL language; "call" and "input=" are SDL commands.
Slide 17: OrBAC Interpretation to Fit the EFSM Formalism (2/2)
• If the roles and variables are not already defined in the initial specification, precise definitions have to be added (type, default value, etc.).
• A rule context is divided into two parts:
  • an EFSM context, with conditions related to the position in the EFSM (e.g. input=a)
  • a variables context, with conditions related to variable values (e.g. variable1=0).
Slide 18: Activity Definition
• An activity refers to a possible action within the EFSM functional description of the system. It can be either:
  – An Atomic Activity: a basic part of an EFSM transition. It is defined as an SDL command such as an input, a task or an output.
  – A Decomposable Activity: an activity composed of a set of atomic activities.
• It can correspond to one transition (1_tr activity) or to a set of transitions (n_tr activity).
Slide 19: Decomposable Activity
Diagram: an EFSM with states S0 to S8; the partial EFSM covering S1 to S6 is the activity. Its transitions are classified as ST1, ST2 (starting), IT1, IT2, IT3 (intermediate), ET1, ET2 (ending) and OT1, OT2 (outgoing).
Legend: ST: Starting Transition; IT: Intermediate Transition; ET: Ending Transition; OT: Outgoing Transition.
Slide 20: Our approach main idea
Diagram: the formal specification EFSM in SDL (without security) and the Security Intuitions go through an OrBAC Interpretation, yielding the formal specification EFSM (with security); from it, test scenarios are generated and executed against the System Implementation.
Slide 21: Integration methodology
• Parse the EFSM specification.
• For each transition, identify the rules that:
  • map the activity and the EFSM context, in the case of permissions and prohibitions
  • map the EFSM context, in the case of obligations
Slide 22: IM: Prohibition
• Example of a 1_transition activity
• Prohibition (S, R, T, _, C) where C is a variables context
• The activity T exists in the functional specification
• The predicate is restrained:
  before: S1 → S2: A/X, if (P), T
  after:  S1 → S2: A/X, if (P ∧ (¬C ∨ ¬R)), T
Slide 23: IM: Prohibition
• Example of an n_transition activity: Prohibition (S, R, Activity1, _, C)
Diagram: the EFSM of slide 19 (states S0 to S8; transitions ST1, ST2, IT1 to IT3, ET1, ET2, OT1, OT2). The starting transitions set Act1 = true, the outgoing and ending transitions set Act1 = false, and the ending transitions are duplicated so that their predicate becomes
  P := P ∧ ((Act1 ∧ (¬VARc ∨ ¬R)) ∨ ¬Act1)
Slide 24: IM: Prohibition Algorithm
• Require: the prohibition with role R, variables context VARc and activity i that maps the transition(s).
• if (1_Tr activity) then
  • Revise the predicate associated to the transition: P := P ∧ (¬VARc ∨ ¬R)
  • (Note that if no predicate is associated to this transition, we create a new one: P := ¬VARc ∨ ¬R)
• end if
• if (n_Tr activity) then
  • Add the task Acti := true; to the STS (starting transitions).
  • Add the task Acti := false; to the OTS (outgoing transitions).
  • Duplicate the ETS (ending transitions) into ETS1 and ETS2.
  • Revise the predicate associated to ETS1: P := P ∧ Acti ∧ (¬VARc ∨ ¬R)
  • Revise the predicate associated to ETS2: P := P ∧ (Acti = false)
  • Add the task Acti := false; to ETS1.
• end if
• If there are many prohibitions: logical product (conjunction) of their restrictions.
Slide 25: IM: Permission
• Example of a 1_transition activity: Permission (S, R, T, _, C) where C is a condition related to variables
• The activity T exists in the functional specification
• The predicate is restrained:
  before: S1 → S2: A/X, if (P), T
  after:  S1 → S2: A/X, if (P ∧ C ∧ R), T
Slide 26: IM: Permission
• Example of an n_transition activity: Permission (S, R, Activity1, _, C)
Diagram: the same EFSM as slide 23; the starting transitions set Act1 = true, the outgoing and ending transitions set Act1 = false, and the ending transitions are duplicated so that their predicate becomes
  P := P ∧ ((Act1 ∧ C ∧ R) ∨ ¬Act1)
Slide 27: IM: Permission Algorithm
• Require: the permission with role R, variables context VARc and activity i that maps the transition(s).
• if (1_Tr activity) then
  • Revise the predicate associated to the transition: P := P ∧ (VARc ∧ R)
  • (Note that if no predicate is associated to this transition, we create a new one: P := VARc ∧ R)
• end if
• if (n_Tr activity) then
  • Add the task Acti := true; to the STS (starting transitions).
  • Add the task Acti := false; to the OTS (outgoing transitions).
  • Duplicate the ETS (ending transitions) into ETS1 and ETS2.
  • Revise the predicate associated to ETS1: P := P ∧ Acti ∧ (VARc ∧ R)
  • Revise the predicate associated to ETS2: P := P ∧ (Acti = false)
  • Add the task Acti := false; to ETS1.
• end if
• If there are many permissions: logical sum (disjunction) of their restrictions.
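The 1_Tr branch of the prohibition algorithm (slide 24) and of the permission algorithm (slide 27), applied together to one functional specification, as an added example written for this page (not the authors' integration tool). The weblog transitions, the role names and the encoding of the slide 37 policy as rules are constructed for the illustration; the restriction formulas are the ones on the slides: permissions on the same transition are combined as a logical sum, prohibitions as a logical product, and the n_Tr case with the Acti flag is not covered.

```python
"""Integration of OrBAC permissions and prohibitions into EFSM transition
guards, for 1_Tr activities.  Constructed example for this page."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List

Vars = Dict[str, bool]
Guard = Callable[[Vars, str], bool]      # P(û, role): the role stands for the OrBAC R


@dataclass(frozen=True)
class Transition:
    s: str
    q: str
    i: str
    o: str
    T: str                                # SDL task: the atomic activity a rule maps
    P: Guard = lambda v, role: True


@dataclass(frozen=True)
class Rule:
    kind: str                             # "permission" or "prohibition"
    role: str                             # R
    activity: str                         # the 1_Tr activity
    VARc: Callable[[Vars], bool] = lambda v: True   # variables context


def restrain(t: Transition, rules: List[Rule]) -> Transition:
    """Apply the 1_Tr case of both algorithms to one transition:
    permissions:  P := P ∧ ((VARc1 ∧ R1) ∨ (VARc2 ∧ R2) ∨ ...)   (logical sum)
    prohibitions: P := P ∧ (¬VARc1 ∨ ¬R1) ∧ (¬VARc2 ∨ ¬R2) ∧ ...  (logical product)"""
    perms = [r for r in rules if r.kind == "permission" and r.activity == t.T]
    prohs = [r for r in rules if r.kind == "prohibition" and r.activity == t.T]
    if not perms and not prohs:
        return t                          # no rule maps this activity: unchanged
    old = t.P

    def P(v: Vars, role: str) -> bool:
        ok = old(v, role)
        if perms:
            ok = ok and any(r.VARc(v) and role == r.role for r in perms)
        for r in prohs:
            ok = ok and (not r.VARc(v) or role != r.role)
        return ok

    return replace(t, P=P)


def integrate(spec: List[Transition], rules: List[Rule]) -> List[Transition]:
    """The EFSM 'with security' of slide 20: every transition restrained."""
    return [restrain(t, rules) for t in spec]


def is_enabled(spec: List[Transition], state: str, inp: str, v: Vars, role: str) -> bool:
    return any(t.s == state and t.i == inp and t.P(v, role) for t in spec)


def post_exists(v: Vars, role: str) -> bool:
    return v["post_exists"]


def authenticated(v: Vars) -> bool:
    return v["authenticated"]


# Functional weblog specification without security (constructed).
WEBLOG = [
    Transition("Idle", "Idle", "ReadReq", "Page", T="read"),
    Transition("Idle", "Idle", "AddPostReq", "PostAdded", T="write"),
    Transition("Idle", "Idle", "DeleteReq", "Deleted", T="delete", P=post_exists),
]

# Slide 37 policy encoded as 1_Tr rules (constructed): admin may do anything,
# a blogger may write but not delete, a visitor may only read, writing needs
# authentication.
POLICY = [
    Rule("permission", "admin", "write", authenticated),
    Rule("permission", "admin", "delete"),
    Rule("permission", "blogger", "write", authenticated),
    Rule("prohibition", "blogger", "delete"),
    Rule("prohibition", "visitor", "write"),
]

SECURE_WEBLOG = integrate(WEBLOG, POLICY)

if __name__ == "__main__":
    v = {"post_exists": True, "authenticated": True}
    for role in ("admin", "blogger", "visitor"):
        print(role, "delete:", is_enabled(SECURE_WEBLOG, "Idle", "DeleteReq", v, role),
              "write:", is_enabled(SECURE_WEBLOG, "Idle", "AddPostReq", v, role))
```

Before integration the delete transition is guarded only by post_exists, so any role can fire it; after integration the guard reads post_exists ∧ (role = admin) ∧ (role ≠ blogger), which is exactly what the test objectives of slide 43 exercise.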
Slide 28: IM: Obligation (1/2)
• Example: Obligation (S, R, new_activity, _, (Input = A) and C)
• Assumption: new_activity is a new activity.
• new_activity can be formally described using a partial EFSM (from OS to EOS).
• Determine the Cut Point.
• Add the activity and connect the transitions.
Slide 29: IM: Obligation (2/2)
• Example: Obligation (S, R, new_activity, _, (Input = A) and C)
Diagram, before: the transition S1 → S2: A/X, if (P), T is split at the Cut Point between "Input A, if (P), T" and "Output X"; new_activity is the partial EFSM OS → EOS: B/Y, T'.
Diagram, after:
  S1 → S2: A/-, if (P)   (the original transition, cut before its output)
  OS → EOS: B/Y, if (C ∧ R), T'   (the new activity)
  -/X, T   and   -/X, if (¬C ∨ ¬R), T   (completing the original output X)
  C1, C2, C3: the created transitions connecting the Cut Point, the new activity and S2
Slide 30: IM: Obligation Algorithm
• Input: EFSM M, the obligation and the new activity
1. Restrain all transitions from OS with (role and 'variables context').
2. For each transition that maps the 'EFSM context', identify the Cut Point.
3. Create the transitions C1, C2 and C3.
Slide 31: The main idea
Diagram (as on slide 20): the formal specification EFSM in SDL (without security) and the Security Intuitions go through an OrBAC Interpretation, yielding the formal specification EFSM (with security); from it, test scenarios are generated and executed against the System Implementation.
Slide 32: Testing methodology
• A methodology based on the ISO 9646 standard
• Description of the system behavior using a formal language: SDL (ObjectGEODE)
• Characterization of test objectives and test generation (security oriented objectives) (SIRIUS)
• Definition of the testing architecture
• Execution
Slide 33: Case study: Weblog
Definition:
• A weblog is a website where entries are written in chronological order and displayed in reverse chronological order.
• Blogs provide commentary or news on a particular subject such as food, politics, or local news; some function as more personal online diaries. The ability for readers to leave comments in an interactive format is an important part of many blogs. (Wikipedia)
Slide 34: Weblog: formal specification
Slide 35: Weblog: SDL
Diagram: an SDL transition of the specification, read top to bottom: State, Input, Predicate, Task, Output, next State.
Slide 36: Specification Verification
• Model checking
• Exhaustive simulation
• Absence of deadlocks and livelocks, …
• Guided simulation
Slide 37: Security policy definition
• 3 possible roles: administrator, blogger and visitor
• An administrator can do anything
• A blogger can only read and write, but not delete
• A visitor can only read
• To write or delete, the user has to be authenticated
Slide 38: Security rules in OrBAC
• Obligation (Website, visitor, Authentication, _, input = AddPostReq)
• Permission (Website, admin, ‘Deleting Comment’, Comment, _)
• Prohibition (Website, visitor, ‘Adding Comment’, Comment, _)
• …
Slide 39: Rules integration (1/3)
• Obligation (Website, visitor, Authentication, _, input = AddPostReq)
Slide 40: Rules integration (2/3)
• Permission (Website, admin, ‘Deleting Comment’, Comment, _)
Slide 41: Rules integration (3/3)
• Prohibition (Website, anonymous, ‘Adding Comment’, Comment, _)
Slide 42: Specifications: Before/After

|        | States | Transitions | Signals | Lines |
|--------|--------|-------------|---------|-------|
| Before | 3      | 15          | 15      | 350   |
| After  | 4      | 23          | 18      | 594   |
Slide 43: Test objectives determination
• Written in SDL
• Combinatorial choices
• Example: an administrator tries to add a content; the activity is permitted and the content is added.
• 17 test objectives that represent 95% of the specification transitions.
Slide 44: Generation of test scenarios
• Using the SIRIUS test generation tool
• A tool based on the Hit-or-Jump algorithm, which avoids combinatorial explosion
• BFS (Breadth First Search)
• Quick generation (3 s) and short scenarios (7 transitions)
• Test scenarios can be provided in the TTCN or MSC standard => portability
Slide 45: Outline
• Introduction
• Active/Passive Testing
• Active Testing Approach
  – Preliminaries
  – An integration based approach
  – The integration methodology
  – Use case: a Weblog
• Passive Testing Approach
  – Ongoing Work
• Conclusion
Slide 46: Our Aim
• Definition of passive test techniques for security checking
• Detection of violations of security policies
Slide 47: Security Rules Specification
• A formalism well adapted to passive testing
• Syntax inspired by Nomad (Non atomic actions and deadlines)
• Specification of permissions, prohibitions and obligations concerning non-atomic actions, using a combination of deontic and temporal logics
Slide 48: The proposed model: Generalities
• Inspired from Nomad.
• Specification of permissions, prohibitions and obligations related to non-atomic actions.
• A set of modalities defined in specific contexts.
• Adapted for passive testing (monitoring).
Slide 49: The proposed model: Syntax & semantics
• Simple syntax based on actions, which are defined as:
  Entity1 ! [?,*] Msg(Param1,Param2,…,ParamN) Entity2
  Entity1: source or destination of the message (server, client, DB, etc.)
  ! : sending of a message. ? : receipt of a message. * : exchange of messages between two entities.
  Msg(Param1,Param2,…,ParamN): represents the most important characteristics of the exchanged message (transport protocol used, message type, etc.)
  Entity2: source or destination of the message (server, client, DB, etc.)
Slide 50: The proposed model: Syntax & semantics
Example: Usr1 ! Msg(https,AuthReq) ServerA
Slide 51: The proposed model: Syntax & semantics
• If α and β are actions then (α;β) and (α;*;β) are actions.
  (α;β): α followed by β.
  (α;*;β): α followed by β, but not immediately.
• A propositional variable is a formula.
• If α is an action then start(α) and done(α) are formulae.
• If A and B are formulae then A B and A B are formulae.
Slide 52: The proposed model: Syntax & semantics
• If A is a formula then A, A, n A, ӨA and Өn A are formulae.
  A: next on the trace, A.
  n A: in the next n messages in the trace, A.
  ӨA: previously in the trace, A.
  Өn A: in the n previous messages in the trace, A.
Slide 53: The proposed model: Syntax & semantics
• If A is a formula then О d A and О d A are formulae.
  О d A (past): d units of time ago, A was true.
  О d A (future): A will be true in the next d units of time.
• d represents a real time and can be expressed in milliseconds, seconds or minutes.
Slide 54: The proposed model: Syntax & semantics, deontic modalities
• If A is a formula, then O(A), P(A) and F(A) are formulae.
  O(A): A is obligatory. P(A): A is permitted. F(A): A is forbidden.
• If C is a context then O(A|C), P(A|C) and F(A|C) are also formulae.
  O(A|C): A is obligatory in context C. P(A|C): A is permitted in context C. F(A|C): A is forbidden in context C.
Slide 55: Some examples: permissions
P (start(client1 ? Msg(FTP) ServerA))
P (start(usr ! Msg(ReqWrite,fich1.doc) ServerA) | Ө(done(usr ! Msg(AuthReq) ServerA) ;*; done(usr ? Msg(AuthOK) ServerA) ;*; done(usr ? Msg(DisconnectReq) ServerA)))
Slide 56: Some examples: obligations
O (start(ServerA * Msg(https) ServerB))
O (start(Δ ! Msg(https,disconnectReq) ServerA) | Ө done(Δ ? Msg(https,AuthOK)))
O (start(ServerA ! Msg(DisconnectOK) Δ) | О 3min done(ServerA ? Msg(*) Δ))
Slide 57: Some examples: prohibitions
F (start(ServerA * Msg(*) ServerB))
F (start(ServerA ? Msg(Req) *) | О 5min done(ServerA ? Msg(Req) *) 10000)
F (start(ServerA ? Msg(https,AuthReq) Δ) | О 30s done(Δ ! Msg(https,AuthReq) ServerA) 3)
Slide 58: Comments
• A model completely adapted for passive testing.
• Could be used to specify security policies related to any communication system.
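A monitor for permission and prohibition formulae in the action syntax of slides 49 to 54, run over a recorded trace, as an added example written for this page (not the authors' test engine). It parses actions of the form Entity1 ! Msg(...) Entity2, implements done(α) with the "previously" sequence Ө(... ;*; ...) and a timed past window О d with a count, and flags every start(α) that violates a rule. Assumptions of this example: a trace is a list of (timestamp in seconds, action); entities written $name are variables bound by the start(α) action so that one rule applies per user or client; * is a wildcard standing for the slides' Δ; P(start(α) | C) is read as "α may only start when C holds"; the rules and the trace are constructed variants of the examples on slides 55 and 57, and the server-side receive event is used for both sides of the rate rule.

```python
"""Passive checking of P(...) and F(...) formulae over a message trace.
Constructed example for this page; rules and trace are made up."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Binding = dict


@dataclass(frozen=True)
class Action:
    src: str
    op: str                     # '!' send, '?' receive, '*' exchange
    params: Tuple[str, ...]
    dst: str


ACTION_RE = re.compile(r"^\s*(\S+)\s*([!?*])\s*Msg\(([^)]*)\)\s*(\S+)\s*$")


def parse_action(text: str) -> Action:
    """Parse 'Entity1 ! Msg(Param1,...,ParamN) Entity2'."""
    m = ACTION_RE.match(text)
    if not m:
        raise ValueError(f"not an action: {text!r}")
    params = tuple(p.strip() for p in m.group(3).split(",") if p.strip())
    return Action(m.group(1), m.group(2), params, m.group(4))


def unify(pattern: Action, a: Action, binding: Binding) -> Optional[Binding]:
    """Match a trace action against a pattern ('*' wildcard, '$x' variable);
    returns the extended binding, or None when they do not match."""
    b = dict(binding)

    def field(p: str, x: str) -> bool:
        if p == "*":
            return True
        if p.startswith("$"):
            if p in b:
                return b[p] == x
            b[p] = x
            return True
        return p == x

    if pattern.op != a.op or not field(pattern.src, a.src) or not field(pattern.dst, a.dst):
        return None
    if pattern.params != ("*",):                    # Msg(*) matches any parameters
        if len(pattern.params) != len(a.params):
            return None
        if not all(field(p, x) for p, x in zip(pattern.params, a.params)):
            return None
    return b


Trace = List[Tuple[float, Action]]
Context = Callable[[Trace, int, Binding], bool]


def previously_seq(*patterns: str) -> Context:
    """Ө(done(a1) ;*; done(a2) ;*; ...): every ai occurred earlier, in that
    order, with other messages allowed in between."""
    pats = [parse_action(p) for p in patterns]

    def ctx(trace: Trace, k: int, binding: Binding) -> bool:
        b, j = binding, 0
        for _, a in trace[:k]:
            if j < len(pats):
                nb = unify(pats[j], a, b)
                if nb is not None:
                    b, j = nb, j + 1
        return j == len(pats)
    return ctx


def done_within(seconds: float, pattern: str, at_least: int) -> Context:
    """О d done(a) with a count: a was done at least `at_least` times in the
    previous d seconds (the reading of slide 57's rate rules used here)."""
    pat = parse_action(pattern)

    def ctx(trace: Trace, k: int, binding: Binding) -> bool:
        now = trace[k][0]
        hits = sum(1 for t, a in trace[:k]
                   if now - t <= seconds and unify(pat, a, binding) is not None)
        return hits >= at_least
    return ctx


@dataclass(frozen=True)
class Rule:
    modality: str               # 'P' permission or 'F' prohibition
    start: str                  # the start(α) pattern
    context: Context
    name: str


def check_trace(trace: Trace, rules: List[Rule]) -> List[Tuple[int, str]]:
    """(trace index, rule name) for every violation: a permitted action starting
    outside its context, or a forbidden action starting inside it."""
    violations = []
    for k, (_, a) in enumerate(trace):
        for r in rules:
            b = unify(parse_action(r.start), a, {})
            if b is None:
                continue
            holds = r.context(trace, k, b)
            if (r.modality == "P" and not holds) or (r.modality == "F" and holds):
                violations.append((k, r.name))
    return violations


RULES = [   # constructed variants of the slide 55 permission and slide 57 rate prohibition
    Rule("P", "$usr ! Msg(ReqWrite,*) ServerA",
         previously_seq("$usr ! Msg(AuthReq) ServerA", "$usr ? Msg(AuthOK) ServerA"),
         "write only after AuthReq ;*; AuthOK"),
    Rule("F", "ServerA ? Msg(https,AuthReq) $c",
         done_within(30, "ServerA ? Msg(https,AuthReq) $c", 3),
         "more than 3 AuthReq from one client within 30 s"),
]

TRACE = [(t, parse_action(s)) for t, s in [          # constructed trace (seconds, action)
    (0.0, "usr1 ! Msg(AuthReq) ServerA"),
    (0.4, "usr1 ? Msg(AuthOK) ServerA"),
    (2.0, "usr1 ! Msg(ReqWrite,fich1.doc) ServerA"),    # authenticated: permitted
    (3.0, "usr2 ! Msg(ReqWrite,notes.doc) ServerA"),    # never authenticated: violation
    (10.0, "ServerA ? Msg(https,AuthReq) client9"),
    (15.0, "ServerA ? Msg(https,AuthReq) client9"),
    (20.0, "ServerA ? Msg(https,AuthReq) client9"),
    (25.0, "ServerA ? Msg(https,AuthReq) client9"),     # 3 earlier within 30 s: violation
    (70.0, "ServerA ? Msg(https,AuthReq) client9"),     # window expired: allowed
]]

if __name__ == "__main__":
    for k, name in check_trace(TRACE, RULES):
        print(f"violation at message {k}: {name}")
```

The verdict of slide 9 falls out of the result: an empty violation list is PASS, any entry is FAIL with the offending message index, and because the monitor only reads the past part of the trace it can run online, one message at a time, which is what makes the formalism suited to monitoring (slide 48).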
Slide 59: Passive Testing Methodology
Slide 60: Test Engine
Slide 61: SAP Case Study
• 13 rules have been selected to be specified in our formalism:
  • 2 obligations
  • 3 prohibitions
  • 8 permissions
Slide 62: Results
• Trace file of the Audit application (25000 lines); sample line:
  03.04.2005,10:20:25,600,HACKERW,FK02,S826-01,AU3,Transaction FK02 Started
  Fields: Date, Time, Client, User ID, Trans. code, Terminal, Message ID, Message
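A parser for the audit trace format of slide 62, as an added example written for this page (not the authors' trace collection). The field layout is the one the slide labels; the assumptions are ours: comma-separated fields, dates written day.month.year, and the mapping of a record to an action of the passive-testing syntax (user ! Msg(transaction code, message id) SAP). The 13 rules of the case study are not on the slides, so the two checks below are constructed ones: timestamps must not go backwards, and the transaction named in the message must match the Trans. code field, two things a modified audit file (slide 64) may fail.

```python
"""Parser and two constructed consistency checks for the audit trace lines of
slide 62.  Constructed example for this page."""
import csv
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class AuditRecord:
    when: datetime
    client: str
    user: str
    tcode: str          # transaction code
    terminal: str
    msg_id: str
    message: str


def parse_audit_line(line: str) -> AuditRecord:
    """Split one line into the eight fields named on the slide (assumed
    comma-separated, day.month.year dates)."""
    fields = next(csv.reader([line.strip()]))
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    date, time, client, user, tcode, terminal, msg_id, message = fields
    when = datetime.strptime(f"{date} {time}", "%d.%m.%Y %H:%M:%S")
    return AuditRecord(when, client, user, tcode, terminal, msg_id, message)


def to_action(r: AuditRecord) -> str:
    """Render a record in the slides' action syntax, e.g. 'HACKERW ! Msg(FK02,AU3) SAP'.
    Constructed mapping: the user is the sender, the SAP system the receiver."""
    return f"{r.user} ! Msg({r.tcode},{r.msg_id}) SAP"


STARTED = re.compile(r"Transaction (\S+) Started")


def find_inconsistencies(lines: List[str]) -> List[Tuple[int, str]]:
    """Flag records whose timestamp goes backwards or whose message names a
    different transaction than the Trans. code field (constructed checks)."""
    issues, previous = [], None
    for n, line in enumerate(lines):
        r = parse_audit_line(line)
        if previous is not None and r.when < previous:
            issues.append((n, "time-not-monotonic"))
        m = STARTED.search(r.message)
        if m and m.group(1) != r.tcode:
            issues.append((n, "tcode-mismatch"))
        previous = r.when
    return issues


# The first line is the one shown on slide 62; the other two are constructed.
SAMPLE = [
    "03.04.2005,10:20:25,600,HACKERW,FK02,S826-01,AU3,Transaction FK02 Started",
    "03.04.2005,10:21:02,600,HACKERW,ZTST1,S826-01,AU3,Transaction ZTST1 Started",
    "03.04.2005,10:19:59,600,HACKERW,FK02,S826-01,AU3,Transaction FK03 Started",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(to_action(parse_audit_line(line)))
    print(find_inconsistencies(SAMPLE))   # [(2, 'time-not-monotonic'), (2, 'tcode-mismatch')]
```

Once each line is an action string, the trace can be fed to a monitor for the formalism of slides 49 to 57, with the user ID and terminal fields supplying the entities and the message ID the message type.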
Slide 63: Results
• The system satisfies its security policy.
Slide 64: Results
• Modifications in the Audit File
Slide 65: Conclusion and future work
• Security testing is still complex
• Automatic test generation for access control security rules (permission, prohibition and obligation)
• Handling decomposable activities
• 3 algorithms
• Weblog and “A Travel Agency” case studies
• Passive testing (ongoing work)
Slide 66: Questions?