Research Spending & Results

Award Detail

Awardee:BOISE STATE UNIVERSITY
Doing Business As Name:Boise State University
PD/PI:
  • Dianxiang Xu
  • (816) 235-1193
  • dxu@umkc.edu
Award Date:09/12/2013
Estimated Total Award Amount: $ 499,771
Funds Obligated to Date: $ 515,371
  • FY 2014=$15,600
  • FY 2013=$499,771
Start Date:09/01/2013
End Date:08/31/2017
Transaction Type:Grant
Agency:NSF
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TTP: Small: Automated Conformance Testing of Access Control and Obligation Policies
Federal Award ID Number:1359590
DUNS ID:072995848
Parent DUNS ID:072995848
Program:Secure & Trustworthy Cyberspace

Awardee Location

Street:1910 University Drive
City:Boise
State:ID
ZIP:83725-0001
County:Boise
Country:US
Awardee Cong. District:02

Primary Place of Performance

Organization Name:Boise State University
Street:1910 University Dr.
City:Boise
State:ID
ZIP:83725-1135
County:Boise
Country:US
Cong. District:02

Abstract at Time of Award

Attribute-based obligatory access control is a new access control paradigm for achieving fine-grained authorization and assured system accountability. However, access control and obligation policies can be implemented incorrectly for various reasons, such as programming errors and misunderstanding of the policies. It is important to reveal discrepancies between the policy specification and the actual system implementation. The objective of this "Transition To Practice" project is to develop an open source tool for model-based testing of attribute-based access control and obligation policies. It can build test models by integrating attribute-based access control and obligation rules with functional test models, generate test cases from the test models to meet given coverage criteria, and transform model-level test cases into executable code in a target language and test execution environment. The test code can then be executed with the system under test to exercise the access control and obligation policies. The tool is applicable to a great variety of systems due to its support for various programming languages and test execution environments. It is independent of how access control and obligation policies are implemented in the system under test. The broader impacts of this project include deployment of the tool to various academic and industry projects and involvement of students, particularly undergraduate students, in cutting-edge research.

Publications Produced as a Result of this Research

Sung-Ju Fan Chiang, Daniel Chen, Dianxiang Xu "Conformance Testing of Balana: An Open Source Implementation of the XACML3.0 Standard" Proc. of the 28th International Conf. on Software Engineering and Knowledge Engineering (SEKE'16), 2016.

Dianxiang Xu and Shuai Peng "Towards Automatic Repair of Access Control Policies" Proc. of the 14th IEEE Conference on Privacy, Security and Trust (PST'16), 2016, p.485.

Dianxiang Xu, Ning Shen, Yunpeng Zhang "Detecting Incorrect Uses of Combining Algorithms in XACML 3.0 Policies" International Journal of Software Engineering and Knowledge Engineering, v.25, 2015, p.1551.

Dianxiang Xu, Zhenyu Wang, Shuai Peng, Ning Shen "Automated Fault Localization of XACML Policies" Proc. of the 21st ACM Symposium on Access Control Models and Technologies (SACMAT'16), 2016.


Project Outcomes Report

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Attribute-based obligatory access control is a new access control paradigm that can achieve fine-grained authorization and assured system accountability. However, incorrect implementation of access control and obligation policy can lead to serious policy violations, such as unauthorized access and unfulfilled obligations. To reveal the potential discrepancy between the policy specification and the actual system implementation, this project has developed a tool-supported approach to model-based testing of attribute-based access control and obligation policies. This approach can build test models automatically by integrating access control and obligation rules with functional test models, generate test cases from the test models to meet various coverage criteria, and automatically transform model-level test cases into executable test code in a chosen target language and test execution environment, such as Java (JUnit), C# (NUnit), and C/C++. The approach has been implemented in the open source project MISTA (Model-based Integration and System Test Automation). It is the first model-based testing tool for conformance verification of attribute-based access control and obligation policies. To evaluate the proposed approach, we have developed an open source web-based application, GPMS (Grant Proposal Management System), as a complete case study based on XACML. XACML is an industry-standard language for specifying attribute-based access control and obligation policies. GPMS allows an academic institution to manage the internal workflow of grant proposal submissions with fine-grained access control. Our experiment has demonstrated that the proposed model-based testing approach is effective for detecting defects in both XACML policy and policy enforcement code. In addition, this project has investigated methods for coverage-based test generation, fault localization, and automatic repair of XACML policies.
The results of this project have led to 11 papers, including two journal articles, seven conference and workshop publications, and two manuscripts to be submitted for publication. The two open source projects, MISTA and GPMS, are publicly available. MISTA provides a new model-based approach to automated testing of attribute-based access control and obligation policies. GPMS can be used as a benchmark for the research community to investigate and evaluate techniques for quality assurance of access control and obligation policies specified in XACML. GPMS also serves as a real-world system for teaching security courses. This project has involved six undergraduate students in research through a REU supplement and an NSF REU summer program in Software Security. These students included two females, one minority, and three from institutions with limited research resources. In addition, two research associates sponsored by this project have started an academic career in cybersecurity.


Last Modified: 10/31/2017
Modified by: Dianxiang Xu
