Draft 3
Draft 3
the original policy and each mutant policy. Note that if a 2 http://www.eclipse.org/modeling/m2t/
(JET) to generate executable shell scripts and Scheme pro-
grams for each policy under test and its corresponding set Table 1. Policies used in the case-study.
Subject # Set # Policy # Rule # Property
of mutants. The generated scripts pipe a generated Scheme
program to a command-line Scheme interpreter. The out- C ONTINUE - A 111 266 298 9
C ONTINUE - B 111 266 306 9
put of the Scheme interpreter is then piped to a trace file for
S IMPLE -P OLICY 1 2 2 3
further processing. These trace files contain the information
necessary for determining which properties hold and which
properties do not hold for the original policy and each mu-
tant policy. “living” CRE mutant. Each CRE mutant corresponds to a
specific policy rule. When a given rule changes effect (e.g.,
deny to permit), the corresponding property P ri may de-
4.3. Mutant-Killing Determination
tect a semantic change and by definition P ri kills the CRE
mutant. To elicit P ri , we manually inspect the rule’s con-
The next step is to compute the mutant-killing ratio. The text. Let S, O, and A denote the set of subjects, objects,
mutant-killing ratio is the ratio of the number of mutants and actions in a rule, respectively. A rule is in the form
killed to the total number of mutants. This ratio serves as [S ∩O ∩A → Ef f ect] where the effect is either P ermit or
a metric to quantify the quality of a set of properties with Deny. If an effect is P ermit (Deny), we generate a prop-
respect to covering a given policy. A higher mutant-killing erty that a subject S can (cannot) take an action A on re-
ratio indicates the property set interacts with or covers a source O. For a mutant policy, when the effect is changed to
higher number of rules defined in the policy. Deny (P ermit), the property may detect a semantic fault
The trace files generated by the property verification de- in the mutated policy and cover the not-covered rule being
scribed earlier are parsed in order to divide the property set mutated.
into four subsets for each mutant. A property is either true
or false (i.e., the property is satisfied or is not satisfied) with
respect to a given policy. Let P denote the set of all proper- 5. Case Study
ties. Let the set of properties satisfied by the original policy
be denoted by OT and let the set of properties not satisfied
by the original policy be denoted OF . We have applied our mutation verification tool to an ac-
cess control policy for C ONTINUE [15]. C ONTINUE is a
P = OT ∪ OF (1) web-based conference management system that supports
the submission, review, discussion, and notification phases
Similarly, given a mutant policy M , let the set of properties of conferences. The C ONTINUE policy was used as a case
satisfied by the mutant policy be denoted by MT and the set study to explore property verification and change-impact
of properties not satisfied by the mutant policy be denoted analysis for Margrave by Fisler et al. [9]. The conference
MF and by Equation 2 all properties fall into one of these management system itself has been used to manage sev-
sets. eral conferences. Table 1 lists the policies used in our case
P = MT ∪ MF (2) study. Each row corresponds to a policy and Columns 2,
3, and 4 denote the number of P OLICY S ET, P OLICY, and
For our case study described in Section 5, all properties are RULE elements in each policy, respectively. Column 5 de-
intended to be satisfied by the original policy (i.e., holding notes the number of properties used for each policy. We
true). A property that holds true for both the original policy selected these policies in our case study because these poli-
and the mutant policy cannot expose the fault in the mutant cies are available with their formal properties. The S IM -
policy because the property does not apply to the portion of PLE policy was presented in Section 2 and C ONTINUE - A
the policy that contains the fault. On the other hand, if at and C ONTINUE - B are two versions of the C ONTINUE pol-
least one property holds true for the original policy but fails icy. All three policies and property sets are available at the
to hold true for the mutant policy as formalized in Equa- Margrave web site3 .
tion 3, then the mutant is killed.
We divide the case study into two parts: the first part per-
∃p ∈ P : p ∈ OT ∩ MF (3) forms mutation verification with the CRE mutation operator
for property assessment while the second part performs mu-
tation verification with several mutation operators and the
4.4. Property Generation
additional manually specified properties for property aug-
mentation.
To increase property coverage and investigate property
verification, we manually generate additional properties for 3 http://www.cs.brown.edu/research/plt/software/
the number of killed mutants, and the mutant-killing ratio augmented property set Pnew increases mutant-killing ra-
for each policy for both the existing property set P and the tios only in the CRE mutants since the remaining mutants
augmented property set Pnew . Each row of the table cor- cannot be killed. For the C ONTINUE policy, we manually
responds to a particular mutation operator and the column specify six properties and the augmented property set Pnew
groups 1 and 2 correspond to the S IMPLE policy and the kills 78% of the CRE mutants. The two not-covered rules
C ONTINUE policy, respectively. (i.e., “living” CRE mutants) cannot be killed. Pnew also
In the case study, we do not use some mutation operators increases the mutant-killing ratios for other mutation oper-
if they result in equivalent mutants for the given policy or ators.
if the property verification tool cannot handle a particular We observed that some types of mutants cannot be killed
XACML feature. For example, we omit RCT (Rule Condi- with Pnew . For example, PSTT, CPC, and CRC mutants
tion True) and RCF (Rule Condition False) operations since and RTT, RTF, and CRC mutants are not killed. These mu-
the policies do not use that feature of rule conditions due tants may not be semantically equivalent to the original pol-
to a limitation in the current Margrave. In addition, Mar- icy. However, the property set Pnew is not sufficient to kill
grave sometimes reports errors during property verification these mutants.
of some mutants. For instance, some properties require that
certain elements exist in a given policy. Mutation opera- 6. Discussion
tions such as PSTT (Policy Set Target True) may remove
elements that are necessary in order to verify a particular We believe that our approach can be applied to assess
property. These errors correctly indicate semantic faults in the quality of a property set against policies written in lan-
mutant policies and so we consider them killed. guages other than XACML. Previous approaches converted
The PTT (Policy Target True) and PTF (Policy Target policies in one language (such as XACML) to other lan-
False) operators delete or modify the top-level policy ele- guages (such as Alloy [12], RW [23], and Description Log-
ment in the S IMPLE policy effectively; these operators re- ics [14]) that are equipped with verification tools. As our
move one of the two rules resulting in drastic semantic dif- approach requires property verification (against a policy and
ferences that are immediately detected by the both P and its mutants) provided by these verification tools, such con-
Pnew . On the other hand, the CPC (Change Policy Combin- version enables our approach to also be applicable to poli-
ing Algorithm) and CRC (Change Rule Combining Algo- cies languages other than XACML and with verification
rithm) mutation operators generate equivalent mutants (i.e., tools other than Margrave.
mutants that are semantically equivalent to the original pol- Our approach to mutation verification provides a qual-
icy) that cannot be killed. For the C ONTINUE policy, the ity assessment of a property set for a policy. If a property
CRC generates equivalent mutants. Such semantic equiv- set achieves a mutant-killing ratio of 100%, can we say that
alent mutants are detected and not considered in our case the property set is exhaustive or complete? This situation is
study. similar to statement coverage in software testing. If a test
Table 3 shows that the existing property set P can kill suite achieves 100% statement coverage for a given pro-
50% and 11% of CRE mutants in S IMPLE and C ONTINUE gram, can we say the test suite can detect all faults in the
policies, respectively. By manually specifying a property program? The answer, of course, is absolutely not. While
that mirrors the not-covered rule for the S IMPLE policy, mutation verification serves as a quality assessment for a
we can kill all CRE mutant policies. As expected, the property set and, with the CRE mutation operator, identifies
which properties interact with which rules in the policy, it oped the FIREMAN tool to detect misconfiguration of fire-
may not consider more abstract, generic properties. For ex- wall policies.
ample, P r1 of the illustrative example in Section 2 ensures There are also several verification tools available for
that a student cannot assign grades. While this property is XACML policies [1]. Hughes and Bultan [11] translated
an intuitive one of the problem domain, it is not explicitly XACML policies to the Alloy language [12], and checked
expressed in the policy itself. This particular policy con- their properties using the Alloy Analyzer. Schaad and Mof-
tains only rules that allow access whereas this property is fett [19] also leverage Alloy to check that role-based access
concerned with denying access. The fact that this property control policies do not allow roles to be assigned to users
does not interact with the rules in the policy does not im- in ways that violate separation-of-duty constraints. Zhang
ply that it is not needed. A better example is discussed in et al. [24] developed a model-checking algorithm and tool
Section 5 where a property serves as more of the best prac- support to evaluate access control policies written in RW
tice that is not related to the problem domain of the access languages, which can be converted to XACML [23]. Ko-
control. laczek [13] proposes to translate role-based access control
Future work shall investigate a means of automatically policies into Prolog for verification. Kolovski et al. [14] for-
generating various types of properties to cover more rules malize XACML policies with description logics (DL), which
and entities in an access control policy. In our case study, are a decidable fragment of the first-order logic, and exploit
we manually generated properties to cover not-covered existing DL verifiers to conduct policy verification. Fisler
rules based on the mutation verification results for the CRE et al. [9] developed Margrave, which can verify XACML
mutation operator. As we extracted these properties from policies against properties, if properties are specified, and
(explicitly expressed) not-covered rules, each of the proper- perform change-impact analysis on two versions of poli-
ties is specifically effective to kill the (previously un-killed) cies when properties are not specified. When Margrave de-
rule. But these properties may not kill other mutants. As tects property violations during policy verification, it auto-
existing properties often describe more general behaviors matically generates concrete counterexamples in the form
of a policy, further exploration of mutation operators for of specific requests that illustrate violations of the speci-
mutation verification is needed to investigate how to reflect fied properties. Similarly, when Margrave detects semantic
relevant properties (that are not necessarily specified in the differences during change-impact analysis, it automatically
policy itself) in the mutation verification process. generates specific requests that reveal semantic differences
between two versions of a policy. Most of these approaches
7. Related Work require user-specified properties to be verified. Our new ap-
proach complements these existing policy verification ap-
To the best of our knowledge, no metric has been de- proaches because our approach helps assess the quality of
fined to quantify the coverage of a policy or model by some the properties during policy verification.
property set. Our related previous approach on policy mu- Our previous work [16] proposed an approach to policy
tation testing [17] defined a fault model and corresponding property inference via machine learning. Such properties
automated mutator in order to quickly assess the quality of are often not available in practice and their elicitation is a
a test suite; the assessment results can be further used to challenging and tedious task. Furthermore, once proper-
assess test-generation and test-selection techniques in terms ties are defined, it is difficult to assess their effectiveness
of fault-detection capability. Such policy mutation testing is and identify potential problematic areas that need improve-
related to the approach proposed by Ammann et al. [3] that ment. Our mutation verification approach intends to help al-
mutates a model (corresponding to a policy in our work) leviate that challenge. Our implementation leverages Mar-
and then uses the model mutants to assess the quality of a grave’s property verification feature to verify mutant poli-
test suite. Our new approach leverages a variation of an au- cies against properties.
tomated mutator [17] in our implementation of the mutation Although various coverage criteria [25] for software pro-
verification approach. However, different from these previ- grams exist, only recently have coverage criteria for access
ous approaches on assessing the quality of a test suite, our control policies been proposed [18]. Policy coverage crite-
new approach focuses on assessing the quality of a property ria are needed to measure how well policies are tested and
set based on mutating a policy. which parts of the policies are not covered by the existing
To help ensure the correctness of policy specifications, test inputs. Martin et al. [18] defined policy coverage and
researchers and practitioners have developed formal verifi- developed a policy coverage measurement tool. Because it
cation tools for policies. Several policy verification tools is tedious for developers to manually generate test inputs
are developed specifically for firewall policies. Al-Shaer for policies, and manually generated test inputs are often
and Hamed [2] developed the Firewall Policy Advisor to not sufficient for achieving high policy coverage, they de-
classify and detect policy anomalies. Yuan et al. [22] devel- veloped several test generation techniques. Different from
these policy testing approaches, our new approach focuses [7] R. A. DeMillo, R. J. Lipton, and F. G. Sayward. Hints on test
on assessing the quality of properties in policy verification. data selection: Help for the practicing programmer. IEEE
Computer, 11(4):34–41, April 1978.
[8] D. F. Ferraiolo, D. R. Kuhn, and R. Chandramouli. Role-
8. Conclusion Based Access Control. Artech House, Inc., 2003.
[9] K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C.
The need for carefully controlling access to sensitive Tschantz. Verification and change-impact analysis of
information is increasing as the amount and availability access-control policies. In Proc. ICSE, pages 196–205,
of data are growing. In order to separate the semantics 2005.
of access control from the system itself, policy authors [10] G. Fraser and F. Wotawa. Using model-checkers for
mutation-based test-case generation, coverage analysis and
increasingly specify access control policies in declarative
specification analysis. In Proc. ICSEA, pages 16–21, 2006.
languages such as XACML. Doing so facilitates managing, [11] G. Hughes and T. Bultan. Automated verification of access
maintaining, and analyzing policies. To increase confidence control policies. Technical Report 2004-22, Department of
in the correctness of specified policies, policy authors can Computer Science, University of California, Santa Barbara,
formally verify policies against a property set. Policy veri- 2004.
fication is an important technique for high assurance of the [12] D. Jackson, I. Shlyakhter, and M. Sridharan. A micromodu-
correct specification of access control policies. Since the ef- larity mechanism. In Proc. ESEC/FSE, pages 62–73, 2001.
fectiveness of the verification process is directly dependent [13] G. Kolaczek. Specification and verification of constraints in
on the quality of the properties, we have proposed a novel role based access control for enterprise security system. In
approach called mutation verification to assess the quality Proc. WETICE, pages 190–195, 2003.
[14] V. Kolovski, J. Hendler, and B. Parsia. Analyzing web ac-
of a property set in verification of access control policies.
cess control policies. In Proc. WWW, pages 677–686, 2007.
We have implemented a tool for the approach being applied [15] S. Krishnamurthi. The CONTINUE server (or, how i admin-
on XACML policies. We applied our mutation verification istered PADL 2002 and 2003). In Proc. PADL, pages 2–16,
tool to policies and properties from a real-world software 2003.
system. Our experiences show that the performance of the [16] E. Martin and T. Xie. Inferring access-control policy proper-
property verification is encouraging and mutation verifica- ties via machine learning. In Proc. POLICY, pages 235–238,
tion can scale to sufficiently large access control policies. 2006.
Furthermore, mutation verification is a complementary ap- [17] E. Martin and T. Xie. A fault model and mutation testing
proach to property verification by aiding in the elicitation of of access control policies. In Proc. WWW, pages 667–676,
2007.
properties.
[18] E. Martin, T. Xie, and T. Yu. Defining and measuring policy
coverage in testing access control policies. In Proc. ICICS,
Acknowledgment pages 139–158, 2006.
[19] A. Schaad and J. D. Moffett. A lightweight approach to
specification and analysis of role-based access control ex-
This work is supported in part by NSF grant CNS-
tensions. In Proc. SACMAT, pages 13–22, 2002.
0716579 and its NIST supplement. [20] F. Somenzi. CUDD: CU Decision Diagram Package.
http://vlsi.colorado.edu/˜fabio/CUDD/.
References [21] Y. L. Traon, T. Mouelhi, and B. Baudry. Testing security
policies: Going beyond functional testing. In Proc. ISSRE,
[1] OASIS eXtensible Access Control Markup Language pages 93–102, 2007.
(XACML). http://www.oasis-open.org/ [22] L. Yuan, J. Mai, Z. Su, H. Chen, C.-N. Chuah, and P. Mo-
committees/xacml/, 2005. hapatra. FIREMAN: A toolkit for FIREwall Modeling and
[2] E. Al-Shaer and H. Hamed. Discovery of policy anomalies ANalysis. In Proc. S&P, pages 199–213, May 2006.
in distributed firewalls. In Proc. INFOCOM, pages 2605– [23] N. Zhang, M. Ryan, and D. P. Guelev. Synthesising verified
2616, 2004. access control systems in XACML. In Proc. FMSE, pages
[3] P. Ammann and P. E. Black. A specification-based coverage 56–65, 2004.
metric to evaluate test sets. In Proc. HASE, pages 239–248, [24] N. Zhang, M. Ryan, and D. P. Guelev. Evaluating access
1999. control policies through model checking. In Proc. InfoSec,
[4] P. E. Ammann, P. E. Black, and W. Majurski. Using model pages 446–460, 2005.
checking to generate tests from specifications. In Proc. [25] H. Zhu, P. A. V. Hall, and J. H. R. May. Software unit test
ICFEM, pages 46–54, 1998. coverage and adequacy. ACM Comput. Surv., 29(4):366–
[5] T. A. Budd and A. S. Gopal. Program testing by specifica- 427, 1997.
tion mutation. Computer Languages, 10(1):63–73, 1985.
[6] N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The Pon-
der policy specification language. In Proc. POLICY, pages
18–38, 2001.