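Obligation
Privilege (computing)
Computer science
Harm
Computer security
Confidentiality
Access control
Generality
Authorization
Law
Political science
Psychology
Psychotherapist
Authors
Erzhuo Chen, Vladislav Dubrovenski, Dianxiang Xu
Identifier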
DOI:10.1145/3589608.3593832
Abstract
The administrative obligation is a unique feature of Next Generation Access Control (NGAC), a standard for implementing fine-grained attribute-based access control. It provides a programming mechanism for run-time privilege changes by attaching administrative operations to authorized access events. However, dynamic privilege change raises a major concern because the application of NGAC has the potential of "grave harm to the authorization state through error or intent." It is important to reveal potential obligation errors that lead to incorrect privileges and privilege changes. To address this issue, this paper presents a family of coverage-based test generation methods for the obligations in NGAC applications. These methods can generate obligation tests to achieve the corresponding coverage criterion (obligation coverage, action coverage, decision coverage, or factor decision coverage). Each test consists of a sequence of obligation-triggering access events. We have applied the proposed methods to three NGAC applications. The experiment results demonstrate that they have different levels of fault-detection capability and cost-effectiveness.