Testing Access Control Policy through Change Rule and Swap Rule Algorithm (CRSR)

Abstract

We propose an algorithm for generating mutant policies based on XACML Context Schema, known as Change Rule and Swap Rule Algorithm (CRSR). Compared to other testing techniques and tools for testing access control policies, where policy set or policy is evaluated first, our algorithm focuses on the rule and target of a policy set or policy. Our approach represents policy as a vector of bits. A boolean variable 1 represents the applicability of a policy to a request and a boolean variable 0 represents the non-applicability of a policy to a request. Correct policy evaluates to 1: indicating that all the elements, attributes ID and their values are correct. This is done using the XACML Context Schema for a policy and request. We identify and extract the rule and target from the policy and generate request by applying the proposed algorithm. The rule and target are evaluated first on the assumption that policy set specifies what policies may be applicable to a request, while a policy specifies the rules that are required for a policy to be applicable to a request. Mutants generated based on XACML Context Schema for policies using the proposed a