Arid
Improving the Quality of Security Policies
Hwang, JeeHyun
Publication year: 2014
Degree type: Doctoral
Advisor: Williams, Laurie A.
Degree-granting institution: North Carolina State University
English abstract:
Systems such as web applications, database systems, and cloud services regulate users’ access control to sensitive resources based on security policies. Organizations often manage security policies in an ad-hoc and inconsistent manner due to a lack of budget, resources, and staff. This management could cause crucial security problems such as unauthorized access to sensitive resources. A security policy is a set of restrictions and properties that specify how a computing system prevents information and computing resources from being used in violation of an organization’s security laws, rules, and practices. In computer systems, security policies are enforced to ensure correct functioning of access control such as “who” (e.g., authorized users or processes) can perform actions under “what” conditions.

Policy authors may follow common patterns in specifying and maintaining security policies. Researchers applied data mining techniques for deriving (implicit) patterns such as a group of users (i.e., roles in RBAC policies) who have the same access permissions. Policy authors reuse common patterns to reduce mistakes. Anomalies of those patterns are candidates for inspection to determine whether these anomalies expose faults. Faults (i.e., misconfigurations) in security policies could result in tragic consequences, such as disallowing an authorized user to access her/his resources and allowing malicious users to access critical resources. Therefore, to improve the quality of security policies in terms of policy correctness, policy authors must conduct rigorous testing and verification during the testing and maintenance phases of the software development process. However, manual test-input generation and verification is an error-prone, time-consuming, and tedious task. In this dissertation, we propose approaches that help improve the quality of security policies automatically.

Our research goal is to help policy authors through automated pattern mining and testing techniques in the efficient detection and removal of faults. This dissertation is comprised of three research projects where each project focuses on a specific software engineering task. The three research projects are as follows:

Pattern Mining. We present an approach to mine patterns from security policies used in open source software products. Our approach applies data mining techniques on policy evolution and specification data of those security policies to identify common patterns, which represent usage of security policies. Our approach uses mined patterns as policy specification rules and detects faults in security policies under analysis as deviations from the mined patterns.

Automated Test Generation. We present a systematic structural testing approach for security policies. Our approach is based on the concept of policy coverage, which helps test a policy’s structural entities (i.e., rules, predicates, and clauses) to check whether each entity is specified correctly. Our approach analyzes security policies under test and generates test cases automatically to achieve high structural coverage. These test cases can achieve high fault-detection capability (i.e., detecting faults).

Automated Test Selection for Regression Testing. We present a safe-test-selection approach for regression testing of security policies. Among given initial test cases in access control systems under test, our approach selects and executes only test cases that could expose different policy behaviors across multiple versions of security policies. Our approach helps detect unexpected policy behaviors (i.e., regression faults) caused by policy changes efficiently.

These three research projects have resulted in the following contributions:
• Patterns characterizing correlations of attributes in security policies help detect faults.
• Structural coverage for security policies is closely related to fault-detection capability. An original set of test cases with higher structural coverage often achieves higher fault-detection capability. Furthermore, its reduced set of test cases, while maintaining the same structural coverage, achieves fault-detection capability similar to that of the original set.
• A substantial number of test cases for regression testing can be reduced to help improve performance.
English keywords: Access control policy; Firewall policy; Policy testing; Quality improvement; Security policy; Test generation
Language: English
Country: United States
Source subject classification: Computer science
URL: https://pqdtopen.proquest.com/doc/1554330782.html?FMT=AI
Source institution: North Carolina State University
Resource type: Dissertation
Item identifier: http://119.78.100.177/qdio/handle/2XILL650/248163
Recommended citation
GB/T 7714
Hwang, JeeHyun. Improving the Quality of Security Policies[D]. North Carolina State University, 2014.