Return to search

Verification and test of interoperability security policies

Nowadays, there is an increasing need for interaction in business community. In such context, organizations collaborate with each other in order to achieve a common goal. In such environment, each organization has to design and implement an interoperability security policy. This policy has two objectives: (i) it specifies the information or the resources to be shared during the collaboration and (ii) it define the privileges of the organizations' users. To guarantee a certain level of security, it is mandatory to check whether the organizations' information systems behave as required by the interoperability security policy. In this thesis we propose a method to test the behavior of a system with respect to its interoperability security policies. Our methodology is based on two approaches: active testing approach and passive testing approach. We found that these two approaches are complementary when checking contextual interoperability security policies. Let us mention that a security policy is said to be contextual if the activation of each security rule is constrained with conditions. The active testing consists in generating a set of test cases from a formal model. Thus, we first propose a method to integrate the interoperability security policies in a formal model. This model specifies the functional behavior of an organization. The functional model is represented using the Extended Finite Automata formalism, whereas the interoperability security policies are specified using OrBAC model and its extension O2O. In addition, we propose a model checking based method to check whether the behavior of a model respects some interoperability security policies. To generate the test cases, we used a dedicated tool developed in our department. The tool allows generating abstract test cases expressed in the TTCN notation to facilitate its portability. In passive testing approach, we specify the interoperability policy, that the system under test has to respect, with Linear Temporal logics. We analyze then the collected traces of the system execution in order to deduce a verdict on their conformity with respect to the interoperability policy. Finally, we show the applicability of our methods though a hospital network case study. This application allows to demonstrate the effectiveness and reliability of the proposed approaches

Identiferoai:union.ndltd.org:CCSD/oai:tel.archives-ouvertes.fr:tel-00717602
Date29 May 2012
CreatorsEl Maarabani, Mazen
PublisherInstitut National des Télécommunications
Source SetsCCSD theses-EN-ligne, France
LanguageEnglish
Detected LanguageEnglish
TypePhD thesis

Page generated in 0.0017 seconds