Attributed-based obligatory access control is a new access control paradigm for achieving fine-grained authorization and assured system accountability. However, access control and obligation policies can be implemented incorrectly for various reasons, such as programming errors and misunderstanding about the policies. It is important to reveal discrepancy between the policy specification and the actual system implementation. The objective of this ?Transition To Practice? project is to develop an open source tool for model-based testing of attribute-based access control and obligation policies. It can build test models by integrating attribute-based access control and obligation rules with functional test models, generate test cases from the test models to meet given coverage criteria, and transform model-level test cases into executable code in a target language and test execution environment. The test code can then be executed with the system under test to exercise the access control and obligation policies. The tool is applicable to a great variety of systems due to the support for various programming languages and test execution environments. It is independent of how access control and obligation policies are implemented in the system under test. The broader impacts of this project include deployment of the tool to various academic and industry projects and involvement of students, particularly undergraduate students, in cutting-edge research.
