Automated Fault Localization of XACML Policies

Document Type


Publication Date




Access control policies in distributed systems, particularly implemented in the XACML standard language, are increasingly complex. Faults may exist in complex policies for various reasons such as misunderstanding of the access control requirements, omissions, and coding errors. These faults, if not removed before deployment, may lead to unauthorized accesses or denial of service. Manual localization of these faults, however, can be a challenging task. Inspired by spectrum-based fault localization for software debugging, this paper presents an approach for automatically localizing the fault(s) in a given XACML policy by exploring test coverage information of the policy elements. We investigate two test coverage criteria (i.e., reachability and firing) of policy elements and 14 scoring methods for ranking policy elements to determine the fault location(s). To evaluate the fault localization methods, we have used real-world policy files with different levels of complexity and a large number of policy mutants with one or two seeded faults. The experiment results show that the firing-based Naish2 and CBI-Inc methods are effective in fault localization of XACML policies.