Towards Automatic Repair of Access Control Policies

Document Type

Conference Proceeding

Access control policies written in the XACML standard language tend to be complex due to the great variety of attribute types and operations for fine-grained access control. The complexity not only increases the likelihood of having authorization faults in access control policies, but also makes it challenging to find and fix these faults. This paper presents an approach for automating the process of debugging XACML policies. It consists of two main techniques: fault localization and mutation-based policy repair. Fault localization aims to find the most suspicious policy elements according to the correlation between the execution information of policy elements and the test execution results. Mutation-based policy repair aims to modify the suspicious policy elements by using well-defined mutation operators. Our empirical studies have used a large number of faulty policies with one or two seeded faults. Our approach was able to repair all of them automatically. We have also compared several scoring methods for ranking suspicious policy elements. The results show that Naish2 and CBI-Inc are very efficient for automatic repair.
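The two techniques named in the abstract can be seen on a toy policy in the following added example, which is not the paper's tool or code. It assumes a simplified first-applicable rule list instead of real XACML, treats the rule that fired as the only "executed" element, uses the Naish2 formula as commonly given in the spectrum-based fault localization literature, and uses a single illustrative mutation operator (flipping a rule's effect); all rule names, requests and tests are constructed.

```python
# Simplified first-applicable policy model (assumption), not XACML syntax.
from collections import namedtuple
Rule = namedtuple("Rule", "rid effect cond")
# Constructed policy; R2 carries a seeded fault (its effect should be Deny).
POLICY = [
    Rule("R1", "Permit", lambda q: q["role"] == "admin"),
    Rule("R2", "Permit", lambda q: q["role"] == "guest" and q["action"] == "write"),
    Rule("R3", "Permit", lambda q: q["action"] == "read"),
    Rule("R4", "Deny",   lambda q: True),
]
# Constructed test suite: (request, expected decision).
TESTS = [
    ({"role": "admin", "action": "write"}, "Permit"),
    ({"role": "guest", "action": "write"}, "Deny"),
    ({"role": "guest", "action": "read"},  "Permit"),
    ({"role": "staff", "action": "read"},  "Permit"),
    ({"role": "staff", "action": "write"}, "Deny"),
]

def evaluate(policy, req):
    """Return (decision, id of the rule that fired) under first-applicable."""
    for r in policy:
        if r.cond(req):
            return r.effect, r.rid
    return "NotApplicable", None

def run(policy, tests):
    """Per test: (id of the rule that fired, whether the test passed)."""
    return [(fired, dec == exp) for req, exp in tests for dec, fired in [evaluate(policy, req)]]

def naish2(policy, tests):
    """Rank rule ids by Naish2 suspiciousness: a_ef - a_ep / (a_ep + a_np + 1)."""
    results = run(policy, tests)
    total_pass = sum(ok for _, ok in results)   # equals a_ep + a_np for every rule
    scores = {}
    for r in policy:
        a_ef = sum(1 for f, ok in results if f == r.rid and not ok)  # executed, failed
        a_ep = sum(1 for f, ok in results if f == r.rid and ok)      # executed, passed
        scores[r.rid] = a_ef - a_ep / (total_pass + 1)
    return sorted(scores, key=scores.get, reverse=True), scores

def repair(policy, tests):
    """Apply the flip-effect mutation to rules in suspiciousness order until all tests pass."""
    for rid in naish2(policy, tests)[0]:
        mutant = [r._replace(effect="Deny" if r.effect == "Permit" else "Permit")
                  if r.rid == rid else r for r in policy]
        if all(ok for _, ok in run(mutant, tests)):
            return rid, mutant
    return None, policy
```

Ranking first means the repair loop tries the most suspicious rule before any other, so a good scoring method directly reduces the number of mutants that must be generated and tested.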