A Formal Validation Approach for XACML 3.0 Access Control Policy

Access control systems represent a security mechanism to regulate the access to system resources, and XACML is the standard language for specifying, storing and deploying access control policies. The verbosity and complexity of XACML syntax as well as the natural language semantics provided by the standard make the verification and testing of these policies difficult and error-prone. In the literature, analysis techniques and access control languages formalizations are provided for verifiability and testability purposes. This paper provides three contributions: it provides a comprehensive formal specification of XACML 3.0 policy elements; it leverages the existing policy coverage criteria to be suitable for XACML 3.0; and it introduces a new set of coverage criteria to better focus the testing activities on the peculiarities of XACML 3.0. The application of the proposed coverage criteria to a policy example is described, and hints for future research directions are discussed.


Introduction
Security is a challenging issue in modern networked systems where a huge amount of data are managed and exchanged in everyday life. In particular, the privacy and confidentiality attributes of personal and critical data require adequate security mechanisms to be put in place [1]. In this context, access control systems represent an important component for the overall security because they are able to mediate all requests of access. This ensures the protection of data and assures that only the intended, i.e., authorized users can access them. In particular, specific rules can be defined for establishing under which conditions a subject's access request to a resource can be permitted or denied.
In this context, attribute-based access control (ABAC) [2] systems are the adopted means for enhancing a fine-grained access control. ABAC relies on the combination of various attributes of authorization elements into access control decisions. In the literature, there are several languages for specifying access control policies [3], and among them, the OASIS eXtensible Access Control Markup Language (XACML) [4] is the most commonly used standard in many real-world systems for defining ABAC policies in the XML-based syntax. The XACML language is also widely used to guarantee access control decisions for the distributed Internet of Things (IoT) environments [5,6].
The management of real access control policies is in practice difficult and errorprone [7] due to the verbosity and complexity of the XACML syntax. Faults in the access control policies are very critical because they could open the path to security flaws: either denying accesses that should be authorized or allowing accesses to non-authorized users.
Thus, verification and validation become key issues for XACML policies specification and their implementation [8].
However, in the literature, the commonly available test cases' generation approaches for XACML policies leverage combinatorial methodologies [9][10][11][12]. With the adoption of these methodologies, the generated number of test cases rapidly grows according to the policy complexity.
The execution of a large number of test cases can drastically increase the cost and effort of the testing phase especially for what concerns the oracle definition, i.e., checking the test results and deciding whether they are correct or not.
In practice, in the context of access control systems, except for some attempts to automatically derive the oracle from the XACML policy model [13], this oracle derivation is usually performed manually, because the complexity of the XACML language makes the use of automated support very difficult. Given the real constraints on testing budget, a key issue in the testing of XACML policies is to reduce as much as possible the number of tests to be executed while trying to maximize the fault detection effectiveness of the reduced test suite.
The main goal of this paper is to address this specific issue by proposing some testing coverage criteria specifically conceived on the peculiarities of the XACML 3.0 language that is the current standard language for access control policies definition. To define these XACML 3.0-based coverage criteria, we first provide a formal definition of the main elements of the XACML 3.0 language. The proposed XACML 3.0-based coverage criteria will guide the testing activities and enhance the trustworthiness of XACML-based access control systems.
As stated in the literature, coverage information can provide an indication of the effectiveness of the executed test cases and can guide the generation of test cases [14]. However, some empirical results [15] show that the performance of the reduced test suite could vary according to the considered program and the adopted coverage criterion.
In this paper, we provide some examples of how the proposed coverage criteria could be useful in addressing problems and inconsistencies in policy specification. In particular, we start from a formal definition of XACML syntax and semantics, and then, we show its use for enabling the understanding of XACML standard intentions and allow rigorous analysis techniques for verifiability and testability purposes.
Some attempts to provide formal reasoning techniques for the analysis and verification of policies have been provided [16][17][18][19][20]. They mainly focus on specific aspects of the language or design new expressive languages whose formal foundations enable toolsupported analysis and enforcement of access control policies.
In this paper, starting from the work of [16], we refine the definition of the abstract syntax and semantics of XACML 3.0 standard. According to this formal definition, we define a formal specification of the coverage process of the elements of the XACML policy and provide some coverage criteria that is useful to assess the XACML policy.
In particular, we select as the specification language the abstract syntax of the Context Free Grammar (CFG) [21], because it provides a precise mathematical definition that clearly rules out the XACML language. Additionally, the formalization provided by the CFG is a machine readable specification, which can be easily implemented in an automatic way.
Summarizing, the main contributions of this paper are: (i) to derive a rigorous formalization of XACML 3.0 standard leveraging context-free grammar [21], extending and revising the proposal of [16], and (ii) to formally define some policy coverage criteria for XACML 3.0 policy testing.
We also discuss possible ways to adopt the defined coverage criteria for improving the verifiability and testability of the policy such as: (i) the derivation of XACML requests according to the defined coverage criteria; (ii) the reduction (or selection) of a given test suite according to defined coverage criteria and its effect on fault detection; (iii) finally, the coverage measurement of the XACML policy in order to detect uncovered or redundant parts of the policy as well as guide the development of further test cases, which can improve the quality of policy testing.
The remainder of this paper is organized as follows. Section 2 introduces the XACML language. Section 3 presents the related work. Section 4 presents the formalization of XACML 3.0 policy elements, while Section 5 presents the formalization of the XACML request. Section 6 presents the coverage definition of XACML 3.0 policy elements, whereas Section 7 shows the definition of some coverage criteria and their application to a policy example. Finally, Section 8 concludes the paper, also hinting at future work.
2. Access Control Policies in XACML 3.0 XACML 3.0 language is a de facto standardized specification language for ruling the system access in an XML format. It relies on two main concepts: the XACML policy used for modeling the access requirements of a protected system; and the XACML request used for requiring the access to a protected resource. In the access control system, the request is evaluated against the policy to allow (or deny) the access to the resource. In the following, more details about these two concepts are provided.
An XACML policy is characterized by a tree structure having as its root the PolicySet and as children one (or more) PolicySet(s) or Policy elements. The latter includes: a Target, which specifies the execution constraints in terms of the subjects, resources, actions, and environments on which the policy can be applied; and a set of rules having also in turn a target, a condition and a rule-combining algorithm. Usually, the target is represented by a conjunctive sequence of AnyOf clauses. In particular, each AnyOf clause is a disjunctive sequence of AllOf clauses, and each AllOf clause is a conjunctive sequence of match predicates, and each match predicate compares attribute values in a request with the policy attributes. Both match predicates and rule conditions use different logical expressions and a variety of predefined functions and data types on subject, resource, action, and environment.
Only when a request satisfies the target of the PolicySet or Policy, the associated set of rules can be evaluated; otherwise, it is skipped.
Considering in detail the structure of a rule, its main elements are: the Target and the Condition, i.e., a set of Boolean functions used for establishing when the request is applicable to the rule. In this last case, the outcome of the rule is the rule effect (Permit or Deny). If the request is not applicable to the rule, the evaluation outcome is NotApplicable or Indeterminate in case of error.
The combining algorithms (either the PolicyCombiningAlgorithm or RuleCombiningAlgorithm) define how to combine the evaluation results in order to provide a unique evaluation outcome (access result). As an example, the deny-overrides algorithm establishes that Deny takes the precedence regardless of any other rules evaluation. Therefore, it will return Deny if there is a rule that is evaluated to Deny. It will return Permit if there is at least a rule that is evaluated to Permit, and all the other rules are evaluated to NotApplicable. Alternatively, an Indeterminate result is provided as the outcome if there is an error in the evaluation of a rule with the Deny effect, and the other policy rules with the Deny effect are not applicable.
Similarly, the first-applicable algorithm forces the rules evaluation in the order in which they are listed in the policy. The final outcome will be the effect of the first applicable rule (i.e., Permit or Deny). In all the cases, if the evaluation of the rule target (or the rule condition) is False, the next rule in the order will be evaluated until no further rule in the order exists, and the final NotApplicable result is provided.
For the evaluation, all attribute and element values describing the subject, resource, action, and environment of an access request are considered and compared with the attribute and element values of the policy.
The above-described access control mechanism relies on the standardized access control system architecture represented in Figure 1

Related Work
This work spans over two main research directions: XACML formalization (Section 3.1) and coverage criteria for testing purposes (Section 3.2). Moreover, in Section 3.3, the specific advancements of our work with respect to the SotA are presented.

XACML Formalization
Access control languages formalization has recently been the subject of extensive research, and several attempts have been provided to analyze and formalize XACML policies.
Margrave is a popular propositional logic analysis tool for XACML policy verification [22]. Logic programming systems and description logics (DL) have been used to model XACML policy constraints and roles hierarchies [23,24]. Specifically, the work in [24] extends the analysis services offered by Margrave leveraging full First-Order logic XACML analysis tools (such as Alloy [25]). It is able to cover the analysis of role hierarchies and role cardinality as well as analysis of policy redundancy.
Bryans explores the use of process algebra for formalizing and analyzing XACML language, presenting the core concepts of XACML using Communicating Sequential Processes (CSP) [26]. Other woks propose different formalization approaches for capturing the semantics of XACML constructs [27][28][29] and specifying an access control meta-model to derive access control policies or rule-based policies [30][31][32].
Other approaches to enable the automated verification of access control policies rely on SAT solver. Specifically, the authors of [33] present a formal model defining the semantics of the XACML access control language; then, they define ordering relations on access control policies that are used to automatically verify properties of the policies by translating them to boolean satisfiability problems and then applying a sat solver.
Masi et al. in [17] define a formal expressive access control policy language denoted as FACPL, supporting automated specification, analysis, and the enforcement of access control policies. It refines and extends XACML language and relies on a rigorously defined denotational semantics that allows for the management of missing attributes and formalization of combining algorithms. For enabling automated policies analysis, they introduce a constraint formalism based on Satisfiability Modulo Theories (SMT) formulae, which has been proven to be more effective than other ones, such as decision diagrams or description logic.
A more recent work [13] aims to formalize XACML policies by using a typed graph, called the XAC-Graph. Then, this XAC-Graph is used for both XACML requests generation and automated model-based oracle derivation.
Finally, the work in [16] differently from the previous approaches focuses on the last standard version of XACML that is XACML 3.0 and provides a formally defined semantics for XACML 3.0 components evaluation and standard combining operators, proposing new directions for the XACML standard extension.
Our proposal revises and extends the work of [16], proving a complete definition of the abstract syntax and semantics of XACML 3.0 standard, leveraging context-free grammars. Moreover, differently from all the mentioned formalization approaches, our work focuses more on policy testing than the verification of policies properties. For this, we use the proposed formalization to define some policy coverage criteria that can enhance the effectiveness of policy testing activity.

Coverage-Based Policy Testing
Coverage metrics represent an effective way to assess the test quality and compare different testing solutions. The aim of adequacy criteria is to evaluate a specific testing strategy by measuring the percentage of the exercised elements in the program or in its specification.
In the literature, test coverage is adopted for different purposes: (i) enhancing the test suite with additional test cases in order to exercise elements that have not been tested; (ii) test set augmentation and test set minimization in the context of regression testing [34]; (iii) selection of test cases and evaluation of test cases effectiveness [35]; (iv) test cases prioritization [36], aiming to reorder test cases so that the tests with a higher priority can be executed before those with a lower priority; and finally, (v) software maintenance [34]. The authors of [34] propose a systematic survey of coverage-based testing, whereas the work in [37] focuses on coverage criteria for state-based testing.
Many solutions for test coverage measurement and analysis have been proposed. They are based on the adopted policy specification language. The work in [38] provides a first attempt of coverage criterion for XACML policies. It defines three different structural coverage metrics able to reduce the generated test sets and validates the effects of this test's reduction in terms of fault detection.
An extension of the coverage solution presented in [38] is proposed in [39]. This work defines an XACML-based smart coverage selection approach that focuses on the policy rules coverage and provides a formalization of the proposed coverage criterion relying on the Rule Target Set concept, i.e., the union of the target of the rule, and all enclosing policy and policy sets targets. The main concept of the proposed criterion is that in order to match the rule target, the requests must first match the enclosing policy and policy sets targets.
Cirg (Change-Impact Request Generation) [40] is for instance a framework able to generate access requests through the change-impact analysis of two synthesized versions of an XACML policy and allows a reduction of the number of tests based on policy structural coverage. The work in [41] leverages mutation analysis and coverage analysis to perform regression testing of security policies.
More recently, in [12], a family of coverage criteria for XACML policies, including Modified Condition/Decision Coverage (MC/DC), has been presented and evaluated through mutation analysis in order to establish the most effective one in terms of fault detection. In [42], a proposal for the continuous tracing of policy execution and corresponding coverage criteria has been presented in order to detect inconsistencies in the policy specification and provide support for policies updates if new events occur.
Differently from previous solutions, our proposal provides a rigorous formalization of coverage of XACML 3.0 elements and formally specifies four additional coverage criteria specifically conceived for XACML 3.0 policy testing purposes.

SotA Advancements
In order to clarify the position of our paper with respect to the State of the Art, we report the analysis of the related works in the last 10 years in Table 1. In particular, in the first column, we provide the reference of the paper and the publication year; in the column labeled Paper contribution, we summarize the main contribution of the considered related work; in the column labeled Language/Formalism, we report the target specification language; in the columns labeled Access control formalization and Coverage metrics/ measures, we specify if the paper focuses on the formalization or on the coverage metrics and measures, respectively. Finally, in the last column labeled Our advancement with respect to SotA, we provide the advancements of our paper with respect to the considered related work. In the last row of the table, we provide the classification of our contribution.
As shown in the table, most of the related works focus on the possible formalization of the access control policy and its constructs either considering XACML or ABAC/R-BAC specification language. Coverage criteria and metrics have been rarely analyzed or improved during these last 10 years.
As evidenced by the table, the related works are strictly divided into two categories: either they focus on the formalization or they provide coverage criteria. To the best of our knowledge, as evidenced in the last row of the table, our paper is the first attempt to combine the two categories with the purpose of providing a comprehensive process useful for both developers and testers.

Formalization of Primary XACML 3.0 Elements
In this section, we provide the formalization of the XACML standard for describing security access control policies. Starting from the seminal work of [16], we provide here the definition of the abstract syntax of XACML 3.0 standard (Section 4.1), the specification of the XACML grammar (Section 4.2), and an example of policy formalization (Section 4.3).

XACML 3.0 Primary Elements
In this section, we introduce the alphabet of the grammar we use to describe the structure of an XACML access control policy. In particular, we extend and revise the XACML syntax introduced in [16], so to better represent the coverage concepts of this paper. For aim of completeness, we report in Table 2 the symbols we use in this paper for the definition of the grammar. Resource's attribute Syntactic category ⊂ E X category for producing only expressions that obtain a boolean result A Apply element E X Expression element E X f un Syntactic category ⊂ E X category for producing only expressions that are functions F un Function element E f f ect Effect that can be p ermit or d eny An initial formalization of the syntactical categories is the one illustrated in Table 3. It focuses on the syntactical sets that can be identified in an XACML access control specification and uses the Kleene star operator for deciding whether a string belongs to a grammar or not.
According to this formalization, given a policy P having a set of n rules R = {R 1 , . . . , R n }, and a Policy target T P possibly empty, the Boolean satisfiability (SAT) of the policy can be defined as: In the similar way, the Boolean satisfiability (SAT) of each of the policy rules, generically indicated with R, can be defined as:

XACML 3.0 Grammar
Formally, a context-free grammar [21] is defined by a quadruple: Λ is the set of symbols, called alphabet; -V is the finite set of the syntactical categories; -S is the main syntactical category; -P is the set of all productions, where each production, in the case of context-free grammars (which is the one we need for XACML 3.0) is a finite relation: where A ∈ V, α ∈ (Λ ∪ V) * (the asterisk represents the Kleene star). Applying the above definition to the XACML 3.0 access control language, we have: the set Λ is a subset of all the possible elements of the XACML 3.0, and it is defined as The main syntactical category S is defined as: The set of all productions P is defined in Table 4.
→ s tring e qual | s tring g reater t han | s tring l ess t han | s tring g reater t han o r e qual | s tring l ess t han o r e qual i nteger e qual | i nteger g reater t han | i nteger l ess t han | i nteger g reater t han o r e qual | i integer l ess t han o r e qual E ffect → p ermit | d eny }

Example of Policy and Its Formalization
In this section, we provide an example of policy representation through the grammar introduced in the previous section. The sample policy considered is shown in Listing 1. In this case, starting from S = {P S}, the policy can be expressed by the following production: 1-160 In Listing 1, the PolicySet element contains: two Policy elements (Policy1 and Policy2 at line 30 and line 96 of Listing 1 respectively), the declaration of the policy-combining algorithm considered that in this case is first applicable (line 8), and a policy set Target element (lines 12-29 of Listing 1) that specifies that the subject element must be an integer less than 15. This can be expressed as: i nteger l ess t han a v a s F irst A pplicable P 1 P 2 i nteger l ess t han a v a s F irst A pplicable P 1 P 2 30-95 Each of the policies in the policy set has in turn a Target element and a Rule element. In particular, Policy1 specifies that the rule-combining algorithm considered is first applicable (line 32), the policy Target element (lines 39-56 of listing 1) specifies that the subject element must be equal to the integer 10. This can be expressed as: . This can be expressed as: D eny F un a v A ttr C hoice C → D eny i nteger g reater t han a v a d C → D eny i nteger g reater t han a v a d E X bool → D eny i nteger g reater t han a v a d A → D eny i nteger g reater t han a v a d A E X → D eny i nteger g reater t han a v a d A E X a d → D eny i nteger g reater t han a v a d E X fun a v a d → D eny i nteger g reater t han a v a d i nteger g reater t han a v a d D eny i nteger g reater t han a v a d i nteger g reater t han a v a d 96-159 Similarly, Policy2 specifies that the rule-combining algorithm considered is first applicable (line 97), whereas the Target element (lines 104-121 of Listing 1) specifies that the subject element must be less than the integer 9 and there is a Rule element. This can be expressed as: F irst A pplicable i nteger l ess t han a v a s R 2 F irst A pplicable i nteger l ess t han a v a s R 2 122-158 The Rule2 element returns the Permit effect (line 123) in case: (i) the subject element is less than 7 as declared in the rule Target (lines 124-142 of Listing 1) and (ii) the subject element is less than 3 as declared in the rule Condition (lines 143-157 of Listing 1). This can be expressed as: P ermit F un a v A ttr C hoice C → P ermit i nteger l ess t han a v a d C → P ermit i nteger l ess t han a v a d E X bool → P ermit i nteger l ess t han a v a d A → P ermit i nteger l ess t han a v a d A E X → P ermit i nteger l ess t han a v a d A E X a v → P ermit i nteger l ess t han a v a d E X fun a d a v → P ermit i nteger l ess t han a v a d i nteger l ess t han a d a v P ermit i nteger l ess t han a v a d i nteger l ess t han a d a v Basically, if we see the parsing procedure of this policy as an automaton, we obtain: P S P S i nteger l ess t han a v a s F irst A pplicable F irst A pplicable i nteger e qual a v a s D eny i nteger g reater t han a v a d i nteger g reater t han a v a d F irst A pplicable i nteger l ess t han a v a s P ermit i nteger l ess t han a v a d i nteger l ess t han a d a v i nteger l ess t han a v a s F irst A pplicable F irst A pplicable i nteger e qual a v a s D eny i nteger g reater t han a v a d i nteger g reater t han a v a d F irst A pplicable i nteger l ess t han a v a s P ermit i nteger l ess t han a v a d i nteger l ess t han a d a v In addition, for this example, the parsing procedure returns a positive result, that is, the policy is fully covered by the grammar; this means that the policy is syntactically correct.

Definition of the Request Structure
In this section, we provide the formalization of the XACML request information (such as attribute values, ID, and so on) necessary for being evaluated by a policy. In particular, in Figure 2, the generic request structure is represented, which contains:

XACML-Based Coverage Definition
In this section, we detail the concepts of coverage of the XACML 3.0 grammar elements. Considering therefore a request R and an element of XACML 3.0 grammar, the following coverage function can be introduced.

Definition 1 (Coverage function).
Let el XACML be an XACML 3.0 component and R a request element, such that R = {A 1 , . . . , A n } We define the function cov : el X ACML × R → b where b ∈ {T rue , F alse }.
In practice, this function establishes if the request can be evaluated or not by the considered element.
Following a more intuitive way of coverage analysis, in the remainder of this section, we provide the coverage of each of the grammar elements starting from the basic ones.

Covering Match and Condition
Let M = f MatchID (v, c, a) be a Match element where f MatchID is an identifier of the Match function, v is the embedded AttributeValue, c is the attribute Category related to v, and a is an AttributeChoice (defined before, that can be mutually or exclusively, an AttributeDesignator or an AttributeSelector). Covering the Match element with a request R = {A 1 , . . . , A n } is defined as follows: Note that in the definition, f MatchID appears twice: the former one for the syntax element of Match component, while the latter indicates the coverage of the f MatchID function.
In this case, considering the request of Listing 2 which has a subject with value 10, it is able to cover the f MatchID of the Policy Set of Listing 1.
Considering instead the coverage of the condition element, let C be a Condition and R be a request; then, it is possible to define: Considering the policy of Listing 1 and the request of Listing 2, the request covers the condition expressed in the first rule with the value true because it contains a value greater than 2.

Covering AllOf, AnyOf and Target
Let M be a Match, A a AllOf, E a AnyOf, and T a Target. Suppose that allof(A id ) : {M 1 , . . . , M n }, n ≥ 1 is an AllOf element and ∀i, M i is a Match element. The coverage of AllOf element A id over a request R is as follows: Suppose that anyof(E id ) : {A 1 , . . . A n }, n ≥ 1 is an AnyOf element and ∀i, A i is a AllOf element. The coverage of AnyOf element E id over a Request R is defined as follows: Suppose that target(T id ) : {E 1 , . . . , E n }, n ≥ 0 is a Target element and ∀i, E i is an AnyOf element. The coverage of Target T id over a Request R is defined with the following equation: Considering the policy of Listing 1, the target of Rule1 and the request of Listing 2, the request covers the AllOf, the AnyOf and the Target elements of this rule with the values true. Indeed, the value 10 of the request matches the function string equal of the AllOf element, and because the AnyOf and the Target contain only an element, consequently, the request covers also these last.

Covering Rule
Let R be a Rule, T a Target, C a Condition, E an Effect (with possible values: permit and deny).
Suppose that rule(R) = {T , C, E}. The coverage of Rule element R id over a request R is determined as follows: Considering the policy of Listing 1 and the request of Listing 2, the request covers the Rule1 since it covers with a true value both the Target and Condition of Rule1.

Covering Policy
Let P be a Policy, T a Target, R 1 , . . . R n a sequence of Rules and comb id a Combining Algorithm.
Suppose that policy(P id ) = T , R 1 , . . . R n , comb id . We define with R the coverage over a request R of the sequence of Rules : Then, the coverage of Policy P id over a request R is defined as follows: The coverage of the sequence of Rules, defined by R, depends on the chosen Combining Algorithm comb id . The semantic within the combining algorithm bound to the coverage of R over a request R can be formally defined is this way: • If comb id = f a , then the algorithm that must be applied is the first-applicable: If comb id = oo a , then the algorithm that must be applied is the only-one-applicable: If comb id = p o , then the algorithm that must be applied is the permit-overrides: If comb id = d o then the algorithm that must be applied is the deny-overrides: Considering the policy of Listing 1 and the request of Listing 2, the request covers Policy1, since it covers with true value both the Target of the policy and the first applicable rule that is Rule1.

Covering PolicySet
Let P S be a PolicySet, comb id a Combining Algorithm, T a target, P 1 , . . . , P n a sequence of Policy and PolicySet. Suppose that policyset(P S id ) = comb id , T , P 1 , . . . , P n We define P as the coverage over a request R of the sequence of Policy and PolicySet: P = cov(P 1 , R), . . . , cov(P n , R) Then, the covering of PolicySet P S id is defined as follows: We do not formally provide here the definition of policy-combining algorithm because the semantic can be easily deduced from that already provided for the rule-combining algorithm over a request presented in the previous section.
Considering the policy of Listing 1 and the request of Listing 2, the request covers the PolicySet, since it covers with a true value both the Target of the PolicySet and the first applicable policy that is Policy1.

Coverage Criteria
Considering the coverage concepts introduced in the previous section, several criteria can be defined for testing purposes. In this section, we introduce some of them considering different ways in which a target and a condition element could be exercised during the requests evaluation. Specifically, some basic coverage criteria are: either having all the policy Target  where comb ps is the Combining Algorithm, T P S is the target of the policy set, and P 1 , . . . , P n a sequence of Policy elements. Let each of the P id be a policy(P id ) = T P id , R 1 , . . . R h , comb p where T P id is the Target of the policy, R 1 , . . . R h is the set of Rules and comb p is the Combining Algorithm. Finally, let each R id be a rule(R id ) = {T R id , C, E} where T R id is the Target of the rule, C is the Condition, and E is the Effect. The set of requests RQ covers the criterion of the Policy targets true if for each of the target elements included in the policy P S (T P S, T P id , T R id ) there exists at least an RQ i that covers the target with the true value. where comb ps is the Combining Algorithm, T P S is the target of the policy set and P 1 , . . . , P n is a sequence of Policy elements. Let each of the P id be a policy(P id ) = T P id , R 1 , . . . R h , comb p where T P id is the Target of the policy, R 1 , . . . R h is the set of Rules and comb p is the Combining Algorithm. Finally, let each R id be a rule(R id ) = {T R id , C, E} where T C id is the Target of the rule, C is the Condition, and E is the Effect. The set of requests RQ covers the criterion of the Policy targets true and false if for each of the target element included in the policy P S (T P S, T P id , T R id ), there exists at least an RQ i that covers the target with the true value and at least an RQ j that covers the target with the false value. According to the target coverage defined in the previous section, if a Target element is empty, it is always covered with T rue . From a practical point of view, the True evaluation of a Target element requires a request that makes at least one element AnyOf to True; in case of the AnyOf element of the AllOf elements, a request is necessary that makes all the Match elements True (in our analysis, the Match elements are the leaves of the tree with the Policy or PolicySet component as the root). In a similar way, two additional criteria that refine the previous ones can be defined. They focus on the evaluation of the condition and can be formulated in the following. where comb ps is the Combining Algorithm, T P S is the target of the policy set and P 1 , . . . , P n is a sequence of Policy elements. Let each of the P id be a policy(P id ) = T P id , R 1 , . . . R h , comb p where T P id is the Target of the policy, R 1 , . . . R h is the set of Rules and comb p is the Combining Algorithm. Finally, let each of R id be a rule(R id ) = {T R, C id , E} where T R is the Target of the rule, C id is the Condition and E is the Effect. The set of requests RQ covers the criterion of the Policy conditions true if for each of the condition elements included in the rule R (T R, C id , E), there exists at least an RQ i that covers the condition with the true value. where comb ps is the Combining Algorithm, T P S is the target of the policy set and P 1 , . . . , P n is a sequence of Policy elements. Let each of the P id be a policy(P id ) = T P id , R 1 , . . . R h , comb p where T P id is the Target of the policy, R 1 , . . . R h is the set of Rules and comb p is the Combining Algorithm. Finally, let each R id be a rule(R id ) = {T R, C id , E} where T R is the Target of the rule, C id is the Condition, and E is the Effect. The set of requests RQ covers the criterion of the Policy conditions true and false if for each of the condition elements included in the rule R (T R, C id , E), there exists at least an RQ i that covers the condition with the true value and at least an RQ j that covers the condition with the false value.

Application Example of Coverage Criteria
In this section, as an example, we show the application of the coverage criteria defined in Section 7 to the policy of Listing 1 described in Section 4.3, and we provide examples of test suites able to satisfy the different proposed criteria.

Policy Target True
Given a test suite TS 1 = {RQ 1 }, where RQ 1 is the request of Listing 2, we would like to measure its coverage considering the Policy target true criterion. As in Listing 2, the request contains a subject having a value equal to 10. The evaluation of the request on the policy of Listing 1 provides the following results: RQ 1 covers with True value the Target of the PolicySet, the Target of Policy1 and the Target of the Rule1.
Indeed, because the policy-combining algorithm is FirstApplicable, i.e., it returns the result of the first applicable policy, neither Policy2 nor Rule2 are evaluated with RQ 1 .
Consequently, the overall coverage measure of the Policy targets true criterion for TS 1 is 60%, because the policy of Listing 1 contains five targets and RQ 1 covers only three of them.
In order to increase the coverage and reach 100%, TS 1 should be enriched with a request able to reach the target of Policy2. From a practical point of view, this is possible by executing a request that makes the evaluation of the Policy1 not applicable and triggers the evaluation of Policy2. An example of such a request is provided in Listing 3, which contains a subject having a value equal to 2. Indeed, this request is able to pass the Target of the PolicySet, makes the evaluation of the Policy1 not applicable, and triggers the evaluation both of the Target of Policy2 and Rule2.
Consequently, given a test suite TS 2 = {RQ 1 , RQ 2 } where RQ 1 and RQ 2 are the requests of Listing 2 and Listing 3, respectively, the overall coverage measure of the Policy targets true criterion for TS 2 is 100% because RQ 2 is able to evaluate with a True value the Targets of the PolicySet, Policy2 and Rule2.

Policy Target True and False
Given the test suite TS 2 = {RQ 1 , RQ 2 } where RQ 1 and RQ 2 are the requests of Listing 2 and Listing 3, respectively, we would like to measure its coverage considering the Policy target true and false criterion.
In this case, as already described in the previous section, RQ 1 and RQ 2 are able to evaluate with True value the Targets of the PolicySet, Policy1, Policy2, Rule1 and Rule2. Additionally, the request R 2 evaluates with False value the target of Policy1.
Consequently, the overall coverage measure of the Policy targets true and false criterion for TS 2 is 60%, because the policy of Listing 1 contains five targets, each one to be evaluated to True and False value, and TS 2 covers only six of them.
In order to increase the coverage and try to reach 100%, TS 2 should be enriched with additional requests. For the aim of simplicity, we report in Table 5 an example of the required requests. In particular, we considered RQ 3 having a subject value equal for instance to 16; (ii) RQ 4 with a subject value equal for instance to 11; (iii) RQ 5 with a subject value equal for instance to 8.
Consequently, given a test suite TS 3 = TS 2 {RQ 3 , RQ 4 , RQ 5 }, we would like to measure its coverage considering the Policy target true and false criterion.
In this case • RQ 3 is able to evaluate with False value the Target of the PolicySet; • RQ 4 is able to evaluate with False value the Target of Policy2; • RQ 5 is able to reach the evaluation with True value of the Target of Policy2 and then trigger the evaluation of the Target of the Rule2 with False value.
Consequently, the overall coverage measure of the Policy targets true and false criterion for TS 3 is 90%.
Note that it is not possible to reach 100% coverage of Policy targets true and false criterion, since it is not possible to have the coverage of the Target of the Rule1 with False value. This is because in order to trigger the evaluation of Rule1, we need a request with a subject equal to 10 that is able to evaluate with True value the Target of Policy1; then, this subject value is always greater than 4.

Policy Condition True
Given the test suite TS 2 = {RQ 1 , RQ 2 } where RQ 1 and RQ 2 are the requests of Listing 2 and Listing 3, respectively, we would like to measure its coverage considering the Policy condition true criterion.
In this case, as already described in the previous section, RQ 1 and RQ 2 are able to evaluate with True value the Conditions of Rule1 and Rule2. Indeed, RQ 1 is able to evaluate with True value the condition of Rule1, whereas RQ 2 is able to evaluate with True value the condition of Rule2.
Consequently, the test suite TS 2 is also able to reach 100% coverage of Policy conditions true criterion.

Policy Condition True and False
Given the test suite TS 4 = TS 2 {RQ 6 } where RQ 6 is the request of Table 5, we would like to measure its coverage considering the Policy condition true and false criterion.
In this case, as already described in the previous section, RQ 1 , RQ 2 and RQ 6 are able to reach 75% of coverage of Policy conditions true and false criterion, since RQ 6 is able to cover with False value the condition of Rule2.
Note that, again, it is not possible to reach a 100% coverage measure of Policy conditions true and false criterion, since to trigger the evaluation of condition of Rule1, a subject equal to 10 is needed to evaluate to True value the Target of Policy1. This subject value makes always true the condition of Rule1.

Discussion and Conclusions
In this paper, we provided a formal definition of XACML syntax and semantics and defined some coverage concepts useful for verifiability and testability purposes. In particular, we revised and extended the existing definition of the abstract syntax and semantics of XACML 3.0 standard, defined a formal specification of the coverage process of the elements of the XACML policy and provided some coverage criteria useful to assess the XACML policy.
The proposed coverage criteria can have different practical implications for improving the verifiability and testability of the policy. Indeed, from a testing point of view, the policy coverage measure can describe the degree to which the policy has been exercised by a given test suite. Reaching high coverage, measured as a percentage, can increase the chance of detecting possible weaknesses or security flaws in the considered policy code. Moreover, the analysis of the policy elements that have not been covered may suggest possible improvements of the original test suite, so to increase the overall fault detection effectiveness of the test suite itself. This has been evidenced also by the application example proposed in this paper. Even if it is very simple, the application of the coverage criteria of Target true and false and Condition true and false evidenced an infeasible path in the policy specification. This does not per se represent a security flaw; however, it highlights an inaccuracy in the policy writing that should be avoided. Another practical implication of the proposed coverage criteria is the possibility of exploiting the coverage measure to reduce (or select), from a given test suite, only those test cases that have an impact on the defined coverage criteria. This is specifically important in case of regression testing because the test effort may be dedicated just to run the test cases able to maximize the coverage measure.
Finally, the proposals of this paper can also be used for the definition of test suite generation methodologies that target the 100% coverage of a specific criterion. As from the application example, the coverage of a specific target and/or condition depends on the evaluation of the previous targets and/or conditions. Thus, as a basic proposal for a test case generation algorithm able to force the execution of a specific rule, it should be considered that: it is first necessary to generate the attributes that make the Target element of the PolicySet true; successively to generate the attributes that make the Target of the current Policy true and those that make the previous Policy elements false; finally, to generate the attributes that make the Target of the Rule element true and the Targets of the previous Rules elements false.
However, many different metrics can be used to calculate policy coverage. In this paper, we provide some basic ones focusing on the evaluation of the targets and the conditions that are common critical points for most of the policies. As a future work, we would like to provide more additional specific coverage criteria as well as to perform an accurate comparison of their fault detection effectiveness so to better guide testing efforts. We are also developing ad hoc test case generation algorithms able to target the coverage criteria proposed in this paper.