M. Zitser, R. Lippmann, and T. Leek, Testing static analysis tools using exploitable buffer overflows from open source code, SIGSOFT Softw. Eng. Notes, vol.29, issue.6, pp.97-106, 2004.

T. Mouelhi, F. Fleurey, B. Baudry, and Y. Le Traon, A Model-Based Framework for Security Policy Specification, Deployment and Testing, 2008.
DOI : 10.1007/978-3-540-87875-9_38

T. Mouelhi, Y. Le Traon, and B. Baudry, Transforming and Selecting Functional Test Cases for Security Policy Testing, 2009 International Conference on Software Testing Verification and Validation, 2009.
DOI : 10.1109/ICST.2009.49

URL : https://hal.archives-ouvertes.fr/inria-00538390

A. Pretschner, T. Mouelhi, and Y. Le Traon, Model-Based Tests for Access Control Policies, 2008 International Conference on Software Testing, Verification, and Validation, 2008.
DOI : 10.1109/ICST.2008.44

URL : https://hal.archives-ouvertes.fr/inria-00456952

Y. Le Traon, T. Mouelhi, and B. Baudry, Testing security policies: going beyond functional testing, in ISSRE'07: The 18th IEEE International Symposium on Software Reliability Engineering, 2007.

Y. Le Traon, T. Mouelhi, A. Pretschner, and B. Baudry, Test-Driven Assessment of Access Control in Legacy Applications, ICST 2008: First IEEE International Conference on Software Testing, Verification and Validation, 2008.

B. Morin, T. Mouelhi, F. Fleurey, O. Barais, Y. Le Traon, and J. M. Jézéquel, Security-Driven Model-Based Dynamic Adaptation, 25th IEEE/ACM International Conference on Automated Software Engineering (ASE).

T. Mouelhi et al., in SARSSI 2009: 4ème conférence sur la sécurité des architectures réseaux et des systèmes d'information, 2009.

T. Mouelhi, F. Fleurey, and B. Baudry, Mutating DAC and MAC Security Policies: A Generic Metamodel Based Approach, in Modeling Security Workshop in association with MODELS '08, 2008.

T. Mouelhi, Y. Le Traon, and B. Baudry, Mutation analysis for security tests qualification, in Mutation'07: Third Workshop on Mutation Analysis in conjunction with TAIC PART, 2007.

T. Mouelhi, F. Fleurey, B. Baudry, and Y. Le Traon, Language-Specific vs. Language-Independent Approaches: Embedding Semantics on a Metamodel for Testing and Verifying Access Control Policies, SecTest 08: 1st International ICST Workshop on Security Testing, 2008.

T. Mouelhi, IEEE International Conference on Software Testing Verification and Validation Workshops, 2010.

CWE/SANS TOP 25 Most Dangerous Programming Errors, 2007.

J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach et al., HTTP Authentication: Basic and Digest Access Authentication, RFC 2617, 1999.

M. Burrows, M. Abadi, and R. Needham, A logic of authentication, ACM Trans. Comput. Syst., vol.8, issue.1, pp.18-36, 1990.

K. Fu, E. Sit, K. Smith, and N. Feamster, Dos and Don'ts of Client Authentication on the Web, Proceedings of the 10th USENIX Security Symposium, 2001.

R. S. Sandhu and P. Samarati, Access control: principle and practice, IEEE Communications Magazine, vol.32, issue.9, pp.40-48, 1994.

A. Pretschner, M. Hilty, and D. Basin, Distributed usage control, Communications of the ACM, vol.49, issue.9, 2006.

J. Park and R. Sandhu, Towards usage control models: beyond traditional access control, Proceedings of the seventh ACM symposium on Access control models and technologies, SACMAT '02, Monterey, California, USA, 2002.
DOI : 10.1145/507711.507722

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.161.4350

D. F. Ferraiolo, R. Sandhu, S. Gavrila et al., Proposed NIST standard for role-based access control, ACM Trans. Inf. Syst. Secur., vol.4, issue.3, pp.224-274, 2001.

K. J. Biba, Integrity Considerations for Secure Computer Systems, Tech. Rep. MTR-3153, The MITRE Corporation, 1975.

D. E. Bell and L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Tech. Rep. ESD-TR-73-306, The MITRE Corporation.

B. Lampson, Protection, in 5th Princeton Symposium on Information Sciences and Systems, 1971.

C. S. Jordan, A Guide to Understanding Discretionary Access Control in Trusted Systems, National Computer Security Center, Fort George G. Meade, MD, 1987.

A. Abou El Kalam, R. El Baida et al., Organization Based Access Control, IEEE 4th International Workshop on Policies for Distributed Systems and Networks (POLICY 2003), 2003.

M. Ben Ghorbel-Talbi, F. Cuppens, N. Cuppens-Boulahia, and A. Bouhoula, Managing Delegation in Access Control Models, Proceedings of the 15th International Conference on Advanced Computing and Communications (ADCOM 2007), 2007.

F. Cuppens and A. Miège, Administration Model for Or-BAC, in On The Move to Meaningful Internet Systems, pp.754-768, 2003.

S. Jajodia, P. Samarati, M. L. Sapino, and V. S. Subrahmanian, Flexible support for multiple access control policies, ACM Trans. Database Syst., vol.26, issue.2, pp.214-260, 2001.

C. Bertolissi, M. Fernández, and S. Barker, Dynamic Event-Based Access Control as Term Rewriting, in Data and Applications Security XXI, pp.195-210, 2007.

S. Barker and P. J. Stuckey, Flexible access control policy specification with constraint logic programming, ACM Trans. Inf. Syst. Secur., vol.6, issue.4, pp.501-546, 2003.

E. Bertino, S. Jajodia, and P. Samarati, A flexible authorization mechanism for relational data management systems, ACM Trans. Inf. Syst., vol.17, issue.2, pp.101-140, 1999.

S. Barker and M. Fernández, Term Rewriting for Access Control, in Data and Applications Security XX, pp.179-193, 2006.

Sun's XACML implementation.

E. Martin and T. Xie, Automated Test Generation for Access Control Policies via Change-Impact Analysis, Proceedings of the 3rd International Workshop on Software Engineering for Secure Systems, 2007.

Proceedings of the 1st IEEE International Workshop on Security in Software Engineering, 2007.

A. Anderson, XACML profile for role based access control (RBAC), OASIS Access Control TC committee draft, 2004.

D. Abi Haidar, N. Cuppens-Boulahia, F. Cuppens, and H. Debar, An extended RBAC profile of XACML, in Proceedings of the 3rd ACM workshop on Secure web services, 2006.

M. Ter Louw and V. N. Venkatakrishnan, Blueprint: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, Proceedings of the 2009 30th IEEE Symposium on Security and Privacy, 2009.

P. Wurzinger, C. Platzer, C. Ludl, E. Kirda, C. Kruegel et al., SWAP: Mitigating XSS attacks using a reverse proxy, 2009 ICSE Workshop on Software Engineering for Secure Systems, 2008.
DOI : 10.1109/IWSESS.2009.5068456

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.638.8688

A. Barth, C. Jackson, and J. C. Mitchell, Robust defenses for cross-site request forgery, Proceedings of the 15th ACM conference on Computer and communications security, CCS '08, Alexandria, Virginia, USA, 2008.
DOI : 10.1145/1455770.1455782

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.140.2584

W. Maes, T. Heyman, L. Desmet, and W. Joosen, Browser protection against cross-site request forgery, Proceedings of the first ACM workshop on Secure execution of untrusted code, SecuCode '09, 2009.

Z. Mao, N. Li, and I. Molloy, Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection, Financial Cryptography and Data Security: 13th International Conference, Revised Selected Papers, pp.238-255, 2009.

M. Balduzzi, M. Egele, E. Kirda, D. Balzarotti, and C. Kruegel, A solution for the automated detection of clickjacking attacks, Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010.

S. W. Boyd and A. D. Keromytis, SQLrand: Preventing SQL Injection Attacks, in ACNS, 2004.

F. Valeur, D. Mutz, and G. Vigna, A Learning-Based Approach to the Detection of SQL Attacks, in Intrusion and Malware Detection and Vulnerability Assessment, 2005.

B. Arkin, S. Stender, and G. McGraw, Software Penetration Testing, IEEE Security and Privacy, vol.3, issue.1, 2005.

E. Mendes, Measurement, Prediction and Risk Analysis for Web Applications, Proceedings of the 7th International Symposium on Software Metrics, pp.84-87, 2001.

F. den Braber, I. Hogganvik, M. S. Lund, K. Stølen, and F. Vraalsen, Model-based security analysis in seven steps: a guided tour to the CORAS method, BT Technology Journal, vol.25, issue.1, 2007.

T. R. Peltier, Information Security Risk Analysis.

P. Hope, G. McGraw, and A. I. Antón, Misuse and Abuse Cases: Getting Past the Positive, IEEE Security and Privacy, vol.2, issue.3, pp.90-92, 2000.

R. Crook, D. Ince, L. Lin, and B. Nuseibeh, Security Requirements Engineering: When Anti-Requirements Hit the Fan, Proceedings of the 10th Anniversary IEEE Joint International Conference on Requirements Engineering, 2002.

L. Liu, E. Yu, and J. Mylopoulos, Security and Privacy Requirements Analysis within a Social Setting, Proceedings of the 11th IEEE International Conference on Requirements Engineering, 2003.

C. B. Haley, R. Laney, J. D. Moffett, and B. Nuseibeh, A framework for security requirements engineering, Proceedings of the 2006 international workshop on Software engineering for secure systems, ACM, Shanghai, China, 2006.

J. Pauli and D. Xu, Analysis of Secure Software Architecture, Proceedings of the International Conference on Information Technology: Coding and Computing, 2005.

A. van Lamsweerde, Elaborating Security Requirements by Construction of Intentional Anti-Models, Proceedings of the 26th International Conference on Software Engineering, 2004.

T. Doan, S. Demurjian, T. C. Ting, and A. Ketterl, MAC and UML for secure software design, Proceedings of the 2004 ACM workshop on Formal methods in security engineering, p.65, 2004.

I. Ray, N. Li, R. France, and D.-K. Kim, Using UML to visualize role-based access control constraints, Proceedings of the ninth ACM symposium on Access control models and technologies, 2004.

D.-K. Kim, I. Ray, R. France, and N. Li, Modeling Role-Based Access Control Using Parameterized UML Models, Fundamental Approaches to Software Engineering, pp.180-193, 2004.

J. Jürjens, Secure Systems Development with UML, Springer-Verlag, 2003.

J. Jürjens, UMLsec: Extending UML for Secure Systems Development, in «UML» 2002: The Unified Modeling Language, 2002.

T. Lodderstedt, D. Basin, and J. Doser, SecureUML: A UML-Based Modeling Language for Model-Driven Security, Proceedings of the 5th International Conference on The Unified Modeling Language, 2002.

I. Ray, R. France, N. Li, and G. Georg, An aspect-based approach to modeling access control concerns, Information and Software Technology, vol.46, issue.9, pp.575-587, 2004.

A. Bertolino, Software Testing Research and Practice, in Abstract State Machines 2003, 2003.

S. Xanthakis, C. Ellis, C. Skourlas, A. Le Gall, S. Katsikas et al., Genetic Algorithms Applications to Software Testing, Fifth International Conference on Software Engineering and Its Applications.

G. J. Myers, The Art of Software Testing, 1979.

R. V. Binder, Testing Object-Oriented Systems: Models, Patterns and Tools, Addison-Wesley, 1999.

Proceedings of the Second Workshop on Mutation Analysis.

Z. Chen, B. Xu, and Z. Wang, A New Mutation Analysis Method for Testing Java Exception Handling, Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference, 2009.

Y.-S. Ma, Y.-R. Kwon, and J. Offutt, Inter-Class Mutation Operators for Java, Proceedings of the 13th International Symposium on Software Reliability Engineering, IEEE Computer Society, 2002.

M. Ellims, D. Ince, and M. Petre, The Csaw C Mutation Tool: Initial Results, Proceedings of the Testing: Academic and Industrial Conference Practice and Research Techniques - MUTATION, 2007.

A. Derezińska, Advanced mutation operators applicable in C# programs, in Software Engineering Techniques: Design for Quality, 2006.

Proceedings of the Sixth International Conference on Quality Software, pp.283-288.

J. Offutt, Investigations of the software testing coupling effect, ACM Transactions on Software Engineering and Methodology, vol.1, issue.1, pp.5-20, 1992.
DOI : 10.1145/125489.125473

J. H. Andrews, L. C. Briand, and Y. Labiche, Is mutation an appropriate tool for testing experiments?, Proceedings of the 27th International Conference on Software Engineering, 2005.

A. J. Offutt, J. Pan, K. Tewary, and T. Zapf, An experimental evaluation of data flow and mutation testing, Software: Practice and Experience, vol.26, issue.2, pp.165-176, 1996.

W. E. Wong, On Mutation and Data Flow, PhD thesis, Purdue University, 1993.

A. P. Mathur and W. E. Wong, An Empirical Comparison of Data Flow and Mutation-Based Test Adequacy Criteria, Software Testing, Verification and Reliability, vol.4, issue.1, pp.9-31, 1994.

N. Li, U. Praphamontripong, and J. Offutt, An Experimental Comparison of Four Unit Test Criteria: Mutation, Edge-Pair, All-Uses and Prime Path Coverage, Proceedings of the IEEE International Conference on Software Testing, Verification and Validation Workshops, 2009.

Y.-S. Ma, J. Offutt, and Y. R. Kwon, MuJava: An Automated Class Mutation System, Software Testing, Verification and Reliability, 2005.

PlexTest, 2009.

Heckle: tormenting your tests with Heckle, 2006.

W. Weimer, T. Nguyen, C. Le Goues, and S. Forrest, Automatically finding patches using genetic programming, Proceedings of the 2009 IEEE 31st International Conference on Software Engineering, 2009.

H. H. Thompson, Why security testing is hard, IEEE Security and Privacy, vol.1, issue.4, pp.83-86, 2003.

C. Wysopal, L. Nelson, D. Dai Zovi, and E. Dustin, The Art of Software Security Testing: Identifying Software Security Flaws, Symantec Press, 2004.

W. Du and A. P. Mathur, Testing for software vulnerability using environment perturbation, Proceedings of the International Conference on Dependable Systems and Networks, DSN 2000, 2000.
DOI : 10.1109/ICDSN.2000.857596

A. Ghosh, T. O'Connor, and G. McGraw, An automated approach for identifying potential vulnerabilities in software, Proceedings of the 1998 IEEE Symposium on Security and Privacy, 1998.
DOI : 10.1109/SECPRI.1998.674827

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.147.1579

P. Godefroid, Random testing for security, Proceedings of the 2nd international workshop on Random testing co-located with the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE 2007), RT '07, 2007.
DOI : 10.1145/1292414.1292416

P. Godefroid, A. Kiezun, and M. Y. Levin, Grammar-based whitebox fuzzing, Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation, 2008.
DOI : 10.1145/1379022.1375607

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.165.770

P. Godefroid, M. Levin, and D. Molnar, Automated Whitebox Fuzz Testing, in Network and Distributed System Security Symposium (NDSS), 2008.

J. Offutt, Y. Wu, X. Du, and H. Huang, Bypass testing of Web applications, 15th International Symposium on Software Reliability Engineering, ISSRE, 2004.

J. Offutt, Q. Wang, and J. Ordille, An Industrial Case Study of Bypass Testing on Web Applications, 2008 International Conference on Software Testing, Verification, and Validation, 2008.
DOI : 10.1109/ICST.2008.46

A. Kiezun, P. J. Guo, K. Jayaraman, and M. D. Ernst, Automatic creation of SQL Injection and cross-site scripting attacks, 2009 IEEE 31st International Conference on Software Engineering, 2009.
DOI : 10.1109/ICSE.2009.5070521

E. Martin and T. Xie, Automated Test Generation for Access Control Policies via Change-Impact Analysis, Third International Workshop on Software Engineering for Secure Systems (SESS'07: ICSE Workshops 2007), 2007.
DOI : 10.1109/SESS.2007.5

A. Masood, A. Ghafoor, and A. Mathur, Technical report: Scalable and Effective Test Generation for Access Control Systems that Employ RBAC Policies, 2005.

K. Fisler, S. Krishnamurthi, L. A. Meyerovich, and M. C. Tschantz, Verification and change-impact analysis of access-control policies. in ICSE, 2005.

K. Li, L. Mounier, and R. Groz, Test Generation from Security Policies Specified in Or-BAC, 31st Annual International Computer Software and Applications Conference, Vol. 2, (COMPSAC 2007), 2007.
DOI : 10.1109/COMPSAC.2007.210

W. Mallouli, J. M. Orset, A. Cavalli, N. Cuppens, and F. Cuppens, A Formal Approach for Testing Security Rules, in SACMAT, 2007.

E. Martin and T. Xie, A fault model and mutation testing of access control policies, Proceedings of the 16th international conference on World Wide Web , WWW '07, 2007.
DOI : 10.1145/1242572.1242663

W. Mallouli, J. M. Orset, A. Cavalli, N. Cuppens, and F. Cuppens, A formal approach for testing security rules, Proceedings of the 12th ACM symposium on Access control models and technologies , SACMAT '07, 2007.
DOI : 10.1145/1266840.1266860

J. Julliand, P. A. Masson, and R. Tissot, Generating security tests in addition to functional tests, Proceedings of the 3rd international workshop on Automation of software test, 2008.

D. P. Guelev, M. Ryan, and P. Y. Schobbens, Model-Checking Access Control Policies, in Information Security, pp.219-230, 2004.
DOI : 10.1007/978-3-540-30144-8_19

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.218.2061

N. Zhang, M. Ryan, and D. P. Guelev, Evaluating Access Control Policies Through Model Checking, in Information Security, pp.446-460, 2005.
DOI : 10.1007/11556992_32

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.218.3080

S. I. Gavrila and J. F. Barkley, Formal specification for role based access control user/role and role/role relationship management, Proceedings of the third ACM workshop on Role-based access control , RBAC '98, 1996.
DOI : 10.1145/286884.286902

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.28.3385

E. J. Coyne, R. Sandhu, H. L. Feinstein, and C. E. Youman, Role-based access control models, IEEE Computer, vol.29, issue.2, pp.38-47, 1996.

R. Thomas and R. Sandhu, Task-based authorization controls (TBAC): a family of models for active and enterprise-oriented authorization management, 11th IFIP Working Conference on Database Security, 1997.
DOI : 10.1007/978-0-387-35285-5_10

R. Demillo, R. Lipton, and F. Sayward, Hints on Test Data Selection: Help for the Practicing Programmer, Computer, vol.11, issue.4, pp.34-41, 1978.
DOI : 10.1109/C-M.1978.218136

L. Briand and Y. Labiche, A UML-based approach to System Testing. Software and Systems Modeling, pp.10-42, 2002.

C. Nebut, F. Fleurey, Y. Le Traon, and J. M. Jézéquel, Automatic test generation: a use case driven approach, IEEE Transactions on Software Engineering, vol.32, issue.3, 2006.
DOI : 10.1109/TSE.2006.22

URL : https://hal.archives-ouvertes.fr/lirmm-00102747

F. Cuppens, N. Cuppens-Boulahia, and M. B. Ghorbel, High Level Conflict Management Strategies in Advanced Access Control Models, Workshop on Information and Computer Security (ICS'06), 2006.
DOI : 10.1016/j.entcs.2007.01.064

J. Offutt, A. Lee, G. Rothermel, R. H. Untch, and C. Zapf, An experimental determination of sufficient mutant operators, ACM Transactions on Software Engineering and Methodology, vol.5, issue.2, pp.99-118, 1996.
DOI : 10.1145/227607.227610

J. M. Voas, PIE: a dynamic failure-based technique, IEEE Transactions on Software Engineering, vol.18, issue.8, pp.717-727, 1992.
DOI : 10.1109/32.153381

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.83.8453

A. Williams and R. Probert, A Practical Strategy for Testing Pair-wise Coverage of Network Interfaces, in ISSRE, 1996.

M. Grindal, J. Offutt, and S. Andler, Combination testing strategies: a survey, Software Testing, Verification and Reliability, vol.29, issue.3, 2004.
DOI : 10.1002/stvr.319

E. Martin and T. Xie, Inferring Access-Control Policy Properties via Machine Learning, Seventh IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY'06), 2006.
DOI : 10.1109/POLICY.2006.19

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.143.6815

P. T. Devanbu and S. Stubblebine, Software engineering for security, Proceedings of the conference on The future of Software engineering , ICSE '00, 2000.
DOI : 10.1145/336512.336559

J. M. Jézéquel, M. Train, and C. Mingins, Design Patterns and Contracts, 1999.

D. E. Bell and L. J. Lapadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, 1976.

P. A. Muller, F. Fleurey, and J. M. Jézéquel, Weaving executability into object-oriented meta-languages, in MoDELS'05, 2005.
DOI : 10.1007/11557432_19

URL : https://hal.archives-ouvertes.fr/hal-00795095

OMG, MOF Core Final Adopted Specification, pp.3-10, 2004. Available from: http://www.omg.org/cgi-bin

The OSGi Alliance, OSGi Service Platform Core Specification, 2007.

B. Morin, O. Barais, G. Nain, and J. Jezequel, Taming Dynamically Adaptive Systems using models and aspects, 2009 IEEE 31st International Conference on Software Engineering, 2009.
DOI : 10.1109/ICSE.2009.5070514

URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.150.780

G. Wassermann and Z. Su, Static detection of cross-site scripting vulnerabilities, Proceedings of the 30th International Conference on Software Engineering, ICSE '08, 2008.
DOI : 10.1145/1368088.1368112

I. Erete, Browser-Based Intrusion Prevention System, Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection, 2009.