Property-testing real-world authorization systems.

We motivate and address the problem of testing for properties of interest in real-world implementations of authorization systems. We adopt a 4-stage process: (1) express a property precisely using existential second-order logic, (2) establish types of traces that are necessary and sufficient to establish a property, (3) adopt finitizing assumptions and show that under those assumptions, verifying a property is in PSPACE, and, (4) use a model-checker as a trace-generator to generate instances of traces, and exercise the implementation to check for those traces. We discuss our design of a corresponding testing-system, and its use to test for qualitatively different kinds of properties in two commercial authorization systems. One is a database system that we call the D system, and the other is a file-sharing system that we call the I system. (We use pseudonyms at the request of the respective vendors.) In the context of the D system, our testing has uncovered several issues with its authorization system in the context of procedures that aggregate SQL statements that, to our knowledge, are new to the research literature. For the I system, we have established that it possesses several properties of interest.