Can I Reach You? Do I Need To? New Semantics in Security Policy Specification and Testing.