Model checking graph representation of precise boolean inter-procedural flow analysis
Proceedings of the IEEE/ACM international conference on Automated software engineering
Recovering role-based access control security models from dynamic web applications
ICWE'12 Proceedings of the 12th international conference on Web Engineering
Uncovering access control weaknesses and flaws with security-discordant software clones
Proceedings of the 29th Annual Computer Security Applications Conference
Hi-index | 0.00 |
Web based applications may suffer from role privilege violations duet vulnerabilities in the source code.This paper presents an original algorithm to extract simple boolean role privilege models from an inter-procedural perspective of PHP source code.Extracted models can be verified against role privilege violations,using model checkers. The proposed extraction approach has been preliminarily evaluated on a small PHP open source system, phpBB, that implements a bulletin board.Role privilege properties have been verified on the extracted models.Simple boolean security models can be extracted and verified in linear time using the presented algorithms, while general approaches for inter-procedural model checking show a higher computational complexity due to their generality.Results have been successfully compared with those previously obtained from the corresponding inter-procedural data-flow vulnerability analysis.Results and execution time performance of the proposed model extraction and of the validation processes are presented and discussed.Further research, possible extensions, and conclusions are reported.