Automated verification of role-based access control security models recovered from dynamic web applications

Authors:
Manar H. Alalfi;James R. Cordy;Thomas R. Dean
Affiliations:
School of Computing, Queen's University, Kingston, Canada;School of Computing, Queen's University, Kingston, Canada;School of Computing, Queen's University, Kingston, Canada
Venue:
WSE '12 Proceedings of the 2012 IEEE 14th International Symposium on Web Systems Evolution (WSE)
Year:
2012

Citing 0
Cited 1

Uncovering access control weaknesses and flaws with security-discordant software clones

Proceedings of the 29th Annual Computer Security Applications Conference

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper presents an original Model-Driven-Engineering (MDE) approach to support the verification and testing of security properties in dynamic web applications. Based on a previously recovered UML-based fine-grained security model, the approach begins by transforming the model into a Prolog-based formal model. The Prolog model is then checked to verify whether the application conforms to specified access control security properties. We demonstrate the use of our method on the popular open source bulletin board system PhpBB 2.0, in the context of three test scenarios: testing for unauthorized access, web application security maintenance, and web application re-engineering.