Static analysis of role-based access control in J2EE applications

Authors:
Gleb Naumovich;Paolina Centonze
Affiliations:
Polytechnic University, Brooklyn, NY;Polytechnic University, Brooklyn, NY
Venue:
ACM SIGSOFT Software Engineering Notes
Year:
2004

Citing 20
Cited 11

Role-Based Access Control Models

Computer
A decentralized model for information flow control

Proceedings of the sixteenth ACM symposium on Operating systems principles
Inside Java 2 platform security architecture, API design, and implementation

Inside Java 2 platform security architecture, API design, and implementation
Compositional pointer and escape analysis for Java programs

Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Alcoa: the alloy constraint analyzer

Proceedings of the 22nd international conference on Software engineering
XML document security based on provisional authorization

Proceedings of the 7th ACM conference on Computer and communications security
Pointer analysis: haven't we solved this problem yet?

PASTE '01 Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Analysis and testing of Web applications

ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Alloy: a lightweight object modelling notation

ACM Transactions on Software Engineering and Methodology (TOSEM)
A fine-grained access control system for XML documents

ACM Transactions on Information and System Security (TISSEC)
A lightweight approach to specification and analysis of role-based access control extensions

SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Flow Analysis of Computer Programs

Flow Analysis of Computer Programs
A conservative algorithm for computing the flow of permissions in Java programs

ISSTA '02 Proceedings of the 2002 ACM SIGSOFT international symposium on Software testing and analysis
Access rights analysis for Java

OOPSLA '02 Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Cadena: an integrated development, analysis, and verification environment for component-based systems

Proceedings of the 25th International Conference on Software Engineering
Bogor: an extensible and highly-modular software model checking framework

Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
XML access control using static analysis

Proceedings of the 10th ACM conference on Computer and communications security
Saving the world from bad beans: deployment-time confinement checking

OOPSLA '03 Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented programing, systems, languages, and applications
The Construction of Contextual Def-Use Associations for Object-Oriented Systems

IEEE Transactions on Software Engineering
Enterprise Java 2 Security: Building Secure and Robust J2EE Applications

Enterprise Java 2 Security: Building Secure and Robust J2EE Applications

The essence of command injection attacks in web applications

Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Role-Based access control consistency validation

Proceedings of the 2006 international symposium on Software testing and analysis
A reference software architecture for the development of industrial automation high-level applications in the petroleum industry

Computers in Industry
A survey of static analysis methods for identifying security vulnerabilities in software systems

IBM Systems Journal
Validating Access Control Configurations in J2EE Applications

CBSE '08 Proceedings of the 11th International Symposium on Component-Based Software Engineering
Program analysis for security and privacy

ECOOP'06 Proceedings of the 2006 conference on Object-oriented technology: ECOOP 2006 workshop reader
Symbolic security analysis of ruby-on-rails web applications

Proceedings of the 17th ACM conference on Computer and communications security
Trace-based verification of imperative programs with I/O

Journal of Symbolic Computation
Towards accuracy of role-based access control configurations in component-based systems

Journal of Systems Architecture: the EUROMICRO Journal
ASIDE: IDE support for web application security

Proceedings of the 27th Annual Computer Security Applications Conference
Interprocedural analysis for privileged code placement and tainted variable detection

ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming

Quantified Score

Hi-index	0.00

Visualization

Abstract

This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to encapsulate the core computations performed on Web servers. Access to EJBs is protected by application servers, according to role-based access control policies that may be created either at development or deployment time. These policies may prohibit some types of users from accessing specific EJB methods.We present a static technique for analyzing J2EE access control policies with respect to security-sensitive fields of EJBs and other server-side objects. Our technique uses points-to analysis to determine which object fields are accessed by which EJB methods, directly or indirectly. Based on this information, J2EE access control policies are analyzed to identify potential inconsistencies that may lead to security holes.