Role-Based Access Control Models
Computer
A decentralized model for information flow control
Proceedings of the sixteenth ACM symposium on Operating systems principles
Inside Java 2 platform security architecture, API design, and implementation
Compositional pointer and escape analysis for Java programs
Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Alcoa: the alloy constraint analyzer
Proceedings of the 22nd international conference on Software engineering
XML document security based on provisional authorization
Proceedings of the 7th ACM conference on Computer and communications security
Pointer analysis: haven't we solved this problem yet?
PASTE '01 Proceedings of the 2001 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering
Analysis and testing of Web applications
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Alloy: a lightweight object modelling notation
ACM Transactions on Software Engineering and Methodology (TOSEM)
A fine-grained access control system for XML documents
ACM Transactions on Information and System Security (TISSEC)
A lightweight approach to specification and analysis of role-based access control extensions
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
Flow Analysis of Computer Programs
A conservative algorithm for computing the flow of permissions in Java programs
ISSTA '02 Proceedings of the 2002 ACM SIGSOFT international symposium on Software testing and analysis
Access rights analysis for Java
OOPSLA '02 Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Proceedings of the 25th International Conference on Software Engineering
Bogor: an extensible and highly-modular software model checking framework
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
XML access control using static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Saving the world from bad beans: deployment-time confinement checking
OOPSLA '03 Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented programing, systems, languages, and applications
The Construction of Contextual Def-Use Associations for Object-Oriented Systems
IEEE Transactions on Software Engineering
Enterprise Java 2 Security: Building Secure and Robust J2EE Applications
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Role-Based access control consistency validation
Proceedings of the 2006 international symposium on Software testing and analysis
Validating Access Control Configurations in J2EE Applications
CBSE '08 Proceedings of the 11th International Symposium on Component-Based Software Engineering
Program analysis for security and privacy
ECOOP'06 Proceedings of the 2006 conference on Object-oriented technology: ECOOP 2006 workshop reader
Symbolic security analysis of ruby-on-rails web applications
Proceedings of the 17th ACM conference on Computer and communications security
Trace-based verification of imperative programs with I/O
Journal of Symbolic Computation
Towards accuracy of role-based access control configurations in component-based systems
Journal of Systems Architecture: the EUROMICRO Journal
ASIDE: IDE support for web application security
Proceedings of the 27th Annual Computer Security Applications Conference
Interprocedural analysis for privileged code placement and tainted variable detection
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to encapsulate the core computations performed on Web servers. Access to EJBs is protected by application servers, according to role-based access control policies that may be created either at development or deployment time. These policies may prohibit some types of users from accessing specific EJB methods. We present a static technique for analyzing J2EE access control policies with respect to security-sensitive fields of EJBs and other server-side objects. Our technique uses points-to analysis to determine which object fields are accessed by which EJB methods, directly or indirectly. Based on this information, J2EE access control policies are analyzed to identify potential inconsistencies that may lead to security holes.