Efficiently computing static single assignment form and the control dependence graph
ACM Transactions on Programming Languages and Systems (TOPLAS)
Role-Based Access Control Models
Computer
A decentralized model for information flow control
Proceedings of the sixteenth ACM symposium on Operating systems principles
Advanced compiler design and implementation
Advanced compiler design and implementation
Alcoa: the alloy constraint analyzer
Proceedings of the 22nd international conference on Software engineering
XML document security based on provisional authorization
Proceedings of the 7th ACM conference on Computer and communications security
Location Consistency-A New Memory Model and Cache Consistency Protocol
IEEE Transactions on Computers
Analysis and testing of Web applications
ICSE '01 Proceedings of the 23rd International Conference on Software Engineering
Alloy: a lightweight object modelling notation
ACM Transactions on Software Engineering and Methodology (TOSEM)
A fine-grained access control system for XML documents
ACM Transactions on Information and System Security (TISSEC)
A framework for call graph construction algorithms
ACM Transactions on Programming Languages and Systems (TOPLAS)
A lightweight approach to specification and analysis of role-based access control extensions
SACMAT '02 Proceedings of the seventh ACM symposium on Access control models and technologies
A unified approach to global program optimization
POPL '73 Proceedings of the 1st annual ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Java 2 Network Security
Advanced Java 2 Platform How to Program
Advanced Java 2 Platform How to Program
Access rights analysis for Java
OOPSLA '02 Proceedings of the 17th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation
Inside Java(TM) 2 Platform Security: Architecture, API Design, and Implementation
Proceedings of the 25th International Conference on Software Engineering
Programming .NET Security
Bogor: an extensible and highly-modular software model checking framework
Proceedings of the 9th European software engineering conference held jointly with 11th ACM SIGSOFT international symposium on Foundations of software engineering
XML access control using static analysis
Proceedings of the 10th ACM conference on Computer and communications security
Saving the world from bad beans: deployment-time confinement checking
OOPSLA '03 Proceedings of the 18th annual ACM SIGPLAN conference on Object-oriented programing, systems, languages, and applications
Static analysis of role-based access control in J2EE applications
ACM SIGSOFT Software Engineering Notes
The case for analysis preserving language transformation
Proceedings of the 2006 international symposium on Software testing and analysis
APLAS'05 Proceedings of the Third Asian conference on Programming Languages and Systems
Interprocedural analysis for privileged code placement and tainted variable detection
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
When Role Models Have Flaws: Static Validation of Enterprise Security Policies
ICSE '07 Proceedings of the 29th international conference on Software Engineering
Validating Access Control Configurations in J2EE Applications
CBSE '08 Proceedings of the 11th International Symposium on Component-Based Software Engineering
Repairing inconsistent XML write-access control policies
DBPL'07 Proceedings of the 11th international conference on Database programming languages
Program analysis for security and privacy
ECOOP'06 Proceedings of the 2006 conference on Object-oriented technology: ECOOP 2006 workshop reader
2ndStrike: toward manifesting hidden concurrency typestate bugs
Proceedings of the sixteenth international conference on Architectural support for programming languages and operating systems
Towards accuracy of role-based access control configurations in component-based systems
Journal of Systems Architecture: the EUROMICRO Journal
DBSec'11 Proceedings of the 25th annual IFIP WG 11.3 conference on Data and applications security and privacy
F4F: taint analysis of framework-based web applications
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
Towards Security Assurance in Round-Trip Engineering: A Type-Based Approach
Electronic Notes in Theoretical Computer Science (ENTCS)
| Hi-index | 0.00 |
Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data. This paper presents a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy. Relying on a location consistency property, this paper shows how to infer whether an operation-based RBAC policy is equivalent to any databased RBAC policy. We have built a static analysis tool for Java Platform, Enterprise Edition (Java EE) called Static Analysis for Validation of Enterprise Security (SAVES). Relying on interprocedural pointer analysis and dataflow analysis, SAVES analyzes Java EE bytecode to determine if the associated RBAC policy is location consistent, and reports potential security flaws where location consistency does not hold. The experimental results obtained by using SAVES on a number of production-level Java EE codes have identified several security flaws with no false positive reports.