Static Detection of Logic Flaws in Service-Oriented Applications

Application or business logic, used in the development of services, has to do with the operations that define the application functionalities and not with the platform ones. Often security problems can be found at this level, because circumventing or misusing the required operations can lead to unexpected behaviour or to attacks, called application logic attacks. We investigate this issue, by using the CaSPiS calculus to model services, and by providing a Control Flow Analysis able to detect and prevent some possible misuses.

[1]  David A. Schmidt,et al.  The Essence of Computation , 2002 .

[2]  Andrew D. Gordon,et al.  Verified Reference Implementations of WS-Security Protocols , 2006, WS-FM.

[3]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[4]  Flemming Nielson,et al.  Static validation of security protocols , 2005, J. Comput. Secur..

[5]  Jayadev Misra,et al.  A Language for Task Orchestration and Its Semantic Properties , 2006, CONCUR.

[6]  Robin Milner,et al.  Theories for the Global Ubiquitous Computer , 2004, FoSSaCS.

[7]  Doina Bucur,et al.  Secure Data Flow in a Calculus for Context Awareness , 2008, Concurrency, Graphs and Models.

[8]  Marija Kolundzija Security Types for Sessions and Pipelines , 2008, WS-FM.

[9]  Eduardo Bonelli,et al.  Typechecking Safe Process Synchronization , 2005, FGUC.

[10]  Andrea Bracciali,et al.  Control Flow Analysis for Brane Calculi , 2008, MeCBIC.

[11]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[12]  Pierpaolo Degano,et al.  Detecting and preventing type flaws at static time , 2010, J. Comput. Secur..

[13]  Gian Luigi Ferrari,et al.  Semantics-Based Design for Secure Web Services , 2008, IEEE Transactions on Software Engineering.

[14]  Faisal Nabi Secure business application logic for e-commerce systems , 2005, Comput. Secur..

[15]  Flemming Nielson,et al.  Control Flow Analysis for BioAmbients , 2007, BioConcur@CONCUR.

[16]  Roberto Bruni Calculi for Service-Oriented Computing , 2009, SFM.

[17]  Mike Bond,et al.  Extending Security Protocol Analysis: New Challenges , 2005, Electron. Notes Theor. Comput. Sci..

[18]  Farhad Arbab,et al.  International Symposium on Fundamentals of Software Engineering, International Symposium, FSEN 2007, Tehran, Iran, April 17-19, 2007, Proceedings , 2007, FSEN.

[19]  Sebastian Mödersheim,et al.  Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario , 2006, IACR Cryptol. ePrint Arch..

[20]  Christel Baier,et al.  CONCUR 2006 - Concurrency Theory, 17th International Conference, CONCUR 2006, Bonn, Germany, August 27-30, 2006, Proceedings , 2006, CONCUR.

[21]  Bob Atkinson Web Services Security (WS-Security) , 2003 .

[22]  Roberto Bruni,et al.  Sessions and Pipelines for Structured Service Programming , 2008, FMOODS.

[23]  Simon S. Lam,et al.  A semantic model for authentication protocols , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[24]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[25]  Lucia Acciai,et al.  A Type System for Client Progress in a Service-Oriented Calculus , 2008, Concurrency, Graphs and Models.

[26]  Flemming Nielson,et al.  Flow Logic: A Multi-paradigmatic Approach to Static Analysis , 2002, The Essence of Computation.

[27]  Lucia Acciai,et al.  Type abstractions of name-passing processes , 2007, FSEN'07.

[28]  Roberto Bruni,et al.  Types and Deadlock Freedom in a Calculus of Services, Sessions and Pipelines , 2008, AMAST.