Model-Assisted Access Control Implementation for Code-centric Ruby-on-Rails Web Application Development

In Web application frameworks suited to a code-centric development approach, keeping the security features free of faults is difficult because their implementation is dispersed throughout the code. In this paper, we propose a method and develop a static verification tool for Web applications that checks the completeness of the security feature implementation. Because access control is tied to application behavior, the tool generates a navigation model from the application code while retaining the security properties, and then checks the consistency of those properties on the model. We applied the proposed tool to the source code of various Ruby on Rails Web applications and tested their authentication and authorization features. The results showed that the tool is an effective aid in implementing security features in code-centric, iterative Web application development.
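
A much-simplified illustration of the idea in the abstract, added here and not the paper's tool or code: it builds a small navigation model from a constructed controller and its views, then flags state-changing actions that the authentication filter does not cover. The filter name `authenticate_user!`, the sample application, and the consistency rule are assumptions.

```ruby
# Constructed sample input (not from the paper or any real application).
CONTROLLER = <<~RUBY
  class PostsController < ApplicationController
    before_action :authenticate_user!, only: [:new, :create, :edit]
    def index; end
    def new; end
    def create
      redirect_to action: :index
    end
    def edit; end
    def update
      redirect_to action: :index
    end
  end
RUBY
VIEWS = { # action => ERB of the view it renders (constructed)
  "index" => '<%= link_to "New", action: :new %>',
  "new"   => '<%= form_with url: { action: :create } %>',
  "edit"  => '<%= form_with url: { action: :update }, method: :patch %>'
}
AUTH_FILTER = "authenticate_user!"          # assumed filter name
STATE_CHANGING = %w[create update destroy]  # Rails REST convention
def symbols(text); text.to_s.scan(/:(\w+)/).flatten; end

# Navigation model: action => { guarded: bool, targets: [action, ...] }
def build_model(controller, views)
  model, current, filter = {}, nil, nil
  controller.each_line do |line|
    if (m = line.match(/before_action\s+:#{Regexp.escape(AUTH_FILTER)}(.*)/))
      filter = { only: m[1][/only:\s*\[(.*?)\]/, 1], except: m[1][/except:\s*\[(.*?)\]/, 1] }
    elsif (m = line.match(/^\s*def\s+(\w+)/))
      current = m[1]
      model[current] = { guarded: false, targets: [] }
    elsif current && (m = line.match(/redirect_to\s+action:\s*:(\w+)/))
      model[current][:targets] << m[1]   # transition made by the controller
    end
  end
  model.each do |name, node|
    node[:targets] |= views.fetch(name, "").scan(/action:\s*:(\w+)/).flatten
    covered = filter && (filter[:only].nil? || symbols(filter[:only]).include?(name))
    node[:guarded] = !!covered && !symbols(filter[:except]).include?(name)
  end
end

# Assumed rule: a state-changing action must be guarded; report who links to it.
def unguarded_state_changes(model)
  model.select { |name, node| STATE_CHANGING.include?(name) && !node[:guarded] }
       .map { |name, _| { action: name, reached_from: model.select { |_, n| n[:targets].include?(name) }.keys } }
end
```

On the sample, `update` is reported because the `only:` list omits it even though the guarded `edit` form posts to it.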
