Model-based analysis of Java EE web security misconfigurations

The Java EE framework, a popular technology of choice for the development of web applications, provides developers with the means to define access-control policies to protect application resources from unauthorized disclosures and manipulations. Unfortunately, the definition and manipulation of such security policies remains a complex and error-prone task, requiring expert-level knowledge of the syntax and semantics of the Java EE access-control mechanisms. Thus, misconfigurations that may lead to unintentional security and/or availability problems can be easily introduced. In response to this problem, we present a (model-based) reverse engineering approach that automatically evaluates a set of security properties on reverse engineered Java EE security configurations, helping to detect the presence of anomalies. We evaluate the efficacy and pertinence of our approach by applying our prototype tool on a sample of real Java EE applications extracted from GitHub.

Highlights

- We provide a framework to analyze Java EE access-control misconfigurations.
- We use model-driven engineering tools and techniques in our analysis.
- We evaluate the efficacy and pertinence of our approach on real applications.
- We provide a survey on the importance of security to Java EE developers.
