Automated Inference of Access Control Policies for Web Applications

In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. A machine learning technique is then applied to infer access rules. Inconsistent rules are analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated against pre-specified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications: one is open source, while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of the inferred rules and the access control vulnerabilities the approach helped detect.
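The following is an added illustration of the inference and validation steps described above; it is not code from the paper. The users, roles, resources and the pre-specified policy are constructed, and a plain consistency check over the observed access space stands in for the paper's machine learning technique.

```python
from collections import defaultdict
# Constructed access-space observations (not from the paper): each entry is a
# probe (user, role, resource, HTTP method) and the decision the app returned.
OBSERVATIONS = [
    ("alice", "admin",  "/users", "GET",    "allow"),
    ("alice", "admin",  "/users", "DELETE", "allow"),
    ("bob",   "admin",  "/users", "DELETE", "allow"),
    ("carol", "member", "/users", "GET",    "allow"),
    ("carol", "member", "/users", "DELETE", "deny"),
    ("dave",  "member", "/users", "DELETE", "allow"),  # disagrees with carol
    ("erin",  "guest",  "/users", "GET",    "allow"),
    ("erin",  "guest",  "/users", "DELETE", "deny"),
]

# Constructed pre-specified policy for the validation step.
SPEC = {
    ("admin",  "/users", "GET"):    "allow",
    ("admin",  "/users", "DELETE"): "allow",
    ("member", "/users", "GET"):    "allow",
    ("member", "/users", "DELETE"): "deny",
    ("guest",  "/users", "GET"):    "deny",
    ("guest",  "/users", "DELETE"): "deny",
}

def infer_rules(observations):
    """Infer one rule per (role, resource, method) from observed decisions.
    Keys whose users disagree are returned separately as inconsistent."""
    by_key = defaultdict(dict)
    for user, role, resource, method, decision in observations:
        by_key[(role, resource, method)][user] = decision
    rules, inconsistent = {}, {}
    for key, per_user in by_key.items():
        decisions = set(per_user.values())
        if len(decisions) == 1:
            rules[key] = decisions.pop()
        else:
            inconsistent[key] = per_user  # feed back for further testing
    return rules, inconsistent

def validate(rules, spec):
    """Return inferred rules that contradict the specification. An inferred
    'allow' against a specified 'deny' is a potential access control
    vulnerability; the reverse is an over-restriction (functional bug)."""
    deviations = {}
    for key, inferred in rules.items():
        if key in spec and spec[key] != inferred:
            kind = "vulnerability" if inferred == "allow" else "over-restriction"
            deviations[key] = (inferred, spec[key], kind)
    return deviations
```

Inconsistent keys are the ones a tester would re-exercise with more users or inputs; deviations marked as vulnerabilities are the ones to hand to a human expert first.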
