Automated verification of role-based access control security models recovered from dynamic web applications

This paper presents an original Model-Driven Engineering (MDE) approach to support the verification and testing of security properties in dynamic web applications. Based on a previously recovered UML-based fine-grained security model, the approach begins by transforming the model into a Prolog-based formal model. The Prolog model is then checked to verify whether the application conforms to specified access control security properties. We demonstrate the use of our method on the popular open source bulletin board system phpBB 2.0, in the context of three test scenarios: testing for unauthorized access, web application security maintenance, and web application re-engineering.
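The following is an added illustration, not the paper's own model or tooling, of what a Prolog-based formal model of a recovered RBAC security model can look like and how the "unauthorized access" scenario becomes a query over it. The roles, permissions, page names and guards are constructed for the example and are not claims about phpBB 2.0's actual code; the defect (a page guarded at the wrong role) is planted deliberately so the query has something to find.

```prolog
% Constructed RBAC model (hypothetical; not recovered from phpBB).
role(guest).  role(user).  role(moderator).  role(admin).

% Role hierarchy: inherits(Child, Parent) means Child has every
% permission of Parent.
inherits(user, guest).
inherits(moderator, user).
inherits(admin, moderator).

% Permissions granted directly to a role (the intended policy).
grants(guest, view_forum).
grants(user, post_reply).
grants(moderator, delete_post).
grants(admin, edit_config).

% What each page/action needs in order to be performed safely.
% Page names are placeholders standing in for recovered URLs.
requires(viewtopic_page, view_forum).
requires(posting_reply_action, post_reply).
requires(modcp_delete_action, delete_post).
requires(admin_config_page, edit_config).

% The guard the application actually enforces on each page, i.e. the
% minimum role the recovered code checks for before serving it.
guard(viewtopic_page, guest).
guard(posting_reply_action, user).
guard(modcp_delete_action, moderator).
guard(admin_config_page, moderator).   % planted defect: should be admin

% Effective permission, closed under the role hierarchy.
has_permission(Role, Perm) :- grants(Role, Perm).
has_permission(Role, Perm) :-
    inherits(Role, Parent),
    has_permission(Parent, Perm).

% reaches(Role, Min): Role is Min itself or is above Min in the hierarchy,
% so a guard requiring at least Min admits Role.
reaches(Role, Role).
reaches(Role, Min) :-
    inherits(Role, Parent),
    reaches(Parent, Min).

% A role is admitted to a page when the implemented guard lets it through.
admitted(Role, Page) :-
    guard(Page, Min),
    reaches(Role, Min).

% Security property under test: every role the application admits to a
% page must hold every permission that page requires. A solution to
% unauthorized/3 is a counter-example, i.e. an unauthorized access path.
unauthorized(Role, Page, Perm) :-
    admitted(Role, Page),
    requires(Page, Perm),
    \+ has_permission(Role, Perm).

% Convenience predicate for the "does the model conform?" check.
conforms :- \+ unauthorized(_, _, _).
```

Loaded into a standard Prolog system (e.g. SWI-Prolog with `[file].`), the query `?- unauthorized(Role, Page, Perm).` returns `Role = moderator, Page = admin_config_page, Perm = edit_config` and then fails, which is exactly the planted guard defect; `?- conforms.` fails for the same reason and succeeds once the guard is changed to `admin`. The same fact base supports the paper's other two scenarios: a maintenance change is a diff against the `guard/2` and `grants/2` facts that can be re-checked with the same query, and a re-engineered role hierarchy is a change to `inherits/2` checked the same way.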
