References of "Le, Ha Thanh 50002177"
     in
Bookmark and Share    
Full Text
Peer Reviewed
See detailAutomated Reverse Engineering of Role-based Access Control Policies of Web Applications
Le, Ha Thanh UL; Shar, Lwin Khin UL; Bianculli, Domenico UL et al

in Journal of Systems and Software (in press)

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with ... [more ▼]

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. However, in practice, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in business logic implementations. This leads to difficulties in validating the correctness of policy implementations and detecting AC defects. In this paper, we present a semi-automated framework for reverse-engineering of AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations, which are then used to validate implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes more access requests using combinatorial test generation. To learn policies, we apply machine learning on the obtained data to characterize relevant attributes that influence AC. Finally, the inferred policies are presented to the security engineer, for validation with respect to intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors. We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues that were reported to the developers. [less ▲]

Detailed reference viewed: 48 (1 UL)
Full Text
See detailReACP: A Semi-Automated Framework for Reverse-engineering and Testing of Access Control Policies of Web Applications
Le, Ha Thanh UL; Nguyen, Duy Cu UL; Briand, Lionel UL

Report (2016)

This technical report details our a semi-automated framework for the reverse-engineering and testing of access control (AC) policies for web-based applications. In practice, AC specifications are often ... [more ▼]

This technical report details our a semi-automated framework for the reverse-engineering and testing of access control (AC) policies for web-based applications. In practice, AC specifications are often missing or poorly documented, leading to AC vulnerabilities. Our goal is to learn and recover AC policies from implementation, and assess them to find AC issues. Built on top of a suite of security tools, our framework automatically explores a system under test, mines domain input specifications from access request logs, and then, generates and executes more access requests using combinatorial test generation. We apply machine learning on the obtained data to characterise relevant attributes that influence access control to learn policies. Finally, the inferred policies are used for detecting AC issues, being vulnerabilities or implementation errors. We have evaluated our framework on three open-source applications with respect to correctness and completeness. The results are very promising in terms of the quality of inferred policies, more than 94% of them are correct with respect to implemented AC mechanisms. The remaining incorrect policies are mainly due to our unrefined permission classification. Moreover, a careful analysis of these policies has revealed 92 vulnerabilities, many of them are new. [less ▲]

Detailed reference viewed: 297 (25 UL)
Full Text
Peer Reviewed
See detailAutomated Inference of Access Control Policies for Web Applications
Le, Ha Thanh UL; Nguyen, Duy Cu UL; Briand, Lionel UL et al

in 20th ACM Symposium on Access Control Models and Technologies (SACMAT), 1-3 June 2015 (2015, June)

Detailed reference viewed: 289 (27 UL)