Le, Ha Thanh ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SnT)
Nguyen, Duy Cu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SnT)
Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SnT) ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Hourte, Benjamin
External co-authors: no
Language: English
Title: Automated Inference of Access Control Policies for Web Applications
Publication date: June 2015
Event name: 20th ACM Symposium on Access Control Models and Technologies (SACMAT)
Event place: Vienna, Austria
Event date: 1-3 June 2015
Audience: International
Main work title: 20th ACM Symposium on Access Control Models and Technologies (SACMAT), 1-3 June 2015