Article (Scientific journals)
Automated Reverse Engineering of Role-based Access Control Policies of Web Applications
Le, Ha Thanh; Shar, Lwin Khin; Bianculli, Domenico et al.
2022In Journal of Systems and Software, 184, p. 111109
Peer Reviewed verified by ORBi
 

Files


Full Text
main.pdf
Author preprint (737.31 kB)
Download

All documents in ORBilu are protected by a user license.

Send to



Details



Keywords :
Access control; testing; reverse engineering
Abstract :
[en] Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. However, in practice, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in business logic implementations. This leads to difficulties in validating the correctness of policy implementations and detecting AC defects. In this paper, we present a semi-automated framework for reverse-engineering of AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations, which are then used to validate implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes more access requests using combinatorial test generation. To learn policies, we apply machine learning on the obtained data to characterize relevant attributes that influence AC. Finally, the inferred policies are presented to the security engineer, for validation with respect to intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors. We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues that were reported to the developers.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Disciplines :
Computer science
Author, co-author :
Le, Ha Thanh ;  Eltien & Co
Shar, Lwin Khin ;  Singapore Management University
Bianculli, Domenico  ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
Briand, Lionel ;  University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
Nguyen, Duy Cu ;  POST Luxembourg
External co-authors :
yes
Language :
English
Title :
Automated Reverse Engineering of Role-based Access Control Policies of Web Applications
Publication date :
February 2022
Journal title :
Journal of Systems and Software
ISSN :
0164-1212
eISSN :
1873-1228
Publisher :
Elsevier, Netherlands
Volume :
184
Pages :
111109
Peer reviewed :
Peer Reviewed verified by ORBi
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR3949772 - Validation And Verification Laboratory, 2010 (01/01/2012-31/07/2018) - Lionel Briand
Funders :
FNR - Fonds National de la Recherche [LU]
Available on ORBilu :
since 29 September 2021

Statistics


Number of views
246 (22 by Unilu)
Number of downloads
343 (1 by Unilu)

Scopus citations®
 
5
Scopus citations®
without self-citations
5
OpenCitations
 
1
WoS citations
 
2

Bibliography


Similar publications



Contact ORBilu