Abstract
Security of dynamic web applications is a serious issue. While Model Driven Architecture (MDA) techniques can be used to generate applications with given access control security properties, analysing existing web applications for such properties is more problematic. In this paper we present a model transformation technique to automatically construct a role-based access control (RBAC) security model of a dynamic web application from previously recovered structural and behavioral models. The SecureUML model generated by this technique can be used to check security properties of the original application. We demonstrate our approach by constructing an RBAC security model of PhpBB, a popular Internet bulletin board system.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Alalfi, M.H., Cordy, J.R., Dean, T.R. (2012). Recovering Role-Based Access Control Security Models from Dynamic Web Applications. In: Brambilla, M., Tokuda, T., Tolksdorf, R. (eds) Web Engineering. ICWE 2012. Lecture Notes in Computer Science, vol 7387. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31753-8_9
DOI: https://doi.org/10.1007/978-3-642-31753-8_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31752-1
Online ISBN: 978-3-642-31753-8
eBook Packages: Computer Science (R0)