International Conference on Web Engineering

ICWE 2012: Web Engineering, pp. 121–136

Recovering Role-Based Access Control Security Models from Dynamic Web Applications

  • Manar H. Alalfi
  • James R. Cordy
  • Thomas R. Dean

Part of the Lecture Notes in Computer Science book series (LNISA, volume 7387)

Abstract

Security of dynamic web applications is a serious issue. While Model Driven Architecture (MDA) techniques can be used to generate applications with given access control security properties, analysis of existing web applications is more problematic. In this paper we present a model transformation technique to automatically construct a role-based access control (RBAC) security model of dynamic web applications from previously recovered structural and behavioral models. The SecureUML model generated by this technique can be used to check for security properties of the original application. We demonstrate our approach by constructing an RBAC security model of PhpBB, a popular internet bulletin board system.
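The abstract describes recovering an RBAC model from a dynamically analysed web application and then checking security properties against it. What follows is an added illustration of that idea, not the authors' tool and not code from the paper: the paper derives a SecureUML model from recovered UML structural and behavioural models of PhpBB using TXL model transformations, whereas this script stands in for the recovered behavioural model with a hand-constructed trace of (role, page, SQL statement) observations, takes the table names those statements touch as the structural model, and represents the RBAC model as a plain mapping from role to table to CRUD actions. The role hierarchy, the intended policy, the page and table names, and the mapping of SQL verbs to create/read/update/delete are all constructed assumptions for the example and are not PhpBB's real schema or permission system.

```python
"""Recover a role-based access control (RBAC) model from dynamic traces and
check it against an intended policy.

Added example, not the authors' tool. The recovered behavioural model is
simulated by hand-constructed (role, page, SQL statement) observations, the
structural model by the tables those statements touch, and the RBAC model
is a dict role -> table -> set of CRUD actions. All role, page and table
names below are constructed for illustration, not PhpBB's real schema.
"""
import re
from collections import defaultdict

# Constructed trace: one tuple per server-side SQL statement observed while a
# session holding the given role requested the given page.
TRACE = [
    ("guest", "viewforum.php", "SELECT topic_id, topic_title FROM topics WHERE forum_id = 2"),
    ("guest", "viewtopic.php", "SELECT post_id, post_text FROM posts WHERE topic_id = 7"),
    # Constructed anomaly: anonymous posting is switched on, so a guest can insert.
    ("guest", "posting.php", "INSERT INTO posts (topic_id, poster_id, post_text) VALUES (7, -1, 'spam')"),
    ("user", "posting.php", "INSERT INTO posts (topic_id, poster_id, post_text) VALUES (7, 12, 'hi')"),
    ("user", "posting.php", "UPDATE topics SET topic_replies = topic_replies + 1 WHERE topic_id = 7"),
    ("moderator", "mcp.php", "DELETE FROM posts WHERE post_id = 99"),
    ("admin", "admin/admin_users.php", "UPDATE users SET user_level = 1 WHERE user_id = 12"),
    ("admin", "admin/admin_users.php", "DELETE FROM users WHERE user_id = 13"),
]

# Constructed role hierarchy (RBAC1 style): each role inherits from the roles listed.
HIERARCHY = {"guest": [], "user": ["guest"], "moderator": ["user"], "admin": ["moderator"]}

# Constructed intended policy: what each role is *supposed* to do, before inheritance.
INTENDED = {
    "guest": {"topics": {"read"}, "posts": {"read"}},
    "user": {"posts": {"create"}, "topics": {"update"}},
    "moderator": {"posts": {"delete"}},
    "admin": {"users": {"update", "delete"}},
}

# Assumed mapping of SQL verbs to SecureUML-style CRUD actions on an entity.
ACTION_OF = {"select": "read", "insert": "create", "update": "update", "delete": "delete"}


def parse_sql(stmt):
    """Map a simple single-table SQL statement to (CRUD action, table), or None."""
    m = re.match(r"\s*(select|insert|update|delete)\b", stmt, re.I)
    if not m:
        return None
    verb = m.group(1).lower()
    # The table name follows UPDATE, INTO (insert) or FROM (select/delete).
    keyword = {"update": "update", "insert": "into"}.get(verb, "from")
    t = re.search(r"\b%s\s+`?(\w+)`?" % keyword, stmt, re.I)
    return (ACTION_OF[verb], t.group(1).lower()) if t else None


def recover_rbac(trace):
    """Build role -> table -> set(actions) from observed (role, page, sql) tuples."""
    model = defaultdict(lambda: defaultdict(set))
    for role, _page, sql in trace:
        parsed = parse_sql(sql)
        if parsed:
            action, table = parsed
            model[role][table].add(action)
    return {r: {t: set(a) for t, a in tables.items()} for r, tables in model.items()}


def effective(policy, hierarchy):
    """Close a role -> table -> actions policy under the role hierarchy."""
    def perms(role, seen=()):
        out = defaultdict(set)
        for t, a in policy.get(role, {}).items():
            out[t] |= a
        for parent in hierarchy.get(role, []):
            if parent not in seen:  # guard against cyclic hierarchies
                for t, a in perms(parent, seen + (role,)).items():
                    out[t] |= a
        return out
    return {r: {t: set(a) for t, a in perms(r).items()} for r in hierarchy}


def excess_permissions(recovered, intended, hierarchy):
    """Return sorted (role, table, action) triples the application grants
    but the intended policy (closed under the hierarchy) does not."""
    allowed = effective(intended, hierarchy)
    excess = []
    for role, tables in recovered.items():
        for table, actions in tables.items():
            for action in actions - allowed.get(role, {}).get(table, set()):
                excess.append((role, table, action))
    return sorted(excess)


if __name__ == "__main__":
    model = recover_rbac(TRACE)
    for role in HIERARCHY:
        print(role, model.get(role, {}))
    for role, table, action in excess_permissions(model, INTENDED, HIERARCHY):
        print("EXCESS: role %r may %s %s, which the intended policy does not allow" % (role, action, table))
```

Run stand-alone, the script prints the recovered permissions per role and flags the one constructed anomaly, a guest session observed inserting into posts, as a permission the application grants but the intended policy does not. That is the shape of the property check the abstract refers to, reduced here to a set difference between the recovered model and the intended policy closed under the role hierarchy; the recovered model is only as complete as the trace that produced it, so a permission absent from it is evidence of coverage, not proof of denial.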

Keywords

  • Sequence Diagram
  • Security Model
  • Access Control Policy
  • Model Driven Architecture
  • Secure Resource

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Author information

Authors and Affiliations

  1. School of Computing, Queen's University, Kingston, Ontario, Canada

    Manar H. Alalfi, James R. Cordy & Thomas R. Dean

Editor information

Editors and Affiliations

  1. Dipartimento di Elettronica e Informazione, Politecnico di Milano, Via Ponzio 34/5, 20133, Milano, Italy

    Marco Brambilla

  2. Department of Computer Science, Tokyo Institute of Technology, 2-12-1 Ookayama, 152-8552, Tokyo, Japan

    Takehiro Tokuda

  3. Institut für Informatik, Freie Universität Berlin, Königin-Luise-Strasse 24-26, 14195, Berlin, Germany

    Robert Tolksdorf

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Alalfi, M.H., Cordy, J.R., Dean, T.R. (2012). Recovering Role-Based Access Control Security Models from Dynamic Web Applications. In: Brambilla, M., Tokuda, T., Tolksdorf, R. (eds) Web Engineering. ICWE 2012. Lecture Notes in Computer Science, vol 7387. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31753-8_9

  • DOI: https://doi.org/10.1007/978-3-642-31753-8_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31752-1

  • Online ISBN: 978-3-642-31753-8
