Static Detection of Logic Flaws in Service-Oriented Applications

  • Conference paper
Foundations and Applications of Security Analysis (ARSPA-WITS 2009)

Abstract

Application or business logic, used in the development of services, concerns the operations that define the application's functionality rather than those of the platform. Security problems are often found at this level, because circumventing or misusing the required operations can lead to unexpected behaviour or to attacks, called application logic attacks. We investigate this issue by using the CaSPiS calculus to model services and by providing a Control Flow Analysis able to detect and prevent some possible misuses.

Research supported by the EU FET-GC2 Project IST-2005-016004 Sensoria, by the Italian PRIN Project “SOFT” and by the Italian FIRB Project Tocai.it.

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Bodei, C., Brodo, L., Bruni, R. (2009). Static Detection of Logic Flaws in Service-Oriented Applications. In: Degano, P., Viganò, L. (eds) Foundations and Applications of Security Analysis. ARSPA-WITS 2009. Lecture Notes in Computer Science, vol 5511. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03459-6_5

  • DOI: https://doi.org/10.1007/978-3-642-03459-6_5

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03458-9

  • Online ISBN: 978-3-642-03459-6

  • eBook Packages: Computer Science, Computer Science (R0)
