Abstract
Application or business logic, used in the development of services, has to do with the operations that define the application functionalities and not with the platform ones. Often security problems can be found at this level, because circumventing or misusing the required operations can lead to unexpected behaviour or to attacks, called application logic attacks. We investigate this issue, by using the CaSPiS calculus to model services, and by providing a Control Flow Analysis able to detect and prevent some possible misuses.
Research supported by the EU FET-GC2 Project IST-2005-016004 Sensoria, by the Italian PRIN Project “SOFT” and by the Italian FIRB Project Tocai.it.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Acciai, L., Boreale, M.: Type Abstractions of Name-Passing Processes. In: Arbab, F., Sirjani, M. (eds.) FSEN 2007. LNCS, vol. 4767, pp. 302–317. Springer, Heidelberg (2007)
Acciai, L., Boreale, M.: A Type System for Client Progress in a Service-Oriented Calculus. In: Degano, P., De Nicola, R., Meseguer, J. (eds.) Concurrency, Graphs and Models. LNCS, vol. 5065, pp. 642–658. Springer, Heidelberg (2008)
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)
Bartoletti, M., Degano, P., Ferrari, G.L., Zunino, R.: Semantics-Based Design for Secure Web Services. IEEE Transactions on Software Engineering 34(1), 33–49 (2008)
Bhargavan, K., Fournet, C., Gordon, A.D.: Verified Reference Implementations of WS-Security Protocols. In: Bravetti, M., Núñez, M., Zavattaro, G. (eds.) WS-FM 2006. LNCS, vol. 4184, pp. 88–106. Springer, Heidelberg (2006)
Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: Computer Security Foundations Workshop (CSFW) (2001)
Bodei, C., Bracciali, A., Chiarugi, D.: Control Flow Analysis for Brane Calculi. ENTCS, vol. 227, pp. 59–75. Elsevier, Amsterdam (2009)
Bodei, C., Brodo, L., Degano, P., Gao, H.: Detecting and Preventing Type Flaws at Static Time. To appear in Journal of Computer Security (2009)
Bodei, C., Brodo, L., Bruni, R.: Static Detection of Logic Flaws in Service Applications. Technical Report, Dipartimento di Informatica, Università di Pisa (2009)
Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Nielson, H.R.: Static Validation of Security Protocols. Journal of Computer Security 13(3), 347–390 (2005)
Bond, M., Clulow, J.: Extending Security Protocol Analysis: New Challenges. ENTCS, vol. 125(1), pp. 13–24. Elsevier, Amsterdam (2005)
Bonelli, E., Compagnoni, A., Gunter, E.: Typechecking Safe Process Synchronization. In: Proc. Foundations of Global Ubiquitous Computing. ENTCS, vol. 138(1), pp. 3–22. Elsevier, Amsterdam (2005)
Boreale, M., Bruni, R., De Nicola, R., Loreti, M.: Sessions and Pipelines for Structured Service Programming. In: Barthe, G., de Boer, F.S. (eds.) FMOODS 2008. LNCS, vol. 5051, pp. 19–38. Springer, Heidelberg (2008)
Bruni, R.: Calculi for service-oriented computing. In: Proc. of 9th International School on Formal Methods for the Design of Computer, Communication and Software Systems: Web Services (SFM 2009). LNCS, vol. 5569, pp. 1–41. Springer, Heidelberg (2009)
Bruni, R., Mezzina, L.G.: Types and Deadlock Freedom in a Calculus of Services, Sessions and Pipelines. In: Meseguer, J., Roşu, G. (eds.) AMAST 2008. LNCS, vol. 5140, pp. 100–115. Springer, Heidelberg (2008)
Kitchin, D., Cook, W.R., Misra, J.: A language for task orchestration and its semantic properties. In: Baier, C., Hermanns, H. (eds.) CONCUR 2006. LNCS, vol. 4137, pp. 477–491. Springer, Heidelberg (2006)
Dolev, D., Yao, A.C.: On the Security of Public Key Protocols. IEEE TIT, IT-29(12), 198–208 (1983)
Kolundzija, M.: Security Types for Sessions and Pipelines. In: Proc. of the 5th International Workshop on Web Services and Formal Methods (WS-FM 2008). LNCS, vol. 5387, pp. 175–189. Springer, Heidelberg (2009)
Nabi, F.: Secure business application logic for e-commerce systems. Computers & Security 24(3), 208–217 (2005)
Nielson, F., Riis Nielson, H., Priami, C., Schuch da Rosa, D.: Control Flow Analysis for BioAmbients. ENTCS, vol. 180(3), pp. 65–79. Elsevier, Amsterdam (2007)
Riis Nielson, H., Nielson, F.: Flow Logic: a multi-paradigmatic approach to static analysis. In: Mogensen, T.Æ., Schmidt, D.A., Sudborough, I.H. (eds.) The Essence of Computation. LNCS, vol. 2566, pp. 223–244. Springer, Heidelberg (2002)
OASIS Technical Commitee. Web Services Security (WS-Security) (2006)
Neohapsis Archives. Price modification possible in CyberOffice Shopping Cart, http://archives.neohapsis.com/archives/bugtraq/2000-10/0011.html
Backes, M., Mödersheim, S., Pfitzmann, B., Viganò, L.: Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario. In: Aceto, L., Ingólfsdóttir, A. (eds.) FOSSACS 2006. LNCS, vol. 3921, pp. 428–445. Springer, Heidelberg (2006)
Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proc. of IEEE Symposium on Security and Privacy (1993)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Bodei, C., Brodo, L., Bruni, R. (2009). Static Detection of Logic Flaws in Service-Oriented Applications. In: Degano, P., Viganò, L. (eds) Foundations and Applications of Security Analysis. ARSPA-WITS 2009. Lecture Notes in Computer Science, vol 5511. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03459-6_5
Download citation
DOI: https://doi.org/10.1007/978-3-642-03459-6_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03458-9
Online ISBN: 978-3-642-03459-6
eBook Packages: Computer ScienceComputer Science (R0)