
AuthCheck: Program-State Analysis for Access-Control Vulnerabilities

  • Conference paper
  • Formal Methods. FM 2019 International Workshops (FM 2019)

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 12233)

Abstract

According to security rankings such as the SANS Top 25 and the OWASP Top 10, access-control vulnerabilities are still highly relevant. Even though developers use web frameworks such as Spring and Struts, which handle the entire access-control mechanism, their implementation can still be vulnerable because of misuses, errors, or an implementation that is inconsistent with the design specification. We propose AuthCheck, a static analysis that tracks the program’s state using a finite state machine to report illegal states caused by a vulnerable implementation. We implemented AuthCheck for the Spring framework and identified four types of mistakes that developers can make when using Spring Security. With AuthCheck, we analyzed an existing open-source Spring application with inserted vulnerable code and detected the vulnerabilities.


Notes

  1. https://cwe.mitre.org/top25/.
  2. https://www.owasp.org/index.php/Top_10-2017_Top_10.
  3. https://spring.io/.
  4. https://struts.apache.org/.
  5. https://cwe.mitre.org.
  6. https://github.com/fred4jupiter/fredbet.
  7. https://github.com/secure-software-engineering/authcheck/blob/master/Evalu-ation_With_FredBet/Evaluation.md.


Acknowledgement

We thank Abdul Rehman Tareen for extending the initial version of the tool to support all Spring annotations needed for complete analysis of the FredBet application. We also thank the reviewers for the constructive feedback and proposals for improving this paper. This research was partially supported by the Software Campus Program of the German Ministry of Education and Research and the research project “AppSecure.nrw - Security-by-Design of Java-based Applications” funded by the European Regional Development Fund (ERDF-0801379).

Author information

Corresponding author: Goran Piskachev


Copyright information

© 2020 Springer Nature Switzerland AG


Cite this paper

Piskachev, G., Petrasch, T., Späth, J., Bodden, E. (2020). AuthCheck: Program-State Analysis for Access-Control Vulnerabilities. In: Sekerinski, E., et al. (eds.) Formal Methods. FM 2019 International Workshops. FM 2019. Lecture Notes in Computer Science, vol. 12233. Springer, Cham. https://doi.org/10.1007/978-3-030-54997-8_34


  • DOI: https://doi.org/10.1007/978-3-030-54997-8_34


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-54996-1

  • Online ISBN: 978-3-030-54997-8

  • eBook Packages: Computer Science (R0)
