Automated reverse engineering of role-based access control policies of web applications

Cited by: 2
Authors
Ha Thanh Le [1 ]
Shar, Lwin Khin [2 ]
Bianculli, Domenico [3 ]
Briand, Lionel Claude [3 ,4 ]
Nguyen, Cu Duy [5 ]
Affiliations
[1] Getcare Pharma Corp, Ho Chi Minh City, Vietnam
[2] Singapore Management Univ, Sch Comp & Informat Syst, Singapore, Singapore
[3] Univ Luxembourg, Interdisciplinary Ctr Secur Reliabil & Trust SnT, Luxembourg, Luxembourg
[4] Univ Ottawa, Ottawa, ON, Canada
[5] Cyberforce Dept POST Luxembourg, Luxembourg, Luxembourg
Funding
National Research Foundation, Singapore;
Keywords
Access control testing; Reverse engineering; Access control policies; Machine learning; ALGORITHMS;
DOI
10.1016/j.jss.2021.111109
CLC classification number
TP31 [Computer software];
Discipline classification code
081202; 0835;
Abstract
Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. It is therefore essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. In practice, however, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in the business logic. This makes it difficult to validate the correctness of policy implementations and to detect AC defects. In this paper, we present a semi-automated framework for reverse-engineering AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations; the recovered policies are then used to validate the implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes additional access requests using combinatorial test generation. To learn policies, we apply machine learning to the obtained data in order to characterize the attributes that influence AC decisions. Finally, the inferred policies are presented to the security engineer for validation against the intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors. We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of the inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues, which were reported to the developers.
(C) 2021 Elsevier Inc. All rights reserved.
Pages: 18