DocumentCode :
3544834
Title :
Automated verification of role-based access control security models recovered from dynamic web applications
Author :
Alalfi, Manar H. ; Cordy, James R. ; Dean, Thomas R.
Author_Institution :
Sch. of Comput., Queen's Univ., Kingston, ON, Canada
fYear :
2012
fDate :
28-28 Sept. 2012
Firstpage :
1
Lastpage :
10
Abstract :
This paper presents an original Model-Driven-Engineering (MDE) approach to support the verification and testing of security properties in dynamic web applications. Based on a previously recovered UML-based fine-grained security model, the approach begins by transforming the model into a Prolog-based formal model. The Prolog model is then checked to verify whether the application conforms to specified access control security properties. We demonstrate the use of our method on the popular open source bulletin board system PhpBB 2.0, in the context of three test scenarios: testing for unauthorized access, web application security maintenance, and web application re-engineering.
Keywords :
Internet; PROLOG; authorisation; formal verification; public domain software; MDE; PhpBB 2.0; Prolog-based formal model; UML-based fine-grained security model; Web application reengineering; Web application security maintenance; access control security properties; automated verification; dynamic Web application; model-driven-engineering; open source bulletin board system; role-based access control security model; unauthorized access; Access control; Analytical models; Computational modeling; Testing; Transforms; Unified modeling language;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Web Systems Evolution (WSE), 2012 14th IEEE International Symposium on
Conference_Location :
Trento
ISSN :
2160-6153
Print_ISBN :
978-1-4673-3057-2
Type :
conf
DOI :
10.1109/WSE.2012.6320525
Filename :
6320525