Automated verification of role-based access control security models recovered from dynamic web applications

Author

Alalfi, Manar H. ; Cordy, James R. ; Dean, Thomas R.

Author_Institution

Sch. of Comput., Queen´´s Univ., Kingston, ON, Canada

fYear

2012

fDate

28-28 Sept. 2012

Firstpage

1

Lastpage

10

Abstract

This paper presents an original Model-Driven-Engineering (MDE) approach to support the verification and testing of security properties in dynamic web applications. Based on a previously recovered UML-based fine-grained security model, the approach begins by transforming the model into a Prolog-based formal model. The Prolog model is then checked to verify whether the application conforms to specified access control security properties. We demonstrate the use of our method on the popular open source bulletin board system PhpBB 2.0, in the context of three test scenarios: testing for unauthorized access, web application security maintenance, and web application re-engineering.

Keywords

Internet; PROLOG; authorisation; formal verification; public domain software; MDE; PhpBB 2.0; Prolog-based formal model; UML-based fine-grained security model; Web application reengineering; Web application security maintenance; access control security properties; automated verification; dynamic Web application; model-driven-engineering; open source bulletin board system; role-based access control security model; unauthorized access; Access control; Analytical models; Computational modeling; Testing; Transforms; Unified modeling language;

fLanguage

English

Publisher

ieee

Conference_Titel

Web Systems Evolution (WSE), 2012 14th IEEE International Symposium on

Conference_Location

Trento

ISSN

2160-6153

Print_ISBN

978-1-4673-3057-2

Type

conf

DOI

10.1109/WSE.2012.6320525

Filename

6320525