Proceedings of the 38th International Conference on Software Engineering 2016
DOI: 10.1145/2884781.2884836

Finding security bugs in web applications using a catalog of access control patterns

Abstract: We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an eval…
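The checking step the abstract describes, as an added toy model and not the Space implementation from the paper: "exposures" are enumerated by running small handler functions over a constructed set of users and resources, and each exposure must be justified by at least one catalog pattern that the type mapping associates with the object's application type. The catalog patterns (ownership, public object, administrator), the application types Post and Invoice, the handlers and the sample data are all assumed here for illustration; the paper's catalog and analysis are not reproduced.

```python
"""Toy model of pattern-based access-control checking (added example,
not the Space tool). Everything below is constructed for illustration."""
from dataclasses import dataclass


# --- application-side types (assumed) -------------------------------------
@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


@dataclass(frozen=True)
class Resource:
    kind: str            # application type, e.g. "Post" or "Invoice"
    owner: str           # name of the owning user
    public: bool = False


@dataclass(frozen=True)
class Exposure:
    """One (subject, action, object) triple the application code lets through."""
    subject: User
    action: str          # "read" or "write"
    obj: Resource
    guard: str           # name of the handler that allowed it, for reporting


# --- catalog patterns (assumed shapes): each says which exposures it permits
def ownership(e: Exposure) -> bool:
    return e.obj.owner == e.subject.name


def public_object(e: Exposure) -> bool:
    return e.action == "read" and e.obj.public


def administrator(e: Exposure) -> bool:
    return e.subject.is_admin


CATALOG = {
    "Ownership": ownership,
    "PublicObject": public_object,
    "Administrator": administrator,
}

# The only user-supplied input in the abstract's scheme: application type -> catalog types.
TYPE_MAPPING = {
    "Post": ["Ownership", "PublicObject"],
    "Invoice": ["Ownership", "Administrator"],
}


# --- "application code": handlers deciding whether a request is served ------
def posts_show(user: User, post: Resource) -> bool:
    return post.public or post.owner == user.name


def posts_update(user: User, post: Resource) -> bool:
    return post.owner == user.name


def invoices_show(user: User, inv: Resource) -> bool:
    return True          # missing check: any logged-in user can read any invoice


def invoices_update(user: User, inv: Resource) -> bool:
    return inv.owner == user.name or user.is_admin


HANDLERS = {
    ("Post", "read"): posts_show,
    ("Post", "write"): posts_update,
    ("Invoice", "read"): invoices_show,
    ("Invoice", "write"): invoices_update,
}


def enumerate_exposures(users, resources):
    """Run every handler over every (user, resource) pair of the right type."""
    out = []
    for (kind, action), handler in HANDLERS.items():
        for u in users:
            for r in resources:
                if r.kind == kind and handler(u, r):
                    out.append(Exposure(u, action, r, handler.__name__))
    return out


def check(exposures, type_mapping):
    """An exposure is a violation if no mapped pattern permits it."""
    violations = []
    for e in exposures:
        patterns = type_mapping.get(e.obj.kind, [])
        if not any(CATALOG[p](e) for p in patterns):
            violations.append(e)
    return violations


def find_missing_checks():
    """Constructed sample state; returns the exposures no pattern justifies."""
    users = [User("alice"), User("bob"), User("root", is_admin=True)]
    resources = [
        Resource("Post", owner="alice", public=True),
        Resource("Post", owner="bob"),
        Resource("Invoice", owner="alice"),
    ]
    return check(enumerate_exposures(users, resources), TYPE_MAPPING)


if __name__ == "__main__":
    for v in find_missing_checks():
        print(f"{v.guard}: {v.subject.name} may {v.action} {v.obj.kind} owned by {v.obj.owner}")
```

The single report produced is the read of alice's invoice by bob through `invoices_show`: alice's own read is covered by Ownership and root's by Administrator, so only the exposure with no justifying pattern surfaces, which is the sense in which the abstract's check is specification-free.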

Cited by 17 publications (5 citation statements). References 29 publications.

Citation statements
“…As we confirmed "vulnerability" and "unauthorized access" achieved relatively high attention from the developers, security bugs are also considered high impact by researchers and have been well studied [6][12][16][17][19][29][35]. "Lower performance" in the "Effect" category is also well studied [20][21][22][35] as performance bugs.…”
Section: Developer Demography (Q1), supporting
confidence: 58%
“…Lie et al. [24] inspected the presence of a state where a processor loses its tamper resistance and discovered the condition for falling into that state. Near and Jackson [25] discovered access patterns that satisfy the security of the web application, including some specific elements. These works are different from our work because we abstract specifications of the web as a platform and not individual techniques.…”
Section: Formal Methods in Alloy, mentioning
confidence: 99%
“…He and Fu [22] used high-level Petri nets to ensure the correct implementation of these six security patterns. Near and Jackson [23] showed that previously unknown security bugs could be easily identified using their proposed formal approach SPACE (Security Pattern Checker), which finds implementation bugs in access control security patterns. In an approach to improve security pattern definition, Beherens [24] provided abstractions and their implementations using formalised notation.…”
Section: Related Work, mentioning
confidence: 99%