Role-based access control consistency validation

Proceedings of the 2006 International Symposium on Software Testing and Analysis, ISSTA 2006

Volumn 2006, Issue , 2006, Pages 121-131

  Centonze, Paolina ^a   Naumovich, Gleb ^b   Fink, Stephen J ^a   Pistoia, Marco ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b POLYTECHNIC UNIVERSITY   (United States)

Author keywords

J2EE; Java; Java EE; RBAC; Role based access control; Security; Static analysis

Indexed keywords

LOCATION CONSISTENCY; LOCATION-CONSISTENCY PROPERTY; ROLE BASED ACCESS CONTROL (RBAC); STATIC ANALYSIS FOR VALIDATION OF ENTERPRISE SECURITY (SAVES);

DATA FLOW ANALYSIS; DATA PRIVACY; DATA REDUCTION; IDENTIFICATION (CONTROL SYSTEMS); JAVA PROGRAMMING LANGUAGE; STATIC ANALYSIS;

ACCESS CONTROL;

EID: 34247363687     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1146238.1146253     Document Type: Conference Paper

References (42)

1. Lars Ole Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, Copenhagen, Denmark, May 1994.
2. Achim D. Brucker and Burkhart Wolff. Testing Distributed Component Based Systems Using UML/OCL. In K. Bauknecht, W. Brauer, and Th. Muck, editors, Proceedings of Informatik 2001, volume 1 of Tagungsband der GI/ÖCG Jahrestagung, pages 608-614, Vienna, Austria, November 2001. Österreichische Computer Gesellschaft.
3. Dave Clarke, Michael Richmond, and James Noble. Saving the World from Bad Beans: Deployment-Time Confinement Checking. In Proceedings of the 18th annual ACM SIGPLAN Conference on Object-Oriented Programing. Systems, Languages, and Applications, pages 374-387, Anaheim, CA, USA, 2003. ACM Press.
4. CORBA/IIOP Specification, http://www.omg.org.
5. Ron Cytron, Jeanne Ferrante, Barry K. Rosen, Mark N. Wegman, and F. Kenneth Zadeck. Efficiently Computing Static Single Assignment Form and the Control Dependence Graph. Transactions on Programming Languages and Systems (TOPLAS), 13(4):451-490, October 1991.
6. Ernesto Damiani, Sabrina De Capitani di Vimercati, Stefano Paraboschi, and Pierangela Samarati. A Fine-grained Access Control System for XML Documents. ACM Transactions on Information Systems Security, 5(2): 169-202, 2002.
7. Harvey M. Deitel, Paul J. Deitel, and Sean E. Santry. Advanced Java 2 Platform: How to Program. Prentice Hall, Upper Saddle River, NJ, USA, September 2001.
8. David F. Ferraiolo and D. Richard Kuhn. Role-Based Access Controls. In Proceedings of the 15th NIST-NCSC National Computer Security Conference, pages 554-563, Baltimore, MD, USA, October 1992.
9. Stephen J. Fink, Julian Dolby, and Logan Colby. Semi-Automatic J2EE Transaction Configuration. Technical Report RC23326, IBM Corporation, Thomas J. Watson Research Center, Yorktown Heights, NY, USA, 2004.
10. Adam Freeman and Allen Jones. Programming .NET Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, June 2003.
11. Guang R. Gao and Vivek Sarkar. Location Consistency-A New Memory Model and Cache Consistency Protocol. IEEE Transactions on Computers, 49(8):798-813, 2000.
12. Li Gong, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, Reading, MA, USA, second edition, May 2003.
13. George Grätzer. General Lattice Theory. Birkhäuser, Boston, MA, USA, second edition, January 2003.
14. David Grove and Craig Chambers. A Framework for Call Graph Construction Algorithms. ACM Trans. Program. Lang. Syst., 23(6):685-746, November 2001.
15. John Hatcliff, Xinghua Deng, Matthew B. Dwyer, Georg Jung, and Venkatesh Prasad Ranganath. Cadena: An Integrated Development, Analysis, and Verification Environment for Component-based Systems. In Proceedings of the 25th International Conference on Software Engineering, pages 160-173, Portland, OR, USA, May 2003.
16. IBM Corporation, Trade3 Benchmark, http://www.ibm.com/software/.
17. Daniel Jackson. Alloy: A Lightweight Object Modelling Notation. ACM Trans. Softw. Eng. Methodol., 11(2):256-290, 2002.
18. Daniel Jackson, Ian Schlechter, and Hya Shlyahter. Alcoa: The Alloy Constraint Analyzer. In Proceedings of the 22nd International Conference on Software Engineering, pages 730-733, Limerick, Ireland, 2000. ACM Press.
19. Gary A. Kildall. A Unified Approach to Global Program Optimization. In Proceedings of the 1st Annual, ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pages 194-206, Boston, MA, USA, 1973. ACM Press.
20. Larry Koved, Marco Pistoia, and Aaron Kershenbaum. Access Rights Analysis for Java. In Proceedings of the 17th ACM SIGPLAN Conference, on Object-Oriented Programming. Systems, Languages, and Applications, pages 359-372, Seattle, WA, USA, November 2002. ACM Press.
21. Michiharu Kudo and Satoshi Hada. XML Document Security Based on Provisional Authorization. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 87-96, Athens, Greece, November 2000. ACM Press.
22. Benjamin Livshits, John Whaley, and Monica S. Lam. Reflection Analysis for Java. In Proceedings of the 3rd Asian Symposium on Programming Languages and Systems, pages 139-160, Tsakuba, Japan, November 2005.
23. Steven S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, June 1997.
24. Makoto Murata, Akihiko Tozawa, Michiharu Kudo, and Satoshi Hada. XML Access Control Using Static Analysis. In Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 73-84, Washington, DC, USA, October 2003. ACM Press.
25. Andrew C. Myers and Barbara Liskov. A Decentralized Model for Information Flow Control. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, pages 129-142, Saint Malo, France, October 1997. ACM Press.
26. Gleb Naumovich and Paolina, Centonze. Static Analysis of Role-Based Access Control in J2EE Applications. SIGSOFT Software Engineering Notes, 29(5): 1-10, September 2004.
27. Object Management Group. Object Constraint Language Specification, Chapter 6 of OMG Unified Modeling Language Specification (draft). http://www.omg.org/uml, February 2001.
28. Joaquin Picon, Patrizia Genchi, Maneesh Sahu, Martin Weiss, and Alain Dessureault. Enterprise JavaBeans Development Using VisualAge for Java. IBM Redbooks. IBM Corporation, International Technical Support Organization, San Jose, CA, USA, June 1999.
29. Marco Pistoia, and Robert J. Flynn. Interprocedural Analysis for Automatic Evaluation of Role-Based Access Control Policies. Technical Report RC23846 (W0511-020), IBM Corporation, Thomas J. Watson Research Center, Yorktown Heights, NY, USA, November 2005.
30. Marco Pistoia, Robert J. Flynn, Larry Koved, and Vugranam C. Sreedhar. Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection. In Proceedings of the 9th European Conference on Object-Oriented Programming, Glasgow, Scotland, UK, July 2005. Springer-Verlag.
31. Marco Pistoia, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security. Addison-Wesley, Reading, MA, USA, February 2004.
32. Marco Pistoia, Duane Reller, Deepak Gupta, Milind Nagnur, and Ashok K. Ramani. Java 2 Network Security. Prentice Hall PTR, Upper Saddle River, NJ, USA, second edition, August 1999.
33. Filippo Ricca, and Paolo Tonella. Analysis and Testing of Web Applications. In Proceedings of the 28rd International Conference on Software Engineering, pages 25-34, Toronto, ON, Canada, 2001. IEEE Computer Society.
34. Robby, Matthew B. Dwyer, and John Hatcliff. Bogor: An Extensible and Highly-modular Software Model Checking Framework. In ESEC/FSE-11: Proceedings of the 9th European Software Engineering Conference held jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 267-276, New York, NY, USA, 2003. ACM Press.
35. Jerome H. Saltzer and Michael D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, volume 63, pages 1278-1308, September 1975.
36. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2):38-47, February 1996.
37. Andreas Schaad and Jonathan D. Moffett. A Lightweight Approach to Specification and Analysis of Role-Based Access Control Extensions. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, pages 13-22, Monterey, CA, USA, 2002. ACM Press.
38. Sun Microsystems, Enterprise JavaBeans™ Specification, http://java.sun.com/products/ejb/.
39. Sun Microsystems, J2EE 1.4 Tutorial, http://java. sun.com/j2ee/1.4/ download.html#tutorial/.
40. Sun Microsystems, Java PetStore, http: //java.sun.com/developer/releases/ petstore/.
41. Sun Microsystems, Java™ Platform, Enterprise Edition Specification, http://java.sun.com/j2ee.
42. Xiaolan Zhang, Larry Koved, Marco Pistoia, Sam Weber, Trent Jaeger, Guillaume Marceau, and Liangzhao Zeng. The Case for Analysis Preserving Language Transformation. In Proceedings of the ACM SIGSOFT 2006 International Symposium on Software Testing and Analysis (ISSTA). ACM Press, July 2006.