When role models have flaws: Static validation of enterprise security policies

Proceedings - International Conference on Software Engineering

Volumn , Issue , 2007, Pages 478-487

  Pistoia, Marco ^a   Fink, Stephen J ^a   Flynn, Robert J ^b   Yahav, Eran ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b POLYTECHNIC UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; COMPUTER AIDED SOFTWARE ENGINEERING; MATHEMATICAL MODELS; USER INTERFACES;

ENTERPRISE SECURITY POLICY EVALUATOR (ESPE) TOOLS; STATIC VALIDATION;

SOFTWARE RELIABILITY;

EID: 34548808043     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICSE.2007.98     Document Type: Conference Paper

References (29)

1. A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading, MA, USA, Jan. 1986.
2. D. F. Bacon and P. F. Sweeney. Fast Static Analysis of C++ Virtual Function Calls. In Proceedings of the 11th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 324-341, San Jose, CA, USA, 1996. ACM Press. Also published in ACM SIGPLAN Notices 31(10).
3. P. Centonze, G. Naumovich, S.J. Fink, and M. Pistoia. Role-Based Access Control Consistency Validation. In Proceedings of the 2006 International Symposium on Software Testing and Analysis (ISSTA 2006), pages 121-132, Portland, ME, USA, 2006. ACM Press.
4. D. Clarke, M. Richmond, and J. Noble. Saving the World from Bad Beans: Deployment-Time Confinement Checking. In Proceedings of the 18th annual ACM SIGPLAN Conference on Object-Oriented Programing, Systems, Languages, and Applications, pages 374-387, Anaheim, CA, USA, 2003. ACM Press.
5. E. Damiani, S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati. A Fine-grained Access Control System for XML Documents. ACM Transactions on Information Systems Security, 5(2):169-202, 2002.
6. J. Dean, D. Grove, and C. Chambers. Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis. In Proceedings of the 9th European Conference on Object-Oriented Programming, pages 77-101, Aarhus, Denmark, August 1995. Springer-Verlag.
7. H. M. Deitel, P. J. Deitel, and S. E. Santry. Advanced Java 2 Platform: How to Program. Prentice Hall, Upper Saddle River, NJ, USA, September 2001.
8. D. F. Ferraiolo and D. R. Kuhn. Role-Based Access Controls. In Proceedings of the 15th NIST-NCSC National Computer Security Conference, pages 554-563, Baltimore, MD, USA, October 1992.
9. A. Freeman and A. Jones. Programming .NET Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, June 2003.
10. D. Grove and C. Chambers. A Framework for Call Graph Construction Algorithms. ACM Trans. Program. Lang. Syst., 23(6):685-746, November 2001.
11. IBM Corporation, Trade3 Benchmark, http://www.ibm.com/software/.
12. D. Jackson. Alloy: A Lightweight Object Modelling Notation. ACM Trans. Softw. Eng. Methodol, 11(2):256-290, 2002.
13. D. Jackson, I. Schechter, and H. Shlyahter. Alcoa: The Alloy Constraint Analyzer. In Proceedings of the 22nd International Conference on Software Engineering, pages 730-733, Limerick, Ireland, 2000. ACM Press.
14. M. Kudo and S. Hada. XML Document Security Based on Provisional Authorization. In Proceedings of the 7th ACM Conference on Computer and Communications Security, pages 87-96, Athens, Greece, Nov. 2000. ACM Press.
15. M. Murata, A. Tozawa, M. Kudo, and S. Hada. XML Access Control Using Static Analysis. In Proceedings of the 10th ACM Conference on Computer and Communications Security, pages 73-84, Washington, DC, USA, Oct. 2003. ACM Press.
16. J. Picon, P. Genchi, M. Sahu, M. Weiss, and A. Dessureault. Enterprise JavaBeans Development Using VisualAge for Java. IBM Redbooks. IBM Corporation, International Technical Support Organization, San Jose, CA, USA, June 1999.
17. M. Pistoia, S. J. Fink, R. J. Flynn, and E. Yahav. When Role Models Have Flaws: Static Validation of Enterprise Security Policies. Technical Report RC24056 (W0609-065), IBM Corporation, Thomas J. Watson Research Center, Yorktown Heights, NY, USA, Sept. 2006.
18. M. Pistoia, R. J. Flynn, L. Koved, and V. C. Sreedhar. Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection. In Proceedings of the 9th European Conference on Object-Oriented Programming, Glasgow, Scotland, UK, July 2005. Springer-Verlag.
19. M. Pistoia, N. Nagaratnam, L. Koved, and A. Nadalin. Enterprise Java Security. Addison-Wesley, Reading, MA, USA, February 2004.
20. F. Ricca and P. Tonella. Analysis and Testing of Web Applications. In Proceedings of the 23rd International Conference on Sofiware Engineering, pages 25-34, Toronto, ON, Canada, 2001. IEEE Computer Society.
21. J. H. Saltzer and M. D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, volume 63, pages 1278-1308, Sept. 1975.
22. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2):38-47, Feb. 1996.
23. A. Schaad and J. D. Moffett. A Lightweight Approach to Specification and Analysis of Role-Based Access Control Extensions. In Proceedings of the 7th ACM Symposium on Access Control Models and Technologies, pages 13-22, Monterey, CA, USA, 2002. ACM Press.
24. Standard Performance Evaluation Corporation Java Business Benchmark 2000 (SPECjbb2000), http://www.spec.org.
25. Sun Microsystems, Enterprise JavaBeans™ Specification, http://java.sun.com/products/ejb/.
26. Sun Microsystems, J2EE 1.4 Tutorial, http://java.sun.com/j2ee/1.4/ download.html#tutorial/.
27. Sun Microsystems, Java PetStore, http://java.sun.com/developer/releases/ petstore/.
28. Sun Microsystems, Java™ Platform, Enterprise Edition Specification, http://java.sun.com/j2ee.
29. T. J. Watson Libraries for Analysis (WALA), http://wala.sourceforge.net.