A verification framework for access control in dynamic web applications

ACM International Conference Proceeding Series

Volumn , Issue , 2009, Pages 109-113

  Alalfi, Manar H ^a   Cordy, James R ^a   Dean, Thomas R ^a  

^a QUEEN S UNIVERSITY   (Canada)

Author keywords

[No Author keywords available]

Indexed keywords

DYNAMIC WEB APPLICATIONS; FORMAL ANALYSIS; REVERSE ENGINEERING PROCESS; ROLE-BASED ACCESS CONTROL; SECURITY ANALYSIS; SECURITY ENGINEERS; VERIFICATION FRAMEWORK;

REENGINEERING; REVERSE ENGINEERING; SECURITY SYSTEMS; SOFTWARE ENGINEERING; WORLD WIDE WEB;

ACCESS CONTROL;

EID: 71049144084     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1557626.1557643     Document Type: Conference Paper

References (26)

1. The Top Ten Most Critical Web Application Security Vulnerabilities, http://www.owasp.org/documentation/topten, last access June 27, 2007.
2. MySQL AB, MySQL Market Share http://www.mysql.com/why-mysql/marketshare/, last access Nov 26, 2008.
3. Gail-Joon Ahn and Hongxin Hu. Towards realizing a formal RBAC model in real systems. In SACMAT 2007, 12th ACM Symposium on Access Control Models and Technologies, Sophia Antipolis, France, June 20-22, 2007, pages 215-224.
4. Gail-Joon Ahn and Ravi S. Sandhu. Role-based authorization constraints specification. ACM Trans. Inf. Syst. Secur., 3(4):207-226, 2000.
5. Manar H. Alalfi, James R. Cordy, and Thomas R. Dean. "Automated Reverse Engineering of UML Sequence Diagrams for Dynamic Web Applications". In WebTest 2009, 1st International Workshop on Web Testing, Denver,Denver, Colorado - USA April 4, 2009(in press).
6. Manar H. Alalfi, James R. Cordy, and Thomas R. Dean. SQL2XMI: Reverse Engineering of UML-ER Diagrams from Relational Database Schemas. In WCRE 2008, the 15th Working Conference on Reverse Engineering, Antwerp, Belgium, October 15-18, pages 187-191.
7. Manar H. Alalfi, James R. Cordy, and Thomas R. Dean. A Survey of Analysis Models and Methods in Website Verification and Testing. In ICWE 2007, 7th International Conference on Web Engineering, Como, Italy, pages 306-311, 2007.
8. Manar H. Alalfi, James R. Cordy, and Thomas R. Dean. Modeling methods for web application verification and testing: State of the art. Softw. Test., Verif. Reliab., 2008 (in press).
9. Khaled Alghathbar and Duminda Wijesekera. authUML: a three-phased framework to analyze access control specifications in use cases. In FMSE 2003, ACM workshop on Formal methods in security engineering, FMSE 2003, Washington, DC, USA, October 30, pages 77-86.
10. Carlo Bellettini, Alessandro Marchetto, and Andrea Trentini. WebUml: reverse engineering of web applications. In SAC 2004, ACM Symposium on Applied Computing, Nicosia, Cyprus, March 14-17, 2004, pages 1662-1669.
11. Behzad Bordbar and Kyriakos Anastasakis. MDA and Analysis of Web Applications. In TEAA(2005), Trends in Enterprise Application Architecture, VLDB Workshop, Trondheim, Norway,, volume 3888 of LNCS, pages 44-55. Springer.
12. Daniela Castelluccia, Marina Mongiello, Michele Ruta, and Rodolfo Totaro. WAVer: A Model Checking-based Tool to Verify Web Application Design. Electr. Notes Theor. Comput. Sci., 157(1):61-76, 2006.
13. James R. Cordy. The TXL source transformation language. Sci. Comput. Program., 61(3):190-210, 2006.
14. D.Basin, J.Doser, and T. Lodderstedt. Model driven security: from UML models to access control infrastructures. ACM Trans. Softw. Eng. Methodol., 15(1):39-91, 01 2006.
15. Canoo Engineering. Canoo WebTest, http://webtest.canoo.com.
16. Yao-Wen Huang, Chung-Hung Tsai, Tsung-Po Lin, Shih-Kun Huang, D. T. Lee, and S. Y Kuo. A testing framework for Web application security assessment. Computer Networks, 48(5):739-761, 08 2005.
17. Yao-Wen Huang, Fang Yu, Christian Hang, Chung-Hung Tsai, Der-Tsai Lee, and Sy-Yen Kuo. Securing web application code by static analysis and runtime protection. In the 13th international conference on World Wide Web, WWW 2004, New York, NY, USA, May 17-20, pages 40-52, 2004.
18. Sanctum Inc. Web Application Security Testing, AppScan 3.5., http://www.sanctuminc.com, last access September 5, 2007.
19. Daniel Jackson. Software Abstractions: Logic, Language, and Analysis. MIT Press. Cambridge, MA., March 2006.
20. B. Michael, F. Juliana, and G. Patrice. Veriweb: automatically testing dynamic web sites. In WWW 2002, the International World Wide Web Conferences, Honulolu.
21. Netcraft Ltd. November 2008 web server survey, http://news.netcraft.com/ archives/2008/11/19/november-2008-web-server-survey.html, last access Nov 26, 2008.
22. PHP Group. PHP usage Stats for April 2007, http://www.php.net/usage.php, last access June 27, 2007.
23. phpBB Group. PhpBB, http://www.phpbb.com/, last access June 27, 2007.
24. R. S.Sandhu, E. J.Coyne, H. L.Feinstein, and C. E.Youman. Role-based access control models. Computer, 29(2):38, February 1996.
25. WatirCraft. WATIR, http://wtr.rubyforge.org.
26. Adrian Wiesmann, Andrew van der Stock, and Mark. A Guide to Building Secure Web Applications and Web Services. Open Web Application Security Project, OWASP, 2005.