Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns

• dc.contributor.author: Near, Joseph Paul
• dc.contributor.author: Jackson, Daniel
• dc.date.issued: 2016-05
• dc.identifier.isbn: 978-1-4503-3900-1
• dc.identifier.uri: http://hdl.handle.net/1721.1/102281
• dc.description.abstract: We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bug--|23 previously unknown security bugs, and 10 false positives.
• dc.description.sponsorship: National Science Foundation (U.S.) (Grant 0707612)
• dc.language.iso: en_US
• dc.publisher: Association for Computing Machinery (ACM)
• dc.relation.isversionof: http://2016.icse.cs.txstate.edu/technical-research
• dc.source: Jackson
• dc.type: Article
• dc.identifier.citation: Near, Joseph P., and Daniel Jackson. "Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns." 38th International Conference on Software Engineering (May 2016).
• dc.contributor.department: Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
• dc.contributor.approver: Jackson, Daniel
• dc.contributor.mitauthor: Jackson, Daniel
• dc.relation.journal: Proceedings of the 38th International Conference on Software Engineering
• dc.eprint.version: Author's final manuscript
• dc.identifier.orcid: https://orcid.org/0000-0003-4864-078X