Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns

Near, Joseph Paul; Jackson, Daniel

Author(s)

Near, Joseph Paul; Jackson, Daniel

Downloadjnear-icse16.pdf (1.197Mb)

OPEN_ACCESS_POLICY

Terms of use

Creative Commons Attribution-Noncommercial-Share Alike http://creativecommons.org/licenses/by-nc-sa/4.0/

Metadata

Show full item record

Abstract

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, Space, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, Space reported 33 possible bug--|23 previously unknown security bugs, and 10 false positives.

Date issued

2016-05

URI

http://hdl.handle.net/1721.1/102281

Department

Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science

Journal

Proceedings of the 38th International Conference on Software Engineering

Publisher

Association for Computing Machinery (ACM)

Citation

Near, Joseph P., and Daniel Jackson. "Finding Security Bugs in Web Applications using a Catalog of Access Control Patterns." 38th International Conference on Software Engineering (May 2016).

Version: Author's final manuscript

ISBN

978-1-4503-3900-1

Collections

MIT Open Access Articles

DSpace@MIT