Finding Security Bugs in Web Applications Using a Catalog of Access Control Patterns

We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, SPACE, checks that every data exposure allowed by an application's code...

Full description

Saved in:
Bibliographic Details
Main Authors: Near, Joseph P., Jackson, Daniel
Format: Conference Proceeding
Language:English
Subjects:
Access control
Aerospace electronics
bug finding
Computer bugs
Open source software
Rails
web application security
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:We propose a specification-free technique for finding missing security checks in web applications using a catalog of access control patterns in which each pattern models a common access control use case. Our implementation, SPACE, checks that every data exposure allowed by an application's code matches an allowed exposure from a security pattern in our catalog. The only user-provided input is a mapping from application types to the types of the catalog; the rest of the process is entirely automatic. In an evaluation on the 50 most watched Ruby on Rails applications on Github, SPACE reported 33 possible bugs---23 previously unknown security bugs, and 10 false positives.
ISSN:1558-1225
DOI:10.1145/2884781.2884836