Result: Model-based analysis of Java EE web security misconfigurations

Title:
Model-based analysis of Java EE web security misconfigurations
Authors:
Martínez, Salvador, Cosentino, Valerio, Cabot, Jordi
Contributors:
Modeling Technologies for Software Production, Operation, and Evolution (LS2N - équipe AtlanModels), Centre Inria de l'Université de Rennes, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Laboratoire des Sciences du Numérique de Nantes (LS2N), Université de Nantes - UFR des Sciences et des Techniques (UN UFR ST), Université de Nantes (UN)-Université de Nantes (UN)-École Centrale de Nantes (ECN)-Centre National de la Recherche Scientifique (CNRS)-IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT)-Université de Nantes - UFR des Sciences et des Techniques (UN UFR ST), Institut Mines-Télécom [Paris] (IMT)-Institut Mines-Télécom [Paris] (IMT), Département Ingénierie Logiciels et Systèmes (DILS (CEA, LIST)), Laboratoire d'Intégration des Systèmes et des Technologies (LIST (CEA)), Direction de Recherche Technologique (CEA) (DRT (CEA)), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Direction de Recherche Technologique (CEA) (DRT (CEA)), Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Commissariat à l'énergie atomique et aux énergies alternatives (CEA)-Université Paris-Saclay, Universitat Oberta de Catalunya [Barcelona] (UOC), Institució Catalana de Recerca i Estudis Avançats = Catalan Institution for Research and Advanced Studies (ICREA)
Source:
Computer Languages. :36-61
Publisher Information:
CCSD; Elsevier, 2017.
Publication Year:
2017
Collection:
collection:CEA
collection:UNIV-NANTES
collection:CNRS
collection:INRIA
collection:EC-NANTES
collection:INRIA-RENNES
collection:INRIA_TEST
collection:UNAM
collection:TESTALAIN1
collection:DRT
collection:INRIA2
collection:CEA-UPSAY
collection:LS2N
collection:LS2N-ATLANMODELS
collection:UNIV-PARIS-SACLAY
collection:CEA-UPSAY-SACLAY
collection:INRIA2017
collection:LIST
collection:INRIA-RENGRE
collection:INSTITUTS-TELECOM
collection:TEST-HALCNRS
collection:GS-ENGINEERING
collection:GS-COMPUTER-SCIENCE
collection:GS-SPORT-HUMAN-MOVEMENT
collection:INRIA_WEB
collection:NANTES-UNIVERSITE
collection:UNIV-NANTES-AV2022
collection:NU-CENTRALE
collection:INRIAARTDOI
Subject Terms:
Model-Driven Engineering, Security, Reverse-engineering, [INFO]Computer Science [cs]
Original Identifier:
HAL:
Document Type:
Journal article<br />Journal articles
Language:
English
ISSN:
1477-8424
Relation:
info:eu-repo/semantics/altIdentifier/doi/10.1016/j.cl.2017.02.001
DOI:
10.1016/j.cl.2017.02.001
Access URL:
https://cea.hal.science/cea-01803832
https://cea.hal.science/cea-01803832v1/document
https://cea.hal.science/cea-01803832v1/file/Martinez2017.pdf
Rights:
info:eu-repo/semantics/OpenAccess
Accession Number:
edshal.cea.01803832v1
Database:
HAL

Further Information

14th ACM SIGPLAN International Conference on Generative-Programming - Concepts and Experiences (GPCE) co-located with SPLASH Conference, Pittsburgh, PA, OCT 26-27, 2015
The Java EE framework, a popular technology of choice for the development of web applications, provides developers with the means to define access-control policies to protect application resources from unauthorized disclosures and manipulations. Unfortunately, the definition and manipulation of such security policies remains a complex and error prone task, requiring expert-level knowledge on the syntax and semantics of the Java EE access-control mechanisms. Thus, misconfigurations that may lead to unintentional security and/or availability problems can be easily introduced. In response to this problem, we Present a (model-based) reverse engineering approach that automatically evaluates a set of security properties on reverse engineered Java EE security configurations, helping to detect the presence of anomalies. We evaluate the efficacy and pertinence of our approach by applying our prototype tool on a sample of real Java EE applications extracted from GitHub.