Current technologies such as anti-virus software programs and network firewalls provide
reasonably secure protection at the host and network levels, but not at the application
level. When network and host-level entry points are comparatively secure, public interfaces
of web applications become the focus of malicious software attacks. In this thesis, we focus
on one of most serious web application vulnerabilities, broken access control. Attackers
often try to access unauthorized objects and resources other than URL pages in an indirect
way; for instance, using indirect access to back-end resources such as databases. The
consequences of these attacks can be very destructive, especially when the web application
allows administrators to remotely manage users and contents over the web. In such cases,
the attackers are not only able to view unauthorized content,but also to take over site administration.
To protect against these types of attacks, we have designed and implemented
a security analysis framework for dynamic web applications. A reverse engineering process
is performed on an existing dynamic web application to extract a role-based access-control
security model. A formal analysis is applied on the recovered model to check access-control
security properties. This framework can be used to verify that a dynamic web application
conforms to access control polices specified by a security engineer. Our framework provides
a set of novel techniques for the analysis and modeling of web applications for the purpose
of security verification and validation. It is largely language independent, and based on
adaptable model recovery which can support a wide range of security analysis tasks. / Thesis (Ph.D, Computing) -- Queen's University, 2010-04-30 14:30:53.018
| Identifer | oai:union.ndltd.org:LACETR/oai:collectionscanada.gc.ca:OKQ.1974/5651 |
| Date | 30 April 2010 |
| Creators | Alalfi, Manar |
| Contributors | Queen's University (Kingston, Ont.). Theses (Queen's University (Kingston, Ont.)) |
| Source Sets | Library and Archives Canada ETDs Repository / Centre d'archives des thèses électroniques de Bibliothèque et Archives Canada |
| Language | English, English |
| Detected Language | English |
| Type | Thesis |
| Rights | This publication is made available by the authority of the copyright owner solely for the purpose of private study and research and may not be copied or reproduced except as permitted by the copyright laws without written authority from the copyright owner. |
| Relation | Canadian theses |
Page generated in 0.0024 seconds