DOI: 10.1145/3029806.3029813
short-paper

Aegis: Automatic Enforcement of Security Policies in Workflow-driven Web Applications

Published: 22 March 2017

Abstract

Organizations often expose business processes and services as web applications. Improper enforcement of security policies in these applications leads to business logic vulnerabilities that are hard to find and may have dramatic security implications. Aegis is a tool to automatically synthesize run-time monitors to enforce control-flow and data-flow integrity, as well as authorization policies and constraints in web applications. The enforcement of these properties can mitigate attacks, e.g., authorization bypass and workflow violations, while allowing regulatory compliance in the form of, e.g., Separation of Duty. Aegis is capable of guaranteeing business continuity while enforcing the security policies. We evaluate Aegis on a set of real-world applications, assessing the enforcement of policies, mitigation of vulnerabilities, and performance overhead.



        Published In

        CODASPY '17: Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy
        March 2017
        382 pages
        ISBN:9781450345231
        DOI:10.1145/3029806

        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Author Tags

        1. policy enforcement
        2. web application
        3. workflow satisfiability

        Qualifiers

        • Short-paper

        Conference

        CODASPY '17

        Acceptance Rates

        CODASPY '17 Paper Acceptance Rate 21 of 134 submissions, 16%;
        Overall Acceptance Rate 149 of 789 submissions, 19%
