skip to main content
10.1145/3387939.3391609acmconferencesArticle/Chapter ViewAbstractPublication PagesicseConference Proceedingsconference-collections
research-article

Self-protection against business logic vulnerabilities

Published: 18 September 2020 Publication History

Abstract

Attacks against business logic rules occur when the attacker exploits the domain rules in a malicious way. Such attacks have not received sufficient attention in research so far. In this paper, we propose a novel self-protecting approach that defends a system against the exploitation of business logic vulnerabilities. The approach empowers a system with a self-protecting layer to protect it against attacks aimed at misusing business logic rules. The approach maintains up-to-date domain knowledge which is analyzed using runtime verification to detect logical attacks. When attacks are discovered they are dynamically mitigated by applying proper system reconfigurations at runtime. We evaluate the approach using a case from the domain of hotel booking systems.

References

[1]
Falcone Yliès (Eds.) Bartocci, Ezio. Lectures on Runtime Verification: Introductory and Advanced Topics. Springer, 2018.
[2]
David A. Basin, Felix Klaedtke, and Samuel Müller. Monitoring security policies with metric first-order temporal logic. In Proceedings of 15th ACM Symposium on Access Control Models and Technologies, Pittsburgh, Pennsylvania, USA, pages 23--34, 2010.
[3]
Andreas Bauer, Jan-Christoph Küster, and Gil Vegliach. Runtime verification meets android security. In Proceedings of 4th International Symposium on NASA Formal Methods, Norfolk, VA, USA, pages 174--180, 2012.
[4]
B. Cheng, R. de Lemos, H. Giese, P. Inverardi, J. Magee, J. Andersson, B. Becker, N. Bencomo, Y. Brun, B. Cukic, G. Di Marzo Serugendo, S. Dustdar, A. Finkelstein, C. Gacek, K. Geihs, V. Grassi, G. Karsai, H. Kienle, J. Kramer, M. Litoiu, S. Malek, R. Mirandola, H. Müller, S. Park, M. Shaw, M. Tichy, M. Tivoli, D. Weyns, and J. Whittle. Software engineering for self-adaptive systems: A research roadmap. In B. Cheng, R. de Lemos, H. Giese, P. Inverardi, and J. Magee, editors, Software Engineering for Self-Adaptive Systems, pages 1--26. Springer Berlin Heidelberg, Berlin, Heidelberg, 2009.
[5]
Christian Colombo, Gordon J Pace, and Gerardo Schneider. Larva---safer monitoring of real-time java programs (tool paper). In 2009 Seventh IEEE International Conference on Software Engineering and Formal Methods, pages 33--37. IEEE, 2009.
[6]
G. Deepa and P. Santhi Thilagam. Securing web applications from injection and logic vulnerabilities: Approaches and challenges. Information & Software Technology, 74:160--180, 2016.
[7]
G. Deepa, P. Santhi Thilagam, Amit Praseed, and Alwyn R. Pais. Detlogic: A black-box approach for detecting logic vulnerabilities in web applications. J. Network and Computer Applications, 109:89--109, 2018.
[8]
William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst., 32(2):5:1--5:29, June 2014.
[9]
Viktoria Felmetsger, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. Toward automated detection of logic vulnerabilities in web applications. In 19th USENIX Security Symposium, Washington, DC, USA, August 11--13, 2010, Proceedings, pages 143--160, 2010.
[10]
D. Garlan, S. Cheng, A. Huang, B. Schmerl, and P. Steenkiste. Rainbow: Architecture-based self-adaptation with reusable infrastructure. Computer, 37(10):46--54, October 2004.
[11]
Didac Gil De La Iglesia and Danny Weyns. Mape-k formal templates to rigorously design behaviors for self-adaptive systems. ACM Trans. Auton. Adapt. Syst., 10(3), September 2015.
[12]
Jeffrey O Kephart and David M Chess. The vision of autonomic computing. Computer, (1):41--50, 2003.
[13]
Narges Khakpour, Charilaos Skandylas, Goran Saman Nariman, and Danny Weyns. Towards secure architecture-based adaptations. In Proceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems, SEAMS@ICSE 2019, Montreal, QC, Canada, May 25--31, 2019, pages 114--125, 2019.
[14]
Calvin Ko, Manfred Ruschitzka, and Karl N. Levitt. Execution monitoring of security-critical programs in distributed systems: A specification-based approach. In 1997 IEEE Symposium on Security and Privacy, May 4--7, 1997, Oakland, CA, USA, pages 175--187, 1997.
[15]
Martin Leucker and Christian Schallhart. A brief account of runtime verification. The Journal of Logic and Algebraic Programming, 78(5):293 -- 303, 2009.
[16]
Xiaowei Li and Yuan Xue. Logicscope: automatic discovery of logic vulnerabilities within web applications. In 8th ACM Symposium on Information, Computer and Communications Security, ASIA CCS '13, Hangzhou, China - May 08 - 10, 2013, pages 481--486, 2013.
[17]
Prasad Naldurg, Koushik Sen, and Prasanna Thati. A temporal logic based framework for intrusion detection. In Formal Techniques for Networked and Distributed Systems - FORTE 2004, 24th IFIP WG 6.1 International Conference, Madrid Spain, September 27--30, 2004, Proceedings, pages 359--376, 2004.
[18]
Julien Olivain and Jean Goubault-Larrecq. The orchids intrusion detection tool. In Computer Aided Verification, 17th International Conference, CAV 2005, Edinburgh, Scotland, UK, July 6--10, 2005, Proceedings, pages 286--290, 2005.
[19]
Mohammad Feroz Raihan and Mohammad Zulkernine. Detecting intrusions specified in a software specification language. In 29th Annual International Computer Software and Applications Conference, COMPSAC 2005, Edinburgh, Scotland, UK, July 25--28, 2005. Volume 1, pages 143--148, 2005.
[20]
M. Salehie and L. Tahvildari. Self-adaptive software: Landscape and research challenges. ACM Transactions on Autonomous and Adaptive Systems, 4(2):14:1--14:42, 2009.
[21]
Jose Fragoso Santos, Tamara Rezk, and Ana Almeida Matos. Modular monitor extensions for information flow security in javascript. In Trustworthy Global Computing - 10th International Symposium, TGC 2015, Madrid, Spain, August 31 - September 1, 2015 Revised Selected Papers, pages 47--62, 2015.
[22]
Bradley Schmerl, Javier Camara, Jeffrey Gennari, David Garlan, Paulo Casanova, Gabriel A Moreno, Thomas J Glazier, and Jeffrey M Barnes. Architecture-based self-protection: composing and reasoning about denial-of-service mitigations. In Proceedings of the 2014 Symposium and Bootcamp on the Science of Security, page 2. ACM, 2014.
[23]
Thein Than Tun, Mu Yang, Arosha Bandara, Yijun Yu, Armstrong Nhlabatsi, Niamul Khan, Khaled Khan, and Bashar Nuseibeh. Requirements and specifications for adaptive security: concepts and analysis. In Proceedings of the 13th International Conference on Software Engineering for Adaptive and Self-Managing Systems, SEAMS@ICSE 2018, Gothenburg, Sweden, May 28--29, 2018, pages 161--171, 2018.
[24]
Prem Uppuluri and R. Sekar. Experiences with specification-based intrusion detection. In Recent Advances in Intrusion Detection, 4th International Symposium, RAID 2001 Davis, CA, USA, October 10--12, 2001, Proceedings, pages 172--189, 2001.
[25]
D. Weyns. Software engineering of self-adaptive systems. In Handbook of Software Engineering, pages 399--443. Springer, 2019.
[26]
D. Weyns, S. Malek, and J. Andersson. Forms: Unifying reference model for formal specification of distributed self-adaptive systems. ACM Transactions on Autonomous and Adaptive Systems, 7(1):8:1--8:61, 2012.
[27]
E. Yuan, N. Esfahani, and S. Malek. A systematic survey of self-protecting software systems. TAAS, 8(4):17:1--17:41, 2014.

Cited By

View all
  • (2024)Towards Understanding Trust in Self-adaptive SystemsProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644100(207-213)Online publication date: 15-Apr-2024
  • (2024)Patterns of Applied Control for Public Health Measures on Transportation Services under EpidemicProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644091(150-160)Online publication date: 15-Apr-2024
  • (2024)Navigating the Threat Landscape of IoT: An Analysis of AttacksInnovative Computing and Communications10.1007/978-981-97-4149-6_3(25-48)Online publication date: 27-Sep-2024

Index Terms

  1. Self-protection against business logic vulnerabilities

    Recommendations

    Comments

    Information & Contributors

    Information

    Published In

    cover image ACM Conferences
    SEAMS '20: Proceedings of the IEEE/ACM 15th International Symposium on Software Engineering for Adaptive and Self-Managing Systems
    June 2020
    211 pages
    ISBN:9781450379625
    DOI:10.1145/3387939
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    In-Cooperation

    • IEEE CS

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 18 September 2020

    Permissions

    Request permissions for this article.

    Check for updates

    Author Tags

    1. business logic vulnerabilities
    2. domain attacks
    3. logical attacks
    4. runtime verification
    5. self-adaptation
    6. self-protection

    Qualifiers

    • Research-article

    Funding Sources

    • Swedish Knowledge Foundation

    Conference

    SEAMS '20
    Sponsor:

    Acceptance Rates

    Overall Acceptance Rate 17 of 31 submissions, 55%

    Upcoming Conference

    ICSE 2025

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)41
    • Downloads (Last 6 weeks)3
    Reflects downloads up to 17 Feb 2025

    Other Metrics

    Citations

    Cited By

    View all
    • (2024)Towards Understanding Trust in Self-adaptive SystemsProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644100(207-213)Online publication date: 15-Apr-2024
    • (2024)Patterns of Applied Control for Public Health Measures on Transportation Services under EpidemicProceedings of the 19th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1145/3643915.3644091(150-160)Online publication date: 15-Apr-2024
    • (2024)Navigating the Threat Landscape of IoT: An Analysis of AttacksInnovative Computing and Communications10.1007/978-981-97-4149-6_3(25-48)Online publication date: 27-Sep-2024
    • (2023)Brigadier: A Datalog-based IAST framework for Node.js Applications2023 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER)10.1109/SANER56733.2023.00054(509-521)Online publication date: Mar-2023

    View Options

    Login options

    View options

    PDF

    View or Download as a PDF file.

    PDF

    eReader

    View online with eReader.

    eReader

    Figures

    Tables

    Media

    Share

    Share

    Share this Publication link

    Share on social media