Organizations often expose business processes and services as web applications. Improper enforcement of security policies in these applications leads to business logic vulnerabilities that are hard to find and may have dramatic security implications. Aegis is a tool to automatically synthesize run-Time monitors to enforce control-ow and data-ow integrity, as well as authorization policies and constraints in web applications. The enforcement of these properties can mitigate attacks, e.g., authorization bypass and workow violations, while allowing regulatory compliance in the form of, e.g., Separation of Duty. Aegis is capable of guaranteeing business continuity while enforcing the security policies. We evaluate Aegis on a set of real-world applications, assessing the enforcement of policies, mitigation of vulnerabilities, and performance overhead.

Aegis: Automatic enforcement of security policies in workflow-driven web applications / Compagna, L.; Dos Santos, D. R.; Ponta, S. E.; Ranise, S.. - (2017), pp. 321-328. ((Intervento presentato al convegno 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017 tenutosi a usa nel 2017 [10.1145/3029806.3029813].

Aegis: Automatic enforcement of security policies in workflow-driven web applications

Ranise S.
2017-01-01

Abstract

Organizations often expose business processes and services as web applications. Improper enforcement of security policies in these applications leads to business logic vulnerabilities that are hard to find and may have dramatic security implications. Aegis is a tool to automatically synthesize run-Time monitors to enforce control-ow and data-ow integrity, as well as authorization policies and constraints in web applications. The enforcement of these properties can mitigate attacks, e.g., authorization bypass and workow violations, while allowing regulatory compliance in the form of, e.g., Separation of Duty. Aegis is capable of guaranteeing business continuity while enforcing the security policies. We evaluate Aegis on a set of real-world applications, assessing the enforcement of policies, mitigation of vulnerabilities, and performance overhead.
CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
1515 BROADWAY, NEW YORK, NY 10036-9998 USA
Association for Computing Machinery, Inc
9781450345231
Compagna, L.; Dos Santos, D. R.; Ponta, S. E.; Ranise, S.
Aegis: Automatic enforcement of security policies in workflow-driven web applications / Compagna, L.; Dos Santos, D. R.; Ponta, S. E.; Ranise, S.. - (2017), pp. 321-328. ((Intervento presentato al convegno 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017 tenutosi a usa nel 2017 [10.1145/3029806.3029813].
File in questo prodotto:
Non ci sono file associati a questo prodotto.

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/333220
 Attenzione

Attenzione! I dati visualizzati non sono stati sottoposti a validazione da parte dell'ateneo

Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 8
  • ???jsp.display-item.citation.isi??? 3
social impact