Aegis: Automatic enforcement of security policies in workflow-driven web applications / Compagna, L.; Dos Santos, D. R.; Ponta, S. E.; Ranise, S. - (2017), pp. 321-328. (Paper presented at the 7th ACM Conference on Data and Application Security and Privacy, CODASPY 2017, held in the USA in 2017) [10.1145/3029806.3029813].

Aegis: Automatic enforcement of security policies in workflow-driven web applications

Ranise S.
2017-01-01

Abstract

Organizations often expose business processes and services as web applications. Improper enforcement of security policies in these applications leads to business logic vulnerabilities that are hard to find and may have dramatic security implications. Aegis is a tool to automatically synthesize run-time monitors to enforce control-flow and data-flow integrity, as well as authorization policies and constraints in web applications. The enforcement of these properties can mitigate attacks, e.g., authorization bypass and workflow violations, while allowing regulatory compliance in the form of, e.g., Separation of Duty. Aegis is capable of guaranteeing business continuity while enforcing the security policies. We evaluate Aegis on a set of real-world applications, assessing the enforcement of policies, mitigation of vulnerabilities, and performance overhead.
2017
CODASPY 2017 - Proceedings of the 7th ACM Conference on Data and Application Security and Privacy
1515 BROADWAY, NEW YORK, NY 10036-9998 USA
Association for Computing Machinery, Inc
9781450345231
Compagna, L.; Dos Santos, D. R.; Ponta, S. E.; Ranise, S.
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/333220
Warning! The data shown have not been validated by the university.

Citations
  • PMC: ND
  • Scopus: 11
  • ISI: 4