Title :
Semantic smells and errors in access control models: A case study in PHP
Author :
Gauthier, Francois ; Merlo, Ettore
Author_Institution :
Polytech. Montreal, Montréal, QC, Canada
Abstract :
Access control models implement mechanisms to restrict access to sensitive data from unprivileged users. Access controls typically check privileges that capture the semantics of the operations they protect. Semantic smells and errors in access control models stem from privileges that are partially or totally unrelated to the action they protect. This paper presents a novel approach, partly based on static analysis and information retrieval techniques, for the automatic detection of semantic smells and errors in access control models. Investigation of the case study application revealed 31 smells and 2 errors. Errors were reported to developers who quickly confirmed their relevance and took actions to correct them. Based on the obtained results, we also propose three categories of semantic smells and errors to lay the foundations for further research on access control smells in other systems and domains.
Keywords :
authorisation; information retrieval; program diagnostics; PHP; access control models; access control smells; information retrieval techniques; privilege checking; semantic smells; sensitive data; static analysis; unprivileged users; Access control; Analytical models; Context; Information retrieval; Logistics; Semantics; access control models; code smells; information retrieval; security; static analysis;
Conference_Titel :
Software Engineering (ICSE), 2013 35th International Conference on
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4673-3073-2
DOI :
10.1109/ICSE.2013.6606670
