Title :
Security Model Evolution of PHP Web Applications
Author :
Letarte, Dominic ; Gauthier, François ; Merlo, Ettore
Author_Institution :
Dept. of Comput. Eng., Ecole Polytech. de Montreal, Montreal, QC, Canada
Abstract :
Web sites are often a mixture of static pages and programs that integrate relational databases as a back-end. As they evolve to meet ever-changing user needs, new versions of programs, interactions and functionalities may be added, and existing ones may be removed or modified. Web sites require configuration and programming attention to assure the security, confidentiality, and trust of the published information. During the evolution of Web software, from one version to the next, security properties may change, and those changes may introduce new flaws or correct existing ones. Changes to security properties, including access control privileges, can be monitored by observing and analyzing the differences between security models extracted from different versions of an application. This paper defines Property Satisfaction Profiles (PSP) as the satisfaction values of properties computed on the extracted models. This paper also presents an investigation of the evolution of the changes in the PSP computed on security models of different versions of a Web application. Model extraction and PSP computation can be performed in linear time on one version. Comparison between two versions is also linear, and practical performance is fast. This paper reports results from experiments performed on 31 versions of phpBB, a publicly available bulletin board written in PHP. Versions 1.0.0 (9547 LOC) to 2.0.22 (40663 LOC) were considered as a case study. Results show that the proposed approach can be used to observe and monitor the evolution of PSP in successive versions of the same software package. Suggestions for further research are also presented.
Keywords :
Internet; Web sites; authorisation; configuration management; relational databases; software maintenance; PHP Web application; PSP computation; Web site; Web software evolution; access control privilege; confidentiality; model extraction; program version; property satisfaction profile; relational database; satisfaction value; security model evolution; security property; static site; trust; Authorization; Automata; Computational modeling; Context; Databases; Monitoring; PHP programming language; application security; model checking; property satisfaction profiles; security evolution; source code analysis;
Conference_Titel :
Software Testing, Verification and Validation (ICST), 2011 IEEE Fourth International Conference on
Conference_Location :
Berlin
Print_ISBN :
978-1-61284-174-8
Electronic_ISBN :
978-0-7695-4342-0
DOI :
10.1109/ICST.2011.36