Design and User Study of a Constraint-based Framework for Business Logic Flaw Discovery

2022 IEEE Secure Development Conference (SecDev) Pub Date : 2022-10-01 DOI:10.1109/SecDev53368.2022.00029

C. Cheh, Nicholas Tay, Binbin Chen

{"title":"Design and User Study of a Constraint-based Framework for Business Logic Flaw Discovery","authors":"C. Cheh, Nicholas Tay, Binbin Chen","doi":"10.1109/SecDev53368.2022.00029","DOIUrl":null,"url":null,"abstract":"Business logic flaws are common in web application security and pose a huge problem to developers. While there are many tools that check application code for implementation-level vulnerabilities, they are often blind to flaws caused by violation of design-level considerations. In this work, we present a framework that guides developers to create security test scenarios or misuse case scenarios by relating design constraints to existing functional use case scenarios. Those design constraints can then be translated into misuse case scenarios which can be run using existing test code that were written for functional use case scenarios in order to discover potential business logic flaws. In this paper, we conduct a user study with eleven experienced programmers to determine the feasibility of our approach and compare the complexity of our framework to the conventional approach of creating misuse case scenarios from scratch. The results of that study show that our framework saves time, improves coverage, and enhances re-usability compared to the conventional approach of creating misuse case scenarios in an ad-hoc manner.","PeriodicalId":407946,"journal":{"name":"2022 IEEE Secure Development Conference (SecDev)","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Secure Development Conference (SecDev)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SecDev53368.2022.00029","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Business logic flaws are common in web application security and pose a huge problem to developers. While there are many tools that check application code for implementation-level vulnerabilities, they are often blind to flaws caused by violation of design-level considerations. In this work, we present a framework that guides developers to create security test scenarios or misuse case scenarios by relating design constraints to existing functional use case scenarios. Those design constraints can then be translated into misuse case scenarios which can be run using existing test code that were written for functional use case scenarios in order to discover potential business logic flaws. In this paper, we conduct a user study with eleven experienced programmers to determine the feasibility of our approach and compare the complexity of our framework to the conventional approach of creating misuse case scenarios from scratch. The results of that study show that our framework saves time, improves coverage, and enhances re-usability compared to the conventional approach of creating misuse case scenarios in an ad-hoc manner.

查看原文本刊更多论文

基于约束的业务逻辑缺陷发现框架设计与用户研究

业务逻辑缺陷在web应用程序安全中很常见，给开发人员带来了巨大的问题。虽然有许多工具可以检查应用程序代码的实现级漏洞，但它们通常对违反设计级考虑而导致的缺陷视而不见。在这项工作中，我们提出了一个框架，通过将设计约束与现有的功能用例场景联系起来，指导开发人员创建安全测试场景或误用场景。然后，这些设计约束可以转化为误用场景，这些场景可以使用为功能用例场景编写的现有测试代码来运行，以便发现潜在的业务逻辑缺陷。在本文中，我们与11名经验丰富的程序员进行了用户研究，以确定我们方法的可行性，并将我们框架的复杂性与从头开始创建误用场景的传统方法进行比较。该研究的结果表明，与以特殊方式创建误用场景的传统方法相比，我们的框架节省了时间，提高了覆盖范围，并增强了可重用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Secure Development Conference (SecDev)

自引率

0.00%

发文量