Classification and Distribution of RBAC Privilege Protection Changes in Wordpress Evolution (Short Paper)

Authors: Marc-André Laverdière, E. Merlo
Venue: 2017 15th Annual Conference on Privacy, Security and Trust (PST)
Publication date: 2017-08-01
DOI: 10.1109/PST.2017.00048 (https://doi.org/10.1109/PST.2017.00048)
Source platform: Semantic Scholar (citation count: 2)
Role-Based Access Control (RBAC) is commonly used in web applications to protect information and restrict operations. The security of these applications may be affected by source code changes between releases in unexpected ways. To prevent regressions and vulnerabilities, developers need to validate the changes prior to each release, which may be a major undertaking. We automatically and statically determine the privilege-level security impacts of code changes using privilege protection changes and apply a set-theoretic classification to them. To do so, we analyze code and determine the security privilege protection models of Web applications written in PHP using Pattern Traversal Flow Analysis (PTFA). We present the distribution of both privilege protection changes and their classification over 147 release pairs of WordPress, spanning from 2.0 to 4.5.1. We found that code changes had no impact on privilege protection in 82 (56%) of the release pairs. The remaining 65 (44%) release pairs are affected by privilege protection changes. For the latter release pairs, only 0.30% of the code is affected by privilege protection changes. We also found that the most common change categories are complete gains (40.81%), complete losses (17.99%) and substitution (20.10%). The automated identification and classification of privilege protection changes may help developers focus their effort more efficiently during security reviews, verification, validation, testing, and repairs.