IEEE Access (Jan 2019)

Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to a Security Model With Cache

  • Hayato Shimamoto,
  • Naoto Yanai,
  • Shingo Okamura,
  • Jason Paul Cruz,
  • Shouei Ou,
  • Takao Okubo

DOI
https://doi.org/10.1109/ACCESS.2019.2920675
Journal volume & issue
Vol. 7
pp. 74941 – 74960

Abstract

Read online

Security analysis of a web system is complicated, and thus analysis using formal methods to describe system specification mathematically has attracted attention. Some previous studies have adopted formal methods, but their models cannot express parallel communication completely. This limitation gives rise to problems where web functions, such as a cache that stores contents, cannot be defined and attacks that forge contents cannot be analyzed. These problems are present in the Alloy-based implementations of current models that do not have the ability to express temporal logic. Therefore, we design implementation and evaluation of temporal logic in Alloy to express time series and parallel computation for web security analysis. In doing so, state transitions in the web can be expressed by fitting them in our proposed syntax. As concrete applications, we describe a web security model that includes caches and show that our proposed syntax can analyze state-of-the-art attacks, such as unauthorized access to users' account pages via caches. The source code of our proposed model in Alloy is publicly available.

Keywords