Experiments and proofs in web-service security
Paper/Presentation Title | Experiments and proofs in web-service security |
---|---|
Presentation Type | Paper |
Authors | Sheniar, Dawood (Author), Hadaad, Nabeel (Author), Martin, David (Author), Addie, Ron (Author) and Abdulla, Shahab (Author) |
Editors | Harris, Richard, Gregory, Mark, Tran-Gia, Phuoc and Pawlikowski, Krys |
Journal or Proceedings Title | Proceedings of the 28th International Telecommunications Networks and Applications Conference (ITNAC 2018) |
Number of Pages | 6 |
Year | 2018 |
Place of Publication | New York, United States |
ISBN | 9781538671771 |
Digital Object Identifier (DOI) | https://doi.org/10.1109/ATNAC.2018.8615367 |
Web Address (URL) of Paper | https://ieeexplore.ieee.org/document/8615367 |
Conference/Event | 28th International Telecommunication Networks and Application Conference: Experiments and Proofs in Web-service Security (ITNAC 2018) |
Event Details | 28th International Telecommunication Networks and Application Conference: Experiments and Proofs in Web-service Security (ITNAC 2018). Event Date: 21 to end of 23 Nov 2018. Event Location: Sydney, Australia |
Abstract | Many web services have a subsystem for allowing users to register, authenticate, reset their password, and change personal details. It is important that such subsystems cannot be abused by attackers to gain access to the accounts of other users. We study a system which was initially prone to such attacks. Specific attacks are demonstrated and the system is then modified to prevent such attacks in future. The design achieved in this way is then analysed to show that it can't be broken in future unless users allow their email to be intercepted. This is achieved by formulating the requirement as a statement of the user's expectations of the system and then analysing the source code of the system to prove that it meets these requirements. The process of attack, correction, and formulation of security rules, and proof that rules hold, is proposed as a methodical security design philosophy. |
Keywords | web service security, security design, password reset, security rules, stakeholder analysis |
ANZSRC Field of Research 2020 | 461399. Theory of computation not elsewhere classified |
Public Notes | © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. |
Byline Affiliations | School of Agricultural, Computational and Environmental Sciences |
Open Access College | |
Institution of Origin | University of Southern Queensland |
Funding source | Australian Research Council (ARC) |
https://research.usq.edu.au/item/q51v1/experiments-and-proofs-in-web-service-security