| Summary: | Security analysis of a web system is complicated, and thus analysis using formal methods to describe system specification mathematically has attracted attention. Some previous studies have adopted formal methods, but their models cannot express parallel communication completely. This limitation gives rise to problems where web functions, such as a cache that stores contents, cannot be defined and attacks that forge contents cannot be analyzed. These problems are present in the Alloy-based implementations of current models that do not have the ability to express temporal logic. Therefore, we design implementation and evaluation of temporal logic in Alloy to express time series and parallel computation for web security analysis. In doing so, state transitions in the web can be expressed by fitting them in our proposed syntax. As concrete applications, we describe a web security model that includes caches and show that our proposed syntax can analyze state-of-the-art attacks, such as unauthorized access to users' account pages via caches. The source code of our proposed model in Alloy is publicly available.
|
|---|
