Experiments and proofs in web-service security

Sheniar, Dawood and Hadaad, Nabeel and Martin, David and Addie, Ron ORCID: https://orcid.org/0000-0002-6664-8462 and Abdulla, Shahab ORCID: https://orcid.org/0000-0002-1193-6969 (2018) Experiments and proofs in web-service security. In: 28th International Telecommunication Networks and Application Conference: Experiments and Proofs in Web-service Security (ITNAC 2018), 21-23 Nov 2018, Sydney, Australia.

Text (Accepted Version)
Experiments and Proofs in Web-service Security-Dawood.pdf

Download (220kB) | Preview


Many web services have a subsystem for allowing users to register, authenticate, reset their password, and change personal details. It is important that such subsystems cannot be abused by attackers to gain access to the accounts of other users. We study a system which was initially prone to such attacks. Specific attacks are demonstrated and the system is then modified to prevent such attacks in future. The design achieved in this way is then analysed to show that it can't be broken in future unless users allow their email to he intercepted. This is achieved by formulating the requirement as a statement of the user's expectations of the system and then analysing the source code of the system to prove that it meets these requirements. The process of attack, correction, and formulation of security rules, and proof that rules hold, is proposed as a methodical security design philosophy.

Statistics for USQ ePrint 35880
Statistics for this ePrint Item
Item Type: Conference or Workshop Item (Commonwealth Reporting Category E) (Paper)
Refereed: Yes
Item Status: Live Archive
Additional Information: © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Faculty/School / Institute/Centre: Historic - Open Access College (1 Jul 2013 - 7 Jun 2020)
Faculty/School / Institute/Centre: Historic - Open Access College (1 Jul 2013 - 7 Jun 2020)
Date Deposited: 03 May 2019 06:23
Last Modified: 19 Dec 2021 21:57
Uncontrolled Keywords: web service security, security design, password reset, security rules, stakeholder analysis
Fields of Research (2008): 08 Information and Computing Sciences > 0802 Computation Theory and Mathematics > 080201 Analysis of Algorithms and Complexity
Fields of Research (2020): 46 INFORMATION AND COMPUTING SCIENCES > 4613 Theory of computation > 461399 Theory of computation not elsewhere classified
Socio-Economic Objectives (2008): E Expanding Knowledge > 97 Expanding Knowledge > 970108 Expanding Knowledge in the Information and Computing Sciences
Funding Details:
Identification Number or DOI: https://doi.org/10.1109/ATNAC.2018.8615367
URI: http://eprints.usq.edu.au/id/eprint/35880

Actions (login required)

View Item Archive Repository Staff Only