Towards Further Formal Foundation of Web Security: Expression of Temporal Logic in Alloy and Its Application to A Security Model with Cache

Hayato Shimamoto, Naoto Yanai, Shingo Okamura, Jason Paul Cruz, Shouei Ou, Takao Okubo
2019 IEEE Access  
Security analysis of a web system is complicated, and thus analysis using formal methods to describe system specification mathematically has attracted attention. Some previous studies have adopted formal methods, but their models cannot express parallel communication completely. This limitation gives rise to problems where web functions, such as a cache that stores contents, cannot be defined and attacks that forge contents cannot be analyzed. These problems are present in the Alloy-based
more » ... entations of current models that do not have the ability to express temporal logic. Therefore, we design implementation and evaluation of temporal logic in Alloy to express time series and parallel computation for web security analysis. In doing so, state transitions in the web can be expressed by fitting them in our proposed syntax. As concrete applications, we describe a web security model that includes caches and show that our proposed syntax can analyze state-of-the-art attacks, such as unauthorized access to users' account pages via caches. The source code of our proposed model in Alloy is publicly available. INDEX TERMS Alloy, cache, formal methods, security model, temporal logic, web security.
doi:10.1109/access.2019.2920675 fatcat:tmoorwl2org6dbou37g453ii3m