Apart from this JSON paper in the main ICWE conference, AtlanMod is presenting the paper Towards an Access-Control Metamodel for Web Content Management Systems in the MDWE workshop.
Following our of our previous works on extracting security policies from deployed components (see extraction of network access-control policies and Reverse engineering of database security policies) here the goal is to provide a unified representation of the possible acccess control policies that content management systems like Drupal, WordPress, etc offer ) specially now that they are the tool of choice for the development of millions of enterprise web sites but also the basis of many web applications that reuse them for important tasks like user registration and authentication. Little attention has been brought to the analysis of how developers use the content protection mechanisms provided by these systems, in particular, Access-control (AC). Indeed, once configured, knowing if the AC policy provides the required protection is a complex task as the specificities of each CMS need to be mastered. To tackle this problem, we propose here a metamodel tailored to the representation of CMS AC policies, easing the analysis and manipulation tasks by abstracting from vendor-specific details.
This is paper is still a very preliminar work focusing on the definition of the common security metamodel. Later on we will develop the “injectors” in charge of creating security models from live CMS installations so that their security can quickly be analyzed and visualized.
FNR Pearl Chair. Head of the Software Engineering RDI Unit at LIST. Affiliate Professor at University of Luxembourg. More about me.
Recent Comments