Following our previous work on extracting security policies from deployed components (see extraction of network access-control policies and reverse engineering of database security policies), the goal here is to provide a unified representation of the access control policies that content management systems (CMSs) like Drupal, WordPress, etc. offer, especially now that they are the tool of choice for the development of millions of enterprise web sites and also the basis of many web applications that reuse them for important tasks like user registration and authentication. Little attention has been paid to the analysis of how developers use the content protection mechanisms provided by these systems, in particular access control (AC). Indeed, once configured, knowing whether the AC policy provides the required protection is a complex task, as the specificities of each CMS need to be mastered. To tackle this problem, we propose here a metamodel tailored to the representation of CMS AC policies, easing the analysis and manipulation tasks by abstracting from vendor-specific details.
This paper is still very preliminary work, focusing on the definition of the common security metamodel. Later on we will develop the "injectors" in charge of creating security models from live CMS installations, so that their security can quickly be analyzed and visualized.
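To make the idea of "injectors feeding a vendor-neutral model" concrete, here is an added illustration (not the paper's metamodel and not code from any CMS project). It assumes a hypothetical minimal metamodel in which a role holds permissions, and a permission is an action on a content type; two toy injectors translate constructed WordPress-style capability lists and Drupal-style permission strings into that model, so that one analysis query ("which roles can write content?") runs unchanged against both. The role/capability dumps are constructed samples, and the capability vocabulary is deliberately tiny.

```python
import re
from dataclasses import dataclass, field

# Hypothetical vendor-neutral AC metamodel (an assumption for this example):
# a role owns Permissions; a Permission is an action on a content type,
# where resource "*" means "any content type".
WRITE_ACTIONS = {"create", "edit", "delete", "publish"}


@dataclass(frozen=True)
class Permission:
    action: str
    resource: str


@dataclass
class ACModel:
    cms: str
    roles: dict = field(default_factory=dict)  # role name -> set[Permission]

    def grant(self, role, action, resource):
        self.roles.setdefault(role, set()).add(Permission(action, resource))

    def is_allowed(self, role, action, resource):
        # A "*" permission covers every content type.
        return any(p.action == action and p.resource in (resource, "*")
                   for p in self.roles.get(role, ()))

    def roles_allowed(self, action, resource):
        return {r for r in self.roles if self.is_allowed(r, action, resource)}

    def write_capable(self, roles):
        """Analysis query: which of the given (presumed low-privilege) roles
        hold any write-class permission? Same code for every CMS."""
        return {r for r in roles
                if any(p.action in WRITE_ACTIONS for p in self.roles.get(r, ()))}


# --- Injector 1: WordPress-style role -> capability list (constructed sample) ---
WP_ROLES = {
    "administrator": ["edit_posts", "delete_posts", "publish_posts", "edit_pages", "read"],
    "editor": ["edit_posts", "delete_posts", "publish_posts", "read"],
    "subscriber": ["read"],
}
_WP_NOUNS = {"posts": "post", "pages": "page"}


def inject_wordpress(roles):
    """Translate 'verb_nouns' capabilities into metamodel permissions."""
    m = ACModel("wordpress")
    for role, caps in roles.items():
        m.roles.setdefault(role, set())
        for cap in caps:
            if cap == "read":
                m.grant(role, "view", "*")
                continue
            verb, _, noun = cap.partition("_")
            if noun in _WP_NOUNS:
                m.grant(role, verb, _WP_NOUNS[noun])
            # capabilities outside this toy vocabulary are ignored here
    return m


# --- Injector 2: Drupal-style role -> permission strings (constructed sample) ---
DRUPAL_ROLES = {
    "administrator": ["create article content", "edit any article content",
                      "delete any article content", "access content"],
    "authenticated": ["access content", "create article content"],
    "anonymous": ["access content"],
}
# The own/any scope is dropped here; a real metamodel would keep it.
_DRUPAL_RE = re.compile(r"^(create|edit|delete) (?:any |own )?(\w+) content$")


def inject_drupal(roles):
    """Translate '<action> [any|own] <type> content' strings into the model."""
    m = ACModel("drupal")
    for role, perms in roles.items():
        m.roles.setdefault(role, set())
        for perm in perms:
            if perm == "access content":
                m.grant(role, "view", "*")
                continue
            match = _DRUPAL_RE.match(perm)
            if match:
                m.grant(role, match.group(1), match.group(2))
    return m


if __name__ == "__main__":
    for model, low_priv in ((inject_wordpress(WP_ROLES), {"subscriber"}),
                            (inject_drupal(DRUPAL_ROLES), {"anonymous", "authenticated"})):
        print(model.cms, "low-privilege roles that can write:",
              model.write_capable(low_priv) or "none")
```

The point of the exercise is the last loop: once both installations are expressed in the same model, the question "can a low-privilege role write content?" is answered by one query rather than by CMS-specific knowledge, which is exactly the analysis burden the metamodel is meant to remove.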