From Hindsight to Foresight: Enhancing Design Artifacts for Business Logic Flaw Discovery
Web applications have encroached on our lives, handling important tasks and sensitive information. Many tools check application code for implementation-level vulnerabilities, but they are often blind to flaws caused by violations of design-level assumptions. Fixing such flaws after code deployment is costly. In this work, we seek to retroactively identify business logic flaws, or design-level flaws, by generating security tests during the design phase from available software artifacts. Specifically, we take in use case scenarios and automatically generate misuse case scenarios based on user-defined design constraints. By running those misuse case scenarios with the already existing test code written for the functional use cases, we can discover potential design flaws during the coding phase. We apply our approach to two widely used open-source applications that have high-quality feature files. Running our generated misuse case scenarios discovers, and hence potentially prevents, seven flaws. Several of them were only fixed in hindsight after someone stumbled upon a bug; the remaining ones are new issues.
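As an added illustration (not the paper's tool, rule format or feature files), the following Python sketch applies a user-defined design constraint to a Gherkin use case scenario to derive a misuse case scenario, then drives both through the same minimal step definitions so that a backend lacking the ownership check fails the misuse case. The notes-service scenario, the constraint format and the toy model are all constructed here.

```python
import re

# Constructed Gherkin use-case scenario for a hypothetical notes service.
USE_CASE = """\
Scenario: Owner deletes a note
  Given "alice" owns note "n1"
  And I am logged in as "alice"
  When I delete note "n1"
  Then note "n1" should not exist"""

# Constructed design constraint: the precondition to perturb and the outcome
# the constraint demands once the precondition no longer holds.
CONSTRAINTS = [{
    "name": "only the owner may delete a note",
    "perturb": (r'logged in as "alice"', 'logged in as "mallory"'),
    "expect": 'Then note "n1" should still exist',
}]

def generate_misuse_cases(use_case, constraints):
    """Return one misuse-case scenario per constraint whose perturbation applies."""
    lines = [l.strip() for l in use_case.strip().splitlines()]
    title, steps = lines[0].split(":", 1)[1].strip(), lines[1:]
    cases = []
    for c in constraints:
        pat, repl = c["perturb"]
        new, hit = [], 0
        for s in steps:
            if s.startswith("Then"):
                new.append(c["expect"])          # expectation taken from the constraint
            else:
                s, n = re.subn(pat, repl, s)     # perturb the precondition, keep the action
                new.append(s)
                hit += n
        if hit:
            cases.append("Scenario: %s [misuse: %s]\n  %s"
                         % (title, c["name"], "\n  ".join(new)))
    return cases

# Minimal step definitions over a toy notes model, reused unchanged for both
# use-case and misuse-case scenarios; enforce_owner=False models the design flaw.
def run_scenario(text, enforce_owner):
    notes, user = {}, None
    for step in text.splitlines()[1:]:
        step = step.strip()
        if m := re.match(r'(?:Given|And) "(\w+)" owns note "(\w+)"', step):
            notes[m[2]] = m[1]
        elif m := re.match(r'(?:Given|And) I am logged in as "(\w+)"', step):
            user = m[1]
        elif m := re.match(r'When I delete note "(\w+)"', step):
            if not enforce_owner or notes.get(m[1]) == user:
                notes.pop(m[1], None)
        elif m := re.match(r'Then note "(\w+)" should (not exist|still exist)', step):
            if (m[1] in notes) != (m[2] == "still exist"):
                return False                     # scenario failed: design-flaw candidate
    return True
```

The functional use case passes against both backends, so only the generated misuse case exposes the missing ownership check.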