{"id":"https://openalex.org/W2511961348","doi":"https://doi.org/10.1145/2970276.2970350","title":"Finding access control bugs in web applications with CanCheck","display_name":"Finding access control bugs in web applications with CanCheck","publication_year":2016,"publication_date":"2016-08-25","ids":{"openalex":"https://openalex.org/W2511961348","doi":"https://doi.org/10.1145/2970276.2970350","mag":"2511961348"},"language":"en","primary_location":{"id":"doi:10.1145/2970276.2970350","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2970276.2970350","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2970350&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"http://dl.acm.org/ft_gateway.cfm?id=2970350&type=pdf","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5013112454","display_name":"Ivan Boci\u0107","orcid":null},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":true,"raw_author_name":"Ivan Boci\u0107","raw_affiliation_strings":["University of California at Santa Barbara, USA"],"affiliations":[{"raw_affiliation_string":"University of California at Santa Barbara, USA","institution_ids":["https://openalex.org/I154570441"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5039991493","display_name":"Tevfik Bultan","orcid":"https://orcid.org/0000-0003-2993-1215"},"institutions":[{"id":"https://openalex.org/I154570441","display_name":"University of California, Santa Barbara","ror":"https://ror.org/02t274463","country_code":"US","type":"education","lineage":["https://openalex.org/I154570441"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"Tevfik Bultan","raw_affiliation_strings":["University of California at Santa Barbara, USA"],"affiliations":[{"raw_affiliation_string":"University of California at Santa Barbara, USA","institution_ids":["https://openalex.org/I154570441"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":2,"corresponding_author_ids":["https://openalex.org/A5013112454"],"corresponding_institution_ids":["https://openalex.org/I154570441"],"apc_list":null,"apc_paid":null,"fwci":1.7669,"has_fulltext":true,"cited_by_count":10,"citation_normalized_percentile":{"value":0.89385876,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":97},"biblio":{"volume":null,"issue":null,"first_page":"155","last_page":"166"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.9980000257492065,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10927","display_name":"Access Control and Trust","score":0.9973999857902527,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10126","display_name":"Logic, programming, and type systems","score":0.9962000250816345,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/access-control","display_name":"Access control","score":0.8350356817245483},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8021017909049988},{"id":"https://openalex.org/keywords/authorization","display_name":"Authorization","score":0.6342583894729614},{"id":"https://openalex.org/keywords/enforcement","display_name":"Enforcement","score":0.5351667404174805},{"id":"https://openalex.org/keywords/web-application","display_name":"Web application","score":0.5218188166618347},{"id":"https://openalex.org/keywords/role-based-access-control","display_name":"Role-based access control","score":0.44853973388671875},{"id":"https://openalex.org/keywords/control","display_name":"Control (management)","score":0.44684427976608276},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.37203919887542725},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.36148470640182495},{"id":"https://openalex.org/keywords/database","display_name":"Database","score":0.3554774522781372},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.28378796577453613},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.10004732012748718}],"concepts":[{"id":"https://openalex.org/C527821871","wikidata":"https://www.wikidata.org/wiki/Q228502","display_name":"Access control","level":2,"score":0.8350356817245483},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8021017909049988},{"id":"https://openalex.org/C108759981","wikidata":"https://www.wikidata.org/wiki/Q788590","display_name":"Authorization","level":2,"score":0.6342583894729614},{"id":"https://openalex.org/C2779777834","wikidata":"https://www.wikidata.org/wiki/Q4202277","display_name":"Enforcement","level":2,"score":0.5351667404174805},{"id":"https://openalex.org/C118643609","wikidata":"https://www.wikidata.org/wiki/Q189210","display_name":"Web application","level":2,"score":0.5218188166618347},{"id":"https://openalex.org/C45567728","wikidata":"https://www.wikidata.org/wiki/Q1702839","display_name":"Role-based access control","level":3,"score":0.44853973388671875},{"id":"https://openalex.org/C2775924081","wikidata":"https://www.wikidata.org/wiki/Q55608371","display_name":"Control (management)","level":2,"score":0.44684427976608276},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.37203919887542725},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.36148470640182495},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.3554774522781372},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.28378796577453613},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.10004732012748718},{"id":"https://openalex.org/C17744445","wikidata":"https://www.wikidata.org/wiki/Q36442","display_name":"Political science","level":0,"score":0.0},{"id":"https://openalex.org/C199539241","wikidata":"https://www.wikidata.org/wiki/Q7748","display_name":"Law","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/2970276.2970350","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2970276.2970350","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2970350&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/2970276.2970350","is_oa":true,"landing_page_url":"https://doi.org/10.1145/2970276.2970350","pdf_url":"http://dl.acm.org/ft_gateway.cfm?id=2970350&type=pdf","source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering","raw_type":"proceedings-article"},"sustainable_development_goals":[{"score":0.7699999809265137,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[{"id":"https://openalex.org/G3172429894","display_name":null,"funder_award_id":"CCF-1423623","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"},{"id":"https://openalex.org/G5706889890","display_name":"SHF: Small: Data Model Verification for Web Applications","funder_award_id":"1423623","funder_id":"https://openalex.org/F4320306076","funder_display_name":"National Science Foundation"}],"funders":[{"id":"https://openalex.org/F4320306076","display_name":"National Science Foundation","ror":"https://ror.org/021nxhr62"}],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W2511961348.pdf","grobid_xml":"https://content.openalex.org/works/W2511961348.grobid-xml"},"referenced_works_count":30,"referenced_works":["https://openalex.org/W160952353","https://openalex.org/W1596061562","https://openalex.org/W1599739130","https://openalex.org/W1606177908","https://openalex.org/W1895387792","https://openalex.org/W1963797508","https://openalex.org/W1993836075","https://openalex.org/W1999512659","https://openalex.org/W2007237548","https://openalex.org/W2014473133","https://openalex.org/W2029009274","https://openalex.org/W2033182255","https://openalex.org/W2057716730","https://openalex.org/W2060440626","https://openalex.org/W2064070192","https://openalex.org/W2074685549","https://openalex.org/W2081212007","https://openalex.org/W2124694173","https://openalex.org/W2128325590","https://openalex.org/W2130427425","https://openalex.org/W2166768964","https://openalex.org/W2249108975","https://openalex.org/W2404990348","https://openalex.org/W2749040653","https://openalex.org/W2752929869","https://openalex.org/W3102845218","https://openalex.org/W3140723952","https://openalex.org/W4211218509","https://openalex.org/W6650065013","https://openalex.org/W6764000109"],"related_works":["https://openalex.org/W2372156812","https://openalex.org/W2374393728","https://openalex.org/W2555738791","https://openalex.org/W1990260561","https://openalex.org/W1593822213","https://openalex.org/W2357728851","https://openalex.org/W2017675414","https://openalex.org/W2367441718","https://openalex.org/W2355345331","https://openalex.org/W1466567525"],"abstract_inverted_index":{"Access":[0],"control":[1,30,62,75,99,130,139],"bugs":[2,131],"in":[3,31,111,137],"web":[4,12],"applications":[5,13],"can":[6],"have":[7],"dire":[8],"consequences":[9],"since":[10],"many":[11],"store":[14],"private":[15],"and":[16,54,67,88],"sensitive":[17],"data.":[18],"In":[19],"this":[20,82],"paper":[21],"we":[22,123],"present":[23],"an":[24],"automated":[25,90],"verification":[26],"technique":[27,38,110],"for":[28,73],"access":[29,61,74,98,129,138],"Ruby":[32],"on":[33,118],"Rails":[34,121],"(Rails)":[35],"applications.":[36],"Our":[37],"starts":[39],"by":[40,56,104],"automatically":[41,80],"extracting":[42],"a":[43,112],"model":[44,83],"that":[45],"captures":[46],"1)":[47],"the":[48,50,57,60,65,69,96,105],"ways":[49],"data":[51],"is":[52,101],"accessed":[53],"modified":[55],"application,":[58,66],"2)":[59],"policy":[63,76,100],"of":[64],"3)":[68],"authorization":[70],"checks":[71],"used":[72],"enforcement.":[77],"Then,":[78],"it":[79],"translates":[81],"to":[84,93],"first":[85],"order":[86],"logic":[87],"uses":[89],"theorem":[91],"provers":[92],"check":[94],"whether":[95],"declared":[97],"correctly":[102],"enforced":[103],"implementation.":[106],"We":[107],"implemented":[108],"our":[109],"tool":[113],"called":[114],"CanCheck.":[115],"Using":[116],"CanCheck":[117],"open":[119],"source":[120],"applications,":[122],"found":[124],"numerous":[125],"previously":[126],"unknown":[127],"exploitable":[128],"as":[132,134],"well":[133],"several":[135],"deficiencies":[136],"policies.":[140]},"counts_by_year":[{"year":2024,"cited_by_count":1},{"year":2022,"cited_by_count":2},{"year":2020,"cited_by_count":3},{"year":2018,"cited_by_count":3},{"year":2017,"cited_by_count":1}],"updated_date":"2026-04-10T15:06:20.359241","created_date":"2025-10-10T00:00:00"}