ABSTRACT
While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.
On Risk in Access Control Enforcement