On Risk in Access Control Enforcement

Published: 07 June 2017

ABSTRACT

While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in both access control mechanisms and access control policies creates risks that attackers may exploit. In practice, even least-privilege access control policies often permit information flows that can enable exploits. In addition, implementations of access control mechanisms often trade security against ease of use implicitly (e.g., when deciding where to place authorization hooks), and approaches to tightening access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risk in access control enforcement and explore possible approaches to, and challenges in, tracking each of them. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose a risk estimate function for each of the four types of risk and find that benign deployments of the ten Android programs we examined accumulate risk in all four areas. As a result, we find that tracking relative risk may be useful for guiding changes to security choices, such as which unsafe operations to authorize or where to place authorization checks, when the observed risk differs from that expected.


Published in: SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies, June 2017, 276 pages. ISBN 9781450347020. DOI 10.1145/3078861.

Copyright © 2017 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.

Acceptance rates: SACMAT '17 Abstracts accepted 14 of 50 submissions (28%); overall acceptance rate 177 of 597 submissions (30%).