Abstract
Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.
The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.
SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.
Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.
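The workflow the abstract describes (define expected behaviour, record a baseline, introduce an untrusted actor, diff) can be reproduced in miniature with a Datalog-style fixpoint over access facts. The block below is an added example written for this page; it is not SAM's syntax or code, and the object names (client, compiler, billing, output) and the two deputy behaviours ("name_driven", following Hardy's compiler, and "ref_driven", the capability-passing fix) are assumptions used for illustration.

```python
"""Toy access-propagation check for a confused-deputy design.

Added example, not SAM's own code: facts are tuples, rules derive new facts,
and `fixpoint` iterates to closure.  Object names and deputy behaviours are
assumptions for illustration only.
"""


def fixpoint(facts, rules):
    """Apply monotone rules until no new facts appear (terminates on finite models)."""
    facts = set(facts)
    while True:
        derived = set()
        for rule in rules:
            derived |= rule(facts)
        if derived <= facts:
            return facts
        facts |= derived


def sel(facts, kind):
    """All facts of one kind with the leading tag removed."""
    return [f[1:] for f in facts if f[0] == kind]


# Rule 1: an untrusted actor may supply *any* object name that exists in the model.
def untrusted_knows_all_names(facts):
    refs = sel(facts, "ref")
    objects = {o for (_, o) in refs} | {s for (s, _) in refs}
    return {("name", a, o) for (a,) in sel(facts, "untrusted") for o in objects}


# Rule 2: a name-driven deputy writes wherever its caller names, using the
# deputy's own references.  Caller authority is amplified by the deputy's.
def name_driven_deputy(facts):
    refs = set(sel(facts, "ref"))
    deputies = {d for (d,) in sel(facts, "name_driven")}
    return {("write", a, n)
            for (a, d) in refs if d in deputies
            for (a2, n) in sel(facts, "name") if a2 == a and (d, n) in refs}


# Rule 3: a reference-driven deputy writes only through a reference the caller
# already holds, so calling it grants the caller nothing new.
def ref_driven_deputy(facts):
    refs = set(sel(facts, "ref"))
    deputies = {d for (d,) in sel(facts, "ref_driven")}
    return {("write", a, f)
            for (a, d) in refs if d in deputies
            for (a2, f) in refs if a2 == a and f != d}


RULES = [untrusted_knows_all_names, name_driven_deputy, ref_driven_deputy]


def model(design, untrusted_client):
    """Constructed model: one client, one compiler service, two files."""
    facts = {
        ("ref", "client", "compiler"),   # client may invoke the compiler
        ("ref", "client", "output"),     # client legitimately owns its output file
        ("ref", "compiler", "billing"),  # compiler keeps its own billing log
        ("ref", "compiler", "output"),
        ("name", "client", "output"),    # a well-behaved client names only its file
        (design, "compiler"),            # "name_driven" or "ref_driven"
    }
    if untrusted_client:
        facts.add(("untrusted", "client"))
    return facts


def new_authority(design):
    """Write authority that appears only once the client is untrusted."""
    baseline = fixpoint(model(design, False), RULES)
    attacked = fixpoint(model(design, True), RULES)
    return {f for f in attacked - baseline if f[0] == "write"}


def is_safe(design):
    """Safety property: nobody but the compiler ever writes the billing file."""
    facts = fixpoint(model(design, True), RULES)
    return not any(a != "compiler" for (a, o) in sel(facts, "write") if o == "billing")


if __name__ == "__main__":
    for design in ("name_driven", "ref_driven"):
        print(design, "safe:", is_safe(design), "new authority:", new_authority(design))
```

The baseline run with a trusted client yields only the expected `write(client, output)` in both designs; adding the untrusted actor makes `write(client, billing)` appear in the name-driven design and nothing new in the reference-driven one, which is the confused-deputy result the abstract reports SAM finding automatically.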
- Anderson, J. P. 1972. Computer security technology planning study. Tech. rep., Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA.
- Becker, M. Y., Fournet, C., and Gordon, A. D. 2007. Design and semantics of a decentralized authorization language. In Proceedings of CSF. IEEE Computer Society, Los Alamitos, CA, 3--15.
- Bravenboer, M. and Smaragdakis, Y. 2009. Strictly declarative specification of sophisticated points-to analyses. In Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA'09). ACM, New York, 243--262.
- Ceri, S., Gottlob, G., and Tanca, L. 1989. What you always wanted to know about Datalog (and never dared to ask). IEEE Trans. Knowl. Data Eng. 1, 146--166.
- Ferraiolo, D. and Kuhn, R. 1992. Role-based access control. In Proceedings of the 15th NIST-NCSC National Computer Security Conference. Vol. 563, NIST, Baltimore, MD, 554--563.
- Formal Systems (Europe) Ltd and Oxford University Computing Laboratory. 2010. Failures-Divergence Refinement - FDR2 User Manual. Formal Systems (Europe) Ltd and Oxford University Computing Laboratory.
- Hall-May, M., Chakravarthy, A., Leonard, T., and Surridge, M. 2011. Semantic modelling of resource dependability for SLA-based service governance. In Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions, S. Reiff-Marganiec and M. Tilly Eds., IGI Global, Hershey, PA, 401--441.
- Hardy, N. 1988. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 36--38.
- Lam, P., Bodden, E., Lhoták, O., and Hendren, L. 2011. The Soot framework for Java program analysis: A retrospective. In Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS 2011).
- Lamport, L. 1977. Proving the correctness of multiprocess programs. IEEE Trans. Softw. Eng. 3, 125--143.
- Leonard, T. 2012. SERSCIS access modeller 0.16. IT Innovation Centre, University of Southampton, http://www.serscis.eu/sam/.
- Lhoták, O. and Hendren, L. 2008. Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation. ACM Trans. Softw. Eng. Method. 18, 1, 3.
- Li, N., Grosof, B. N., and Feigenbaum, J. 2003. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. 6, 1, 128--171.
- Lipton, R. J. and Snyder, L. 1977. A linear time algorithm for deciding subject security. J. ACM 24, 455--464.
- Mettler, A., Wagner, D., and Close, T. 2010. Joe-E: A security-oriented subset of Java. In Proceedings of the NDSS Symposium. Internet Society, San Diego, CA.
- Miller, M. S. 2006. Robust composition: Towards a unified approach to access control and concurrency control. Ph.D. thesis, Johns Hopkins University, Baltimore, MD.
- Murray, T. 2008. Authodox Version 0.2.0 Manual. Oxford University Computing Laboratory.
- Murray, T. 2010. Analysing the security properties of object-capability patterns. Ph.D. thesis, Oxford University Computing Laboratory.
- Redell, D. D. 1974. Naming and protection in extendible operating systems. Ph.D. thesis, Department of Computer Science, University of California at Berkeley.
- Shapiro, J., Doerrie, M. S., Northup, E., Swaroop, S., and Miller, M. 2004. Towards a verified, general-purpose operating system kernel. In Proceedings of the NICTA Invitational Workshop on Operating System Verification. Sydney, Australia, 1--19.
- Shivers, O. 1991. Control-flow analysis of higher-order languages. Ph.D. thesis, School of Computer Science, Carnegie Mellon University.
- Spiessens, A. 2007. Patterns of safe collaboration. Ph.D. thesis, Université catholique de Louvain.
- Spiessens, F. and Van Roy, P. 2005. A practical formal model for safety analysis in capability-based systems. In Trustworthy Global Computing, R. De Nicola and D. Sangiorgi Eds., Lecture Notes in Computer Science Series, vol. 3705, Springer, Berlin, Heidelberg, 248--278.
- STI. 2008. IRIS - Integrated Rule Inference System - API and User Guide. Semantic Technology Institute (STI) Innsbruck.
- Taly, A., Erlingsson, Ú., Mitchell, J. C., Miller, M. S., and Nagra, J. 2011. Automated analysis of security-critical JavaScript APIs. In Proceedings of the IEEE Symposium on Security and Privacy. 363--378.
- van Rossum, G. et al. 2011. Python 2.7.2's urllib2.py.
- Watson, R. N. M., Anderson, J., Kennaway, K., and Laurie, B. 2010. Capsicum: Practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium. The USENIX Association.
- Welch, V., Foster, I., Kesselman, C., Mulmo, O., Pearlman, L., Tuecke, S., Gawor, J., Meder, S., and Siebenlist, F. 2004. X.509 proxy certificates for dynamic delegation. In Proceedings of the 3rd Annual PKI R&D Workshop. NIST, Baltimore.
- Whaley, J. 2005. Joeq: A virtual machine and compiler infrastructure. Sci. Comput. Prog. 57, 3, 339--356.
- Whaley, J. 2007. Context-sensitive pointer analysis using binary decision diagrams. Ph.D. thesis, Stanford University.
Modelling Access Propagation in Dynamic Systems