
Modelling Access Propagation in Dynamic Systems

Published: 01 September 2013

Abstract

Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.

The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.

SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.

Taking the Confused Deputy example from Authodox, we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend SAM to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and find that the proxy certificate design is not safe with this library.
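The baseline-then-untrusted-actor workflow described above, carried out on Hardy's Confused Deputy as an added Python illustration. This is not SAM's syntax or semantics: the fact shapes, rule names, ACL policy and file names are constructed for the example, and the fix modelled (the deputy also checking the caller's own authority) is one textbook remedy, not a claim about the paper's model.

```python
# Added illustration, not SAM's own syntax or semantics: a Datalog-style fixpoint
# over access facts, applied to Hardy's Confused Deputy. File names are ambient
# (any subject can name any file); the authority to write them is an ACL.
FILES = {"out.txt", "billing.txt"}
ACL = {"compiler": FILES, "client": {"out.txt"}}  # constructed write policy

def fixpoint(facts, rules):  # apply every rule until nothing new is derived
    facts = set(facts)
    while True:
        derived = set().union(*(rule(facts) for rule in rules)) - facts
        if not derived:
            return facts
        facts |= derived

def sel(facts, kind):  # facts of one kind, e.g. ("holds", subject, ref)
    return [f[1:] for f in facts if f[0] == kind]

def untrusted_calls(facts):
    """An untrusted subject may invoke anything it holds with anything it holds."""
    out = set()
    for (s,) in sel(facts, "untrusted"):
        held = [r for h, r in sel(facts, "holds") if h == s]
        out |= {("invokes", s, t, a) for t in held for a in held}
    return out

def pass_args(facts):  # the callee comes to hold every argument it is passed
    return {("holds", t, a) for _, t, a in sel(facts, "invokes")}

def compiler(check_caller):
    """Deputy: writes the file the caller names with the compiler's own authority;
    check_caller=True is the fix: it also demands the caller's own authority."""
    def rule(facts):
        out = set()
        for caller, target, arg in sel(facts, "invokes"):
            if target == "compiler" and arg in ACL["compiler"]:
                if not check_caller or arg in ACL.get(caller, ()):
                    out.add(("wrote", arg, caller))  # written on caller's behalf
        return out
    return rule

def analyse(client_trusted, check_caller):  # baseline run or untrusted client
    facts = {("holds", "client", r) for r in FILES | {"compiler"}}
    if client_trusted:
        facts.add(("invokes", "client", "compiler", "out.txt"))  # declared behaviour
    else:
        facts.add(("untrusted", "client"))
    return fixpoint(facts, [untrusted_calls, pass_args, compiler(check_caller)])

def billing_safe(facts):  # property: billing.txt never written on client's behalf
    return ("wrote", "billing.txt", "client") not in facts
```

The baseline run (trusted client, unfixed deputy) satisfies the property, the untrusted client violates it via the deputy's ambient authority, and the checked deputy restores it while still serving the legitimate request.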

References

  1. Anderson, J. P. 1972. Computer security technology planning study. Tech. rep., Electronic Systems Division, Air Force Systems Command, Hanscom Field, Bedford, MA.
  2. Becker, M. Y., Fournet, C., and Gordon, A. D. 2007. Design and semantics of a decentralized authorization language. In Proceedings of CSF. IEEE Computer Society, Los Alamitos, CA, 3--15.
  3. Bravenboer, M. and Smaragdakis, Y. 2009. Strictly declarative specification of sophisticated points-to analyses. In Proceedings of the 24th ACM SIGPLAN Conference on Object Oriented Programming Systems Languages and Applications (OOPSLA'09). ACM, New York, 243--262.
  4. Ceri, S., Gottlob, G., and Tanca, L. 1989. What you always wanted to know about Datalog (and never dared to ask). IEEE Trans. Knowl. Data Eng. 1, 146--166.
  5. Ferraiolo, D. and Kuhn, R. 1992. Role-based access control. In Proceedings of the 15th NIST-NCSC National Computer Security Conference. Vol. 563, NIST, Baltimore, MD, 554--563.
  6. Formal Systems (Europe) Ltd and Oxford University Computing Laboratory. 2010. Failures-Divergence Refinement - FDR2 User Manual. Formal Systems (Europe) Ltd and Oxford University Computing Laboratory.
  7. Hall-May, M., Chakravarthy, A., Leonard, T., and Surridge, M. 2011. Semantic modelling of resource dependability for SLA-based service governance. In Handbook of Research on Service-Oriented Systems and Non-Functional Properties: Future Directions, S. Reiff-Marganiec and M. Tilly Eds., IGI Global, Hershey, PA, 401--441.
  8. Hardy, N. 1988. The confused deputy: (or why capabilities might have been invented). SIGOPS Oper. Syst. Rev. 22, 36--38.
  9. Lam, P., Bodden, E., Lhoták, O., and Hendren, L. 2011. The Soot framework for Java program analysis: A retrospective. In Proceedings of the Cetus Users and Compiler Infrastructure Workshop (CETUS 2011).
  10. Lamport, L. 1977. Proving the correctness of multiprocess programs. IEEE Trans. Softw. Eng. 3, 125--143.
  11. Leonard, T. 2012. SERSCIS access modeller 0.16. IT Innovation Centre, University of Southampton, http://www.serscis.eu/sam/.
  12. Lhoták, O. and Hendren, L. 2008. Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation. ACM Trans. Softw. Eng. Method. 18, 1, 3.
  13. Li, N., Grosof, B. N., and Feigenbaum, J. 2003. Delegation logic: A logic-based approach to distributed authorization. ACM Trans. Inf. Syst. Secur. 6, 1, 128--171.
  14. Lipton, R. J. and Snyder, L. 1977. A linear time algorithm for deciding subject security. J. ACM 24, 455--464.
  15. Mettler, A., Wagner, D., and Close, T. 2010. Joe-E: A security-oriented subset of Java. In Proceedings of the NDSS Symposium. Internet Society, San Diego, CA.
  16. Miller, M. S. 2006. Robust composition: Towards a unified approach to access control and concurrency control. Ph.D. thesis, Johns Hopkins University, Baltimore, MD.
  17. Murray, T. 2008. Authodox Version 0.2.0 Manual. Oxford University Computing Laboratory.
  18. Murray, T. 2010. Analysing the security properties of object-capability patterns. Ph.D. thesis, Oxford University Computing Laboratory.
  19. Redell, D. D. 1974. Naming and protection in extendible operating systems. Ph.D. thesis, Department of Computer Science, University of California at Berkeley.
  20. Shapiro, J., Doerrie, M. S., Northup, E., Swaroop, S., and Miller, M. 2004. Towards a verified, general-purpose operating system kernel. In Proceedings of the NICTA Invitational Workshop on Operating System Verification. Sydney, Australia, 1--19.
  21. Shivers, O. 1991. Control-flow analysis of higher-order languages. Ph.D. thesis, School of Computer Science, Carnegie Mellon University.
  22. Spiessens, A. 2007. Patterns of safe collaboration. Ph.D. thesis, Université catholique de Louvain.
  23. Spiessens, F. and Van Roy, P. 2005. A practical formal model for safety analysis in capability-based systems. In Trustworthy Global Computing, R. De Nicola and D. Sangiorgi Eds., Lecture Notes in Computer Science Series, vol. 3705, Springer, Berlin, Heidelberg, 248--278.
  24. STI. 2008. IRIS - Integrated Rule Inference System - API and User Guide. Semantic Technology Institute (STI) Innsbruck.
  25. Taly, A., Erlingsson, Ú., Mitchell, J. C., Miller, M. S., and Nagra, J. 2011. Automated analysis of security-critical JavaScript APIs. In Proceedings of the IEEE Symposium on Security and Privacy. 363--378.
  26. van Rossum, G. et al. 2011. Python 2.7.2's urllib2.py.
  27. Watson, R. N. M., Anderson, J., Kennaway, K., and Laurie, B. 2010. Capsicum: Practical capabilities for UNIX. In Proceedings of the 19th USENIX Security Symposium. The USENIX Association.
  28. Welch, V., Foster, I., Kesselman, C., Mulmo, O., Pearlman, L., Tuecke, S., Gawor, J., Meder, S., and Siebenlist, F. 2004. X.509 proxy certificates for dynamic delegation. In Proceedings of the 3rd Annual PKI R&D Workshop. NIST, Baltimore.
  29. Whaley, J. 2005. Joeq: A virtual machine and compiler infrastructure. Sci. Comput. Prog. 57, 3, 339--356.
  30. Whaley, J. 2007. Context-sensitive pointer analysis using binary decision diagrams. Ph.D. thesis, Stanford University.

Published in

ACM Transactions on Information and System Security, Volume 16, Issue 2
September 2013
120 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2516951

Copyright © 2013 ACM

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

• Published: 1 September 2013
• Accepted: 1 February 2013
• Revised: 1 September 2012
• Received: 1 March 2012


Qualifiers

• research-article
• Research
• Refereed
