Modelling Access Propagation in Dynamic Systems

Q Engineering

ACM Transactions on Information and System Security Pub Date : 2013-09-01 DOI:10.1145/2516951.2516952

T. Leonard, M. Hall-May, M. Surridge

{"title":"Modelling Access Propagation in Dynamic Systems","authors":"T. Leonard, M. Hall-May, M. Surridge","doi":"10.1145/2516951.2516952","DOIUrl":null,"url":null,"abstract":"Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.\n The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.\n SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.\n Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2013-09-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Information and System Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2516951.2516952","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q","JCRName":"Engineering","Score":null,"Total":0}

引用次数: 7

Abstract

Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically. The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws. SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients. Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.

查看原文本刊更多论文

动态系统中的访问传播建模

访问控制是许多系统的关键特性，包括服务网络、计算机中的进程和运行进程中的对象。特定体系结构或访问控制策略的安全后果通常很难确定，特别是当某些组件不在我们的控制之下、组件是动态创建的，或者访问策略是动态更新的时候。SERSCIS访问建模器(SAM)采用一个系统模型，并探索访问如何通过它传播。它既可以证明已定义的安全属性，也可以发现不需要的属性。通过定义预期的行为，将结果记录为基线，然后引入不可信的参与者，SAM可以发现各种各样的设计缺陷。SAM设计用于处理动态系统(即，在运行时创建新对象并修改访问策略)和某些对象不受信任的系统。它扩展了以前的方法，如sclar和authordox，为指定行为提供了一种程序员友好的语法，并允许对具有相互怀疑的客户端的服务进行建模。以authordox的“糊涂代理”为例，证明了SAM能够自动检测攻击;使用基于web的备份服务，我们展示了如何对RBAC系统建模，检测缺失的验证检查;通过使用代理证书系统，我们展示了如何扩展它来模拟新的访问机制。在发现库不能精确地遵循RFC时，我们在新的假设下重新评估现有模型，并发现代理证书设计使用该库是不安全的。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

ACM Transactions on Information and System Security 工程技术-计算机：信息系统

CiteScore

4.50

自引率

0.00%

发文量

审稿时长

3.3 months

期刊介绍： ISSEC is a scholarly, scientific journal that publishes original research papers in all areas of information and system security, including technologies, systems, applications, and policies.