TY - GEN
T1 - On risk in access control enforcement
AU - Petracca, Giuseppe
AU - Capobianco, Frank
AU - Skalka, Christian
AU - Jaeger, Trent
N1 - Publisher Copyright: © 2017 Association for Computing Machinery.
PY - 2017/6/7
Y1 - 2017/6/7
N2 - While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.
UR - http://www.scopus.com/inward/record.url?scp=85025477567&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85025477567&partnerID=8YFLogxK
U2 - 10.1145/3078861.3078872
DO - 10.1145/3078861.3078872
M3 - Conference contribution
AN - SCOPUS:85025477567
T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
SP - 31
EP - 42
BT - SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies
PB - Association for Computing Machinery
T2 - 22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017
Y2 - 21 June 2017 through 23 June 2017
ER -