On risk in access control enforcement

Giuseppe Petracca; Frank Capobianco; Christian Skalka; Trent Jaeger

doi:10.1145/3078861.3078872

On risk in access control enforcement

Giuseppe Petracca, Frank Capobianco, Christian Skalka, Trent Jaeger

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Scopus citations

Abstract

While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.

Original language	English (US)
Title of host publication	SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies
Publisher	Association for Computing Machinery
Pages	31-42
Number of pages	12
ISBN (Electronic)	9781450347020
DOIs	https://doi.org/10.1145/3078861.3078872
State	Published - Jun 7 2017
Event	22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017 - Indianapolis, United States Duration: Jun 21 2017 → Jun 23 2017

Publication series

Name	Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT
Volume	Part F128644

Other

Other	22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017
Country/Territory	United States
City	Indianapolis
Period	6/21/17 → 6/23/17

All Science Journal Classification (ASJC) codes

Software
Computer Networks and Communications
Safety, Risk, Reliability and Quality
Information Systems

Access to Document

10.1145/3078861.3078872

Cite this

Petracca, G., Capobianco, F., Skalka, C., & Jaeger, T. (2017). On risk in access control enforcement. In SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies (pp. 31-42). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT; Vol. Part F128644). Association for Computing Machinery. https://doi.org/10.1145/3078861.3078872

@inproceedings{0dc4b43a74024c0487981d8790ac525e,

title = "On risk in access control enforcement",

abstract = "While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.",

author = "Giuseppe Petracca and Frank Capobianco and Christian Skalka and Trent Jaeger",

note = "Funding Information: This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF- 13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. This research is also based in part upon work supported by the National Science Foundation (NSF) under Grant Numbers CNS- 1408880 and CNS-1408801. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily re.ect the views of the National Science Foundation. Publisher Copyright: {\textcopyright} 2017 Association for Computing Machinery.; 22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017 ; Conference date: 21-06-2017 Through 23-06-2017",

year = "2017",

month = jun,

day = "7",

doi = "10.1145/3078861.3078872",

language = "English (US)",

series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

publisher = "Association for Computing Machinery",

pages = "31--42",

booktitle = "SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies",

}

Petracca, G, Capobianco, F, Skalka, C & Jaeger, T 2017, On risk in access control enforcement. in SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, vol. Part F128644, Association for Computing Machinery, pp. 31-42, 22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017, Indianapolis, United States, 6/21/17. https://doi.org/10.1145/3078861.3078872

On risk in access control enforcement. / Petracca, Giuseppe; Capobianco, Frank; Skalka, Christian et al.
SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2017. p. 31-42 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT; Vol. Part F128644).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - On risk in access control enforcement

AU - Petracca, Giuseppe

AU - Capobianco, Frank

AU - Skalka, Christian

AU - Jaeger, Trent

N1 - Funding Information: This research was sponsored by the Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF- 13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon. This research is also based in part upon work supported by the National Science Foundation (NSF) under Grant Numbers CNS- 1408880 and CNS-1408801. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily re.ect the views of the National Science Foundation. Publisher Copyright: © 2017 Association for Computing Machinery.

PY - 2017/6/7

Y1 - 2017/6/7

N2 - While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.

AB - While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often tries to balance security with ease of use implicitly (e.g., with respect to determining where to place authorization hooks) and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risks in access control enforcement and explore possible approaches and challenges in tracking those types of risks. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that benign program deployments accumulate risks in each of the four areas for ten Android programs examined. As a result, we find that tracking of relative risk may be useful for guiding changes to security choices, such as authorized unsafe operations or placement of authorization checks, when risk differs from that expected.

UR - http://www.scopus.com/inward/record.url?scp=85025477567&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85025477567&partnerID=8YFLogxK

U2 - 10.1145/3078861.3078872

DO - 10.1145/3078861.3078872

M3 - Conference contribution

AN - SCOPUS:85025477567

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 31

EP - 42

BT - SACMAT 2017 - Proceedings of the 22nd ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

T2 - 22nd ACM Symposium on Access Control Models and Technologies, SACMAT 2017

Y2 - 21 June 2017 through 23 June 2017

ER -

On risk in access control enforcement

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this