Types and Abstract Interpretation for Authorization Hook Advice

Christian Skalka; David Darais; Trent Jaeger; Frank Capobianco

doi:10.1109/CSF49147.2020.00018

Types and Abstract Interpretation for Authorization Hook Advice

Christian Skalka, David Darais, Trent Jaeger, Frank Capobianco

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Scopus citations

Abstract

Authorization hooks are access control checks that prevent unauthorized principals from interacting with some protected resource, and are used extensively in critical software such as operating systems, middleware, and server programs. They are often intended to mediate information flow between subjects (e.g., file owners), but typically in an ad-hoc manner. In this paper we present a static type and effect system for detecting whether authorization hooks in programs properly defend against undesired information flow between subjects. A significant novelty of our approach is an integrated abstract interpretation-based tool that guides system clients through the information flow consequences of access control policy decisions.

Original language	English (US)
Title of host publication	Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020
Publisher	IEEE Computer Society
Pages	139-152
Number of pages	14
ISBN (Electronic)	9781728165721
DOIs	https://doi.org/10.1109/CSF49147.2020.00018
State	Published - Jun 2020
Event	33rd IEEE Computer Security Foundations Symposium, CSF 2020 - Virtual, Online, United States Duration: Jun 22 2020 → Jun 25 2020

Publication series

Name	Proceedings - IEEE Computer Security Foundations Symposium
Volume	2020-June
ISSN (Print)	1940-1434

Conference

Conference	33rd IEEE Computer Security Foundations Symposium, CSF 2020
Country/Territory	United States
City	Virtual, Online
Period	6/22/20 → 6/25/20

All Science Journal Classification (ASJC) codes

General Engineering

Access to Document

10.1109/CSF49147.2020.00018

Cite this

Skalka, C., Darais, D., Jaeger, T., & Capobianco, F. (2020). Types and Abstract Interpretation for Authorization Hook Advice. In Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020 (pp. 139-152). Article 9155216 (Proceedings - IEEE Computer Security Foundations Symposium; Vol. 2020-June). IEEE Computer Society. https://doi.org/10.1109/CSF49147.2020.00018

@inproceedings{b290b16842c9434980492b47c84a0c14,

title = "Types and Abstract Interpretation for Authorization Hook Advice",

abstract = "Authorization hooks are access control checks that prevent unauthorized principals from interacting with some protected resource, and are used extensively in critical software such as operating systems, middleware, and server programs. They are often intended to mediate information flow between subjects (e.g., file owners), but typically in an ad-hoc manner. In this paper we present a static type and effect system for detecting whether authorization hooks in programs properly defend against undesired information flow between subjects. A significant novelty of our approach is an integrated abstract interpretation-based tool that guides system clients through the information flow consequences of access control policy decisions.",

author = "Christian Skalka and David Darais and Trent Jaeger and Frank Capobianco",

note = "Publisher Copyright: {\textcopyright} 2020 IEEE.; 33rd IEEE Computer Security Foundations Symposium, CSF 2020 ; Conference date: 22-06-2020 Through 25-06-2020",

year = "2020",

month = jun,

doi = "10.1109/CSF49147.2020.00018",

language = "English (US)",

series = "Proceedings - IEEE Computer Security Foundations Symposium",

publisher = "IEEE Computer Society",

pages = "139--152",

booktitle = "Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020",

address = "United States",

}

Skalka, C, Darais, D, Jaeger, T & Capobianco, F 2020, Types and Abstract Interpretation for Authorization Hook Advice. in Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020., 9155216, Proceedings - IEEE Computer Security Foundations Symposium, vol. 2020-June, IEEE Computer Society, pp. 139-152, 33rd IEEE Computer Security Foundations Symposium, CSF 2020, Virtual, Online, United States, 6/22/20. https://doi.org/10.1109/CSF49147.2020.00018

Types and Abstract Interpretation for Authorization Hook Advice. / Skalka, Christian; Darais, David; Jaeger, Trent et al.
Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020. IEEE Computer Society, 2020. p. 139-152 9155216 (Proceedings - IEEE Computer Security Foundations Symposium; Vol. 2020-June).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Types and Abstract Interpretation for Authorization Hook Advice

AU - Skalka, Christian

AU - Darais, David

AU - Jaeger, Trent

AU - Capobianco, Frank

PY - 2020/6

Y1 - 2020/6

N2 - Authorization hooks are access control checks that prevent unauthorized principals from interacting with some protected resource, and are used extensively in critical software such as operating systems, middleware, and server programs. They are often intended to mediate information flow between subjects (e.g., file owners), but typically in an ad-hoc manner. In this paper we present a static type and effect system for detecting whether authorization hooks in programs properly defend against undesired information flow between subjects. A significant novelty of our approach is an integrated abstract interpretation-based tool that guides system clients through the information flow consequences of access control policy decisions.

AB - Authorization hooks are access control checks that prevent unauthorized principals from interacting with some protected resource, and are used extensively in critical software such as operating systems, middleware, and server programs. They are often intended to mediate information flow between subjects (e.g., file owners), but typically in an ad-hoc manner. In this paper we present a static type and effect system for detecting whether authorization hooks in programs properly defend against undesired information flow between subjects. A significant novelty of our approach is an integrated abstract interpretation-based tool that guides system clients through the information flow consequences of access control policy decisions.

UR - http://www.scopus.com/inward/record.url?scp=85090461134&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85090461134&partnerID=8YFLogxK

U2 - 10.1109/CSF49147.2020.00018

DO - 10.1109/CSF49147.2020.00018

M3 - Conference contribution

AN - SCOPUS:85090461134

T3 - Proceedings - IEEE Computer Security Foundations Symposium

SP - 139

EP - 152

BT - Proceedings - 2020 IEEE 33rd Computer Security Foundations Symposium, CSF 2020

PB - IEEE Computer Society

T2 - 33rd IEEE Computer Security Foundations Symposium, CSF 2020

Y2 - 22 June 2020 through 25 June 2020

ER -

Types and Abstract Interpretation for Authorization Hook Advice

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this