Abstract: While we have long had principles describing how access control enforcement should be implemented, such as the reference monitor concept, imprecision in access control mechanisms and access control policies leads to risks that may enable exploitation. In practice, least privilege access control policies often allow information flows that may enable exploits. In addition, the implementation of access control mechanisms often balances security against ease of use implicitly (e.g., when determining where to place authorization hooks), and approaches to tighten access control, such as accounting for program context, are ad hoc. In this paper, we define four types of risk in access control enforcement and explore possible approaches and challenges in tracking those types of risk. In principle, we advocate runtime tracking to produce risk estimates for each of these types of risk. To better understand the potential of risk estimation for authorization, we propose risk estimate functions for each of the four types of risk, finding that the benign deployments of the ten Android programs we examine accumulate risk in each of the four areas. As a result, we find that tracking relative risk may be useful for guiding changes to security choices, such as authorizing unsafe operations or placing authorization checks, when risk differs from what is expected.
Abstract: Access control is a necessary defense to protect security-sensitive operations. Unfortunately, access control mechanisms are implemented manually in practice, which can lead to errors that can be exploited. Prior work aims to find such errors through static analysis, but the correctness of access control enforcement depends on runtime factors, such as the access control policies enforced and adversary control of the program inputs. As a result, we propose to apply provenance tracking to find flaws in access control enforcement. To do so, we track the decisions made in deploying access control enforcement to enable detection of flaws. We have developed AutoProv, a Java bytecode analysis tool capable of retrofitting legacy Java applications with provenance hooks. We utilize AutoProv to add provenance hooks at all locations that either may require access control enforcement or may impact access control policy decisions. We evaluate our tool on OpenMRS, an open source medical record system, which is used across the globe to manage sensitive data for millions of patients.
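The following is an added illustration of the idea in the second abstract, written for this page; it is not AutoProv or OpenMRS code. It places provenance hooks at two kinds of locations, the authorization checks and the security-sensitive operations they are meant to guard, records what each hook saw at runtime (subject, role, object, operation, decision, and whether the decision depended on untrusted input), and then audits the record for three enforcement flaws: a sensitive operation reached with no covering authorization decision (missing hook), a decision whose outcome the adversary could steer through request input (tainted decision), and a sensitive operation executed after a deny (check result ignored). The policy, the `Tainted` marker, the hook identifiers and the four request handlers are all constructed for the example.

```python
"""Runtime provenance tracking for access control enforcement (hypothetical example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


class Tainted(str):
    """A string that originated from an untrusted request parameter (constructed marker)."""


@dataclass
class Decision:
    hook: str          # hypothetical identifier of the authorization hook that ran
    subject: str
    role: str
    obj: str
    op: str
    allowed: bool
    from_tainted: bool  # subject or role for this decision came from untrusted input


@dataclass
class SensitiveOp:
    name: str
    obj: str
    op: str
    decisions: Tuple[Decision, ...]  # decisions recorded earlier in the same request


@dataclass
class Provenance:
    """Request-scoped provenance record (one per request so decisions do not leak across)."""
    decisions: List[Decision] = field(default_factory=list)
    ops: List[SensitiveOp] = field(default_factory=list)


# Constructed least-privilege policy: role -> allowed (object type, operation) pairs.
POLICY: Dict[str, set] = {
    "clinician": {("patient_chart", "read"), ("patient_chart", "write")},
    "billing": {("patient_chart", "read")},
    "guest": set(),
}


def authorize(prov: Provenance, hook: str, subject, role, obj: str, op: str) -> bool:
    """Authorization hook: make the policy decision and record it with its provenance."""
    allowed = (obj.split(":")[0], op) in POLICY.get(role, set())
    tainted = isinstance(subject, Tainted) or isinstance(role, Tainted)
    prov.decisions.append(Decision(hook, str(subject), str(role), obj, op, allowed, tainted))
    return allowed


def sensitive(prov: Provenance, name: str, obj: str, op: str) -> None:
    """Provenance hook on a security-sensitive operation: snapshot the decisions that preceded it."""
    prov.ops.append(SensitiveOp(name, obj, op, tuple(prov.decisions)))


def audit(prov: Provenance) -> List[tuple]:
    """Flag sensitive operations whose provenance shows an enforcement flaw."""
    findings: List[tuple] = []
    for sop in prov.ops:
        covering = [d for d in sop.decisions if d.obj == sop.obj and d.op == sop.op]
        if not covering:
            findings.append(("missing_hook", sop.name))
            continue
        if not any(d.allowed for d in covering):
            findings.append(("denied_but_executed", sop.name))
        for d in covering:
            if d.from_tainted:
                findings.append(("tainted_decision", sop.name, d.hook))
    return findings


# Four constructed request handlers: one correct, three with a distinct enforcement flaw.
def handle_view_chart(prov, session, params):
    chart = "patient_chart:" + params["patient_id"]
    if authorize(prov, "view_chart.h1", session["user"], session["role"], chart, "read"):
        sensitive(prov, "read_chart", chart, "read")


def handle_export_chart(prov, session, params):
    chart = "patient_chart:" + params["patient_id"]
    sensitive(prov, "export_chart", chart, "read")  # flaw: no authorization hook on this path


def handle_edit_chart(prov, session, params):
    chart = "patient_chart:" + params["patient_id"]
    role = params["role"]  # flaw: role taken from the request, not the session
    if authorize(prov, "edit_chart.h1", session["user"], role, chart, "write"):
        sensitive(prov, "write_chart", chart, "write")


def handle_delete_note(prov, session, params):
    chart = "patient_chart:" + params["patient_id"]
    authorize(prov, "delete_note.h1", session["user"], session["role"], chart, "write")
    sensitive(prov, "delete_note", chart, "write")  # flaw: decision computed but ignored


def run_scenario() -> List[tuple]:
    """Drive the handlers with a constructed billing-role session and untrusted parameters."""
    session = {"user": "alice", "role": "billing"}
    params = {k: Tainted(v) for k, v in {"patient_id": "42", "role": "clinician"}.items()}
    findings: List[tuple] = []
    for handler in (handle_view_chart, handle_export_chart, handle_edit_chart, handle_delete_note):
        prov = Provenance()
        handler(prov, session, params)
        findings.extend(audit(prov))
    return findings


if __name__ == "__main__":
    for finding in run_scenario():
        print(finding)
```

The audit only sees what the hooks recorded, so the placement of the `sensitive` hooks is what determines which operations can be checked for a missing authorization decision at all; that is the placement problem the abstract describes automating with bytecode analysis, and here it is done by hand.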