Authority Analysis for Least Privilege Environments

The rise of limited-privilege environments has been accompanied by the emergence of vulnerabilities in which a subject is able to maliciously wield their limited privileges to indirectly cause unwanted effects. Unfortunately, conventional safety analyses for access control systems are ill-equipped to deal with this problem because they do not detect the indirect effects that a subject can cause, but merely the permissions a subject can acquire. We present a technique that characterises a subject’s authority as all of the effects they can cause to occur. Our technique is based on an analysis of causation, applied to a CSP model of a system. These analyses can be expressed as CSP refinements and, hence, automatically performed by a refinement-checker such as FDR. We demonstrate the ability of our technique to successfully identify excess authority by examining the “Confused Deputy” scenario, whose vulnerability goes undetected with conventional safety analyses.
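As an added illustration (not the paper's CSP model or its FDR refinement checks), the following Python toy contrasts the two analyses the abstract distinguishes on a constructed Confused Deputy system: a compiler service that writes its output wherever the caller asks, using its own rights. The subject and object names, the rights table and the deputy's behaviour are assumptions constructed for this example.

```python
# Constructed Confused Deputy model (not the paper's CSP model): a compiler
# service is the deputy. It writes its output wherever the caller asks, using
# its own write permission rather than checking the caller's.
OBJECTS = ("client_dir", "billing_log")

# Direct permissions each subject holds, as (right, object). Constructed values.
PERMS = {
    "client": frozenset({("write", "client_dir"), ("invoke", "compiler")}),
    "compiler": frozenset({("write", "client_dir"), ("write", "billing_log")}),
}

def deputy_compile(output_path):
    """Effects the compiler causes when asked to write its output to
    output_path. The flaw: it consults its own rights, never the caller's."""
    if ("write", output_path) in PERMS["compiler"]:
        return {("write", output_path)}
    return set()

def actions_of(subject):
    """Every action the subject may initiate with the permissions it holds."""
    actions = []
    for right, obj in sorted(PERMS[subject]):
        if right == "invoke":  # any path may be passed as the argument
            actions += [("invoke", obj, path) for path in OBJECTS]
        else:
            actions.append((right, obj, None))
    return actions

def effects_of(action):
    """Effects an action brings about, including those a deputy performs on
    the caller's behalf."""
    right, obj, arg = action
    if right == "invoke" and obj == "compiler":
        return deputy_compile(arg)
    return {(right, obj)}

def acquirable_permissions(subject):
    """Conventional safety analysis: the rights the subject can come to hold.
    This model has no rights-transfer rules, so that is just its direct rights."""
    return set(PERMS[subject])

def authority(subject):
    """Effect-based analysis: every effect the subject can cause to occur."""
    return set().union(*(effects_of(a) for a in actions_of(subject)))

def excess_authority(subject):
    """Effects the subject can cause without holding a permission for them."""
    return authority(subject) - acquirable_permissions(subject)
```

The permission-based check reports that the client can never hold write access to the billing log, while the effect-based check reports that the client can nonetheless cause a write to it, which is exactly the excess authority a least-privilege review needs to see.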
