Producing Hook Placements to Enforce Expected Access Control Policies

Many security-sensitive programs manage resources on behalf of mutually distrusting clients. To control access to resources, authorization hooks are placed before operations on those resources. Manual hook placements by programmers are often incomplete or incorrect, leading to insecure programs. We advocate an approach that automatically identifies the set of locations to place authorization hooks that mediates all security-sensitive operations in order to enforce expected access control policies at deployment. However, one challenge is that programmers often want to minimize the effort of writing such policies. As a result, they may remove authorization hooks that they believe are unnecessary, but they may remove too many hooks, preventing the enforcement of some desirable access control policies.

[1]  Robert Love Get on the D-BUS , 2005 .

[2]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.

[3]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[4]  Trent Jaeger,et al.  Using CQUAL for Static Analysis of Authorization Hook Placement , 2002, USENIX Security Symposium.

[5]  James P Anderson Computer Security Technology Planning Study. Volume 2 , 1972 .

[6]  Joe Gibbs Politz,et al.  ADsafety: Type-Based Verification of JavaScript Sandboxing , 2011, USENIX Security Symposium.

[7]  Li Gong,et al.  Implementing Protection Domains in the JavaTM Development Kit 1.2 , 1998, NDSS.

[8]  Using GConf as an Example of How to Create an Userspace Object Manager , 2007 .

[9]  Trent Jaeger,et al.  Leveraging "choice" to automate authorization hook placement , 2012, CCS '12.

[10]  Xiao Ma,et al.  AutoISES: Automatically Inferring Security Specification and Detecting Violations , 2008, USENIX Security Symposium.

[11]  D. Elliott Bell,et al.  Secure Computer System: Unified Exposition and Multics Interpretation , 1976 .

[12]  Somesh Jha,et al.  Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis , 2007, 29th International Conference on Software Engineering (ICSE'07).

[13]  George C. Necula,et al.  CIL: Intermediate Language and Tools for Analysis and Transformation of C Programs , 2002, CC.

[14]  Trent Jaeger,et al.  Runtime verification of authorization hook placement for the linux security modules framework , 2002, CCS '02.

[15]  Somesh Jha,et al.  Retrofitting legacy code for authorization policy enforcement , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[16]  Zhendong Su,et al.  Static Detection of Access Control Vulnerabilities in Web Applications , 2011, USENIX Security Symposium.

[17]  Benjamin Livshits,et al.  Automatic Mediation of Privacy-Sensitive Resource Access in Smartphone Applications , 2013, USENIX Security Symposium.

[18]  Somesh Jha,et al.  Automatic placement of authorization hooks in the linux security modules framework , 2005, CCS '05.

[19]  James P Anderson,et al.  Computer Security Technology Planning Study , 1972 .

[20]  Vitaly Shmatikov,et al.  RoleCast: finding missing security checks when you do not know what checks are , 2011, OOPSLA '11.