The University of Southampton
University of Southampton Institutional Repository

Modelling access propagation in dynamic systems

Modelling access propagation in dynamic systems
Modelling access propagation in dynamic systems


Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.

The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.

SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.

Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.
object-capabilities, datalog, proxy certificates
1094-9224
1-31
Leonard, Thomas
2db98a87-70fb-435e-8d4c-058278c454c5
Hall-May, Martin
f082897f-a6ec-4fae-b555-a514ae3bd717
Surridge, Mike
3bd360fa-1962-4992-bb16-12fc4dd7d9a9
Leonard, Thomas
2db98a87-70fb-435e-8d4c-058278c454c5
Hall-May, Martin
f082897f-a6ec-4fae-b555-a514ae3bd717
Surridge, Mike
3bd360fa-1962-4992-bb16-12fc4dd7d9a9

Leonard, Thomas, Hall-May, Martin and Surridge, Mike (2013) Modelling access propagation in dynamic systems. ACM Transactions on Information and System Security, 16 (2), 1-31. (doi:10.1145/2516951.2516952).

Record type: Article

Abstract



Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically.

The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws.

SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients.

Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.

This record has no associated files available for download.

More information

Published date: September 2013
Keywords: object-capabilities, datalog, proxy certificates
Organisations: Electronics & Computer Science

Identifiers

Local EPrints ID: 372445
URI: http://eprints.soton.ac.uk/id/eprint/372445
ISSN: 1094-9224
PURE UUID: 4f18b6fd-2833-4712-a33d-d1a43272f5a6

Catalogue record

Date deposited: 03 Dec 2014 16:45
Last modified: 14 Mar 2024 18:37

Export record

Altmetrics

Contributors

Author: Thomas Leonard
Author: Martin Hall-May
Author: Mike Surridge

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×