Auto-generation of Least Privileges Access Control Policies for Applications Supported by User Input Recognition

Chapter in: Transactions on Computational Science XI

Part of the book series: Lecture Notes in Computer Science (TCOMPUTATSCIE, volume 6480)

Abstract

Applications are typically executed in the security context of the user. Nonetheless, they do not need all the access rights that are granted to that user. Executing applications with minimal rights (least privileges) is therefore desirable: in case of an attack, only a fraction of the resources can be accessed. The state of the art on application-based access control policy generation has limitations: existing work does not generate least-privilege policies, the generated policies are not always complete, and the process requires complex manual interaction. This paper presents an almost fully automated approach that counters these limitations. It achieves this by (1) extending a static analysis approach with user input recognition, (2) introducing a new runtime approach to user input recognition based on information tracking and Aspect-Oriented Programming, and (3) combining these two contributions with some of the existing work. The combined approaches are integrated into the software development life cycle, and thus policy generation becomes practicable. A prototype of the runtime approach is implemented, which demonstrates feasibility and scalability.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Lachmund, S., Hengst, G. (2010). Auto-generation of Least Privileges Access Control Policies for Applications Supported by User Input Recognition. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds) Transactions on Computational Science XI. Lecture Notes in Computer Science, vol 6480. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17697-5_2

  • DOI: https://doi.org/10.1007/978-3-642-17697-5_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-17696-8

  • Online ISBN: 978-3-642-17697-5

  • eBook Packages: Computer Science (R0)