Mining Positive and Negative Attribute-Based Access Control Policy Rules

Iyer, Padmavathi; Masoumzadeh, Amirreza

doi:10.1145/3205977.3205988

Cited by 42 publications

(23 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Molloy et al [37] proposed an approach that mines RBAC policies from existing logs, which reflect access traces of users recorded in the past. Medvet et al [38], Xu and Stoller [39,40], Cotrini et al [41], and Iyer and Masoumzadeh [42] proposed various approaches to mine attribute-based AC (ABAC) policies from existing logs. All these approaches rely only on existing logs; since the latter may only contain a fraction of possible access requests to resources, such approaches could miss many AC policies.…”

Section: Inference Of Ac Policies Using Black-box Analysismentioning

confidence: 99%

“…Several approaches [39,42,43] have proposed to mine AC policies from existing AC implementations, often as part of the migration to a modern access control paradigm; for example, Bui et al [44,43] proposed an approach to mine relationship-based AC (ReBAC) policies-an object-oriented extension of ABAC policiesfrom existing access control lists. Slankas and Williams [45] and Xiao et al [46] proposed approaches to extract AC policies from requirement documents written in natural language, using NLP (natural language processing) techniques to extract AC concepts like subjects, actions, and resources.…”

Section: Inference Of Ac Policies Using Black-box Analysismentioning

confidence: 99%

See 1 more Smart Citation

Automated reverse engineering of role-based access control policies of web applications

Shar

Bianculli

et al. 2022

Journal of Systems and Software

View full text Add to dashboard Cite

Access control (AC) is an important security mechanism used in software systems to restrict access to sensitive resources. Therefore, it is essential to validate the correctness of AC implementations with respect to policy specifications or intended access rights. However, in practice, AC policy specifications are often missing or poorly documented; in some cases, AC policies are hard-coded in business logic implementations. This leads to difficulties in validating the correctness of policy implementations and detecting AC defects.In this paper, we present a semi-automated framework for reverse-engineering of AC policies from Web applications. Our goal is to learn and recover role-based access control (RBAC) policies from implementations, which are then used to validate implemented policies and detect AC issues. Our framework, built on top of a suite of security tools, automatically explores a given Web application, mines domain input specifications from access logs, and systematically generates and executes more access requests using combinatorial test generation. To learn policies, we apply machine learning on the obtained data to characterize relevant attributes that influence AC. Finally, the inferred policies are presented to the security engineer, for validation with respect to intended access rights and for detecting AC issues. Inconsistent and insufficient policies are highlighted as potential AC issues, being either vulnerabilities or implementation errors.We evaluated our approach on four Web applications (three open-source and a proprietary one built by our industry partner) in terms of the correctness of inferred policies. We also evaluated the usefulness of our approach by investigating whether it facilitates the detection of AC issues. The results show that 97.8% of the inferred policies are correct with respect to the actual AC implementation; the analysis of these policies led to the discovery of 64 AC issues that were reported to the developers.

show abstract

Section: Inference Of Ac Policies Using Black-box Analysismentioning

confidence: 99%

Section: Inference Of Ac Policies Using Black-box Analysismentioning

confidence: 99%

Automated reverse engineering of role-based access control policies of web applications

Shar

Bianculli

et al. 2022

Journal of Systems and Software

View full text Add to dashboard Cite

show abstract

“…An interesting question to consider when integrating Estrela with legacy applications is how to bootstrap policy specification to assist the developers. Policy inference, which is orthogonal to the problem studied in this paper, has been an area of active research where prior works have proposed approaches to mine meaningful policies using logs, traces and program specifications [1,4,5,11,22,24,29,37,[48][49][50][51]. The mined policies can be used to bootstrap the initial set of policies when migrating applications to Estrela.…”

Section: Integration With Legacy Applicationsmentioning

confidence: 99%

Contextual and Granular Policy Enforcement in Database-backed Applications

Bichhawat

Fredrikson

Yang

et al. 2020

Proceedings of the 15th ACM Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Database-backed applications rely on inlined policy checks to process users' private and confidential data in a policy-compliant manner as traditional database access control mechanisms cannot enforce complex policies. However, application bugs due to missed checks are common in such applications, which result in data breaches. While separating policy from code is a natural solution, many data protection policies specify restrictions based on the context in which data is accessed and how the data is used. Enforcing these restrictions automatically presents significant challenges, as the information needed to determine context requires a tight coupling between policy enforcement and an application's implementation. We present Estrela, a framework for enforcing contextual and granular data access policies. Working from the observation that API endpoints can be associated with salient contextual information in most database-backed applications, Estrela allows developers to specify API-specific restrictions on data access and use. Estrela provides a clean separation between policy specification and the application's implementation, which facilitates easier auditing and maintenance of policies. Policies in Estrela consist of pre-evaluation and post-evaluation conditions, which provide the means to modulate database access before a query is issued, and to impose finergrained constraints on information release after the evaluation of query, respectively. We build a prototype of Estrela and apply it to retrofit several real world applications (from 1000-80k LOC) to enforce different contextual policies. Our evaluation shows that Estrela can enforce policies with minimal overheads. CCS CONCEPTS • Security and privacy → Access control; Software security engineering; Web application security.

show abstract

“…Later, Gautam et al proposed to model the ABAC mining problem as Constrained Weighted Set Cover Heuristic to better optimize the mined policy (Gautam et al 2017). While Xu and Gautam focused on mining affirmative ABAC authorization rules, Padmavathi et al proposed a more systematic, yet heuristic, approach to mine both positive and negative rules (Iyer and Masoumzadeh 2018). Mocanu et al first designed and evaluated an ABAC candidate rules generation framework using machine learning techniques.…”

Section: Abac Policy Miningmentioning

confidence: 99%

Automated extraction of attributes from natural language attribute-based access control (ABAC) Policies

2019

View full text Add to dashboard Cite

The National Institute of Standards and Technology (NIST) has identified natural language policies as the preferred expression of policy and implicitly called for an automated translation of ABAC natural language access control policy (NLACP) to a machine-readable form. To study the automation process, we consider the hierarchical ABAC model as our reference model since it better reflects the requirements of real-world organizations. Therefore, this paper focuses on the questions of: how can we automatically infer the hierarchical structure of an ABAC model given NLACPs; and, how can we extract and define the set of authorization attributes based on the resulting structure. To address these questions, we propose an approach built upon recent advancements in natural language processing and machine learning techniques. For such a solution, the lack of appropriate data often poses a bottleneck. Therefore, we decouple the primary contributions of this work into: (1) developing a practical framework to extract authorization attributes of hierarchical ABAC system from natural language artifacts, and (2) generating a set of realistic synthetic natural language access control policies (NLACPs) to evaluate the proposed framework. Our experimental results are promising as we achieved -in average -an F1-score of 0.96 when extracting attributes values of subjects, and 0.91 when extracting the values of objects' attributes from natural language access control policies.

show abstract

Mining Positive and Negative Attribute-Based Access Control Policy Rules

Cited by 42 publications

References 21 publications

Automated reverse engineering of role-based access control policies of web applications

Automated reverse engineering of role-based access control policies of web applications

Contextual and Granular Policy Enforcement in Database-backed Applications

Automated extraction of attributes from natural language attribute-based access control (ABAC) Policies

Contact Info

Product

Resources

About