Various kinds of access control mechanisms are employed in today's computer systems to protect confidential information. Because maintaining system configurations requires a high level of expertise, detecting vulnerabilities caused by configuration errors is a difficult task. In this paper, we propose a model-based configuration verification method that can find complex errors in two major access control mechanisms: network packet filtering and file access control. The method constructs an information flow model from the configurations of the two mechanisms and verifies whether the system, as configured, satisfies the access policies defined by system administrators. Through the development of a prototype system and its experimental use, we confirmed that the proposed method could discover configuration errors in Web servers that might cause information leakage.