Control-flow analysis of higher-order languages or taming lambda.
A Linear Time Algorithm for Deciding Subject Security. Journal of the ACM (JACM).
Delegation logic: A logic-based approach to distributed authorization. ACM Transactions on Information and System Security (TISSEC).
What You Always Wanted to Know About Datalog (And Never Dared to Ask). IEEE Transactions on Knowledge and Data Engineering.
The Confused Deputy: (or why capabilities might have been invented). ACM SIGOPS Operating Systems Review.
Joeq: a virtual machine and compiler infrastructure. Science of Computer Programming, special issue on advances in interpreters, virtual machines and emulators (IVME'03).
Robust composition: towards a unified approach to access control and concurrency control.
Design and Semantics of a Decentralized Authorization Language. CSF '07, Proceedings of the 20th IEEE Computer Security Foundations Symposium.
Context-sensitive pointer analysis using binary decision diagrams.
Proving the Correctness of Multiprocess Programs. IEEE Transactions on Software Engineering.
Evaluating the benefits of context-sensitive points-to analysis using a BDD-based implementation. ACM Transactions on Software Engineering and Methodology (TOSEM).
Strictly declarative specification of sophisticated points-to analyses. Proceedings of the 24th ACM SIGPLAN conference on Object oriented programming systems languages and applications.
Capsicum: practical capabilities for UNIX. USENIX Security '10, Proceedings of the 19th USENIX conference on Security.
A practical formal model for safety analysis in capability-based systems. TGC '05, Proceedings of the 1st international conference on Trustworthy global computing.
Automated Analysis of Security-Critical JavaScript APIs. SP '11, Proceedings of the 2011 IEEE Symposium on Security and Privacy.
Access control is a critical feature of many systems, including networks of services, processes within a computer, and objects within a running process. The security consequences of a particular architecture or access control policy are often difficult to determine, especially where some components are not under our control, where components are created dynamically, or where access policies are updated dynamically. The SERSCIS Access Modeller (SAM) takes a model of a system and explores how access can propagate through it. It can both prove defined safety properties and discover unwanted properties. By defining expected behaviours, recording the results as a baseline, and then introducing untrusted actors, SAM can discover a wide variety of design flaws. SAM is designed to handle dynamic systems (i.e., at runtime, new objects are created and access policies modified) and systems where some objects are not trusted. It extends previous approaches such as Scollar and Authodox to provide a programmer-friendly syntax for specifying behaviour, and allows modelling of services with mutually suspicious clients. Taking the Confused Deputy example from Authodox we show that SAM detects the attack automatically; using a web-based backup service, we show how to model RBAC systems, detecting a missing validation check; and using a proxy certificate system, we show how to extend it to model new access mechanisms. On discovering that a library fails to follow an RFC precisely, we re-evaluate our existing models under the new assumption and discover that the proxy certificate design is not safe with this library.
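The abstract describes SAM as taking a system model, propagating access through it to a fixpoint, and checking safety properties after an untrusted actor is introduced, with the Confused Deputy as the first worked case. The following is an added toy illustration of that idea and is not SAM's code or syntax (the paper's own modelling language is not shown on this page). It evaluates a handful of Datalog-style rules over a fact set until nothing new is derived, once for an ambient-authority design and once for a capability design, and reports whether an untrusted client can cause the compiler deputy to write to a billing record the client does not hold. All actor and object names (`client`, `compiler`, `userfile`, `billing`) and the rules themselves are constructed for the example.

```python
"""Added illustration (not SAM's code or syntax): a small Datalog-style
fixpoint that propagates access through a modelled system and checks a
safety property. The scenario is a Confused Deputy: an untrusted client asks
a compiler service to write its output somewhere, and the compiler also holds
its own billing record. All actor and object names are constructed."""


def fixpoint(facts, rules):
    """Apply every rule until no new fact appears (naive bottom-up evaluation).
    A fact is a tuple ('relation', arg1, arg2, ...); a rule maps the current
    fact set to an iterable of derived facts."""
    facts = set(facts)
    while True:
        derived = {f for rule in rules for f in rule(facts)} - facts
        if not derived:
            return facts
        facts |= derived


def select(facts, relation):
    """Argument tuples of one relation, materialised as a list so rules can
    iterate over it freely while they derive new facts."""
    return [f[1:] for f in facts if f[0] == relation]


def rule_client_passes_refs(facts):
    # Untrusted client: passes every object it holds to every service it holds.
    for caller, svc in select(facts, 'holds'):
        if caller != 'client':
            continue
        for holder, obj in select(facts, 'holds'):
            if holder == 'client' and obj != svc:
                yield ('calls', 'client', svc, obj)


def rule_ambient_names(facts):
    # Ambient-authority design: arguments are plain names, and the compiler
    # resolves any name with its own broad file-system authority.
    for (name,) in select(facts, 'names'):
        yield ('holds', 'compiler', name)
        for caller, svc in select(facts, 'holds'):
            if caller == 'client':
                yield ('calls', 'client', svc, name)


def rule_capability_pass(facts):
    # Capability design: a call transfers a reference only if the caller holds it.
    for caller, svc, arg in select(facts, 'calls'):
        if ('holds', caller, arg) in facts:
            yield ('holds', svc, arg)


def rule_deputy_writes(facts):
    # The deputy writes to whatever output it is asked for, as long as it holds
    # that object; the write is recorded together with who requested it.
    for caller, svc, arg in select(facts, 'calls'):
        if svc == 'compiler' and ('holds', 'compiler', arg) in facts:
            yield ('writes', 'compiler', arg)
            yield ('caused_by', caller, arg)


def unwanted_writes(facts):
    """Safety property: the client must not cause a write to an object it does
    not itself hold. Returns the violating objects (empty means the property holds)."""
    return sorted(obj for _, obj in select(facts, 'writes')
                  if ('caused_by', 'client', obj) in facts
                  and ('holds', 'client', obj) not in facts)


# Constructed baseline: the client holds the compiler and its own source file;
# the compiler privately holds the billing record; the client can guess both names.
BASE = {
    ('holds', 'client', 'compiler'),
    ('holds', 'client', 'userfile'),
    ('holds', 'compiler', 'billing'),
    ('names', 'userfile'),
    ('names', 'billing'),
}

DESIGNS = {
    'ambient': [rule_client_passes_refs, rule_ambient_names, rule_deputy_writes],
    'capability': [rule_client_passes_refs, rule_capability_pass, rule_deputy_writes],
}


def analyse(design):
    """Run the model for one design and report objects the untrusted client
    can get written to without holding them."""
    return unwanted_writes(fixpoint(BASE, DESIGNS[design]))


if __name__ == '__main__':
    for design in DESIGNS:
        print(design, '->', analyse(design) or 'safe')
```

Under the ambient-authority rules the fixpoint derives a write to `billing` caused by the client, which is the Confused Deputy; under the capability rules the client can only hand the compiler references it already holds, so the same property check comes back empty. The point of structuring the model as rules over facts is that a changed assumption (here, which design is in force; in the abstract, a library that does not follow its RFC) is one swapped rule, after which every existing safety property is simply re-evaluated.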