Internet Archive Scholar

Detection of Multiple-Duty-Related Security Leakage in Access Control Policies

JeeHyun Hwang, Tao Xie, Vincent C. Hu
2009 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (291.6 kB)
https://web.archive.org/web/20110414035839/http://people.engr.ncsu.edu/txie/publications/ssiri09-policy.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2011; you can also visit the original URL. The file type is application/pdf.

Access control mechanisms control which subjects (such as users or processes) have access to which resources. To facilitate managing access control, policy authors increasingly write access control policies in XACML. Access control policies written in XACML could be amenable to multiple-duty-related security leakage, which grants unauthorized access to a user when the user takes multiple duties (e.g., multiple roles in role-based access control policies). To help policy authors detect
more » ... uty-related security leakage, we develop a novel framework that analyzes policies and detects cases that potentially cause the leakage. In such cases, a user taking multiple roles (e.g., both r 1 and r 2 ) is given a different access decision from the decision given to a user taking an individual role (e.g., r 1 and r 2 , respectively). We conduct experiments on 11 XACML policies and our empirical results show that our framework effectively pinpoints potential multiple-duty-related security leakage for policy authors to inspect.
doi:10.1109/ssiri.2009.63 dblp:conf/ssiri/HwangXH09 fatcat:d3qc2cphhbe5hdxe6oqzlmwamm
Citation

JeeHyun Hwang, Tao Xie, Vincent C. Hu. "Detection of Multiple-Duty-Related Security Leakage in Access Control Policies." 2009 Third IEEE International Conference on Secure Software Integration and Reliability Improvement (2009) 65-74