Automated Inference of Access Control Policies for Web Applications

H. Le, Duy Cu Nguyen, L. Briand, Benjamin Hourte
{"title":"Automated Inference of Access Control Policies for Web Applications","authors":"H. Le, Duy Cu Nguyen, L. Briand, Benjamin Hourte","doi":"10.1145/2752952.2752969","DOIUrl":null,"url":null,"abstract":"In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. Then, we apply a machine learning technique to infer access rules. Inconsistent rules are then analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated based on pre-specified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications; one is open source while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of inferred rules and the access control vulnerabilities it helped detect.","PeriodicalId":305802,"journal":{"name":"Proceedings of the 20th ACM Symposium on Access Control Models and Technologies","volume":"172 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2015-06-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 20th ACM Symposium on Access Control Models and Technologies","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2752952.2752969","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 19

Abstract

In this paper, we present a novel, semi-automated approach to infer access control policies automatically for web-based applications. Our goal is to support the validation of implemented access control policies, even when they have not been clearly specified or documented. We use role-based access control as a reference model. Built on top of a suite of security tools, our approach automatically exercises a system under test and builds access spaces for a set of known users and roles. Then, we apply a machine learning technique to infer access rules. Inconsistent rules are then analysed and fed back to the process for further testing and improvement. Finally, the inferred rules can be validated based on pre-specified rules if they exist. Otherwise, the inferred rules are presented to human experts for validation and for detecting access control issues. We have evaluated our approach on two applications; one is open source while the other is a proprietary system built by our industry partner. The obtained results are very promising in terms of the quality of inferred rules and the access control vulnerabilities it helped detect.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
Web应用访问控制策略的自动推理
在本文中,我们提出了一种新颖的半自动方法来自动推断基于web的应用程序的访问控制策略。我们的目标是支持已实现的访问控制策略的验证,即使它们没有明确指定或文档化。我们使用基于角色的访问控制作为参考模型。我们的方法建立在一套安全工具之上,自动地测试系统,并为一组已知的用户和角色构建访问空间。然后,我们应用机器学习技术来推断访问规则。然后分析不一致的规则并将其反馈到流程中,以进行进一步的测试和改进。最后,可以根据预先指定的规则(如果存在)验证推断出的规则。否则,推断出的规则将提交给人类专家进行验证和检测访问控制问题。我们已经在两个应用中评估了我们的方法;一个是开源的,而另一个是由我们的行业合作伙伴构建的专有系统。就推断规则的质量和它帮助检测的访问控制漏洞而言,获得的结果非常有希望。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
On Missing Attributes in Access Control: Non-deterministic and Probabilistic Attribute Retrieval Towards Attribute-Based Authorisation for Bidirectional Programming Hard Instances for Verification Problems in Access Control Mitigating Access Control Vulnerabilities through Interactive Static Analysis A Logical Approach to Restricting Access in Online Social Networks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1