Automatic Identification of Precise Access-Control Policies

Paolina Centonze
IBM T. J. Watson Research Center

Robert J. Flynn
Polytechnic University

Marco Pistoia
IBM T. J. Watson Research Center

Given a large and complex component-based program, it is very difficult to define an optimal security policy that satisfies the Principle of Least Privilege—a policy that, without being overly permissive, allows the program to execute without authorization failures. This paper presents a novel, automated approach based on a combination of static and dynamic analysis for Java programs. The static analysis soundly models the execution of the program taking into account native methods, reflection, and multithreaded code. The dynamic analysis interactively refines the potentially conservative results of the static analysis, with no need for writing or generating test cases or for restarting the system if an authorization
failure occurs during testing, and no risk of corrupting the underlying system on which the analysis is performed.
We implemented the analysis framework presented by this paper in a tool called Access Control Explorer (ACE), which allows for automatic, safe, and precise identification of:
- Access-right requirements, and
- Library code locations that should be made privilege-asserting to prevent client code from requiring unnecessary access rights.
This paper presents experimental results obtained on large production-level applications..

Keywords: Access control, static analysis, dynamic analysis, testing

Read Paper Read Paper (in PDF)