Modeling and Analysis of Access Control Survivability

Published 6 September 2016, 5:41
In traditional models of access control systems, the emphasis is on validating security as safety properties, defined over state-transition graphs that represent system behavior. The goal of access control analysis in this context is to assert that all states reachable from known safe states using valid transitions are also safe, i.e., states in which no integrity, confidentiality, or availability policy is violated. However, once an attacker compromises these policies, e.g., in a privilege escalation attack, this safety analysis is of limited use to security engineers who wish to design systems that are survivable and can withstand or recover from attacks. In this talk, I present an extended access control framework that can represent an attack and its impact by explicitly modeling unsafe states, incorporate response strategies, and reason about the ability of these strategies to recover from the attack and restore safety. As an example, I show how we can model privilege separation and evaluate its effectiveness as a countermeasure against privilege escalation attacks. By extending the nature and scope of access control analysis, this framework allows us to describe a new class of access control survivability properties.
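The following is an added toy illustration of the two analyses the abstract contrasts; it is not the framework from the talk, and every name in it (the `attacker` subject, the `root`/`secrets` rights, the `takeover` and `respawn` transitions, and the assumption that an attacker holding `root` can persist across a restart) is a constructed assumption for the example. A state is a set of (subject, right) pairs; classical safety explores only valid transitions, while the survivability check also explores attack transitions, collects the unsafe states they reach, and asks whether a response path leads back to a safe state. The two scenarios compare a monolithic server with a privilege-separated monitor/worker design:

```python
from collections import deque

# Constructed toy model (added example, not the talk's framework).
# A state is a frozenset of (subject, right) pairs; a transition is a
# function mapping a state to the list of its successor states.

SENSITIVE = {"root", "secrets"}  # rights the attacker must never hold


def rights_of(state, subject):
    return {r for s, r in state if s == subject}


def is_safe(state):
    """Safety predicate: the attacker holds no sensitive right."""
    return not (rights_of(state, "attacker") & SENSITIVE)


def delegate(src, dst, right):
    """Valid transition: `src` shares `right` with `dst` if it holds it."""
    def step(state):
        if (src, right) in state and (dst, right) not in state:
            return [state | {(dst, right)}]
        return []
    return step


def takeover(victim):
    """Attack transition: compromising `victim` hands the attacker every right it holds."""
    def step(state):
        gained = {("attacker", r) for r in rights_of(state, victim)}
        return [state | gained] if gained - state else []
    return step


def respawn(victim):
    """Response transition: kill and restart `victim`, dropping what the attacker
    gained from it. Assumption: an attacker holding 'root' persists, so no recovery."""
    def step(state):
        if ("attacker", "root") in state:
            return []
        stolen = {("attacker", r) for r in rights_of(state, victim)}
        return [state - stolen] if stolen & state else []
    return step


def explore(start, transitions):
    """Breadth-first reachability over the state graph."""
    seen, queue = {start}, deque([start])
    while queue:
        state = queue.popleft()
        for step in transitions:
            for nxt in step(state):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return seen


def analyze(initial, valid, attacks, responses, safe=is_safe):
    """Return (safety, survivability, unrecoverable_states).

    safety:        every state reachable via valid transitions is safe.
    survivability: from every unsafe state reachable via valid+attack
                   transitions, some response path reaches a safe state.
    """
    safety = all(safe(s) for s in explore(initial, valid))
    unsafe = {s for s in explore(initial, valid + attacks) if not safe(s)}
    stuck = {s for s in unsafe if not any(safe(t) for t in explore(s, responses))}
    return safety, not stuck, stuck


def monolithic():
    """One process holds network, secrets and root; compromising it yields root."""
    initial = frozenset({("server", "net"), ("server", "secrets"), ("server", "root")})
    return analyze(initial, [], [takeover("server")], [respawn("server")])


def privilege_separated():
    """Root-holding monitor plus unprivileged worker; the monitor may hand the
    worker 'secrets' (valid), and can respawn a compromised worker (response)."""
    initial = frozenset({("monitor", "root"), ("monitor", "secrets"), ("worker", "net")})
    return analyze(initial,
                   [delegate("monitor", "worker", "secrets")],
                   [takeover("worker")],
                   [respawn("worker")])


if __name__ == "__main__":
    for name, result in (("monolithic", monolithic()), ("privsep", privilege_separated())):
        safety, survivable, stuck = result
        print(f"{name}: safe={safety} survivable={survivable} unrecoverable={len(stuck)}")
```

Both designs pass the classical safety check, because no valid transition ever gives the attacker anything; the difference only appears once attack and response transitions are in the graph. In the monolithic design the single unsafe state has no response path out of it, so the design is not survivable; in the privilege-separated design the worker compromise can leak `secrets` (an unsafe state), but respawning the worker returns the system to a safe state, which is exactly the kind of survivability property the abstract describes.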