Li Zhong

2023-04-21

Abstract:Broken access control is one of the most common security vulnerabilities in web applications. These vulnerabilities are the major cause of many data breach incidents, which result in privacy concern and revenue loss. However, preventing and detecting access control vulnerabilities proactively in web applications could be difficult. Currently, these vulnerabilities are actively detected by bug bounty hunters post-deployment, which creates attack windows for malicious access. To solve this problem proactively requires security awareness and expertise from developers, which calls for systematic solutions. This survey targets to provide a structured overview of approaches that tackle access control vulnerabilities. It firstly discusses the unique feature of access control vulnerabilities, then studies the existing works proposed to tackle access control vulnerabilities in web applications, which span the spectrum of software development from software design and implementation, software analysis and testing, and runtime monitoring. At last we discuss the open problem in this field.

Cryptography and Security,Software Engineering

Qian Wang,Jinan Sun,Chen Wang,Shikun Zhang,Sisi Xuanyuan,Bin Zheng

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00016

2020-01-01

Abstract:In this paper we review the research progress of the mainstream approaches of detecting access control vulnerabilities and classify them based on the key techniques for web application components. And we compare different detection methods, analyze their advantages and flaws. Then we discuss the experimental results of relevant detection tools for realistic usage. Finally, we summarize the general framework of detection method and provide future research directions in this area.

Jun Zhu,Bill Chu,Heather Richter Lipford,Tyler Thomas

DOI: https://doi.org/10.1145/2752952.2752976

2015-01-01

Abstract:ABSTRACTAccess control vulnerabilities due to programming errors have consistently ranked amongst top software vulnerabilities. Previous research efforts have concentrated on using automatic program analysis techniques to detect access control vulnerabilities in applications. We report a comparative study of six open source PHP applications, and find that implicit assumptions of previous research techniques can significantly limit their effectiveness. We propose a more effective hybrid approach to mitigate access control vulnerabilities. Developers are reminded in-situ of potential access control vulnerabilities, where self-review of code can help them discover mistakes. Additionally, developers are prompted for application-specific access control knowledge, providing samples of code that could be thought of as static analysis by example. These examples are turned into code patterns that can be used in performing static analysis to detect additional access control vulnerabilities and alert the developer to take corrective actions. Our evaluation of six open source applications detected 20 zero-day access control vulnerabilities in addition to finding all access control vulnerabilities detected in previous works.

Yunpeng Zhang,Xuqing Wu

DOI: https://doi.org/10.48550/arXiv.1610.01065

2016-10-05

Abstract:Cheating is a real problem in the Internet of Things. The fundamental question that needs to be answered is how we can trust the validity of the data being generated in the first place. The problem, however, isn't inherent in whether or not to embrace the idea of an open platform and open-source software, but to establish a methodology to verify the trustworthiness and control any access. This paper focuses on building an access control model and system based on trust computing. This is a new field of access control techniques which includes Access Control, Trust Computing, Internet of Things, network attacks, and cheating technologies. Nevertheless, the target access control systems can be very complex to manage. This paper presents an overview of the existing work on trust computing, access control models and systems in IoT. It not only summarizes the latest research progress, but also provides an understanding of the limitations and open issues of the existing work. It is expected to provide useful guidelines for future research.

Cryptography and Security,Networking and Internet Architecture,Systems and Control

Tian Wang,Weidong Fang,Mufan Ni,Xiaoliang Yang,Wei Chen,Wentao Chen,Wuxiong Zhang

DOI: https://doi.org/10.1007/978-981-97-5603-2_25

2024-01-01

Abstract:Access control is an important component of information security system. It protects resources from unauthorized users or misuses by authorized users. Yet, the security of cipher-based access control may be compromised due to its fixed and predefined features. As an intelligent computing technology that simulates human behavior, trust evaluation can be an effective method for capturing users' unpredictable actions. Trust-based access control is a better method for tracking dynamic user behavior. Researchers are becoming increasingly enthusiastic in integrating Intelligent Computing concepts with access control. However, there is no article that covers all aspects of trust-based access control. Therefore, a comprehensive survey in this area of study is desperately needed. In this paper, we will investigate a novel approach to access control with trust. Access control is thus becoming more secure by incorporating trust evaluation. Furthermore, we will demonstrate how trust can be used to enhance access control secure by combining it with other intelligent computing technology like game theory.

Yu-Ding WANG,Jia-Hai YANG,Cong XU,Xiao LING,Yang YANG

DOI: https://doi.org/10.13328/j.cnki.jos.004820

2015-01-01

Abstract:With the intensive and large scale development of cloud computing, security becomes one of the most important problems. As an important part of security domain, access control technique is used to limit users' capability and scope to access data and ensure the information resources not to be used and accessed illegally. This paper focuses on the state-of-the-art research of access control technology in cloud computing environment. First, it briefly introduces access control theory, and discusses the access control framework in cloud computing environment. Then, it thoroughly surveys the access control problems in cloud computing environment from three aspects including cloud access control model, cloud access control based on ABE (attribute-based encryption) cryptosystem, and multi-tenant and virtualization access control in cloud. In addition, it probes the best current practices of access control technologies within the major cloud service providers and open source cloud platforms. Finally, it summarizes the problems in the current research and prospects the development of future research.

Wei Wei,Zhang Qing,Liang Wenzheng

DOI: https://doi.org/10.3969/j.issn.1006-1576.2011.02.015

2011-01-01

Abstract:Through analyzing the compulsion access in HTTP request and information juggle and forgery,design data access control model and task purview model,and realize access filtering of task data and URL verifying request.The technology can solve the access control problem in B/S system and realize multi-dimension data logic in encrypt system.

Xiaowei Li,Xujie Si,Yuan Xue

DOI: https://doi.org/10.1145/2557547.2557552

2014-01-01

Abstract:Access control vulnerabilities within web applications pose serious security threats to the sensitive information stored at back-end databases. Existing approaches are limited from several aspects, including the coarse granularity at which the access control is modeled, the incapability of handling complex relationship between data entities and the requirement of source code and the specific application platform. In this paper, we present an automated black-box technique for identifying a broad range of access control vulnerabilities, which can be applied to applications that are developed using different languages and platforms. We model the access control policy based on a novel virtual SQL query concept, which captures both the database access operations (i.e., through SQL queries) and the post-processing filters within the web application. We leverage a crawler to automatically explore the application and collect execution traces. From the traces, we identify the set of database access operations that are allowed for each role (i.e., role-level policy inference) and extract the constraints over the operation parameters to characterize the relationship between the users and the accessed data (i.e., user-level policy inference). Based on the inferred policy, we construct test inputs to exploit the application for potential access control flaws. We implement a prototype system BATMAN and evaluate it over a set of PHP and JSP web applications. The experiment results demonstrate the effectiveness and accuracy of our approach.

Mingjie Yu,Fenghua Li,Nenghai Yu,Xiao Wang,Yunchuan Guo

DOI: https://doi.org/10.1016/j.dcan.2022.09.002

IF: 6.348

2022-10-01

Digital Communications and Networks

Abstract:Policy conflicts may cause substantial economic losses. Although a large amount of effort has been spent on detecting intra-domain policy conflict, it can not detect conflicts of heterogeneous policies. In this paper, considering background knowledge, we propose a conflict detection mechanism to search and locate conflicts of heterogeneous policies. First, we propose a general access control model to describe authorization mechanisms of cloud service and a translation scheme designed to translate a cloud service policy to an Extensible Access Control Markup Language (XACML) policy. Then the scheme based on Multi-terminal Multi-data-type Interval Decision Diagram (MTMIDD) and Extended MTMIDD (X-MTMIDD) is designed to represent XACML policy and search the conflict among heterogeneous policies. To reduce the rate of false positives, the description logic is used to represent XACML policy and eliminate false conflicts. Experimental results show the efficiency of our scheme.

telecommunications

Wangli He,Wenying Xu,Xiaohua Ge,Qing-Long Han,Wenli Du,Feng Qian

DOI: https://doi.org/10.1109/TII.2021.3126644

IF: 12.3

2022-01-01

IEEE Transactions on Industrial Informatics

Abstract:Multiagent systems (MASs) provide an effective means for coordinating spatially distributed and networked agents (or nodes, subsystems) such that the desired cooperative tasks can be accomplished with promising reliability, manipulability, scalability, and efficiency. One key issue in the study of MASs is the design of distributed cooperative control protocol and algorithm that depend on only local and real-time information exchanges among interacting agents over networks. However, network-enabled information sharing and increasing connectivity in practical MASs present several attack factors for malicious adversaries, thereby rendering secure control of MASs fundamentally significant. This article provides a brief survey of systems and control technologies that have been available for addressing different secure control problems of MASs in the face of various malicious attacks. First, attacks on MASs are classified based on different configuration layers. Then, the existing attack models and strategies on communication layer and agent layer are systematically examined, respectively. Furthermore, some typical secure control techniques for MASs that have been employed to handle these attacks are surveyed. Finally, several challenging issues are envisioned for potential future research.

Chao-sheng FENG,Zhi-guang QIN,Ding YUAN,Yu QING

DOI: https://doi.org/10.3969/j.issn.0372-2112.2015.02.017

2015-01-01

Abstract:The loss of on-board domain and appearance of multi-tenant context bring some new problems and challenges to access control .In this paper ,these problems are listed and the reasons are analyzed first .And then ,aiming at these problems ,the corresponding solutions and techniques are introduced in terms of identity provision ,authentication ,authorization ,identity federation and single sign-on .Next ,latest works about access control of cloud computing are reviewed in terms of access control models ,at-tribute based access control of cipher text ,and access control of outsourcing data .At last ,the trend of study on access control of cloud computing is analyzed and predicted .

Yizhong Liu,Meikang Qiu,Jianwei Liu,Meiqin Liu

DOI: https://doi.org/10.1109/cscloud-edgecom52276.2021.00032

2021-01-01

Abstract:In this paper, we study the existing blockchain consensus mechanisms that can be applied to access control scenarios and analyze advantages and disadvantages for each category. Besides, we divide access control procedures into policy formulation, storage, and request processing. For each procedure, we summarize existing methods and analyze possible problems. Finally, we give the potential future research directions. This paper provides a clear framework for access control, on which researchers can explore new types of blockchain-based access control solutions to solve the existing security and performance problems.

Ming Zhao,Jinqiang Ren,Huiping Sun,Suming Li,Zhong Chen

DOI: https://doi.org/10.1109/icycs.2008.226

2008-01-01

Abstract:In ubiquitous computing environment, resources become invisible, heterogeneous and anywhere. Traditional access control mechanism could not handle such dynamic and complex environment. In our proposed work, we view access control mechanism as a non-cooperative game. Thus, a game theoretic model for access control has been proposed to assist such mechanism. Different from traditional one, which depended on complex policies for decision-making, our model uses game theory to evaluate all possible results and select the most expected one as final decision. In the end, a practical example has been presented and its result shows that our access control model is more suitable for nowadays dynamic access control environment.

Chao Huang,Jianling Sun,Xinyu Wang,Yuanjie Si

DOI: https://doi.org/10.1109/ebiss.2009.5138002

2009-01-01

Abstract:Access control becomes more and more essential for safe and security access to the system resources. Role based access control policy widely used in industry enterprise systems nowadays is a statement which specifies the rules about how to setup the process for granting or denying authorizations. It is extremely important to make sure that there is no inconsistency of an access control policy, since otherwise it may conceal the security danger or even break down the entire access control system. In this paper, we analyze the inconsistencies of role based access control policy, and give the formal definition for the inconsistency. We then propose an inconsistency checking algorithm to detect the inconsistencies of a role based access control policy.

Elisa Bertino

DOI: https://doi.org/10.1561/1900000014

2010-01-01

Foundations and Trends in Databases

Abstract:<div>As organizations depend on, possibly distributed, information systems for operational, decisional and strategic activities, they are vulnerable to security breaches leading to data theft and unauthorized disclosures even as they gain productivity and efficiency advantages. Though several techniques, such as encryption and digital signatures, are available to protect data when transmitted across sites, a truly comprehensive approach for data protection must include mechanisms for enforcing access control policies based on data contents, subject qualifications and characteristics, and other relevant contextual information, such as time. It is well understood today that the semantics of data must be taken into account in order to specify effective access control policies. To address such requirements, over the years the database security research community has developed a number of access control techniques and mechanisms that are specific to database systems. In this monograph, we present a comprehensive state of the art about models, systems and approaches proposed for specifying and enforcing access control policies in database management systems. In addition to surveying the foundational work in the area of access control for database systems, we present extensive case studies covering advanced features of current database management systems, such as the support for fine-grained and context-based access control, the support for mandatory access control, and approaches for protecting the data from insider threats. The monograph also covers novel approaches, based on cryptographic techniques, to enforce access control and surveys access control models for objectdatabases and XML data. For the reader not familiar with basic notions concerning access control and cryptography, we include a tutorial presentation on these notions. Finally, the monograph concludes with a discussion on current challenges for database access control and security, and preliminary approaches addressing some of these challenges.<h3>Suggested Citation</h3>Elisa Bertino, Gabriel Ghinita and Ashish Kamra (2011), "Access Control for Databases: Concepts and Systems", Foundations and Trends® in Databases: Vol. 3: No. 1–2, pp 1-148. http://dx.doi.org/10.1561/1900000014</div>

JeeHyun Hwang,Tao Xie,Vincent Hu,Mine Altunay

DOI: https://doi.org/10.1007/978-3-642-13739-6_13

2010-01-01

Abstract:Access control mechanisms are used to control which principals (such as users or processes) have access to which resources based on access control policies. To ensure the correctness of access control policies, policy authors conduct policy verification to check whether certain properties are satisfied by a policy. However, these properties are often not written in practice. To facilitate property verification, we present an approach that automatically mines likely properties from a policy via the technique of association rule mining. In our approach, mined likely properties may not be true for all the policy behaviors but are true for most of the policy behaviors. The policy behaviors that do not satisfy likely properties could be faulty. Therefore, our approach then conducts likely-property verification to produce counterexamples, which are used to help policy authors identify faulty rules in the policy. To show the effectiveness of our approach, we conduct evaluation on four XACML policies. Our evaluation results show that our approach achieves more than 30% higher fault-detection capability than that of an existing approach. Our approach includes additional techniques such as basic and prioritization techniques that help reduce a significant percentage of counterexamples for inspection compared to the existing approach.

Malik Imran-Daud

DOI: https://doi.org/10.48550/arXiv.1612.09527

2016-12-30

Cryptography and Security

Abstract:Thanks to the advent of the Internet, it is now possible to easily share vast amounts of electronic information and computer resources (which include hardware, computer services, etc.) in open distributed environments. These environments serve as a common platform for heterogeneous users (e.g., corporate, individuals etc.) by hosting customized user applications and systems, providing ubiquitous access to the shared resources and requiring less administrative efforts; as a result, they enable users and companies to increase their productivity. Unfortunately, sharing of resources in open environments has significantly increased the privacy threats to the users. Indeed, shared electronic data may be exploited by third parties, such as Data Brokers, which may aggregate, infer and redistribute (sensitive) personal features, thus potentially impairing the privacy of the individuals. A way to palliate this problem consists on controlling the access of users over the potentially sensitive resources. Specifically, access control management regulates the access to the shared resources according to the credentials of the users, the type of resource and the privacy preferences of the resource/data owners. The efficient management of access control is crucial in large and dynamic environments. Moreover, in order to propose a feasible and scalable solution, we need to get rid of manual management of rules/constraints (in which most available solutions rely) that constitutes a serious burden for the users and the administrators. Finally, access control management should be intuitive for the end users, who usually lack technical expertise, and they may find access control mechanism more difficult to understand and rigid to apply due to its complex configuration settings.

Jun Zhu,Bill Chu,Heather Richter Lipford

DOI: https://doi.org/10.1145/2914642.2914661

2016-01-01

Abstract:ABSTRACTPrivilege Escalation is a common and serious type of security attack. Although experience shows that many applications are vulnerable to such attacks, attackers rarely succeed upon first trial. Their initial probing attempts often fail before a successful breach of access control is achieved. This paper presents an approach to automatically instrument application source code to report events of failed access attempts that may indicate privilege escalation attacks to a run time application protection mechanism. The focus of this paper is primarily on the problem of instrumenting web application source code to detect access control attack events. We evaluated false positives and negatives of our approach using two open source web applications.

JeeHyun Hwang,Vincent C. Hu,Tao Xie

DOI: https://doi.org/10.1109/sere-c.2012.14

2012-01-01

Abstract:Access control (AC) is one of the most fundamental and widely used requirements for privacy and security. Given a subject's access request on a resource in a system, AC determines whether this request is permitted or denied based on AC policies (ACPs). This position paper introduces our approach to ensure the correctness of AC using verification. More specifically, given a model of an ACP, our approach detects inconsistencies between models, specifications, and expected behaviors of AC. Such inconsistencies represent faults (in the ACP), which we target at detecting before ACP deployment.

Lianshan Sun,Gang Huang

DOI: https://doi.org/10.1016/j.sysarc.2010.11.001

IF: 5.836

2011-01-01

Journal of Systems Architecture

Abstract:Access control is a common concern in most software applications. In component-based systems, although developers can implement access control requirements (ACRs) by simply declaring role-based access control configurations (ACCs) of components, it is still difficult for them to define and evolve ACCs accurately implementing ACRs due to the gap between the complex high-level ACRs and the voluminous ACCs enforced by underlying middleware platforms, and the ad hoc mistakes of human. This paper introduces and clarifies the concept of accuracy of ACCs relative to ACRs, and presents a set of metrics and algorithms which can be used to automatically evaluate and improve accuracy of ACCs by evaluating and reconfiguring the software architecture with ACCs. We apply our achievements in a composed e-shop application.