Take a sneak peek at the new NIST.gov and let us know what you think!
(Please note: some content may not be complete on the beta site.).

View the beta site
NIST logo

Publication Citation: Vulnerability Hierarchies in Access Control Configurations

NIST Authors in Bold

Author(s): David R. Kuhn;
Title: Vulnerability Hierarchies in Access Control Configurations
Published: December 27, 2011
Abstract: This paper applies methods for analyzing fault hierarchies to the analysis of relationships among vulnerabilities in misconfigured access control rule structures. Hierarchies have been discovered previously for faults in arbitrary logic formulae, such that a test for one class of fault is guaranteed to detect other fault classes subsumed by the one tested, but access control policies reveal more interesting hierarchies. These policies are normally composed of a set of rules of the form "if [conditions] then [decision]", where [conditions] may include one or more terms or relational expressions connected by logic operators, and [decision] is often 2-valued ("grant" or "deny"), but may be n-valued. Rule sets configured for access control policies, while complex, often have regular structures or patterns that make it possible to identify generic vulnerability hierarchies for various rule structures such that an exploit for one class of configuration error is guaranteed to succeed for others downstream in the hierarchy. A taxonomy of rule structures is introduced and detection conditions computed for nine classes of vulnerability: added term, deleted term, replaced term, stuck-at-true condition, stuck-at-false condition, negated condition, deleted rule, replaced decision, negated decision. For each configuration rule structure, detection conditions were analyzed for the existence of logical implication relations between detection conditions. It is shown that hierarchies of detection conditions exist, and that hierarchies vary among rule structures in the taxonomy. Using these results, tests may be designed to detect configuration errors, and resulting vulnerabilities, using fewer tests than would be required without knowledge of the hierarchical relationship among common errors. In addition to practical applications, these results may help to improve the understanding of access control policy configurations.
Conference: 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), 2011
Pages: 9 pp.
Location: Crystal City, VA
Dates: October 31-November 1, 2011
Keywords: access control, change impact analysis, configuration analysis,
Research Areas: Conformance Testing, Threats & Vulnerabilities, Computer Security
PDF version: PDF Document Click here to retrieve PDF version of paper (311KB)