Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Vulnerability Hierarchies in Access Control Configurations



David R. Kuhn


This paper applies methods for analyzing fault hierarchies to the analysis of relationships among vulnerabilities in misconfigured access control rule structures. Hierarchies have been discovered previously for faults in arbitrary logic formulae, such that a test for one class of fault is guaranteed to detect other fault classes subsumed by the one tested, but access control policies reveal more interesting hierarchies. These policies are normally composed of a set of rules of the form "if [conditions] then [decision]", where [conditions] may include one or more terms or relational expressions connected by logic operators, and [decision] is often 2-valued ("grant" or "deny"), but may be n-valued. Rule sets configured for access control policies, while complex, often have regular structures or patterns that make it possible to identify generic vulnerability hierarchies for various rule structures such that an exploit for one class of configuration error is guaranteed to succeed for others downstream in the hierarchy. A taxonomy of rule structures is introduced and detection conditions computed for nine classes of vulnerability: added term, deleted term, replaced term, stuck-at-true condition, stuck-at-false condition, negated condition, deleted rule, replaced decision, negated decision. For each configuration rule structure, detection conditions were analyzed for the existence of logical implication relations between detection conditions. It is shown that hierarchies of detection conditions exist, and that hierarchies vary among rule structures in the taxonomy. Using these results, tests may be designed to detect configuration errors, and resulting vulnerabilities, using fewer tests than would be required without knowledge of the hierarchical relationship among common errors. In addition to practical applications, these results may help to improve the understanding of access control policy configurations.
Conference Dates
October 31-November 1, 2011
Conference Location
Crystal City, VA
Conference Title
4th Symposium on Configuration Analytics and Automation (SAFECONFIG), 2011


access control, change impact analysis, configuration analysis


Kuhn, D. (2011), Vulnerability Hierarchies in Access Control Configurations, 4th Symposium on Configuration Analytics and Automation (SAFECONFIG), 2011 , Crystal City, VA, [online], (Accessed June 12, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created December 27, 2011, Updated May 4, 2021