Producing Hook Placements to Enforce Expected Access Control Policies
作者: Divya Muthukumaran , Nirupama Talele , Trent Jaeger , Gang Tan
DOI: 10.1007/978-3-319-15618-7_14
关键词:
摘要: Many security-sensitive programs manage resources on behalf of mutually distrusting clients. To control access to resources, authorization hooks are placed before operations those resources. Manual hook placements by programmers often incomplete or incorrect, leading insecure programs. We advocate an approach that automatically identifies the set locations place mediates all in order enforce expected policies at deployment. However, one challenge is want minimize effort writing such policies. As a result, they may remove believe unnecessary, but too many hooks, preventing enforcement some desirable
springer.com
core.ac.uk
elsevier.com
sci-hub.st 参考文章(16)
James P. Anderson, Computer Security Technology Planning Study ,(1972)
Li Gong, Roland Schemers, Implementing Protection Domains in the Java TM Development Kit 1.2. network and distributed system security symposium. ,(1998)
Spiridon Aristides Eliopoulos, Joe Gibbs Politz, Shriram Krishnamurthi, Arjun Guha, ADsafety: type-based verification of JavaScript Sandboxing usenix security symposium. pp. 12- 12 ,(2011)
Antony Edwards, Trent Jaeger, Xiaolan Zhang, Using CQUAL for Static Analysis of Authorization Hook Placement usenix security symposium. pp. 33- 48 ,(2002)
Lin Tan, Weiwei Xiong, Yuanyuan Zhou, Xiaolan Zhang, Xiao Ma, AutoISES: automatically inferring security specifications and detecting violations usenix security symposium. pp. 379- 394 ,(2008)
James P. Anderson, Computer Security Technology Planning Study. Volume 2 Defense Technical Information Center. ,(1972) , 10.21236/AD0772806
D. Elliott Bell, Leonard J. La Padula, Secure Computer System: Unified Exposition and Multics Interpretation Defense Technical Information Center. ,(1976) , 10.21236/ADA023588
Divya Muthukumaran, Trent Jaeger, Vinod Ganapathy, Leveraging "choice" to automate authorization hook placement Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12. pp. 145- 156 ,(2012) , 10.1145/2382196.2382215
Sooel Son, Kathryn S. McKinley, Vitaly Shmatikov, RoleCast: finding missing security checks when you do not know what checks are conference on object-oriented programming systems, languages, and applications. ,vol. 46, pp. 1069- 1084 ,(2011) , 10.1145/2048066.2048146
Vinod Ganapathy, David King, Trent Jaeger, Somesh Jha, Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis international conference on software engineering. pp. 458- 467 ,(2007) , 10.1109/ICSE.2007.54