SaTC: CORE: Small: Practical methods for detecting access permission vulnerabilities caused by sysadmin's configuration errors

SaTC：核心：小：检测由系统管理员配置错误引起的访问权限漏洞的实用方法

• 批准号: 1814388
• 负责人: Yuanyuan Zhou
• 金额: $ 50万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814388&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Practical; methods

As data center systems become ever so complex, it has been ever so daunting for system administrators to configure various permission correctly without accidentally opening up permissions for unintended users (and also malicious users) and resulting in catastrophic security disasters. Since data centers have been used to store and manage data not only for financial, business, communication, but also our daily life such as emails, photos, even home appliances and automobile data, it has become ever so important to prevent human errors (system administrator errors) in access permission configurations to avoid security attacks and privacy leaks. This project will develop new methods to detect and prevent permission configuration errors. The project will involve various educational and outreach activities for students, especially women students in computer science; the investigator has been a role model and a mentor for women high school students, undergraduates, graduates and junior faculty.To address this access-control misconfigurations problem, the project has three main objectives: (i) providing sysadmins with precise, complete information, (ii) detecting suspicious accesses after access permission changes and (iii) eliminating access-control configuration mistakes. These three objectives will be achieved by using a combination of static program analysis, binary instrumentation, profiling, static and quantitative methods, decision tree machine learning, software testing, etc. The proposed research includes the following three synergistic thrusts: (1) Informative Logging for Access Permission-Related Errors. (2) Intelligent monitoring and detection of suspicious accesses. (3) Holistic Cross-component Access-Control Management. The three thrusts together well cover the important security problem that has never been addressed by prior work.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着数据中心系统变得越来越复杂，对于系统管理员来说，正确配置各种权限而不会意外地为非预期用户(以及恶意用户)打开权限并导致灾难性的安全灾难，已经变得非常令人望而生畏。由于数据中心不仅用于存储和管理金融、商业、通信数据，而且还用于存储和管理我们的日常生活数据，如电子邮件、照片，甚至家用电器和汽车数据，因此在访问权限配置中防止人为错误(系统管理员错误)以避免安全攻击和隐私泄露变得非常重要。该项目将开发新的方法来检测和防止权限配置错误。该项目将为学生，特别是计算机科学专业的女学生开展各种教育和外联活动；调查员一直是女高中生、本科生、研究生和初级教师的榜样和导师。为了解决这个访问控制错误配置问题，该项目有三个主要目标：(I)向系统管理员提供准确、完整的信息，(Ii)在访问权限更改后检测可疑访问，以及(Iii)消除访问控制配置错误。这三个目标将通过使用静态程序分析、二进制插装、剖析、静态和定量方法、决策树机器学习、软件测试等相结合来实现。(2)对可疑访问进行智能监控和检测。(3)整体跨组件访问控制管理。这三个奖项很好地涵盖了以前的工作从未解决过的重要安全问题。该奖项反映了NSF的法定使命，并通过使用基金会的智力优势和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Towards Continuous Access Control Validation and Forensics

• DOI: 10.1145/3319535.3363191
• 发表时间: 2019-11
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Chengcheng Xiang;Yudong Wu;Bingyu Shen;Mingyao Shen;Haochen Huang;Tianyin Xu;Yuanyuan Zhou;Cindy Moore;Xinxin Jin;Tianwei Sheng