SaTC: CORE: Small: Practical methods for detecting access permission vulnerabilities caused by sysadmin's configuration errors

SaTC：核心：小：检测由系统管理员配置错误引起的访问权限漏洞的实用方法

• 批准号: 1814388
• 负责人: Yuanyuan Zhou
• 金额: $ 50万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814388&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Practical; methods

As data center systems become ever so complex, it has been ever so daunting for system administrators to configure various permission correctly without accidentally opening up permissions for unintended users (and also malicious users) and resulting in catastrophic security disasters. Since data centers have been used to store and manage data not only for financial, business, communication, but also our daily life such as emails, photos, even home appliances and automobile data, it has become ever so important to prevent human errors (system administrator errors) in access permission configurations to avoid security attacks and privacy leaks. This project will develop new methods to detect and prevent permission configuration errors. The project will involve various educational and outreach activities for students, especially women students in computer science; the investigator has been a role model and a mentor for women high school students, undergraduates, graduates and junior faculty.To address this access-control misconfigurations problem, the project has three main objectives: (i) providing sysadmins with precise, complete information, (ii) detecting suspicious accesses after access permission changes and (iii) eliminating access-control configuration mistakes. These three objectives will be achieved by using a combination of static program analysis, binary instrumentation, profiling, static and quantitative methods, decision tree machine learning, software testing, etc. The proposed research includes the following three synergistic thrusts: (1) Informative Logging for Access Permission-Related Errors. (2) Intelligent monitoring and detection of suspicious accesses. (3) Holistic Cross-component Access-Control Management. The three thrusts together well cover the important security problem that has never been addressed by prior work.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着数据中心系统变得如此复杂，系统管理员可以正确配置各种许可，而无意为意外用户（以及恶意用户）打开权限，并导致灾难性的安全灾难。由于数据中心已被用来存储和管理用于财务，业务，通信的数据，而且还用于我们的日常生活，例如电子邮件，照片，甚至家庭用具和汽车数据，因此防止人体错误（系统管理员错误）在访问许可配置中以避免安全攻击和隐私泄漏变得非常重要。该项目将开发新方法来检测和防止权限配置错误。 该项目将涉及针对学生的各种教育和外展活动，尤其是计算机科学领域的女学生； the investigator has been a role model and a mentor for women high school students, undergraduates, graduates and junior faculty.To address this access-control misconfigurations problem, the project has three main objectives: (i) providing sysadmins with precise, complete information, (ii) detecting suspicious accesses after access permission changes and (iii) eliminating access-control configuration mistakes.这三个目标将通过使用静态程序分析，二进制仪器，分析，静态和定量方法，决策树的机器学习，软件测试等的组合来实现这三个目标。拟议的研究包括以下三个协同的推力：（1）提供访问访问许可相关错误的信息记录。 （2）可疑访问的智能监控和检测。 （3）整体跨组件访问控制管理。这三个推力很好地涵盖了先前工作从未解决过的重要安全问题。该奖项反映了NSF的法定任务，并且使用基金会的知识分子优点和更广泛的影响评估标准，被认为值得通过评估来获得支持。

项目成果

Towards Continuous Access Control Validation and Forensics

• DOI: 10.1145/3319535.3363191
• 发表时间: 2019-11
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Chengcheng Xiang;Yudong Wu;Bingyu Shen;Mingyao Shen;Haochen Huang;Tianyin Xu;Yuanyuan Zhou;Cindy Moore;Xinxin Jin;Tianwei Sheng