SaTC: CORE: Small: Practical methods for detecting access permission vulnerabilities caused by sysadmin's configuration errors

SaTC：核心：小：检测由系统管理员配置错误引起的访问权限漏洞的实用方法

• 批准号: 1814388
• 负责人: Yuanyuan Zhou
• 金额: $ 50万
• 依托单位: University of California-San Diego
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814388&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Practical; methods

As data center systems become ever so complex, it has been ever so daunting for system administrators to configure various permission correctly without accidentally opening up permissions for unintended users (and also malicious users) and resulting in catastrophic security disasters. Since data centers have been used to store and manage data not only for financial, business, communication, but also our daily life such as emails, photos, even home appliances and automobile data, it has become ever so important to prevent human errors (system administrator errors) in access permission configurations to avoid security attacks and privacy leaks. This project will develop new methods to detect and prevent permission configuration errors. The project will involve various educational and outreach activities for students, especially women students in computer science; the investigator has been a role model and a mentor for women high school students, undergraduates, graduates and junior faculty.To address this access-control misconfigurations problem, the project has three main objectives: (i) providing sysadmins with precise, complete information, (ii) detecting suspicious accesses after access permission changes and (iii) eliminating access-control configuration mistakes. These three objectives will be achieved by using a combination of static program analysis, binary instrumentation, profiling, static and quantitative methods, decision tree machine learning, software testing, etc. The proposed research includes the following three synergistic thrusts: (1) Informative Logging for Access Permission-Related Errors. (2) Intelligent monitoring and detection of suspicious accesses. (3) Holistic Cross-component Access-Control Management. The three thrusts together well cover the important security problem that has never been addressed by prior work.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

随着数据中心系统变得越来越复杂，正确配置各种权限而不意外地为非预期用户（以及恶意用户）打开权限并导致灾难性的安全灾难，对系统管理员来说是一件非常艰巨的任务。由于数据中心不仅用于存储和管理金融、商业、通信数据，而且还用于我们的日常生活，如电子邮件、照片，甚至家用电器和汽车数据，因此防止访问权限配置中的人为错误（系统管理员错误）以避免安全攻击和隐私泄露变得非常重要。该项目将开发新的方法来检测和防止权限配置错误。该项目将包括为学生，特别是计算机科学专业的女学生举办各种教育和外展活动；她一直是女高中生、本科生、毕业生和初级教师的榜样和导师。为了解决这个访问控制配置错误的问题，该项目有三个主要目标：(i)为系统管理员提供精确、完整的信息；（ii）在访问权限更改后检测可疑访问；（iii）消除访问控制配置错误。这三个目标将通过结合使用静态程序分析、二进制仪器、分析、静态和定量方法、决策树机器学习、软件测试等来实现。建议的研究包括以下三个协同重点：(1)访问权限相关错误的信息记录。(2)对可疑访问进行智能监控和检测。(3)整体跨组件访问控制管理。这三个重点结合在一起很好地涵盖了以前的工作从未解决过的重要安全问题。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Towards Continuous Access Control Validation and Forensics

• DOI: 10.1145/3319535.3363191
• 发表时间: 2019-11
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Chengcheng Xiang;Yudong Wu;Bingyu Shen;Mingyao Shen;Haochen Huang;Tianyin Xu;Yuanyuan Zhou;Cindy Moore;Xinxin Jin;Tianwei Sheng