Authority Analysis for Least Privilege Environments

Toby Murray and Gavin Lowe


The rise of limited-privilege environments has been accompanied by the emergence of vulnerabilities in which a subject is able to maliciously wield their limited privileges to indirectly cause unwanted effects. Unfortunately, conventional safety analyses for access control systems are ill-equipped to deal with this problem because they do not detect the indirect effects that a subject can cause, but merely the permissions a subject can acquire. We present a technique that characterises a subject's authority as all of the effects they can cause to occur. Our technique is based on an analysis of causation, applied to a CSP model of a system. These analyses can be expressed as CSP refinements and, hence, automatically performed by a refinement-checker such as FDR. We demonstrate the ability of our technique to successfully identify excess authority by examining the 'Confused Deputy' scenario, whose vulnerability goes undetected with conventional safety analyses.
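As an added illustration (not the paper's CSP model, and not an FDR refinement check), the following small explicit-state Python model of the Confused Deputy contrasts the two questions the abstract distinguishes: the conventional safety question of whether the client can acquire write permission on the billing file, and the authority question of whether the client can cause a write to it. The subject and file names, the static permission table and the bounded-depth counterfactual definition of "caused" are assumptions made for this example.

```python
from typing import FrozenSet, Set, Tuple

Effect = Tuple[str, str]  # (action, file)

# Constructed Confused Deputy scenario: the compiler holds write permission on
# the billing file, the client does not, but the client may invoke the compiler
# and name any file as its output. Illustration only, not the paper's CSP model.
PERMISSIONS = {
    "client":   {("write", "client.out"), ("invoke", "compiler")},
    "compiler": {("write", "client.out"), ("write", "billing")},
}
FILES = ("client.out", "billing")

def transitions(pending: FrozenSet[str], actors: Set[str]):
    """Yield (effect_or_None, next_state) for each event access control permits.
    The state is the set of output files the compiler has been asked to write."""
    for f in FILES:
        if "client" in actors and ("write", f) in PERMISSIONS["client"]:
            yield ("write", f), pending                 # direct write by client
        if "client" in actors and ("invoke", "compiler") in PERMISSIONS["client"]:
            yield None, pending | {f}                   # client names output f
        if "compiler" in actors and f in pending \
                and ("write", f) in PERMISSIONS["compiler"]:
            yield ("write", f), pending - {f}           # compiler writes f

def reachable_effects(actors: Set[str], depth: int = 4) -> Set[Effect]:
    """Effects occurring in some trace of length <= depth in which only the
    given actors perform events (all other subjects are restricted away)."""
    seen: Set[Effect] = set()
    frontier = {frozenset()}
    for _ in range(depth):
        nxt = set()
        for state in frontier:
            for effect, new_state in transitions(state, actors):
                if effect is not None:
                    seen.add(effect)
                nxt.add(new_state)
        frontier = nxt
    return seen

def authority(subject: str) -> Set[Effect]:
    """Counterfactual stand-in for the paper's causation analysis: effects that
    can occur with the subject present but not once its events are removed."""
    everyone = set(PERMISSIONS)
    return reachable_effects(everyone) - reachable_effects(everyone - {subject})

def can_acquire_permission(subject: str, perm: Effect) -> bool:
    """The conventional safety question; permissions are static in this model."""
    return perm in PERMISSIONS[subject]
```

The safety check reports that the client never holds write permission on `billing`, while the authority check attributes the `("write", "billing")` effect to the client, which is the excess authority a permission-only analysis misses.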

Proceedings of Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA'07)