UC San Diego

Access-control misconfigurations are among the main causes of today’s security incidents. One main reason is that access-control configurations need to be frequently changed by system administrators (sysadmins) to accommodate dynamic information sharing. Unfortunately, to err is human—sysadmins often make mistakes (e.g., over-granting privileges) when changing access control configurations. Such mistakes can stay unnoticed for a long time until eventually being exploited by attackers, causing catastrophic security incidents.

This dissertation explores two validation approaches to detect access-control misconfigurations at different life-cycle stages of systems. The first approach is to test access-control configuration changes before they are deployed to production. This can help sysadmins detect access-control misconfigurations before they bring any real harm to production systems. The second approach is to monitor access-control behavior changes after the configuration changes are deployed to production. This can help sysadmins detect and diagnose potential data leaks caused by access-control misconfigurations quickly so that they can be fixed timely.

First, this dissertation presents a new type of test programs, ACTESTs, to test access- control configuration changes and a new approach to generate such test programs from existing program code. ACTESTs output the impacts of access-control changes—what requests were denied, but will be allowed after a change, and vice versa. With this, sysadmins can validate if the changed requests are intended or not and identify potential security vulnerabilities. The key challenges this dissertation addressed include making ACTESTs safe to run in production environments and making them performance-efficient. ACTESTs help detect 168 new misconfigurations from 72 Docker images.

Second, this dissertation presents P-DIFF, a practical tool for monitoring access-control behavior to help sysadmins early detect unintended access-control configuration changes and perform postmortem forensic analysis upon security attacks. P-DIFF continuously monitors access logs and infers access-control behavior changes from them. This dissertation devises a novel time-changing decision tree to effectively represent access-control behavior changes, coupled with a new learning algorithm to infer the tree from access logs. Evaluation shows that P-DIFF can detect 76%–100% of access control behavior changes.