UC San Diego

Access control configurations are gatekeepers to block unwelcome access to sensitive data. Unfortunately, system administrators (sysadmins) sometimes over-grant permissions when they resolve unintended access-deny issues reported by legitimate users. The mistakes in the access control configurations can result in severe consequences, such as data breaches and system compromises. To make things worse, the access control misconfigurations may stay silent until the security incident happens.

This dissertation explores two approaches to help sysadmins diagnose the access-deny issues and reduce the permission over-granting mistakes. The first approach takes the problem of insufficient access-control logging in server applications. We designed an automated tool, SecLog, to automatically add missing access-deny log messages, and also enhance existing ones with relevant information to guide sysadmins to diagnose the access-deny issues. The second approach tackles the problem of blind spots in knowledge and system settings for sysadmins in solving access-deny issues. We propose a system, Multiview, to automatically mutate the system configurations to explore possible directions and let each direction grant as few permissions as possible. Multiview provides a detailed diagnosis report, including access-control configurations that are related to the denial, possible directions to allow the request, as well as the impact of each direction on the access-control state of the entire system to assist sysadmins during diagnosis.