Automated methods for generating least privilege access control policies

Abstract

Access controls are the processes and mechanisms that allow only authorized users to perform operations upon the resources of a system. Using access controls, administrators attempt to implement the Principle of Least Privilege, a design principle where privileged entities operate using the minimal set of privileges necessary to complete their job. This protects the system against threats and vulnerabilities by reducing exposure to unauthorized activities. Although access control can be considered only one area of security research, it is a pervasive and omnipresent aspect of information security. But achieving the Principle of Least Privilege is a difficult task. It requires the administrators of the access control policies to have an understanding of the overall system, each user's job function, the operations and resources necessary to those job functions, and how to express these using the access control model and language of the system. In almost all production systems today, this process of defining access control policies is performed manually. It is error prone and done without quantitative metrics to help administrators and auditors determine if the Principle of Least Privilege has been achieved for the system. In this dissertation, we explore the use of automated methods to create least privilege access control policies. Specifically, we (1) develop a framework for policy generation algorithms, derive metrics for determining adherence to the Principle of Least Privilege, and apply these to evaluate a real world dataset, (2) develop two machine learning based algorithms for generating role based policies and compare their performance to naive methods, and (3) develop a rule mining based algorithm to create attribute based policies and evaluate its effectiveness to role based methods. By quantifying the performance of access control policies, developing methods to create least privilege policies, and evaluating their performance using real world data, the projects presented in this dissertation advance the state of access control research and address a problem of great significance to security professionals.