Mitigating Authorisation Flaws with Hydrid Enforcement of Category-Based Access Control
By Dr. Asad Ali, Identity Methods Ltd and Prof. Maribel Fernandez, King’s College London
Asad researches Access Control in a "holistic" sense, covering the specification of what the access rights within a system are, as well as ensuring those access rights are adhered to within applications. Asad currently leads an R&D team at a consultancy SME in the Identity & Access Management domain.
Authorisation features prominently among the top 10 security design flaws . This is where a user gains access to a sensitive resource in an application when they should not be allowed to, due to either a missing or erroneous check of their access rights. It is a critical source of security attacks including data leaks and system hijacks. We mitigate flaws where an authorisation policy is bypassed via inadequately protected sensitive method invocations.
We provide an authorisation policy language, software design patterns that incorporate elements of the policy and label sensitive methods, a static analyser to detect code-level policy violations, and a code generator to prevent policy violations at run-time which cannot be caught earlier –. Our approach is based on Category-based Access Control (CBAC) , , a meta-model of access control which can be instantiated to any other, including the widely-used Role- and Attribute-based Access Control models . Targeting CBAC means our solution is applicable to any access model and therefore the widest range of authorisation scenarios. This includes cutting-edge systems where existing models struggle, including microservices and agent systems where, for example, access decisions may require collaboration or full automation ( is an example in AI argumentation).
Through our solution, all sensitive methods are detected and protected. We can catch policy violations that do not require run-time information (e.g., time/location) at compile-time. For the remaining ones, we generate code surrounding them that invokes an access policy system to perform a run-time check. This “hybrid enforcement” reduces run-time overheads and detects some flaws earlier at the implementation phase, when they are easier to fix. We propagate the philosophy of shifting security earlier - “to the left” - in the application life cycle. Our solution provides critical support to developers to integrate access control into applications, mitigating authorisation flaws.
- I. Arce et al., ‘Avoiding the top 10 software security design flaws’, IEEE Comput. Soc. Cent. Secure Des. CSD Tech Rep, 2014.
- A. Ali, ‘Enforcing role-based and category-based access control in Java: a hybrid approach.’, PhD Thesis, King’s College London, 2018.
- A. Ali and M. Fernández, ‘Hybrid enforcement of category-based access control’, in International Workshop on Security and Trust Management, 2014, pp. 178–182.
- A. Ali and M. Fernández, ‘Static Enforcement of Role-Based Access Control’, Electron. Proc. Theor. Comput. Sci., vol. 163, pp. 36–50, Sep. 2014, doi: 10.4204/eptcs.163.4.
- C. Bertolissi and M. Fernández, ‘Category-based authorisation models: operational semantics and expressive power’, in International Symposium on Engineering Secure Software and Systems, 2010, pp. 140–156.
- S. Barker, ‘The next 700 access control models or a unifying meta-model?’, in Proceedings of the 14th ACM symposium on Access control models and technologies, Stresa, Italy, Jun. 2009, pp. 187–196, doi: 10.1145/1542207.1542238.
- M. Fernández, I. Mackie, and B. Thuraisingham, ‘Specification and Analysis of ABAC Policies via the Category-based Metamodel’, in Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, Richardson, Texas, USA, Mar. 2019, pp. 173–184, doi: 10.1145/3292006.3300033.
- A. R. Panisson, A. Ali, P. McBurney, and R. H. Bordini, ‘Argumentation Schemes for Data Access Control.’, in COMMA, 2018, pp. 361–368.