Modeling and Analysis of Access Control Survivability

  • Prasad Naldurg | University of Illinois at Urbana-Champaign

In traditional models of access control systems, the emphasis is on validating security as safety properties, defined over state-transition graphs that represent system behavior. The goal of access control analysis in this context is to assert that all states reachable from known safe states using valid transitions are also safe, that is, states in which no integrity, confidentiality, or availability policy is violated. However, once an attacker compromises these policies, e.g., in a privilege escalation attack, this safety analysis is of limited use to security engineers who wish to design systems that are survivable and can withstand or recover from attacks.

In this talk, I present an extended access control framework that can represent an attack and its impact by explicitly modeling unsafe states, incorporate response strategies, and reason about the ability of these strategies to recover from the attack and restore safety. As an example, I show how we can model privilege separation and evaluate its effectiveness as a countermeasure against privilege escalation attacks. By extending the nature and scope of access control analysis, this framework allows us to describe a new class of access control survivability properties.

Speaker Details

Prasad Naldurg is a postdoctoral research scholar at the Department of Computer Science at the University of Illinois at Urbana-Champaign. His research interests include systems and network security, applications of formal methods, and applied cryptography. He graduated from the University of Mysore, India in 1996 with a Bachelor of Engineering degree in Computer Science and Engineering. He enrolled in the graduate program at the Department of Computer Science, University of Illinois at Urbana-Champaign in 1997. He obtained his Master of Science Degree from the University of Illinois in Computer Science in August 2000 and his Doctor of Philosophy Degree in May 2004. He was also a Visiting Lecturer at the Department of Computer Science at Illinois from August 2003 to December 2004. In Fall 2003 and Fall 2004, he taught an introductory course on computer security and cryptography entitled “Introduction to Information Assurance” for senior undergraduates and graduate students. In Spring 2004 he taught a follow-up course “Computer Security Architecture” covering advanced material related to formal methods for secure systems and protocol design.
