Author Institution: Nat. Inst. of Stand. & Technol., Gaithersburg, MD, USA

Abstract:
This paper applies methods for analyzing fault hierarchies to the analysis of relationships among vulnerabilities in misconfigured access control rule structures. Hierarchies have been discovered previously for faults in arbitrary logic formulae [11,10,9,21], such that a test for one class of fault is guaranteed to detect other fault classes subsumed by the one tested, but access control policies reveal more interesting hierarchies. These policies are normally composed of a set of rules of the form “if [conditions] then [decision]”, where [conditions] may include one or more terms or relational expressions connected by logic operators, and [decision] is often 2-valued (“grant” or “deny”), but may be n-valued. Rule sets configured for access control policies, while complex, often have regular structures or patterns that make it possible to identify generic vulnerability hierarchies for various rule structures such that an exploit for one class of configuration error is guaranteed to succeed for others downstream in the hierarchy. A taxonomy of rule structures is introduced and detection conditions computed for nine classes of vulnerability: added term, deleted term, replaced term, stuck-at-true condition, stuck-at-false condition, negated condition, deleted rule, replaced decision, negated decision. For each configuration rule structure, detection conditions were analyzed for the existence of logical implication relations between detection conditions. It is shown that hierarchies of detection conditions exist, and that hierarchies vary among rule structures in the taxonomy. Using these results, tests may be designed to detect configuration errors, and resulting vulnerabilities, using fewer tests than would be required without knowledge of the hierarchical relationship among common errors. In addition to practical applications, these results may help to improve the understanding of access control policy configurations.
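As an added illustration of the analysis the abstract describes (a constructed example, not the paper's own code or rule set): one two-valued rule of the form "if [conditions] then [decision]", six of the nine fault classes applied to it, the detection condition of each fault computed by enumerating inputs, and the implication hierarchy read off as subset relations between those conditions. The rule, its variable names a, b, c, and the default-deny assumption for a deleted rule are all assumptions of this example.

```python
from itertools import product

VARS = ("a", "b", "c")

# Constructed rule (an assumption, not from the paper): if (a and b) or c then grant else deny
def rule(env):
    return "grant" if (env["a"] and env["b"]) or env["c"] else "deny"

# Six of the abstract's nine fault classes applied to that rule. Each mutant is the rule
# as it would read after one configuration error. With a 2-valued decision, negating the
# condition and negating the decision produce the same policy, so they detect identically.
MUTANTS = {
    "stuck_at_true_a":   lambda env: "grant" if env["b"] or env["c"] else "deny",
    "stuck_at_false_a":  lambda env: "grant" if env["c"] else "deny",
    "deleted_term_b":    lambda env: "grant" if env["a"] or env["c"] else "deny",
    "negated_condition": lambda env: "grant" if not ((env["a"] and env["b"]) or env["c"]) else "deny",
    "negated_decision":  lambda env: "deny" if (env["a"] and env["b"]) or env["c"] else "grant",
    "deleted_rule":      lambda env: "deny",  # rule removed; assumed default decision is deny
}

def detection_conditions(original, mutants):
    """Map each fault class to the set of inputs (a, b, c) on which it changes the decision."""
    det = {name: set() for name in mutants}
    for bits in product((False, True), repeat=len(VARS)):
        env = dict(zip(VARS, bits))
        for name, mutant in mutants.items():
            if mutant(env) != original(env):
                det[name].add(bits)
    return det

def hierarchy(det):
    """Pairs (x, y) meaning D(x) is a subset of D(y): any test that detects fault x
    is guaranteed to detect fault y as well."""
    return sorted((x, y) for x in det for y in det
                  if x != y and det[x] and det[x] <= det[y])

def classes_to_test(det):
    """Fault classes whose detection condition strictly contains no other class's.
    One test chosen from each of these detects every class downstream of it."""
    return sorted(x for x in det if not any(y != x and det[y] < det[x] for y in det))

if __name__ == "__main__":
    det = detection_conditions(rule, MUTANTS)
    for name, inputs in det.items():
        print(f"{name:18s} detected by {len(inputs)} of 8 inputs")
    print("implications:", hierarchy(det))
    print("classes needing a direct test:", classes_to_test(det))
```

For this rule, three single-input tests (one each for the stuck-at-true, stuck-at-false and deleted-term faults) also detect the negated-condition, negated-decision and deleted-rule faults, which is the test reduction the abstract refers to.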

Keywords:
authorisation; set theory; software fault tolerance; access control policy configuration; added term; configuration rule structure; deleted rule; deleted term; detection condition; fault classes; fault hierarchy analysis; generic vulnerability hierarchies; logic operators; logical implication relations; misconfigured access control rule structure; negated condition; negated decision; regular patterns; regular structures; relational expression; replaced decision; replaced term; rule sets; stuck-at-false condition; stuck-at-true condition; Access control; Analytical models; Computer crime; Impedance matching; Taxonomy; Testing; access control; change impact analysis; configuration analysis