TY - GEN
T1 - Mutated policies
T2 - 4th ACM Workshop on Moving Target Defense, MTD 2017
AU - Rubio-Medrano, Carlos E.
AU - Lamp, Josephine
AU - Doupe, Adam
AU - Zhao, Ziming
AU - Ahn, Gail-Joon
N1 - Funding Information:
The authors would like to thank Marthony Taguinod for his valuable contributions towards this work, which was partially supported by a grant from the National Science Foundation (NSF-SFS-1129561), a grant from the Department of Energy (DE-SC0004308) and by a grant from the Center for Cybersecurity and Digital Forensics at Arizona State University.
Publisher Copyright:
© 2017 Association for Computing Machinery.
PY - 2017/10/30
Y1 - 2017/10/30
N2 - Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a well-defined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper, we propose a novel technique that allows for enterprises to pro-actively collect attributes from the different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.
AB - Recently, both academia and industry have recognized the need for leveraging real-time information for the purposes of specifying, enforcing and maintaining rich and flexible authorization policies. In such a context, security-related properties, a.k.a., attributes, have been recognized as a convenient abstraction for providing a well-defined representation of such information, allowing for them to be created and exchanged by different independently-run organizational domains for authorization purposes. However, attackers may attempt to compromise the way attributes are generated and communicated by recurring to hacking techniques, e.g., forgery, in an effort to bypass authorization policies and their corresponding enforcement mechanisms and gain unintended access to sensitive resources as a result. In this paper, we propose a novel technique that allows for enterprises to pro-actively collect attributes from the different entities involved in the access request process, e.g., users, subjects, protected resources, and running environments. After the collection, we aim to carefully select the attributes that uniquely identify the aforementioned entities, and randomly mutate the original access policies over time by adding additional policy rules constructed from the newly-identified attributes. This way, even when attackers are able to compromise the original attributes, our mutated policies may offer an additional layer of protection to deter ongoing and future attacks. We present the rationale and experimental results supporting our proposal, which provide evidence of its suitability for being deployed in practice.
UR - http://www.scopus.com/inward/record.url?scp=85043392811&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85043392811&partnerID=8YFLogxK
U2 - 10.1145/3140549.3140553
DO - 10.1145/3140549.3140553
M3 - Conference contribution
AN - SCOPUS:85043392811
T3 - MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017
SP - 39
EP - 49
BT - MTD 2017 - Proceedings of the 2017 Workshop on Moving Target Defense, co-located with CCS 2017
PB - Association for Computing Machinery, Inc
Y2 - 30 October 2017
ER -