Publication


Featured research published by Michael S. Kirkpatrick.


advances in geographic information systems | 2011

Prox-RBAC: a proximity-based spatially aware RBAC

Michael S. Kirkpatrick; Maria Luisa Damiani; Elisa Bertino

As mobile computing devices are becoming increasingly dominant in enterprise and government organizations, the need for fine-grained access control in these environments continues to grow. Specifically, advanced forms of access control can be deployed to ensure authorized users can access sensitive resources only when in trusted locations. One technique that has been proposed is to augment role-based access control (RBAC) with spatial constraints. In such a system, an authorized user must be in a designated location in order to exercise the privileges associated with a role. In this work, we extend spatially aware RBAC systems by defining the notion of proximity-based RBAC. In our approach, access control decisions are not based solely on the requesting user's location. Instead, we also consider the location of other users in the system. For instance, a policy in a government application could prevent access to a sensitive document if any civilians are present. We introduce our spatial model and the notion of proximity constraints. We define the syntax and semantics for the Prox-RBAC language, which can be used to specify these policy constraints. We introduce our enforcement architecture, including the protocols and algorithms for enforcing Prox-RBAC policies, and give a proof of functional correctness. Finally, we describe our work toward a Prox-RBAC prototype and present an informal security analysis.


advances in geographic information systems | 2011

Location-based access control systems for mobile users: concepts and research directions

Elisa Bertino; Michael S. Kirkpatrick

Many organizations require that sensitive information only be accessed on the organization premises or in secure locations. Access to certain information is thus allowed to authorized users, provided that these users are in specific locations when accessing the information. The GEO-RBAC model addresses such a requirement. It is based on the notion of a spatial role, that is, a geographically bounded organizational function. The boundary of a role is defined as a geographical feature, such as a hospital or a classified facility; it specifies the spatial extent in which the user must be located in order to use the role. Besides a physical position obtained from a mobile terminal, users are assigned a logical and device-independent position, representing the feature where the user is located. Logical positions are computed from real positions by specific mapping functions. If the user is present within the spatial boundary of a role, the role is said to be enabled. The user is allowed to select (activate) a role and exercise the associated permissions only once the role is enabled. The deployment of an access control system based on GEO-RBAC entails addressing several challenges: (1) access policies may require that access be conditioned not only on the user location but also on the presence or absence of other users; (2) enforcing location-based access control requires making the access control server aware of user locations, which may lead to privacy breaches; (3) trustworthy information about user locations must be obtained. This paper elaborates on these challenges and outlines related research directions.


international conference on network protocols | 2012

Privacy-Preserving Enforcement of Spatially Aware RBAC

Michael S. Kirkpatrick; Gabriel Ghinita; Elisa Bertino

Several models for incorporating spatial constraints into role-based access control (RBAC) have been proposed, and researchers are now focusing on the challenge of ensuring such policies are enforced correctly. However, existing approaches have a major shortcoming, as they assume the server is trustworthy and require complete disclosure of sensitive location information by the user. In this work, we propose a novel framework and a set of protocols to solve this problem. Specifically, in our scheme, a user provides a service provider with role and location tokens along with a request. The service provider consults with a role authority and a location authority to verify the tokens and evaluate the policy. However, none of the servers learn the requesting user's identity, role, or location. In this paper, we define the protocols and the policy enforcement scheme, and present a formal proof of a number of security properties.


advanced information networking and applications | 2009

Location-Aware Authentication and Access Control Concepts and Issues

Elisa Bertino; Michael S. Kirkpatrick

The paper first discusses the motivations for taking location information into account in authentication and access control. The paper then surveys current approaches to location-aware authentication, including the notion of context-based flexible authentication policies, and to location-aware access control, with a focus on the GEO-RBAC model. Throughout the discussion, the paper identifies open research directions.


network and system security | 2013

Marlin: A Fine Grained Randomization Approach to Defend against ROP Attacks

Aditi Gupta; Sam Kerr; Michael S. Kirkpatrick; Elisa Bertino

Code-reuse attacks, such as return-oriented programming (ROP), bypass defenses against code injection by repurposing existing executable code toward a malicious end. A common feature of these attacks is the reliance on the knowledge of the layout of the executable code. We propose a fine-grained randomization-based approach that modifies the layout of executable code and hinders code-reuse attacks. Our solution, Marlin, randomizes the internal structure of the executable code, thereby denying the attacker the necessary a priori knowledge of instruction addresses for constructing the desired exploit payload. Our approach can be applied to any ELF binary and every execution of this binary uses a different randomization. Our work shows that such an approach is feasible and significantly increases the level of security against code-reuse based attacks.


collaborative computing | 2012

A formal proximity model for RBAC systems

Aditi Gupta; Michael S. Kirkpatrick; Elisa Bertino

To combat the threat of information leakage through pervasive access, researchers have proposed several extensions to the popular role-based access control (RBAC) model. Such extensions can incorporate contextual features, such as location, into the policy decision in an attempt to restrict access to trustworthy settings. In many cases, though, such extensions fail to reflect the true threat, which is the presence or absence of other users, rather than absolute locations. For instance, for location-aware separation of duty, it is more important to ensure that two people are in the same room, rather than in a designated, pre-defined location. Prox-RBAC was proposed as an extension to consider the relative proximity of other users with the help of a pervasive monitoring infrastructure. However, that work offered only an informal view of proximity, and unnecessarily restricted the domain to spatial concerns. In this work, we present a more rigorous definition of proximity based on formal topological relations. In addition, we show that this definition can be applied to several additional domains, such as social networks, communication channels, attributes, and time; thus, our policy model and language is more flexible and powerful than the previous work. In addition to proposing the model, we present a number of theoretical results for such systems, including a complexity analysis, templates for cryptographic protocols, and proofs of security features.


advances in geographic information systems | 2010

PEAR: a hardware based protocol authentication system

Sam Kerr; Michael S. Kirkpatrick; Elisa Bertino

As users have to manage an increasing number of accounts, they have to balance password security and password usability. As such, many users use insecure passwords, resulting in their accounts and data being vulnerable to unauthorized accesses. In this paper, we present Physically Enhanced Authentication Ring, or PEAR, a system that alleviates this problem. We leverage Physically Unclonable Functions (PUF) to create unclonable hardware devices, which users use to authenticate. Using a hardware device, our system uses zero-knowledge proofs, which provide better security than traditional passwords, yet users must only enter a simple PIN. As such, our system is very usable and imposes little to no burden on end users and service providers. We present transaction levels on top of PEAR as an extension and then discuss some other work that could be done in the future.


iNetSeC | 2009

Context-Dependent Authentication and Access Control

Michael S. Kirkpatrick; Elisa Bertino

As mobile computing continues to rise, users are increasingly able to connect to remote services from a wide range of settings. To provide this flexibility, security policies must be adaptive to the user’s environment when the request is made. In our work, we define context to include the spatiotemporal aspects of the user request, in addition to quantifiable environmental factors determined by the server hosting the resource. We identify a number of key open problems in this field and propose potential solutions to some of the problems.


IEEE Transactions on Dependable and Secure Computing | 2015

Marlin: Mitigating Code Reuse Attacks Using Code Randomization

Aditi Gupta; Javid Habibi; Michael S. Kirkpatrick; Elisa Bertino

Code-reuse attacks, such as return-oriented programming (ROP), are a class of buffer overflow attacks that repurpose existing executable code towards malicious purposes. These attacks bypass defenses against code injection attacks by chaining together sequences of instructions, commonly known as gadgets, to execute the desired attack logic. A common feature of these attacks is the reliance on the knowledge of memory layout of the executable code. We propose a fine-grained randomization-based approach that breaks these assumptions by modifying the layout of the executable code and hinders code-reuse attacks. Our solution, Marlin, randomizes the internal structure of the executable code by randomly shuffling the function blocks in the target binary. This denies the attacker the necessary a priori knowledge of instruction addresses for constructing the desired exploit payload. Our approach can be applied to any ELF binary and every execution of this binary uses a different randomization. We have integrated Marlin into the bash shell that randomizes the target executable before launching it. Our work shows that such an approach incurs low overhead and significantly increases the level of security against code-reuse based attacks.


IEEE Transactions on Dependable and Secure Computing | 2012

Resilient Authenticated Execution of Critical Applications in Untrusted Environments

Michael S. Kirkpatrick; Gabriel Ghinita; Elisa Bertino

Modern computer systems are built on a foundation of software components from a variety of vendors. While critical applications may undergo extensive testing and evaluation procedures, the heterogeneity of software sources threatens the integrity of the execution environment for these trusted programs. For instance, if an attacker can combine an application exploit with a privilege escalation vulnerability, the operating system (OS) can become corrupted. Alternatively, a malicious or faulty device driver running with kernel privileges could threaten the application. While the importance of ensuring application integrity has been studied in prior work, proposed solutions immediately terminate the application once corruption is detected. Although this approach is sufficient for some cases, it is undesirable for many critical applications. In order to overcome this shortcoming, we have explored techniques for leveraging a trusted virtual machine monitor (VMM) to observe the application and potentially repair damage that occurs. In this paper, we describe our system design, which leverages efficient coding and authentication schemes, and we present the details of our prototype implementation to quantify the overhead of our approach. Our work shows that it is feasible to build a resilient execution environment, even in the presence of a corrupted OS kernel, with a reasonable amount of storage and performance overhead.

Collaboration

Top Co-Authors

Gabriel Ghinita

University of Massachusetts Boston

Chris Mayfield

James Madison University