ANALYZING ACCESS CONTROL CONFIGURATIONS

US 20150143525A1
Filed: 04/15/2014
Published: 05/21/2015
Est. Priority Date: 10/31/2006
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility is described for analyzing access control configurations. In various embodiments, the facility comprises an operating system having resources and identifications of principals, the principals having access control privileges relating to the resources, the access control privileges described by access control metadata; an access control scanner component that receives the access control metadata, determines relationships between the principals and the resources, and emits access control relations information; and an access control inference engine that receives the emitted access control relations information and an access control policy model, analyzes the received information and model, and emits a vulnerability report. In various embodiments, the facility generates an information flow based on access control relations, an access control mechanism model, and an access control policy model; determines, based on the generated information flow, whether privilege escalation is possible; and when privilege escalation is possible, indicates in a vulnerability report that the privilege escalation is possible.

Citations

40 Claims

1-20. -20. (canceled)

21. A system for analyzing access control, the system comprising:
- at least one memory;
  
  at least one processor;
  
  an operating system having resources and principals;
  
  an information flow module configured to generate an information flow comprising inferred read, write, and execute relations between one or more of the principals and one or more of the resources;
  
  an escalation checking module configured to determine, based on applying an access control policy model to the inferred read, write, and execute relations of the generated information flow, that one or more privilege escalations are possible; and
  
  a vulnerability report generation module configured to indicate in a vulnerability report that one or more privilege escalations are possible;
  
  wherein the vulnerability report comprises one or more hierarchical structures, andwherein each hierarchical structure comprises;
  
  a root element identifying a privilege escalation of the one or more privilege escalations; and
  
  a derivation comprising one or more non-root elements that are descendants of the root element and identify the source of each of the privilege escalations.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29)
- - 22. The system of claim 21 wherein generating the information flow uses:
    - an operating system-specific component identifying resources and principals; and
      
      a component that is general across several operating systems.
  - 23. The system of claim 22 wherein:
    - the operating system-specific component receives access control relations and emits a relationship dataset; and
      
      the component that is general across several operating systems receives the relationship dataset and emits the information flow.
  - 24. The system of claim 21 wherein the access control policy model defines system security policies.
  - 25. The system of claim 21 wherein:
    - the vulnerability report is provided in a hierarchical representation; and
      
      the vulnerability report identifies a security vulnerability in the operating system or identifies a reason for an identified vulnerability.
  - 26. The system of claim 21 further comprising an access control graph viewer module configured to access the vulnerability report and emit a graphical report that illustrates vulnerabilities identified by the vulnerability report.
  - 27. The system of claim 21 wherein:
    - the escalation checking module is further configured to determine, based on the generated information flow, whether taint is possible; and
      
      the vulnerability report generation module is further configured to, when taint is possible, indicate in the vulnerability report that the taint is possible.
  - 28. The system of claim 21 wherein:
    - the escalation checking module is further configured to determine, based on the generated information flow, whether integrity can be compromised; and
      
      the vulnerability report generation module is further configured to, when integrity can be compromised, indicate in the vulnerability report that the integrity can be compromised.
  - 29. The system of claim 21 wherein the information flow identifies relationships between at least one of the principals and at least two of the resources.

30. A method for analyzing access control, the method comprising:
- generating an information flow comprising inferred read, write, and execute relations between one or more principals and one or more resources;
  
  determining, based on applying an access control policy model to the inferred read, write, and execute relations of the generated information flow, that one or more privilege escalations are possible; and
  
  indicating in a vulnerability report that one or more privilege escalations are possible;
  
  wherein the vulnerability report comprises one or more hierarchical structures, and wherein each hierarchical structure comprises;
  
  a root element identifying a privilege escalation of the one or more privilege escalations; and
  
  a derivation comprising one or more non-root elements that are descendants of the root element and identify the source of the privilege escalation.
- View Dependent Claims (31, 32, 33, 34)
- - 31. The method of claim 30 wherein the information flow identifies relationships between principals and resources.
  - 32. The method of claim 30 wherein the access control policy model defines system security policies.
  - 33. The method of claim 30 wherein generating the information flow uses an operating system-specific component identifying resources and principals, and a component that is general across several operating systems.
  - 34. The method of claim 33 further comprising:
    - receiving, by the operating system-specific component, access control relations and emitting a relationship dataset; and
      
      receiving, by the component that is general across several operating systems, the relationship dataset and emitting the information flow.

35. A computer-readable memory device encoded with computer-executable instructions that, when executed by a computing system, cause the computing system to perform operations for analyzing access control, the operations comprising:
- generating an information flow comprising inferred read, write, and execute relations between one or more principals and one or more resources;
  
  determining, based on applying an access control policy model to the inferred read, write, and execute relations of the generated information flow, that one or more privilege escalations are possible; and
  
  indicating in a vulnerability report that one or more privilege escalations are possible;
  
  wherein the vulnerability report comprises one or more hierarchical structures, and wherein each hierarchical structure comprises;
  
  a root element identifying a privilege escalation of the one or more privilege escalations; and
  
  a derivation comprising one or more non-root elements that are descendants of the root element and identify the source of the privilege escalation.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The computer-readable memory device of claim 35 wherein the information flow identifies relationships between one of the principals and at least two of the resources.
  - 37. The computer-readable memory device of claim 35 wherein the access control policy model defines system security policies.
  - 38. The computer-readable memory device of claim 35 wherein generating the information flow uses an operating system-specific component identifying resources and principals and a component that is general across several operating systems.
  - 39. The computer-readable memory device of claim 38 wherein:
    - the operating system-specific component receives access control relations and emits a relationship dataset; and
      
      the component that is general across several operating systems receives the relationship dataset and emits the information flow.
  - 40. The computer-readable memory device of claim 35 wherein:
    - the operations further comprise determining that taint is possible or that integrity can be compromised;
      
      in response to determining that taint is possible, the vulnerability report indicates that taint is possible; and
      
      in response to determining that that integrity can be compromised, the vulnerability report indicates that that integrity can be compromised.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Naldurg, Prasad G., Rajamani, Sriram K., Schwoon, Stefan, Lambert, John

Granted Patent

US 9,213,843 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/25
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

G06F 2221/034 Test or assess a computer o...

ANALYZING ACCESS CONTROL CONFIGURATIONS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

ANALYZING ACCESS CONTROL CONFIGURATIONS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links