Producing Hook Placements to Enforce Expected Access Control Policies

Many security-sensitive programs manage resources on behalf of mutually distrusting clients. To control access to resources, authorization hooks are placed before operations on those resources. Moreover, manual hook placements by programmers are often incomplete or incorrect, leading to insecure programs. We advocate an approach that automatically identifies the set of program locations to place authorization hooks. The set of hooks completely mediates all security-sensitive operations in order to enforce expected access control policies at deployment. However, one challenge is that programmers often want to minimize the effort of writing such policies. In this paper, we show how static and dynamic analysis may be applied to help programmers iteratively derive a constraint system for the expected access control policies that enables removal of unnecessary hooks. These authorization constraints reduce the space of allowable access control policies; i.e., those policies that are compatible with the constraints. We further propose algorithms that compute a minimal authorization hook placement based on a set of authorization constraints automatically. We have built a tool that implements this authorization hook placement method, demonstrating how programmers can produce authorization hooks for real-world programs and leverage policy goal-specific constraint selectors to automatically identify many authorization constraints. Our experiments show that our technique reduces manual programmer effort by as much as 67% and produce placements that reduce the amount of policy specification by as much as 36%.