Wed 23 Oct 2024 11:40 - 12:00 at IBR West - Ownership, Security, and Privacy Chair(s): Tobias Wrigstad

Access control policies are programs used to secure cloud resources. These policies should only grant the necessary permissions that a given application needs. However, it is challenging to write and maintain policies as applications and their required permissions change over time. In this paper, we focus on the Amazon Web Services (AWS) IAM policy language and present an approach that, given a policy, synthesizes a modified policy that is more restrictive and better abides by the principle of least privilege. Our approach looks at the actual access history (e.g., access logs) used by an application and computes the least permissive local modification of the user-given policy that still provides the same permissions that were observed in the access history. We treat the problem of computing the least permissive policy as a generalization problem in a lattice of possible policies (i.e., the set of local modifications). We show that our synthesis algorithm comes with correctness guarantees and is amenable to an efficient implementation that is easy to parallelize. We implement our algorithm in a tool IAM-PolicyRefiner and evaluate it on policies attached to AWS roles with access logs. For each role, IAM-PolicyRefiner can compute easy-to-inspect refined policies in less than 1 minute, and the refined policies do not overfit to the requests in the log—i.e., the policies also allow requests in a left-out test set of requests.
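The idea in the abstract, as an added example that is not code from the paper or from IAM-PolicyRefiner: refine a broad Allow statement against an access log so that every logged request stays allowed, nothing outside the original policy is granted, and a held-out request is still covered. It uses a prefix-generalization rule chosen for this example rather than the paper's synthesis algorithm, matches actions case-sensitively, and the policy, log entries and all function names are constructed.

```python
import re
from os.path import commonprefix

# Constructed sample policy: one Allow statement far broader than the role needs.
POLICY = [{"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}]
# Constructed access history: (action, resource) pairs observed for the role.
LOG = [("s3:GetObject", "arn:aws:s3:::app-data/reports/2024-01.csv"),
       ("s3:GetObject", "arn:aws:s3:::app-data/reports/2024-02.csv"),
       ("s3:PutObject", "arn:aws:s3:::app-data/reports/2024-02.csv")]

def matches(patterns, value):
    # IAM-style wildcards: '*' is any run of characters, '?' is one character.
    rx = lambda p: re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(rx(p), value) for p in patterns)

def allowed(policy, action, resource):
    hit = lambda effect: any(matches(s["Action"], action) and matches(s["Resource"], resource)
                             for s in policy if s["Effect"] == effect)
    return hit("Allow") and not hit("Deny")  # an explicit Deny always wins

def generalize(values):
    # Least general prefix pattern covering all values, cut at a '/' or ':' boundary.
    if len(values) == 1:
        return values[0]
    prefix = commonprefix(values)
    return prefix[:max(prefix.rfind("/"), prefix.rfind(":")) + 1] + "*"

def narrower(new, old_patterns):
    # Sufficient containment check: new extends the prefix of a pure "prefix*" original.
    return any(o.endswith("*") and not set(o[:-1]) & set("*?") and new.startswith(o[:-1])
               for o in old_patterns)

def refine(policy, log):
    refined = []
    for stmt in policy:
        if stmt["Effect"] != "Allow":
            refined.append(stmt)  # Deny statements are kept unchanged
            continue
        hits = [(a, r) for a, r in log if allowed([stmt], a, r)]
        if not hits:
            continue  # never exercised in the log: drop the statement
        resources = sorted({r for _, r in hits})
        pattern = generalize(resources)
        refined.append({"Effect": "Allow",
                        "Action": sorted({a for a, _ in hits}),
                        "Resource": [pattern] if narrower(pattern, stmt["Resource"]) else resources})
    return refined
```

When the generalized pattern cannot be shown to stay inside the original statement, `refine` falls back to listing the exact observed resources, so the result is never more permissive than the input policy.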

Wed 23 Oct

Displayed time zone: Pacific Time (US & Canada)

10:40 - 12:20
Ownership, Security, and Privacy, OOPSLA 2024 at IBR West
Chair(s): Tobias Wrigstad Uppsala University
10:40
20m
Talk
Law and Order for Typestate with Borrowing
OOPSLA 2024
Hannes Saffrich University of Freiburg, Yuki Nishida Tohoku University, Peter Thiemann University of Freiburg, Germany
11:00
20m
Talk
Taypsi: Static Enforcement of Privacy Policies for Policy-Agnostic Oblivious Computation
OOPSLA 2024
Qianchuan Ye University at Buffalo, SUNY, Benjamin Delaware Purdue University
11:20
20m
Talk
Gradient: Gradual Compartmentalization via Object Capabilities Tracked in Types
OOPSLA 2024
Aleksander Boruch-Gruszecki Charles University, Adrien Ghosn Microsoft Research, Mathias Payer EPFL, Clément Pit-Claudel EPFL
11:40
20m
Talk
Automatically Reducing Privilege for Access Control Policies
OOPSLA 2024
Loris D'Antoni University of Wisconsin-Madison, Shuo Ding Georgia Institute of Technology, Amit Goel AWS, Mathangi Ramesh Amazon Web Services, Neha Rungta Amazon Web Services, Chungha Sung Amazon Web Services, USA
12:00
20m
Talk
Functional Ownership through Fractional Uniqueness
OOPSLA 2024
Danielle Marshall University of Glasgow; University of Kent, Dominic Orchard University of Kent; University of Cambridge