This program is tentative and subject to change.
Access control policies are programs used to secure cloud resources. These polices should only grant the necessary permissions that a given application needs. However, it is challenging to write and maintain policies as applications and their required permissions change over time. In this paper, we focus on the Amazon Web Services (AWS) IAM policy language and present an approach that, given a policy, synthesizes a modified policy that is more restrictive and better abides to the principle of least privilege. Our approach looks at the actual access history (e.g., access logs) used by an application and computes the least permissive local modification of the user-given policy that still provides the same permissions that were observed in the access history. We treat the problem of computing the least permissive policy as a generalization problem in a lattice of possible policies (i.e., the set of local modifications). We show that our synthesis algorithm comes with correctness guarantees and is amendable to an efficient implementation that is easy to parallelize. We implement our algorithm in a tool IAM-PolicyRefiner and evaluate it on policies attached to AWS roles with access logs. For each role, IAM-PolicyRefiner can compute easy-to-inspect refined policies in less than 1 minute, and the refined policies do not overfit to the requests in the log—i.e., the policies also allow requests in a left-out test set of requests.
This program is tentative and subject to change.
Wed 23 OctDisplayed time zone: Pacific Time (US & Canada) change
10:40 - 12:20 | |||
10:40 20mTalk | Law and Order for Typestate with Borrowing OOPSLA 2024 Hannes Saffrich University of Freiburg, Yuki Nishida Tohoku University, Peter Thiemann University of Freiburg, Germany | ||
11:00 20mTalk | Taypsi: Static Enforcement of Privacy Policies for Policy-Agnostic Oblivious Computation OOPSLA 2024 | ||
11:20 20mTalk | Gradient: Gradual Compartmentalization via Object Capabilities Tracked in Types OOPSLA 2024 Aleksander Boruch-Gruszecki EPFL, Adrien Ghosn Microsoft Research, Mathias Payer EPFL, Clément Pit-Claudel EPFL | ||
11:40 20mTalk | Automatically Reducing Privilege for Access Control Policies OOPSLA 2024 Loris D'Antoni University of Wisconsin-Madison, Shuo Ding Georgia Institute of Technology, Amit Goel AWS, Mathangi Ramesh Amazon Web Services, Neha Rungta Amazon Web Services, Chungha Sung Amazon Web Services, USA | ||
12:00 20mTalk | Functional Ownership through Fractional Uniqueness OOPSLA 2024 DOI |