Automated Detection of Least Privilege Violations in Software Architectures

Scandariato, Riccardo; Buyens, Koen; Joosen, Wouter

doi:10.1007/978-3-642-15114-9_13

Riccardo Scandariato¹⁸,
Koen Buyens¹⁸ &
Wouter Joosen¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 6285))

Included in the following conference series:

European Conference on Software Architecture

2077 Accesses
5 Citations

Abstract

Due to the lack of both precise definitions and effective software engineering methodologies, security principles are often neglected by software architects, resulting in potentially high-risk threats to the systems. This work lays the formal foundations for the understanding of the least privilege (LP) principle in software architectures and provides a technique to identify LP violations. The proposed approach is supported by tools and has been validated in four case studies, one of which is presented in detail in this paper.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Barkley, J.: Comparing simple role based access control models and access control lists. In: ACM Workshop on Role Based Access Control, RBAC (1997)
Google Scholar
Bernstein, D.J.: Some thoughts on security after ten years of qmail 1.0. In: ACM Workshop on Computer Security Architecture (2007)
Google Scholar
Brumley, D., Song, D.: Privtrans: Automatically partitioning programs for privilege separation. In: USENIX (2004)
Google Scholar
Buyens, K., De Win, B., Joosen, W.: Resolving least privilege violations in software architectures. In: Workshop on Software Engineering for Secure Systems, SESS (2009)
Google Scholar
Buyens, K., Scandariato, R., Joosen, W.: Process activities supporting security principles. In: International Workshop on Security in Software Engineering, IWSSE (2007)
Google Scholar
Dashofy, E., Asuncion, H., Hendrickson, S., Suryanarayana, G., Georgas, J., Taylor, R.: Archstudio 4: An architecture-based meta-modeling environment. In: ICSE Companion (2007)
Google Scholar
Debie, E., De Ryck, P.: Non-repudiation middleware for web-based architectures. Master’s thesis, Katholieke Universiteit Leuven (2009)
Google Scholar
Höhn, S., Jürjens, J.: Rubacon: automated support for model-based compliance engineering. In: ICSE (2008)
Google Scholar
Howard, M., Lipner, S.: The Security Development Lifecycle. Microsoft Press (2006)
Google Scholar
Jürjens, J.: Secure Systems Development With UML. Springer, Heidelberg (2005)
MATH Google Scholar
Van Landuyt, D., Grégoire, J., Michiels, S., Truyen, E., Joosen, W.: Architectural design of a digital publishing system. Technical Report CW465, Katholieke Universiteit Leuven (2006)
Google Scholar
MSDN Library. Access control lists, http://msdn.microsoft.com
Morandini, M., Nguyen, D.C., Perini, A., Siena, A., Susi, A.: Tool-supported development with tropos: The conference management system case study. In: Luck, M., Padgham, L. (eds.) Agent-Oriented Software Engineering VIII. LNCS, vol. 4951, pp. 182–196. Springer, Heidelberg (2008)
Chapter Google Scholar
Provos, N.: Improving host security with system call policies. In: USENIX Security Symposium (2003)
Google Scholar
Ren, J.: A connector-centric approach to architectural access control. PhD thesis, University of California Irvine (2006)
Google Scholar
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proceedings of the IEEE 63(9), 1278–1308 (1975)
Article Google Scholar
Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: The protection of information in computer systems. IEEE Computer 29(2), 38–47 (1996)
Article Google Scholar
Schneider, F.B.: Enforceable security policies. ACM Transactions on Information and System Security 3(1), 30–50 (2000)
Article Google Scholar
Viega, J., McGraw, G.: Building Secure Software. Addison-Wesley, Reading (2002)
Google Scholar
White, S.A.: Business process modeling notation. BPMI.org (2004)
Google Scholar
Wing, J.: A call to action: Look beyond the horizon. IEEE Security & Privacy 1(6), 62–67 (2003)
Article Google Scholar

Download references

Author information

Authors and Affiliations

IBBT-DistriNet, Katholieke Universiteit Leuven, 3001, Leuven, Belgium
Riccardo Scandariato, Koen Buyens & Wouter Joosen

Authors

Riccardo Scandariato
View author publications
You can also search for this author in PubMed Google Scholar
Koen Buyens
View author publications
You can also search for this author in PubMed Google Scholar
Wouter Joosen
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Software Development Group, IT University of Copenhagen, Rued Langgaards, Vej 7, 2300, Copenhagen, S, Denmark
Muhammad Ali Babar
Computational and Information Sciences, Pacific Northwest National Laboratory, MS: K7-90, Richland, PO Box 999, 99352, WA, USA
Ian Gorton

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Scandariato, R., Buyens, K., Joosen, W. (2010). Automated Detection of Least Privilege Violations in Software Architectures. In: Babar, M.A., Gorton, I. (eds) Software Architecture. ECSA 2010. Lecture Notes in Computer Science, vol 6285. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15114-9_13

Download citation

DOI: https://doi.org/10.1007/978-3-642-15114-9_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15113-2
Online ISBN: 978-3-642-15114-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics