Stratified abstraction of access control policies

John Backes,Ulises Berrueco,Tyler Stuart Bray,Daniel Brim,Byron Cook,Andrew Gacek,Ranjit Jhala,Kasper Søe Luckow,Sean McLaughlin,Madhav Menon,Daniel Peebles,Ujjwal Pugalia,Neha Rungta,Cole Schlesinger,Adam Schodde,Anvesh Tanuku,Carsten Varming,Deepa Viswanathan

Stratified abstraction of access control policies

2020

John Backes
Ulises Berrueco
Tyler Stuart Bray
Daniel Brim
Byron Cook
Andrew Gacek
Ranjit Jhala
Kasper Søe Luckow
Sean McLaughlin
Madhav Menon
Daniel Peebles
Ujjwal Pugalia
Neha Rungta
Cole Schlesinger
Adam Schodde
Anvesh Tanuku
Carsten Varming
Deepa Viswanathan

The shift to cloud-based APIs has made application security critically depend on understanding and reasoning about policies that regulate access to cloud resources. We present stratified predicate abstraction, a new approach that summarizes complex security policies into a compact set of positive and declarative statements that precisely state who has access to a resource. We have implemented stratified abstraction and deployed it as the engine powering AWS’s IAM Access Analyzer service, and hence, demonstrate how formal methods and SMT can be used for security policy explanation .

Keywords:

Software engineering
Abstraction
Access control
Computer science

Correction
Source
Cite
Save
Machine Reading By IdeaReader

References

Citations