16 December 2010

Prasad Naldurg gives a seminar on Baaz — A System for Detecting Access Control Misconfigurations.

Salle Vert, 5th floor, INRIA Antenne Parisienne,
23 Avenue d’Italie, Paris, 75013

Baaz — A System for Detecting Access Control Misconfigurations
Prasad Naldurg
Microsoft Research India

Maintaining correct access control to shared resources such as file servers, wikis, and databases is an important part of enterprise network management. A combination of many factors, including high rates of churn in organizational roles, policy changes, and dynamic information-sharing scenarios, can trigger frequent updates to user permissions, leading to potential inconsistencies. We present Baaz, a completely automated system that monitors updates to access control metadata, analyzes this information to alert administrators about potential security and accessibility issues, and recommends suitable changes. Baaz algorithms extract high-level policy-like statements from raw implementation metadata and reason about their consistency, completeness, and coverage. We compare and contrast Baaz algorithms with traditional role mining algorithms, and examine their sensitivity with respect to convergence when the suggested changes are implemented. This is joint work with Ranjita Bhagwan and Tathagata Das, and was presented at Usenix Security 2010. See our project webpage here:
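As an added illustration of the kind of analysis the abstract describes (this is not Baaz's code or its published algorithm), the toy detector below derives policy-like groups from raw permission metadata and flags users whose permissions deviate from a populated group by a single resource, reporting extra access as a potential security issue and missing access as an accessibility issue. All user and resource names are constructed.

```python
from collections import defaultdict

# Constructed sample metadata: resource -> users granted access (not real data)
ACLS = {
    "fs1:finance": {"alice", "bob", "carol", "dave"},
    "fs1:payroll": {"alice", "bob", "carol", "dave", "eve"},
    "db:ledger": {"alice", "bob", "carol"},
    "wiki:finance": {"alice", "bob", "carol", "dave", "eve", "frank", "grace"},
}

def user_permissions(acls):
    """Invert resource->users into user->resources (the subject/object view)."""
    perms = defaultdict(set)
    for resource, users in acls.items():
        for user in users:
            perms[user].add(resource)
    return dict(perms)

def infer_groups(perms):
    """Policy-like statement: users with identical permission sets form one group."""
    groups = defaultdict(set)
    for user, resources in perms.items():
        groups[frozenset(resources)].add(user)
    return dict(groups)

def find_misconfigurations(acls, min_group_size=2):
    """Flag users whose permissions differ from a well-populated group by one resource.
    Extra access -> potential security issue; missing access -> accessibility issue."""
    groups = infer_groups(user_permissions(acls))
    reference = {sig: m for sig, m in groups.items() if len(m) >= min_group_size}
    findings = []
    for sig, members in groups.items():
        if sig in reference:
            continue  # populated groups are taken as the intended policy
        for ref_sig, ref_members in reference.items():
            extra, missing = sig - ref_sig, ref_sig - sig
            if len(extra) + len(missing) != 1:
                continue  # too different to count as a near-miss of this group
            kind = "security" if extra else "accessibility"
            (resource,) = extra | missing
            for user in members:
                findings.append((kind, user, resource, tuple(sorted(ref_members))))
    return sorted(findings)  # deterministic order regardless of set iteration

if __name__ == "__main__":
    for kind, user, resource, group in find_misconfigurations(ACLS):
        print(f"{kind:13} {user} differs from {group} on {resource}")
```

On the sample data this reports dave as missing db:ledger relative to alice/bob/carol and eve as holding fs1:payroll beyond what frank/grace have; an administrator decides which of these is an intended exception.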