Abstract
Due to the lack of both precise definitions and effective software engineering methodologies, security design principles are often neglected by software architects, resulting in potentially high-risk threats to systems. This work lays the formal foundations for understanding the security design principle of least privilege in software architectures and provides a technique to identify violations against this principle. The technique can also be leveraged to analyze violations against the security design principle of separation of duties. The proposed approach is supported by tools and has been validated in four case studies, two of which are presented in detail in this paper.
Additional information
Communicated by Dr. Muhammad Ali Babar, Flavio Oquendo, and Ian Gorton.
Cite this article
Buyens, K., Scandariato, R. & Joosen, W. Least privilege analysis in software architectures. Softw Syst Model 12, 331–348 (2013). https://doi.org/10.1007/s10270-011-0218-8
DOI: https://doi.org/10.1007/s10270-011-0218-8