As data center systems become ever so complex, it has been ever so daunting for system administrators to configure various permission correctly without accidentally opening up permissions for unintended users (and also malicious users) and resulting in catastrophic security disasters. Since data centers have been used to store and manage data not only for financial, business, communication, but also our daily life such as emails, photos, even home appliances and automobile data, it has become ever so important to prevent human errors (system administrator errors) in access permission configurations to avoid security attacks and privacy leaks. This project will develop new methods to detect and prevent permission configuration errors. The project will involve various educational and outreach activities for students, especially women students in computer science; the investigator has been a role model and a mentor for women high school students, undergraduates, graduates and junior faculty. To address this access-control misconfigurations problem, the project has three main objectives: (i) providing sysadmins with precise, complete information, (ii) detecting suspicious accesses after access permission changes and (iii) eliminating access-control configuration mistakes. These three objectives will be achieved by using a combination of static program analysis, binary instrumentation, profiling, static and quantitative methods, decision tree machine learning, software testing, etc. The proposed research includes the following three synergistic thrusts: (1) Informative Logging for Access Permission-Related Errors. (2) Intelligent monitoring and detection of suspicious accesses. (3) Holistic Cross-component Access-Control Management. The three thrusts together well cover the important security problem that has never been addressed by prior work.
SaTC: CORE: Small: Practical methods for detecting access permission vulnerabilities caused by sysadmin's configuration errors