Dissertation Defense

Towards Least Privilege Principle: Limiting Unintended Accesses in Software Systems

Beng Heng Ng

Adhering to the least privilege principle involves ensuring that only legitimate subjects have
access rights to objects. Sometimes, this is hard because of permission irrevocability, changing security
requirements, infeasibility of access control mechanisms, and permission creep. If subjects turn rogue,
the accesses can be abused. This thesis examines three scenarios where accesses are commonly abused
and lead to security issues, and proposes solutions to detect, and where practical eliminate, unintended
accesses through SEAL, DeGap, and Expose.

Firstly, we examine abuses of email addresses, whose leakage is irreversible. Also, users can only hope
that businesses requiring their email addresses for validating affiliations do not misuse them. SEAL uses
semi-private aliases, which permit gradual and selective controls while providing privacy for affiliation
validations.

Secondly, access control mechanisms may be ineffective as subject roles change and administrative
oversights lead to permission gaps, which should be removed expeditiously. Identifying permission
gaps can be hard since another reference point besides granted permissions is often unavailable. DeGap
uses logs to estimate the gaps while using a common logic for various system services. DeGap also
recommends configuration changes towards reducing the gaps.

Lastly, unintended software code re-use can lead to intellectual property theft and license violations.
Determining whether an application uses a library can be difficult. Compiler optimizations, function
inlining, and lack of symbols make using syntactic methods a challenge, while pure semantic analysis
is slow. Given a library and a set of applications, Expose combines syntactic and semantic analysis to
achieve performance and high-quality rankings of applications.
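
The log-based gap estimation described for DeGap above, as an added illustration that is not DeGap's code and does not come from the thesis: it treats Unix file mode bits as the granted permissions and an access log as the usage record, then reports granted bits that were never exercised together with a tighter mode. The users, group, paths, log format and function names are all assumptions made for this example.

```python
# Added illustration with constructed sample data: gap = granted minus observed.
from collections import defaultdict

BITS = {"read": 4, "write": 2, "exec": 1}
GROUPS = {"ops": {"bob", "carol"}}            # group -> members (constructed)
FILES = {                                     # path -> (owner, group, mode)
    "/srv/app/config.yml": ("alice", "ops", 0o666),
    "/srv/app/deploy.sh":  ("alice", "ops", 0o775),
}
LOG = """\
2024-05-01T09:00:12 alice write /srv/app/config.yml
2024-05-01T09:02:40 bob read /srv/app/config.yml
2024-05-01T09:05:03 alice exec /srv/app/deploy.sh
2024-05-01T09:05:09 alice read /srv/app/deploy.sh
2024-05-01T09:07:55 carol exec /srv/app/deploy.sh
malformed line
"""

def subject_class(user, owner, group):
    """Map a user to the permission class that applies: 0 owner, 1 group, 2 other."""
    if user == owner:
        return 0
    return 1 if user in GROUPS.get(group, ()) else 2

def used_modes(log_text):
    """Fold log records into the mode bits each file actually needed."""
    used = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] not in BITS or parts[3] not in FILES:
            continue                          # skip malformed or unknown records
        _, user, op, path = parts
        owner, group, _ = FILES[path]
        shift = 6 - 3 * subject_class(user, owner, group)
        used[path] |= BITS[op] << shift
    return used

def permission_gaps(log_text):
    """Return {path: (granted, gap, recommended)} for files with unused bits."""
    used = used_modes(log_text)
    report = {}
    for path, (_, _, granted) in FILES.items():
        keep = granted & used[path]           # never recommend bits not granted
        gap = granted & ~keep
        if gap:
            report[path] = (granted, gap, keep)
    return report

if __name__ == "__main__":
    print({p: [f"{m:04o}" for m in v] for p, v in permission_gaps(LOG).items()})
```

A bit that goes unused within the log window is only an estimate of a gap, so the recommended mode is a starting point for review and depends on how much activity the log covers.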

Sponsored by

Atul Prakash