Automatically Tightening Access Control Policies with Restricter
Ka Lok Wu, Christa Jenkins, Scott D. Stoller, Omar Chowdhury
TL;DR
This work tackles the challenge of over-permissive access control policies by introducing Restricter, an automated method that tightens Cedar policies through log-guided, rule-by-rule refinement. The approach combines SMT-based symbolic encoding with SyGuS-driven synthesis to add conjunctions to permit rules while preserving the log-consistent behavior and the overall least-privilege principle. Through two realistic case studies, Restricter demonstrates scalability and effectiveness, tightening most loosened rules and preserving intended permissions, with scalability primarily affected by entity-store size rather than log density. The work contributes a formal problem formulation, a local tightening strategy, and a practical implementation that can extend to other ABAC languages beyond Cedar, advancing automated policy maintenance in secure systems.
Abstract
Robust access control is a cornerstone of secure software, systems, and networks. An access control mechanism is as effective as the policy it enforces. However, authoring effective policies that satisfy desired properties such as the principle of least privilege is a challenging task even for experienced administrators, as evidenced by many real instances of policy misconfiguration. In this paper, we set out to address this pain point by proposing Restricter, which automatically tightens each (permit) policy rule of a policy with respect to an access log, which captures some already exercised access requests and their corresponding access decisions (i.e., allow or deny). Restricter achieves policy tightening by reducing the number of access requests permitted by a policy rule without sacrificing the functionality of the underlying system it is regulating. We implement Restricter for Amazon's Cedar policy language and demonstrate its effectiveness through two realistic case studies.
