ACCESSPROV: Tracking the Provenance of Access Control Decisions.

Access control protects security-sensitive operations from access by unauthorized subjects. Unfortunately, access control mechanisms are implemented manually in practice, which can lead to exploitable errors. Prior work aims to find such errors through static analysis, but the correctness of access control enforcement depends on runtime factors, such as the access control policies enforced and adversary control of the program inputs. As a result, we propose to apply provenance tracking to find flaws in access control enforcement. To do so, we track the inputs used in access control decisions to enable detection of flaws. We have developed ACCESSPROV, a Java bytecode analysis tool capable of retrofitting legacy Java applications with provenance hooks. We utilize ACCESSPROV to add provenance hooks at all locations that either may require access control enforcement or may impact access control policy decisions. We evaluate ACCESSPROV on OpenMRS, an open-source medical record system, detecting access control errors while incurring only 2.1% overhead when running the OpenMRS test suite on the instrumented OpenMRS program.