User account access graphs

Sven Hammann, Saša Radomirović, Ralf Sasse, David Basin

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The primary authentication method for a user account is rarely the only way to access that account. Accounts can often be accessed through other accounts, using recovery methods, password managers, or single sign-on. This increases each account's attack surface, giving rise to subtle security problems. These problems cannot be detected by considering each account in isolation, but require analyzing the links between a user's accounts. Furthermore, to accurately assess the security of accounts, the physical world must also be considered. For example, an attacker with access to a physical mailbox could obtain credentials sent by post. Despite the manifest importance of understanding these interrelationships and the security problems they entail, no prior methods exist to perform an analysis thereof in a precise way. To address this need, we introduce account access graphs, the first formalism that enables a comprehensive modeling and analysis of a user's entire setup, incorporating all connections between the user's accounts, devices, credentials, keys, and documents. Account access graphs support systematically identifying both security vulnerabilities and lockout risks in a user's accounts. We give analysis algorithms and illustrate their effectiveness in a case study, where we automatically detect significant weaknesses in a user's setup and suggest improvement options.
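As an added illustration that is not the paper's own formalism or code: a deliberately simplified model in which every account or credential is obtainable through one of several alternative methods, each requiring a set of items to be held, so that computing the closure of what an attacker holds (or what a user still holds after a loss) exposes the chained access paths and lockout risks the abstract describes. All names and rules below are constructed for the example.

```python
# Constructed example setup (hypothetical, not taken from the paper).
# Each target maps to a list of alternative access methods; a method is a set
# of items that must ALL be held. Items may be accounts, credentials, devices
# or physical objects, so links between them form the access graph.
ACCESS_RULES = {
    "email":      [{"email_pw"}, {"phone"}],                      # password, or SMS reset
    "bank":       [{"bank_pw", "phone"}, {"email"}, {"mailbox"}],  # 2FA, email reset, posted letter
    "pw_manager": [{"master_pw"}],                                 # no recovery method at all
    "email_pw":   [{"pw_manager"}],                                # stored only in the manager
    "bank_pw":    [{"pw_manager"}],
    "social":     [{"email"}],                                     # single sign-on via email
}
ACCOUNTS = ["bank", "email", "pw_manager", "social"]
USER_ITEMS = {"master_pw", "phone", "mailbox"}   # what the user actually holds

def reachable(initial, rules=ACCESS_RULES):
    """Least fixpoint: every target obtainable from the initially held items."""
    held = set(initial)
    changed = True
    while changed:
        changed = False
        for target, methods in rules.items():
            if target not in held and any(method <= held for method in methods):
                held.add(target)
                changed = True
    return held

def compromised_accounts(attacker_items, accounts=ACCOUNTS, rules=ACCESS_RULES):
    """Accounts an attacker reaches starting from the given items (e.g. a stolen phone)."""
    return sorted(a for a in accounts if a in reachable(attacker_items, rules))

def lockout_risk(user_items, lost, accounts=ACCOUNTS, rules=ACCESS_RULES):
    """Accounts the user can no longer reach after losing the items in `lost`."""
    return sorted(a for a in accounts if a not in reachable(set(user_items) - set(lost), rules))

def single_points_of_failure(user_items, accounts=ACCOUNTS, rules=ACCESS_RULES):
    """Items whose loss alone locks the user out of at least one account."""
    result = {}
    for item in sorted(user_items):
        locked = lockout_risk(user_items, {item}, accounts, rules)
        if locked:
            result[item] = locked
    return result

if __name__ == "__main__":
    print("stolen phone reaches:", compromised_accounts({"phone"}))
    print("mailbox access reaches:", compromised_accounts({"mailbox"}))
    print("single points of failure:", single_points_of_failure(USER_ITEMS))
```

Re-running `single_points_of_failure` after adding a second method such as a printed recovery code to `pw_manager` shows how a proposed improvement is checked in the same model.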

Original language: English
Title of host publication: CCS 2019: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
Publisher: Association for Computing Machinery
Pages: 1405-1422
Number of pages: 18
ISBN (Electronic): 9781450367479
DOIs
Publication status: Published - 6 Nov 2019
Event: 26th ACM Conference on Computer and Communications Security 2019 - London, United Kingdom
Duration: 11 Nov 2019 to 15 Nov 2019

Conference

Conference: 26th ACM Conference on Computer and Communications Security 2019
Abbreviated title: ACM CCS 2019
Country: United Kingdom
City: London
Period: 11/11/19 to 15/11/19

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
