Abstract
The primary authentication method for a user account is rarely the only way to access that account. Accounts can often be accessed through other accounts, using recovery methods, password managers, or single sign-on. This increases each account's attack surface, giving rise to subtle security problems. These problems cannot be detected by considering each account in isolation, but require analyzing the links between a user's accounts. Furthermore, to accurately assess the security of accounts, the physical world must also be considered. For example, an attacker with access to a physical mailbox could obtain credentials sent by post. Despite the manifest importance of understanding these interrelationships and the security problems they entail, no prior methods exist to perform an analysis thereof in a precise way. To address this need, we introduce account access graphs, the first formalism that enables a comprehensive modeling and analysis of a user's entire setup, incorporating all connections between the user's accounts, devices, credentials, keys, and documents. Account access graphs support systematically identifying both security vulnerabilities and lockout risks in a user's accounts. We give analysis algorithms and illustrate their effectiveness in a case study, where we automatically detect significant weaknesses in a user's setup and suggest improvement options.
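As an added illustration of the kind of cross-account analysis the abstract describes (example code, not the paper's formalism or tooling): a deliberately simplified model in which each account has alternative access methods, each of which needs all of a set of items, and the items at the bottom are base credentials, devices and documents, including the physical mailbox. The constructed setup below is an assumption, as are the function names; the code computes what a holder of given items can reach, the minimal item sets that yield a target account (vulnerabilities), and the items whose loss alone makes an account unreachable (lockout risks).

```python
from itertools import combinations

# Constructed setup (an assumption for this example, not the paper's model or
# data): each account lists alternative access methods; a method is a set of
# items that must ALL be held. Non-account items are the base credentials,
# devices and documents, including physical ones such as the mailbox.
ACCESS = {
    "email":     [{"email_pw"}, {"phone"}],                    # password, or SMS reset
    "pwmanager": [{"master_pw"}, {"email"}],                   # master password, or email recovery
    "bank":      [{"bank_pw", "phone"}, {"email", "mailbox"}], # 2FA login, or reset letter + email
    "social":    [{"pwmanager"}, {"email"}],                   # stored password, or email recovery
    "vpn":       [{"vpn_pw", "hw_token"}],                     # no recovery path at all
}
ITEMS = sorted({i for ms in ACCESS.values() for m in ms for i in m} - set(ACCESS))

def reachable(held):
    """Fixed point: every account reachable from a set of held items."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for acct, methods in ACCESS.items():
            if acct not in have and any(m <= have for m in methods):
                have.add(acct)
                changed = True
    return have

def minimal_attack_sets(target, items, max_size=2):
    """Minimal item sets whose compromise yields the target (vulnerabilities)."""
    found = []
    for k in range(1, max_size + 1):
        for combo in combinations(items, k):
            if target in reachable(combo) and not any(set(f) <= set(combo) for f in found):
                found.append(combo)
    return found

def lockout_single_points(target, items):
    """Items whose loss alone makes the target unreachable even with all others (lockout risks)."""
    return sorted(i for i in items if target not in reachable(set(items) - {i}))

if __name__ == "__main__":
    print("phone alone reaches:", sorted(reachable({"phone"}) - {"phone"}))
    print("bank, minimal attack sets:", minimal_attack_sets("bank", ITEMS))
    print("vpn, lockout single points:", lockout_single_points("vpn", ITEMS))
```

In this setup the phone alone reaches the email, password manager and social accounts through recovery links, and the bank account falls to the mailbox plus phone with no password at all, while the VPN account has two single points of lockout.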
Field | Value |
---|---|
Original language | English |
Title of host publication | CCS 2019: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | Association for Computing Machinery |
Pages | 1405-1422 |
Number of pages | 18 |
ISBN (Electronic) | 9781450367479 |
Publication status | Published - 6 Nov 2019 |
Event | 26th ACM Conference on Computer and Communications Security 2019 - London, United Kingdom, 11 Nov 2019 → 15 Nov 2019 |
Conference
Field | Value |
---|---|
Conference | 26th ACM Conference on Computer and Communications Security 2019 |
Abbreviated title | ACM CCS 2019 |
Country/Territory | United Kingdom |
City | London |
Period | 11/11/19 → 15/11/19 |
ASJC Scopus subject areas
- Software
- Computer Networks and Communications