Fail-Secure Access Control

Decentralized and distributed access control systems are subject to communication and component failures. These can affect access decisions in surprising and unintended ways, resulting in insecure systems. Existing analysis frameworks however ignore the influence of failure handling in decision making. Thus, it is currently all but impossible to derive security guarantees for systems that may fail. To address this, we present (1) a model in which the attacker can explicitly induce failures, (2) failure-handling idioms, and (3) a method and an associated tool for verifying fail-security requirements, which describe how access control systems should handle failures. To illustrate these contributions, we analyze the consequences of failure handling in the XACML 3 standard and other domains, revealing security flaws.