Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems - Citegraph

Paper Info

Title
Detecting Missing-Permission-Check Vulnerabilities in Distributed Cloud Systems

Abstract
ABSTRACTMissing- Permission-Check (MPC) vulnerability is a type of bug where permission checks are not enforced for privileged operations. MPC vulnerability is prevalent and can cause severe security impacts. This paper proposes the first tool to detect MPC vulnerabilities in distributed cloud systems. We conduct an in-depth study of 95 real-world MPC vulnerabilities and our findings motivate a new tool named MPChecker. The tool introduces a combined log-static analysis to automatically identify privileged operations by inferring variables representing user owned data and critical system states, whose accesses need to be protected. We have evaluated MPChecker with 6 popular distributed systems. The tool reports 44 new vulnerabilities, and 43 of them have been confirmed and labeled as critical bugs. Moreover, 1 bug is particular dangerous and the developers requested to keep it undisclosed.

Year	DOI	Venue
2022	10.1145/3548606.3560589	Computer and Communications Security
DocType	Citations	PageRank
Conference	0	0.34
References	Authors
0	5

Authors (5 rows)

Cited by (0 rows)

References (0 rows)

Name	Order	Citations	PageRank
Jie Lu	1	23	5.89
Haofeng Li	2	1	1.04
Liu Chen	3	25	5.30
Lian Li	4	31	4.24
Kun Cheng	5	0	1.01

1