User Account Access Graphs
dc.contributor.author
Hammann, Sven
dc.contributor.author
Radomirovic, Saša
dc.contributor.author
Sasse, Ralf
dc.contributor.author
Basin, David
dc.contributor.editor
Cavallaro, Lorenzo
dc.contributor.editor
Kinder, Johannes
dc.contributor.editor
Wang, XiaoFeng
dc.contributor.editor
Katz, Jonathan
dc.date.accessioned
2019-11-26T08:27:29Z
dc.date.available
2019-09-20T13:01:27Z
dc.date.available
2019-09-20T13:22:58Z
dc.date.available
2019-09-24T06:33:50Z
dc.date.available
2019-11-26T08:27:29Z
dc.date.issued
2019-11
dc.identifier.isbn
978-1-4503-6747-9/19/11
en_US
dc.identifier.other
10.1145/3319535.3354193
en_US
dc.identifier.uri
http://hdl.handle.net/20.500.11850/365578
dc.identifier.doi
10.3929/ethz-b-000365578
dc.description.abstract
The primary authentication method for a user account is rarely
the only way to access that account. Accounts can often be accessed
through other accounts, using recovery methods, password
managers, or single sign-on. This increases each account’s attack
surface, giving rise to subtle security problems. These problems
cannot be detected by considering each account in isolation, but
require analyzing the links between a user’s accounts. Furthermore,
to accurately assess the security of accounts, the physical world
must also be considered. For example, an attacker with access to a
physical mailbox could obtain credentials sent by post.
Despite the manifest importance of understanding these interrelationships
and the security problems they entail, no prior methods
exist to perform an analysis thereof in a precise way. To address this
need, we introduce account access graphs, the first formalism that
enables a comprehensive modeling and analysis of a user’s entire
setup, incorporating all connections between the user’s accounts,
devices, credentials, keys, and documents. Account access graphs
support systematically identifying both security vulnerabilities and
lockout risks in a user’s accounts. We give analysis algorithms and
illustrate their effectiveness in a case study, where we automatically
detect significant weaknesses in a user’s setup and suggest
improvement options.
en_US
dc.format
application/pdf
en_US
dc.language.iso
en
en_US
dc.publisher
Association for Computing Machinery
dc.rights.uri
http://rightsstatements.org/page/InC-NC/1.0/
dc.subject
Security
en_US
dc.subject
Formal Security Model
en_US
dc.subject
Authentication
en_US
dc.title
User Account Access Graphs
en_US
dc.type
Conference Paper
dc.rights.license
In Copyright - Non-Commercial Use Permitted
dc.date.published
2019-11-06
ethz.book.title
CCS '19 Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
en_US
ethz.pages.start
1405
en_US
ethz.pages.end
1422
en_US
ethz.size
18 p. accepted version
en_US
ethz.version.deposit
acceptedVersion
en_US
ethz.event
26th ACM Conference on Computer and Communications Security (CCS 2019)
en_US
ethz.event.location
London, United Kingdom
ethz.event.date
November 11-15, 2019
en_US
ethz.identifier.wos
ethz.identifier.scopus
ethz.publication.place
New York, NY
ethz.publication.status
published
en_US
ethz.leitzahl
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03634 - Basin, David / Basin, David
en_US
ethz.leitzahl.certified
ETH Zürich::00002 - ETH Zürich::00012 - Lehre und Forschung::00007 - Departemente::02150 - Dep. Informatik / Dep. of Computer Science::02660 - Institut für Informationssicherheit / Institute of Information Security::03634 - Basin, David / Basin, David
en_US
ethz.date.deposited
2019-09-20T13:01:36Z
ethz.source
FORM
ethz.eth
yes
en_US
ethz.availability
Open access
en_US
ethz.rosetta.installDate
2019-11-26T08:27:44Z
ethz.rosetta.lastUpdated
2024-02-02T09:53:56Z
ethz.rosetta.versionExported
true