Generating access control policies using static analysis

    Publication number: US11736525B1

    Publication date: 2023-08-22

    Application number: US16904467

    Filing date: 2020-06-17

    Abstract: Methods, systems, and computer-readable media for generating access control policies using static analysis are disclosed. An access control policy generator performs static analysis of the program code of a software product. The static analysis identifies one or more calls to one or more external components in the program code. The access control policy generator determines a mapping of the one or more calls to one or more actions. The one or more actions are selected from a plurality of known actions supported by an access control policy manager. The access control policy generator generates an access control policy associated with the software product. The access control policy comprises one or more permissions with respect to the one or more external components. The access control policy permits the software product to access the one or more external components through the access control policy manager during execution of the software product.

    ANALYSIS OF ROLE REACHABILITY USING POLICY COMPLEMENTS

    Publication number: US20220191206A1

    Publication date: 2022-06-16

    Application number: US17119868

    Filing date: 2020-12-11

    Abstract: Methods, systems, and computer-readable media for analysis of role reachability using policy complements are disclosed. An access control analyzer determines two nodes in a graph that potentially have a common edge. The nodes correspond to roles in a provider network, and the roles are associated with first and second access control policies that grant or deny access to resources. The access control analyzer performs a role reachability analysis that determines whether the first role can assume the second role for a particular state of one or more key-value tags. The role reachability analysis determines a third access control policy authorizing a negation of a role assumption request for the second role. The role reachability analysis performs analysis of the third access control policy with respect to a role assumption policy for the second role for the particular state of the one or more key-value tags.

    Analyzing web service frontends to extract security-relevant behavior information

    Publication number: US11509730B1

    Publication date: 2022-11-22

    Application number: US17119238

    Filing date: 2020-12-11

    Abstract: Techniques are described for generating a specification of security-relevant behavior associated with web services of a cloud provider network. Source code or software development artifacts associated with an implementation of a web service are obtained, where the source code or software development artifacts include an implementation of a request handler for an action of the service. The request handler includes a request authorization component, e.g., one that may interact with an identity and access management service of the cloud provider network to authenticate and authorize requests and may further rely upon one or more authorization contexts included in the requests received by the request handler. An interprocedural data flow analyzer is used to analyze a model representation of the bytecode to identify and generate specifications of the authorization patterns associated with the request handler.

    Generating access management policies from example requests

    Publication number: US11483353B1

    Publication date: 2022-10-25

    Application number: US17112849

    Filing date: 2020-12-04

    Abstract: Access management policies may be generated from example requests. An access management policy may be received. One or more example requests that have expected results when evaluated against the access management policy may be received. Updates to the access management policy may be determined that cause the expected results to occur when a new version of the access management policy, based on the updates, is enforced. The new version of the access management policy may then be generated from the updates.
