Automatically Tightening Access Control Policies with Restricter

• URL: http://arxiv.org/abs/2601.14582v2
• Date: Thu, 22 Jan 2026 03:16:34 GMT
• Title: Automatically Tightening Access Control Policies with Restricter
• Authors: Ka Lok Wu, Christa Jenkins, Scott D. Stoller, Omar Chowdhury,
• Abstract summary: We propose Restricter, which automatically tightens each (permit) policy rule of a policy with respect to an access log.<n>Restricter achieves policy tightening by reducing the number of access requests permitted by a policy rule without sacrificing the functionality of the underlying system it is regulating.
• Score: 5.162447714074593
• License: http://creativecommons.org/licenses/by-nc-nd/4.0/
• Abstract: Robust access control is a cornerstone of secure software, systems, and networks. An access control mechanism is as effective as the policy it enforces. However, authoring effective policies that satisfy desired properties such as the principle of least privilege is a challenging task even for experienced administrators, as evidenced by many real instances of policy misconfiguration. In this paper, we set out to address this pain point by proposing Restricter, which automatically tightens each (permit) policy rule of a policy with respect to an access log, which captures some already exercised access requests and their corresponding access decisions (i.e., allow or deny). Restricter achieves policy tightening by reducing the number of access requests permitted by a policy rule without sacrificing the functionality of the underlying system it is regulating. We implement Restricter for Amazon's Cedar policy language and demonstrate its effectiveness through two realistic case studies.

Related papers

• Customize Multi-modal RAI Guardrails with Precedent-based predictions [55.63757336900865]
  A multi-modal guardrail must effectively filter image content based on user-defined policies.<n>Existing fine-tuning methods typically condition predictions on pre-defined policies.<n>We propose to condition model's judgment on "precedents", which are the reasoning processes of prior data points similar to the given input.
  arXiv  Detail & Related papers  (2025-07-28T03:45:34Z)
• MFAz: Historical Access Based Multi-Factor Authorization [2.729532849571912]
  Session hijacking-based attacks pose serious security concerns.<n>Traditional access control mechanisms are insufficient to prevent session hijacking or other advanced exploitation techniques.<n>We propose a new multi-factor authorization scheme that proactively mitigates unauthorized access attempts.
  arXiv  Detail & Related papers  (2025-07-21T20:54:04Z)
• Synthesizing Access Control Policies using Large Language Models [0.5762345156477738]
  Cloud compute systems allow administrators to write access control policies that govern access to private data.<n>While policies are written in convenient languages, such as AWS Identity and Access Management Policy Language, manually written policies often become complex and error prone.<n>In this paper, we investigate whether and how well Large Language Models (LLMs) can be used to synthesize access control policies.
  arXiv  Detail & Related papers  (2025-03-14T16:40:25Z)
• Residual Policy Gradient: A Reward View of KL-regularized Objective [48.39829592175419]
  Reinforcement Learning and Imitation Learning have achieved widespread success in many domains but remain constrained during real-world deployment.<n>Policy customization has been introduced, aiming to adapt a prior policy while preserving its inherent properties and meeting new task-specific requirements.<n>A principled approach to policy customization is Residual Q-Learning (RQL), which formulates the problem as a Markov Decision Process (MDP) and derives a family of value-based learning algorithms.<n>We introduce Residual Policy Gradient (RPG), which extends RQL to policy gradient methods, allowing policy customization in gradient-based RL settings.
  arXiv  Detail & Related papers  (2025-03-14T02:30:13Z)
• Extracting Database Access-control Policies From Web Applications [5.193592261722995]
  It is difficult for humans to discern what policy is embedded in application code and what data the application may access.<n>This paper tackles policy extraction: the task of extracting the access-control policy embedded in an application by summarizing its data queries.<n>We introduce Ote, a policy extractor for Ruby-on-Rails web applications.
  arXiv  Detail & Related papers  (2024-11-18T08:58:11Z)
• SoK: Access Control Policy Generation from High-level Natural Language Requirements [1.3505077405741583]
  Administrator-centered access control failures can cause data breaches, putting organizations at risk of financial loss and reputation damage. Existing graphical policy configuration tools and automated policy generation frameworks attempt to help administrators configure and generate access control policies by avoiding such failures. However, graphical policy configuration tools are prone to human errors, making them unusable. On the other hand, automated policy generation frameworks are prone to erroneous predictions, making them unreliable.
  arXiv  Detail & Related papers  (2023-10-05T03:45:20Z)
• Sparsity-Aware Intelligent Massive Random Access Control in Open RAN: A Reinforcement Learning Based Approach [61.74489383629319]
  Massive random access of devices in the emerging Open Radio Access Network (O-RAN) brings great challenge to the access control and management. reinforcement-learning (RL)-assisted scheme of closed-loop access control is proposed to preserve sparsity of access requests. Deep-RL-assisted SAUD is proposed to resolve highly complex environments with continuous and high-dimensional state and action spaces.
  arXiv  Detail & Related papers  (2023-03-05T12:25:49Z)
• Memory-Constrained Policy Optimization [59.63021433336966]
  We introduce a new constrained optimization method for policy gradient reinforcement learning. We form a second trust region through the construction of another virtual policy that represents a wide range of past policies. We then enforce the new policy to stay closer to the virtual policy, which is beneficial in case the old policy performs badly.
  arXiv  Detail & Related papers  (2022-04-20T08:50:23Z)
• An Automatic Attribute Based Access Control Policy Extraction from Access Logs [5.142415132534397]
  An attribute-based access control (ABAC) model provides a more flexible approach for addressing the authorization needs of complex and dynamic systems. We present a methodology for automatically learning ABAC policy rules from access logs of a system to simplify the policy development process.
  arXiv  Detail & Related papers  (2020-03-16T15:08:54Z)
• Policy Evaluation Networks [50.53250641051648]
  We introduce a scalable, differentiable fingerprinting mechanism that retains essential policy information in a concise embedding. Our empirical results demonstrate that combining these three elements can produce policies that outperform those that generated the training data.
  arXiv  Detail & Related papers  (2020-02-26T23:00:27Z)
• Preventing Imitation Learning with Adversarial Policy Ensembles [79.81807680370677]
  Imitation learning can reproduce policies by observing experts, which poses a problem regarding policy privacy. How can we protect against external observers cloning our proprietary policies? We introduce a new reinforcement learning framework, where we train an ensemble of near-optimal policies.
  arXiv  Detail & Related papers  (2020-01-31T01:57:16Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.