
Two Stony Brook University computer science professors have received a prestigious Amazon Research Award for their work on Restricter, a groundbreaking automated reasoning and synthesis tool that automatically strengthens security policies written in Amazon's Cedar policy language. Associate Professor Omar Haider Chowdhury and Professor Scott Stoller are among only 73 global recipients honored in the Fall 2024 cycle, receiving $80,000 to advance their cybersecurity research.
Restricter addresses a critical challenge in modern cybersecurity: ensuring that developers grant users only the permissions they need, a fundamental rule known as the principle of least privilege. Authoring these security policies by hand is time-consuming and error-prone even for experts, and often results in overly permissive policies that attackers can exploit to circumvent security mechanisms. Restricter analyzes an application's existing Cedar policy and its usage logs to automatically generate clear, human-readable policy suggestions. These suggestions help administrators eliminate excess permissions and strengthen the system’s overall security posture.

"We're thrilled to see Amazon recognize the importance of automated security policy strengthening," said Dr. Chowdhury. "Restricter represents a significant step forward in making robust cybersecurity accessible to organizations of all sizes, removing the complexity barrier that often impedes the proper implementation of least privilege principles."
The Amazon Research Awards program provides recipients with access to more than 700 public datasets, expert consultations, advanced training resources, and opportunities to participate in Amazon's research community. "This partnership with Amazon will accelerate our ability to test and refine Restricter in real-world environments," noted Professor Stoller, whose expertise spans cybersecurity, cyber-physical systems, distributed systems, and formal verification. "The AWS infrastructure and datasets will be invaluable for scaling our solution to handle enterprise-level security challenges."
Restricter supports both role-based access control (RBAC) and attribute-based access control (ABAC), making it a versatile solution for organizations with diverse security requirements. Companies using Cedar—including those leveraging AWS Verified Permissions—will be able to use Restricter to accelerate policy deployment, reduce human error, and ensure compliance with security best practices. Initial testing demonstrates that Restricter effectively identifies over-privileges and proposes automated corrections for eliminating dangerous permission overreach.
"This achievement exemplifies our department's commitment to developing practical security solutions that address real-world challenges," said Professor and Chair of the Department of Computer Science Samir Das. "Omar and Scott's innovative work on automated policy strengthening will have far-reaching implications for how organizations approach cybersecurity, making advanced protection accessible to companies that previously lacked the specialized expertise needed for proper implementation."
The research team plans to integrate Restricter into open-source Cedar development tools later this year in collaboration with the Cedar development team at Amazon Web Services (AWS). As cyber threats become increasingly sophisticated, automated tools like Restricter provide essential capabilities for maintaining robust, scalable security architectures without compromising development velocity.