Creeper: a tool for detecting permission creep in file system access controls

Simon Parkinson, Saad Khan, James Bray, Daiyaan Shreef

Research output: Contribution to journal › Article

Abstract

Access control mechanisms are widely used in multi-user IT systems where it is necessary to restrict access to computing resources. This is certainly true of file systems, where information needs to be protected against unintended access. User permissions often evolve over time, and changes are often made in an ad hoc manner that does not follow any rigorous process. This is largely because the structure of the implemented permissions is often determined by experts during initial system configuration, and documentation is rarely created. Furthermore, permissions are often not audited because of the volume of information, the requirement for expert knowledge, and the time required to perform manual analysis. This paper presents a novel, unsupervised technique whereby a statistical analysis method is developed and applied to detect instances of permission creep. The system (herein referred to as Creeper) has initially been developed for Microsoft systems; however, it is easily extensible and can be applied to other access control systems. Experimental analysis has demonstrated good performance and applicability on synthetic file system permissions with an average accuracy of 96%. Empirical analysis is subsequently performed on five real-world systems, where an average accuracy of 98% is established.
Original language: English
Article number: 14
Pages (from-to): 1-14
Number of pages: 14
Journal: Cybersecurity
Volume: 2
DOI: 10.1186/s42400-019-0031-1
Publication status: Published - 15 Apr 2019

Fingerprint

Access control
Creep
Statistical methods
Information systems
Control systems

Cite this

@article{6779355d62d14499bf1e1ef9b5ecc56f,
title = "Creeper: a tool for detecting permission creep in file system access controls",
abstract = "Access control mechanisms are widely used in multi-user IT systems where it is necessary to restrict access to computing resources. This is certainly true of file systems, where information needs to be protected against unintended access. User permissions often evolve over time, and changes are often made in an ad hoc manner that does not follow any rigorous process. This is largely because the structure of the implemented permissions is often determined by experts during initial system configuration, and documentation is rarely created. Furthermore, permissions are often not audited because of the volume of information, the requirement for expert knowledge, and the time required to perform manual analysis. This paper presents a novel, unsupervised technique whereby a statistical analysis method is developed and applied to detect instances of permission creep. The system (herein referred to as Creeper) has initially been developed for Microsoft systems; however, it is easily extensible and can be applied to other access control systems. Experimental analysis has demonstrated good performance and applicability on synthetic file system permissions with an average accuracy of 96{\%}. Empirical analysis is subsequently performed on five real-world systems, where an average accuracy of 98{\%} is established.",
keywords = "Permission creep, Access control, Auditing, χ2 statistics",
author = "Simon Parkinson and Saad Khan and James Bray and Daiyaan Shreef",
year = "2019",
month = "4",
day = "15",
doi = "10.1186/s42400-019-0031-1",
language = "English",
volume = "2",
pages = "1--14",
journal = "Cybersecurity",
issn = "2523-3246",
publisher = "SpringerOpen",
number = "14",
}
