Creeper: a tool for detecting permission creep in file system access controls

Simon Parkinson, Saad Khan, James Bray, Daiyaan Shreef

Research output: Contribution to journalArticle

Abstract

Access control mechanisms are widely used in multi-user IT systems where it is necessary to restrict access to computing resources. This is certainly true of file systems whereby information needs to be protected against unintended access. User permissions often evolve over time, and changes are often made in an ad hoc manner and do not follow any rigorous process. This is largely due to the fact that the structure of the implemented permissions are often determined by experts during initial system configuration and documentation is rarely created. Furthermore, permissions are often not audited due to the volume of information, the requirement of expert knowledge, and the time required to perform manual analysis. This paper presents a novel, unsupervised technique whereby a statistical analysis technique is developed and applied to detect instances of permission creep. The system (herein refereed to as Creeper) has initially been developed for Microsoft systems; however, it is easily extensible and can be applied to other access control systems. Experimental analysis has demonstrated good performance and applicability on synthetic file system permissions with an average accuracy of 96%. Empirical analysis is subsequently performed on five real-world systems where an average accuracy of 98% is established.
Original languageEnglish
Article number14
Number of pages14
JournalCybersecurity
Volume2
Issue number1
Early online date15 Apr 2019
DOIs
Publication statusPublished - 1 Dec 2019

Fingerprint Dive into the research topics of 'Creeper: a tool for detecting permission creep in file system access controls'. Together they form a unique fingerprint.

Cite this