Abstract
Permissions that are granted but unused, or permission gaps, are needless risks to systems and should be removed expeditiously. More insidiously, granted permissions may not always be revoked when they are no longer required. In practice, identifying permission gaps can be hard since another reference point besides granted permissions is usually unavailable. Therefore, we argue that permission gaps often must be estimated. We propose DeGap, a framework that uses standard system logs as a reference point and a common logic for estimating the gaps in various services. DeGap identified potentially overly relaxed SSH server configurations, incorrect permissions on sensitive files, and dormant user groups. Just discovering permission gaps may be insufficient; administrators need to know how they can be fixed. DeGap can also identify changes to service configurations towards reducing permission gaps.
Keywords
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Beckmann, A.: Debian ‘openvswitch-pki’ Package Multiple Insecure File Permissions Vulnerabilities (August 2012), http://www.securityfocus.com/bid/54789
Beckmann, A.: Debian ‘logol’ Package Insecure File Permissions Vulnerability (August 2012), http://www.securityfocus.com/bid/54802
Beckmann, A.: Debian ‘extplorer’ Package Insecure File Permissions Vulnerability (August 2012), http://www.securityfocus.com/bid/54801/info
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. ACM, New York (2011)
Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 217–228. ACM, New York (2012)
Bartel, A., Klein, J., Monperrus, M., Traon, Y.L.: Automatically securing permission-based software by reducing the attack surface: An application to android. CoRR, abs/1206.5829 (2012)
Johnson, R., Wang, Z., Gagnon, C., Stavrou, A.: Analysis of android applications’ permissions. In: SERE (Companion), pp. 45–46. IEEE (2012)
Molloy, I., Park, Y., Chari, S.: Generative models for access control policies: applications to role mining over logs with attribution. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT 2012, pp. 45–56. ACM, New York (2012)
Bay31. Role designer (2013), http://www.bay31.com/role_designer
Smalley, S., Vance, C., Salamon, W.: Implementing SELinux as a Linux security module. NAI Labs Report #01-043, NAI Labs (December 2001) (revised May 2002)
Bauer, M.: Paranoid penguin: an introduction to novell apparmor. Linux J. 2006(148), 13 (2006)
Farmer, E.H.S.D.: The cops security checker system. In: USENIX Summer Conference, pp. 165–170 (June 1990)
Tiger analytical research assistant (2002), http://www-arc.com/tara/
The Bastille Hardening program: increase security for your OS, http://bastille-linux.sourceforge.net/
Files and file system security (June 2012), http://tldp.org/HOWTO/Security-HOWTO/file-security.html
Cannady, J.H.J.: A comparative analysis of current intrusion detection technologies. Technical report, Georgia Tech Research Institute, Atlanta, GA 30332-0800
Open Source Tripwire (2012), http://sourceforge.net/projects/tripwire/
Lampson, B.W.: Protection. In: Princeton University, pp. 437–443 (1971)
Gerhards, R.: Performance Optimizing Syslog Server (January 2004), http://www.monitorware.com/common/en/articles/performance-optimizing-syslog-server.php
Django: The Web framework for perfectioniss with deadlines (2012), http://www.djangoproject.com
Deshpande, A., Ives, Z., Raman, V.: Adaptive Query Processing 1 (2007)
Sirainen, T.: Dovecot SSL configuration (April 2012), http://wiki2.dovecot.org/SSL/DovecotConfiguration
Olzak, T.: Permissions Creep: The Bane of Tight Access Management (October 2009), http://olzak.wordpress.com/2009/10/01/permissions-creep/
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ng, B.H., Prakash, A. (2013). Let the Right One in: Discovering and Mitigating Permission Gaps. In: Bagchi, A., Ray, I. (eds) Information Systems Security. ICISS 2013. Lecture Notes in Computer Science, vol 8303. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45204-8_23
Download citation
DOI: https://doi.org/10.1007/978-3-642-45204-8_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-45203-1
Online ISBN: 978-3-642-45204-8
eBook Packages: Computer ScienceComputer Science (R0)