DOI: 10.5555/3620237.3620261
Research article

Improving logging to reduce permission over-granting mistakes

Published: 09 August 2023

Abstract

Access-deny issues are hard to fix because they imply both availability and security requirements. On one hand, system administrators (sysadmins) need to make a change quickly to enable legitimate access. On the other hand, sysadmins need to make sure the change does not allow excessive access. Fulfilling the second requirement, on security, is especially challenging because it depends heavily on the sysadmins' knowledge of the system environments and security context. Blind spots in knowledge and system settings may hinder sysadmins from finding solutions that align with the security context. Insecure fixes can over-grant permissions, which may only get noticed after the security vulnerability is exploited.
This paper aims to help sysadmins reduce blind spots in diagnosis by providing multiple directions to resolve access-deny issues. We propose a system, called Multiview, that automatically mutates the configurations to explore possible directions to fix the access-deny issue and lets the configuration changes in each direction grant as few permissions as possible. Multiview provides a detailed diagnosis report, including access-control configurations that are related to the denial, possible configuration changes in different directions to allow the request, as well as the impact on the access-control state of the entire system.
We conducted a user study to evaluate Multiview with 20 participants on five real-world access-deny issues. Multiview can reduce the percentage of insecure fixes from 44.0% to 2.0% and reduce the diagnosis time by 62.0% on average. We also evaluated Multiview on 112 real-world failure cases from eight different systems and server applications, and it can successfully diagnose 89 of them. Multiview accurately identifies the failure-causing configurations and provides possible directions for each access-deny issue within one minute.
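The idea in the abstract (mutate the configuration, keep the mutations that allow the denied request, and report what else each one grants) can be illustrated on a toy POSIX permission model. This is an added example, not Multiview's implementation or code from the paper; the users, paths, modes, and the function names are constructed for illustration, and it assumes each user has a group named after them.

```python
from itertools import product

# Constructed toy state (not from the paper): user -> groups, path -> (owner, group, mode).
USERS = {"alice": {"alice"}, "bob": {"staff"}, "carol": {"staff"}, "www-data": {"www-data"}}
FILES = {
    "/home": ("root", "root", 0o755),
    "/home/alice": ("alice", "alice", 0o750),
    "/home/alice/site": ("alice", "alice", 0o755),
    "/home/alice/site/index.html": ("alice", "alice", 0o644),
    "/home/alice/notes.txt": ("alice", "alice", 0o640),
}

def bits(user, groups, meta):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    owner, group, mode = meta
    shift = 6 if user == owner else 3 if group in groups else 0
    return (mode >> shift) & 7

def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

def can_read(users, files, user, path):
    # Every ancestor directory needs search (x); the target needs read (r).
    if any(not bits(user, users[user], files[d]) & 1 for d in ancestors(path)):
        return False
    return bool(bits(user, users[user], files[path]) & 4)

def granted(users, files):
    """Access-control state: every (user, path) read pair currently allowed."""
    return {(u, p) for u, p in product(users, files) if can_read(users, files, u, p)}

def fix_directions(users, files, user, path):
    """Try single-change mutations; keep those that allow the request, least impact first."""
    base, out = granted(users, files), {}
    for p in ancestors(path) + [path]:
        owner, group, mode = files[p]
        need, flag = (4, "r") if p == path else (1, "x")
        cands = {
            f"chmod o+{flag} {p}": (users, {**files, p: (owner, group, mode | need)}),
            f"chgrp {user} {p}": (users, {**files, p: (owner, user, mode)}),  # assumes group named after user
            f"usermod -aG {group} {user}": ({**users, user: users[user] | {group}}, files),
        }
        for desc, (u2, f2) in cands.items():
            if can_read(u2, f2, user, path):
                out[desc] = granted(u2, f2) - base - {(user, path)}  # extra grants only
    return sorted(out.items(), key=lambda kv: len(kv[1]))

REPORT = fix_directions(USERS, FILES, "www-data", "/home/alice/site/index.html")
```

Each entry in `REPORT` pairs a candidate change with the read accesses it grants beyond the requested one, so the familiar `chmod o+x` on the home directory ranks last because it opens the site to every local user.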

Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN: 978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
