Skip to main content
SpringerLink
Log in

Let the Right One in: Discovering and Mitigating Permission Gaps

  • Conference paper
Information Systems Security (ICISS 2013)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8303))

Included in the following conference series:

  • 1010 Accesses

Abstract

Permissions that are granted but unused, or permission gaps, are needless risks to systems and should be removed expeditiously. More insidiously, granted permissions may not always be revoked when they are no longer required. In practice, identifying permission gaps can be hard since another reference point besides granted permissions is usually unavailable. Therefore, we argue that permission gaps often must be estimated. We propose DeGap, a framework that uses standard system logs as a reference point and a common logic for estimating the gaps in various services. DeGap identified potentially overly relaxed SSH server configurations, incorrect permissions on sensitive files, and dormant user groups. Just discovering permission gaps may be insufficient; administrators need to know how they can be fixed. DeGap can also identify changes to service configurations towards reducing permission gaps.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Beckmann, A.: Debian ‘openvswitch-pki’ Package Multiple Insecure File Permissions Vulnerabilities (August 2012), http://www.securityfocus.com/bid/54789

  2. Beckmann, A.: Debian ‘logol’ Package Insecure File Permissions Vulnerability (August 2012), http://www.securityfocus.com/bid/54802

  3. Beckmann, A.: Debian ‘extplorer’ Package Insecure File Permissions Vulnerability (August 2012), http://www.securityfocus.com/bid/54801/info

  4. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. ACM, New York (2011)

    Google Scholar 

  5. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 217–228. ACM, New York (2012)

    Google Scholar 

  6. Bartel, A., Klein, J., Monperrus, M., Traon, Y.L.: Automatically securing permission-based software by reducing the attack surface: An application to android. CoRR, abs/1206.5829 (2012)

    Google Scholar 

  7. Johnson, R., Wang, Z., Gagnon, C., Stavrou, A.: Analysis of android applications’ permissions. In: SERE (Companion), pp. 45–46. IEEE (2012)

    Google Scholar 

  8. Molloy, I., Park, Y., Chari, S.: Generative models for access control policies: applications to role mining over logs with attribution. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, SACMAT 2012, pp. 45–56. ACM, New York (2012)

    Google Scholar 

  9. Bay31. Role designer (2013), http://www.bay31.com/role_designer

  10. Smalley, S., Vance, C., Salamon, W.: Implementing SELinux as a Linux security module. NAI Labs Report #01-043, NAI Labs (December 2001) (revised May 2002)

    Google Scholar 

  11. Bauer, M.: Paranoid penguin: an introduction to novell apparmor. Linux J. 2006(148), 13 (2006)

    Google Scholar 

  12. Farmer, E.H.S.D.: The cops security checker system. In: USENIX Summer Conference, pp. 165–170 (June 1990)

    Google Scholar 

  13. Tiger analytical research assistant (2002), http://www-arc.com/tara/

  14. The Bastille Hardening program: increase security for your OS, http://bastille-linux.sourceforge.net/

  15. Files and file system security (June 2012), http://tldp.org/HOWTO/Security-HOWTO/file-security.html

  16. Cannady, J.H.J.: A comparative analysis of current intrusion detection technologies. Technical report, Georgia Tech Research Institute, Atlanta, GA 30332-0800

    Google Scholar 

  17. Open Source Tripwire (2012), http://sourceforge.net/projects/tripwire/

  18. Lampson, B.W.: Protection. In: Princeton University, pp. 437–443 (1971)

    Google Scholar 

  19. Gerhards, R.: Performance Optimizing Syslog Server (January 2004), http://www.monitorware.com/common/en/articles/performance-optimizing-syslog-server.php

  20. Django: The Web framework for perfectioniss with deadlines (2012), http://www.djangoproject.com

  21. Deshpande, A., Ives, Z., Raman, V.: Adaptive Query Processing 1 (2007)

    Google Scholar 

  22. Sirainen, T.: Dovecot SSL configuration (April 2012), http://wiki2.dovecot.org/SSL/DovecotConfiguration

  23. Olzak, T.: Permissions Creep: The Bane of Tight Access Management (October 2009), http://olzak.wordpress.com/2009/10/01/permissions-creep/

Download references

Author information

Authors and Affiliations

  1. University of Michigan, Ann Arbor, MI, 48105, USA

    Beng Heng Ng & Atul Prakash

Authors
  1. Beng Heng Ng
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Atul Prakash
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Electronics & Communication Sciences Unit, Indian Statistical Institute, 203, B. T. Road, 700108, Kolkata, India

    Aditya Bagchi

  2. Computer Science Department, Colorado State University, 1873 Campus Delivery, 80523, Fort Collins, CO, USA

    Indrakshi Ray

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ng, B.H., Prakash, A. (2013). Let the Right One in: Discovering and Mitigating Permission Gaps. In: Bagchi, A., Ray, I. (eds) Information Systems Security. ICISS 2013. Lecture Notes in Computer Science, vol 8303. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-45204-8_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-45204-8_23

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-45203-1

  • Online ISBN: 978-3-642-45204-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation