Quals research talk: XRAY: Reasoning about file permission security
Have you ever wondered if the file permissions on a directory were
correct? Have you worried that you were allowing too much access or
too little? You’re not alone. File permissions are both difficult for
humans to reason about and important to cybersecurity practitioners.
File permission errors can reveal sensitive information, including
private education, medical and defense data. We present XRAY, a
system to find errors in systems with Unix-style file permissions.
XRAY uses a constraint-based approach coupled with an expressive domain-specific language and visualization to find file permission errors. XRAY represents permissions as a set of constraints allowing an action at a location in the file system. This representation allows efficient answers to questions about who can perform an action and where they can do so across an entire file system. XRAY provides the user with an expressive domain-specific language for stating security properties of a file system, in part or as a whole. XRAY finds examples where properties hold and counterexamples showing violations. We present the results of three case studies employing XRAY for finding file permission errors and detail the future work for this system.
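The kind of question the abstract describes (who can perform an action, where, and which counterexamples break a stated property) can be illustrated with a small model. This is an added example, not XRAY's code or its DSL: the tree, users, and function names are constructed, and the model is simplified to owner/group/other bits with no root bypass, ACLs, or capabilities.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int            # permission bits, e.g. 0o750
    is_dir: bool = False

# Constructed sample tree (not from the talk): path -> metadata.
FS = {
    "/": Node("root", "root", 0o755, True),
    "/srv": Node("root", "root", 0o755, True),
    "/srv/records": Node("alice", "staff", 0o750, True),
    "/srv/records/grades.csv": Node("alice", "staff", 0o644),
    "/srv/public": Node("alice", "staff", 0o755, True),
    "/srv/public/export.csv": Node("alice", "staff", 0o644),
    "/srv/public/draft.txt": Node("bob", "staff", 0o060),
}
USERS = {"alice": {"staff"}, "bob": {"staff"}, "mallory": {"guest"}}  # user -> groups
R, X = 4, 1

def allowed(user, node, bit):
    """The first matching class decides: owner, then group, then other."""
    if user == node.owner:
        shift = 6
    elif node.group in USERS[user]:
        shift = 3
    else:
        shift = 0
    return bool((node.mode >> shift) & bit)

def ancestors(path):
    """Yield every directory that must be traversed to reach path."""
    parts = path.strip("/").split("/")
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])

def can_read(user, path):
    """Read needs search (x) on each ancestor directory and r on the file."""
    return (all(allowed(user, FS[d], X) for d in ancestors(path))
            and allowed(user, FS[path], R))

def violations(prefix, group):
    """Counterexamples to: only members of group can read files under prefix."""
    return sorted((u, p) for p, n in FS.items()
                  if not n.is_dir and p.startswith(prefix + "/")
                  for u in USERS
                  if group not in USERS[u] and can_read(u, p))
```

The file `grades.csv` is world-readable by its own mode but protected by its parent directory, while `export.csv` with the same mode is exposed; `draft.txt` shows the owner being denied even though the group is allowed.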