Baaz: Finding Misconfigurations in Access Control
Tathagata Das, Ranjita Bhagwan, Prasad Naldurg

Date posted: 22-Dec-2015

Transcript
Page 1: Baaz Finding Misconfigurations in Access Control Tathagata Das, Ranjita Bhagwan, Prasad Naldurg.

Baaz: Finding Misconfigurations in Access Control

Tathagata Das, Ranjita Bhagwan, Prasad Naldurg

Page 2

Access Control in the Enterprise

(Diagram: the enterprise's File Shares and the departments holding permissions on them: Human Resources, Finance, Facilities, IT Support.)

Page 3

Insider Threats: A motivating scenario

• For any security incident, there is a 69% chance that the culprit was an insider (The Global State of Information Security, PricewaterhouseCoopers survey, 2007)

• In many organizations, up to 90% of the employees have more permissions than they are entitled to (Information Risk in the Professional, Dartmouth College and Tuck School of Business at Dartmouth)

• How do employees end up with so many extra permissions? Is managing access permissions so hard?

Page 4

Managing Access Permissions

                              Ideally...               In practice...
Security Group (SG)           Exists for every role    Does not exist for every role
Shared Resource Permissions   Using SGs only           May not be via SGs; exceptions present
Security Policy               Well documented          Usually not well documented

Page 5

Access Control in the Enterprise

(Diagram: the same File Shares and departments as on Page 2, with Baaz added to the picture as the auditing component.)

Page 6

Design Goals for Baaz

• Prevention rather than forensics
– Baaz is an auditing tool that periodically scans access control permissions to find potential misconfigurations

• No assumption of a documented security policy
– Rather than checking for “incorrect” access control, Baaz checks for “inconsistent” access permissions

• High performance
– Baaz uses fast algorithms that scale to thousands of users and millions of resources

Page 7

Outline

• Motivation and Goals
– Insider Threats: A motivating scenario
– Managing Access Permissions
– Design Goals

• Design & Algorithms
– Matrix Reduction
– Group Mapping

• Implementation & Results

• Summary

Page 8

Misconfigurations

(Diagram: user Bob and two resources, A and B.)

Security Misconfiguration: Bob has access to data he should not.

Accessibility Misconfiguration: Bob does not have access to data he should.

Page 9

Baaz: Design

Subject & Reference Datasets
• Subject Dataset: the dataset in which we want to find misconfigurations
• Reference Dataset: the dataset used as a proxy for the security policy when checking the consistency of the Subject Dataset
• Any data source that can be represented as a binary matrix can be used as a Subject/Reference Dataset

(Diagram: Subject datasets (Shared Files, Databases) and a Reference dataset (Organizational Groups) feed Baaz, whose pipeline is Object Clustering, then Matrix Reduction, then Group Mapping; the output is Misconfiguration Candidates in the Subject Dataset.)

Relation Matrix
• Binary matrix defining a relation between users and objects
• Shared Files: Users × Files, relation = permissions
• Org. Groups: Users × Groups, relation = group memberships

Example relation matrix (users A–E, objects 1–9):

     1 2 3 4 5 6 7 8 9
  A  0 0 0 0 0 0 0 1 1
  B  0 0 1 1 1 1 0 1 1
  C  0 0 1 1 1 1 0 1 0
  D  0 0 1 1 1 0 0 0 0
  E  0 0 0 0 0 0 0 0 0

Page 10

Baaz: Algorithm

Focus of this presentation
• Matrix Reduction
• Group Mapping

(Diagram: the Subject Relation Matrix passes through Object Clustering and Matrix Reduction to yield Summary Statements; the Reference Relation Matrix is reduced to Reference Groups; Group Mapping combines the two and outputs Misconfig Candidates. The example matrix shown is the one on Page 9.)

Page 11

Sample Datasets

• A – H: Users
• 1 – 13: Resources (shared folders, databases, etc.)
• W – Z: Groups (org. hierarchy, security groups, etc.)

Subject Relation Matrix (users A–H × resources 1–13). The zero entries were lost in extraction; the matrix is rebuilt here from the Summary Statements on Page 12. Each of A, B, C and D holds one further permission in column 8 or 13 whose exact position cannot be recovered; those entries are marked ?:

     1 2 3 4 5 6 7 8 9 10 11 12 13
  A  0 0 0 0 0 0 0 ? 1  1  1  1  ?
  B  0 0 0 0 0 0 0 ? 1  1  1  1  ?
  C  1 1 1 1 1 1 1 ? 1  1  1  1  ?
  D  1 1 1 1 1 1 1 ? 1  1  1  1  ?
  E  1 1 1 1 1 1 1 0 0  0  0  0  0
  F  1 1 1 1 1 1 1 0 0  0  0  0  0
  G  1 1 1 1 1 1 1 0 0  0  0  0  0
  H  1 1 1 1 1 0 0 0 0  0  0  0  0

Reference Relation Matrix (users A–H × groups W–Z; rebuilt from the Reference Groups on Page 12):

     W X Y Z
  A  1 0 1 0
  B  1 0 1 0
  C  1 1 1 1
  D  0 1 0 1
  E  0 1 0 0
  F  0 1 0 0
  G  0 1 0 0
  H  0 1 0 0

Page 12

Matrix Reduction

(The Subject and Reference Relation Matrices are those shown on Page 11.)

Reference Groups (from the Reference Relation Matrix)
G1: {C,D,E,F,G,H} {X}
G2: {A,B,C} {W,Y}
G3: {C,D} {Z}

Summary Statements (from the Subject Relation Matrix)
S1: {C,D,E,F,G,H} {1, 2, 3, 4, 5}
S2: {C,D,E,F,G} {6, 7}
S3: {A,B,C,D} {9, 10, 11, 12}

Page 13

Group Mapping

Reference Groups
G1: {C,D,E,F,G,H} {X}
G2: {A,B,C} {W,Y}
G3: {C,D} {Z}

Summary Statements
S1: {C,D,E,F,G,H} {1, 2, 3, 4, 5}
S2: {C,D,E,F,G} {6, 7}
S3: {A,B,C,D} {9, 10, 11, 12}

Mapped Groups
S1: {C,D,E,F,G,H} = G1

Page 14

Group Mapping (Reference Groups and Summary Statements as on Page 13)

Mapped Groups
S1: {C,D,E,F,G,H} = G1
S2: {C,D,E,F,G} = G1 – {H}

Other ways to express S2 in terms of the reference groups: G2 – {A,B} + {D,E,F,G}, or G3 + {E,F,G}. G1 – {H} has the fewest exceptions.

Page 15

Group Mapping (Reference Groups and Summary Statements as on Page 13)

Mapped Groups
S1: {C,D,E,F,G,H} = G1
S2: {C,D,E,F,G} = G1 – {H}
S3: {A,B,C,D} = G2 + {D}

Other ways to express S3: G1 – {E,F,G,H} + {A,B}, or G3 + {A,B}. G2 + {D} has the fewest exceptions.

Page 16

Group Mapping

• Can be generalized to multiple groups being mapped to a set of users

• ‘Set cover’-like algorithm to find the mapping
– Allows for incomplete/approximate covers
– Minimum Description Length for selecting the best cover
– Greedy version used for fast results
– Details in the paper

(Diagram: a set of users covered by two reference groups, Team X and Team Y.)

Page 17

Misconfigurations

S3: {A,B,C,D} = G2 + {D}
Group G2 covers A, B, C. D has access to objects 9–12 without being in G2: Security Misconfiguration Candidate.

S2: {C,D,E,F,G} = G1 – {H}
Group G1 covers C, D, E, F, G, H. H is in G1 but lacks access to objects 6 and 7: Accessibility Misconfiguration Candidate.
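The reduction, mapping and classification steps of Pages 12 to 17, as an added Python example that is not part of the slides or of the Baaz implementation. It takes the deck's running example as constructed input (the subject matrix omits columns 8 and 13, whose entries are not recoverable from this transcript), clusters objects with identical user sets to obtain summary statements and reference groups, maps each statement onto the groups with a greedy set-cover search whose description length is groups used plus users added plus users removed, and reports added users as security candidates and removed users as accessibility candidates. The cost function, the stopping rule and the tie-breaking are assumptions made here; the paper's exact MDL formulation may differ.

```python
"""Added example: Baaz-style matrix reduction and greedy group mapping run
on the slide deck's running example (constructed data, not Baaz's own code)."""

# Subject relation matrix as user -> resources. Columns 8 and 13 of the
# slide's matrix are omitted because their entries are not recoverable.
SUBJECT = {
    "A": {9, 10, 11, 12},
    "B": {9, 10, 11, 12},
    "C": {1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12},
    "D": {1, 2, 3, 4, 5, 6, 7, 9, 10, 11, 12},
    "E": {1, 2, 3, 4, 5, 6, 7},
    "F": {1, 2, 3, 4, 5, 6, 7},
    "G": {1, 2, 3, 4, 5, 6, 7},
    "H": {1, 2, 3, 4, 5},
}
# Reference relation matrix as user -> groups (org hierarchy, email lists).
REFERENCE = {
    "A": {"W", "Y"}, "B": {"W", "Y"}, "C": {"W", "X", "Y", "Z"},
    "D": {"X", "Z"}, "E": {"X"}, "F": {"X"}, "G": {"X"}, "H": {"X"},
}


def reduce_matrix(relation):
    """Matrix reduction: one pass over the user x object relation, clustering
    objects whose user sets are identical. Each cluster is one summary
    statement (users, objects); largest user set first."""
    users_of = {}
    for user, objs in relation.items():
        for obj in objs:
            users_of.setdefault(obj, set()).add(user)
    clusters = {}
    for obj, users in users_of.items():
        clusters.setdefault(frozenset(users), set()).add(obj)
    stmts = [(users, frozenset(objs)) for users, objs in clusters.items()]
    stmts.sort(key=lambda s: (-len(s[0]), sorted(map(str, s[1]))))
    return stmts


def map_group(target, groups):
    """Greedy set-cover-like mapping of a user set onto reference groups.
    Description length (assumed cost) = groups used + users added + users
    removed; a group is taken only while it shortens the description.
    Returns (group names, added users, removed users)."""
    chosen, covered = [], set()
    best_cost = len(target)            # baseline: list every user explicitly
    remaining = dict(groups)

    def cost(cov, n_groups):
        return n_groups + len(target - cov) + len(cov - target)

    while remaining:
        name = min(sorted(remaining),  # alphabetical tie-break (assumption)
                   key=lambda g: cost(covered | remaining[g], len(chosen) + 1))
        new_cost = cost(covered | remaining[name], len(chosen) + 1)
        if new_cost >= best_cost:
            break
        chosen.append(name)
        covered |= remaining.pop(name)
        best_cost = new_cost
    return chosen, target - covered, covered - target


def find_misconfigs(subject, reference):
    """Reduce both matrices, map every summary statement onto the reference
    groups and report the exceptions: users added to the cover have access
    their groups do not explain (security candidates); users removed from it
    lack access their group implies (accessibility candidates)."""
    groups = {f"G{i}": set(users)
              for i, (users, _) in enumerate(reduce_matrix(reference), 1)}
    findings = []
    for i, (users, objs) in enumerate(reduce_matrix(subject), 1):
        names, added, removed = map_group(set(users), groups)
        findings.append({
            "statement": f"S{i}", "objects": sorted(objs), "groups": names,
            "security": sorted(added), "accessibility": sorted(removed),
        })
    return findings, groups


if __name__ == "__main__":
    for finding in find_misconfigs(SUBJECT, REFERENCE)[0]:
        print(finding)
```

Run as a script it reports S1 = G1 with no exceptions, S2 = G1 minus H (H is an accessibility candidate) and S3 = G2 plus D (D is a security candidate), the same result the slides reach on Pages 13 to 17. The greedy loop stops as soon as no further group lowers the cost, so an approximate cover with a few exceptions is preferred to an exact one built from many small groups.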

Page 18

Implementation

(Diagram: three data sources, Shared Files, an LDAP Server (Email Grps. + Org. Hierarchy) and Shared Webpages, each with its own Stub feeding the Baaz Server.)

• Baaz Stub
– Converts raw data to a relation matrix
– Reports the matrix and subsequent changes to the server

• Baaz Server
– Collects matrices from all the stubs
– Runs the algorithms on a pair of matrices as soon as any change is detected
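The stub's job from the slide above, as an added Python example that is not from the slides or from Baaz: it parses a constructed, simplified icacls-style listing (path on the first line of each object, indented continuation lines carrying only principal:(permissions)), expands group principals to users through a constructed membership table, builds the user × object relation matrix, and diffs two snapshots to produce the change report a stub would send to the server. The listing format, share paths, accounts and groups are all made up for this example.

```python
"""Added example: a minimal Baaz-style stub that turns a share's ACL listing
plus directory group membership into a user x object relation matrix and
reports which cells changed since the previous snapshot.
Input format, paths and accounts are constructed for this example."""

# Constructed group membership, as a directory service would report it.
GROUPS = {
    r"CORP\fin-team": {r"CORP\alice", r"CORP\bob"},
    r"CORP\hr-team": {r"CORP\carol", r"CORP\hr-leads"},
    r"CORP\hr-leads": {r"CORP\erin"},
}

# Constructed icacls-like listings: the first line of each object carries the
# path, indented continuation lines carry only principal:(permissions).
ACL_BEFORE = r"""
\\fs\share\finance CORP\fin-team:(OI)(CI)(M)
                   CORP\dave:(OI)(CI)(R)
\\fs\share\hr CORP\hr-team:(OI)(CI)(M)
"""
ACL_AFTER = r"""
\\fs\share\finance CORP\fin-team:(OI)(CI)(M)
\\fs\share\hr CORP\hr-team:(OI)(CI)(M)
              CORP\alice:(OI)(CI)(R)
"""


def parse_acl(listing):
    """Yield (path, principal) pairs; an indented line continues the previous path."""
    path = None
    for line in listing.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            entry = line.strip()
        else:
            path, entry = line.split(None, 1)
        # permissions follow the last ':'; the principal is everything before it
        yield path, entry.rsplit(":", 1)[0]


def expand(principal, groups):
    """Resolve a principal to the users it stands for, following nested groups
    and tolerating membership cycles."""
    users, stack, seen = set(), [principal], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        if p in groups:
            stack.extend(groups[p])
        else:
            users.add(p)
    return users


def relation_matrix(listing, groups):
    """The binary relation as user -> set of objects the user can reach."""
    rel = {}
    for path, principal in parse_acl(listing):
        for user in expand(principal, groups):
            rel.setdefault(user, set()).add(path)
    return rel


def changes(old, new):
    """Cells that flipped between two snapshots, as (granted, revoked) sets of
    (user, object) pairs. This delta is what the stub reports to the server."""
    users = set(old) | set(new)
    granted = {(u, o) for u in users for o in new.get(u, set()) - old.get(u, set())}
    revoked = {(u, o) for u in users for o in old.get(u, set()) - new.get(u, set())}
    return granted, revoked


if __name__ == "__main__":
    before = relation_matrix(ACL_BEFORE, GROUPS)
    after = relation_matrix(ACL_AFTER, GROUPS)
    granted, revoked = changes(before, after)
    print("granted:", sorted(granted))
    print("revoked:", sorted(revoked))
```

Expanding groups to users is what makes the matrix comparable across data sources: the reference side (email lists, org hierarchy) is already keyed by user, so the subject side must be too, or a permission granted via a nested group would be invisible to the mapping step. Reporting only the flipped cells is what lets the server re-run the algorithms on a change rather than on a full rescan.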

Page 19

Evaluation

   Subject            Reference     Users   Objs.    Ref. Grps.   Total Candidates
1  File Server        Email Lists     119   105682          237                 19
2  Shared Web Pages   Email Lists    1794     1917          307                 16

(Chart: candidates for File Server, Shared Webpages and Email Lists, each split into Invalid (false positive), Intentional Exceptions (good-to-know info) and Valid (needs to be corrected); y-axis 0 to 60.)

Valid misconfigurations on the file server (dataset 1):

Type            Valid Misconfigs   Directories affected   Users affected
Security                      10                   1639                6
Accessibility                  8                    163                7

• Some reasons why misconfigurations occur
– Role change or a new employee joining
– Partial implementation of a policy change
– Misspellings of an alias

Ground-truth comparison: missed 3 misconfigurations in the file server

Page 20

Evaluation: Ground Truth Comparison

• Manually examined the access permissions of directories on the file server (dataset 1)
– After eliminating directories having similar permissions, 276 directories examined
– Took two days!

• Found 18 valid misconfigurations

• Missed 3 misconfigurations (false negatives)
– The relevant reference groups didn’t exist

Page 21

Evaluation: Event-based Monitoring

• 19th August 2009: monitoring on the file server started

• 20th September 2009: an employee adopts a new role
– Email lists were updated
– Permissions on files were not updated

• Baaz found the accessibility misconfiguration within 1 second of the email list reflecting the change

Page 22

Evaluation: Runtime Performance

• Most time-consuming step: Matrix Reduction
– Scans each relation matrix once
– O(size of the matrix)

(Chart: Algorithm Runtime (msec, 0 to 300) against Subject Matrix Size, for sizes 114912, 280224, 487648, 757680, 1198512, 1659728, 2228576 and 2648800; three series, # ref groups = 81, # ref groups = 324 and # ref groups = 1296.)

Page 23

Related Work

• Detecting and resolving policy misconfigurations in access-control systems: Bauer, Garriss and Reiter (2008)
– Uses association rule mining on access logs to decide whether a new user should be granted access to a resource
– Does not find security misconfigurations; no group mapping

• Role Mining algorithms
– Discover common patterns in access permissions across users and resources
– Related to the Matrix Reduction step; can be used as input to Group Mapping

• Several RBAC systems in academia and industry
– Hard to implement in practice
– No audit tool to search for misconfigs; Baaz should be useful

Page 24

Summary

• Baaz is an auditing tool that can find potential misconfigurations
– Can be applied to many types of resources
– A well-documented security policy is not required
– Fast and scalable

• We have deployed Baaz on 3 real systems and found misconfigurations in high business value data

• We were able to find misconfigurations in a near real-time manner

Page 25

Ongoing Work

• Visualization of Access Control
– Who has access to what?

• How do you solve the problem with more complex access control models?

Page 26

THANK YOU!

Questions?