Baaz: Finding Misconfigurations in Access Control
Tathagata Das, Ranjita Bhagwan, Prasad Naldurg
Access Control in the Enterprise
[Figure labels: IT Support, Human Resources, File Shares, Facilities, Finance]
Insider Threats: A motivating scenario
• For any security incident, 69% chance that the culprit was an insider (The Global State of Information Security - PricewaterhouseCoopers survey in 2007)
• In many organizations, up to 90% of the employees have more permissions than they were entitled to (Information Risk in the Professional - Dartmouth College and Tuck School of Business in Dartmouth)
• How do employees have so many extra permissions? Is managing access permissions so hard?
Managing Access Permissions
• Security Group (SG)
  • Ideally: Exists for every role
  • In practice: Do not exist for every role
• Shared Resource Permissions
  • Ideally: Using SGs only
  • In practice: May not be with SGs, exceptions present
• Security Policy
  • Ideally: Well documented
  • In practice: Usually not well documented
Access Control in the Enterprise
[Figure labels: Baaz, IT Support, Human Resources, File Shares, Facilities, Finance]
Design Goals for Baaz
• Prevention rather than forensics
  • Baaz is an auditing tool that periodically scans access control permissions to find potential misconfigurations
• No assumption of documented security policy
  • Rather than checking for “incorrect” access control, Baaz checks for “inconsistent” access permissions
• High performance
  • Baaz uses fast algorithms that are scalable to thousands of users and millions of resources
Outline
• Motivation and Goals
  • Insider Threats: A motivating scenario
  • Managing Access Permissions
  • Design Goals
• Design & Algorithms
  • Matrix Reduction
  • Group Mapping
• Implementation & Results
• Summary
Misconfigurations
• Security Misconfiguration: Bob has access to data he should not
• Accessibility Misconfiguration: Bob does not have access to data he should
Baaz: Design
[Figure labels: Subject, Reference, Shared Files, Databases, Organizational Groups, Matrix Reduction, Object Clustering, Group Mapping, Misconfiguration Candidates in Subject Dataset]
• Subject & Reference Datasets
  • Subject Dataset: the dataset where we want to find misconfigurations
  • Reference Dataset: the dataset that is used as a proxy for the security policy when checking the consistency of the Subject Dataset
• Relation Matrix
  • Binary matrix defining a relation between users and objects
  • Shared Files: Users × Files, relation = permissions
  • Org. Groups: Users × Groups, relation = group memberships
• Subject & Reference Datasets
  • Any data source that can be represented as a binary matrix can be used as a Subject/Reference Dataset
Baaz: Algorithm
Focus of this presentation
• Matrix Reduction
• Group Mapping
[Figure labels: Subject Relation Matrix, Matrix Reduction, Summary Statements, Object Clustering, Group Mapping, Misconfig Candidates, Reference Relation Matrix, Reference Groups]
Sample Datasets
• A – H: Users
• 1 – 13: Resources (shared folders, databases, etc.)
• W – Z: Groups (org. hierarchy, security groups, etc.)
[Figures: Subject Relation Matrix, Reference Relation Matrix]
Matrix Reduction
Reference Groups (from the Reference Relation Matrix)
• G1: {C,D,E,F,G,H} {X}
• G2: {A,B,C} {W,Y}
• G3: {C,D} {Z}
Summary Statements (from the Subject Relation Matrix)
• S1: {C,D,E,F,G,H} {1, 2, 3, 4, 5}
• S2: {C,D,E,F,G} {6, 7}
• S3: {A,B,C,D} {9, 10, 11, 12}
Group Mapping
Mapped Groups
• S1: {C,D,E,F,G,H} = G1
Group Mapping
Candidate mappings for S2: {C,D,E,F,G}
• G1 – {H}
• G2 – {A,B} + {D,E,F,G}
• G3 + {E,F,G}
Mapped Groups
• S1: {C,D,E,F,G,H} = G1
• S2: {C,D,E,F,G} = G1 – {H}
Group Mapping
Candidate mappings for S3: {A,B,C,D}
• G1 – {E,F,G,H} + {A,B}
• G2 + {D}
• G3 + {A,B}
Mapped Groups
• S1: {C,D,E,F,G,H} = G1
• S2: {C,D,E,F,G} = G1 – {H}
• S3: {A,B,C,D} = G2 + {D}
Group Mapping
• Can be generalized to multiple groups being mapped to a set of users
• ‘Set cover’ like algorithm to find the mapping
  • Allows for incomplete/approximate covers
  • Minimum Description Length for selecting best cover
  • Greedy version used for fast results
• Details in the paper
[Figure labels: Team Y, Team X]
Misconfigurations
• S3: {A,B,C,D} = G2 + {D}: D has access alongside Group G2 (A, B, C) → Security Misconfiguration Candidate
• S2: {C,D,E,F,G} = G1 – {H}: H is in Group G1 (C, D, E, F, G, H) but lacks access → Accessibility Misconfiguration Candidate
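The worked example from the Matrix Reduction, Group Mapping and Misconfigurations slides, as an added Python sketch (not Baaz's own code). The matrices are constructed to reproduce the summary statements and reference groups shown above, and `map_group` handles only the single-group case by smallest symmetric difference, not the MDL-based set cover described in the paper.

```python
from collections import defaultdict

# Constructed sample data reproducing the slides' summary statements and
# reference groups (resources 8 and 13 are not listed on the slides).
SUBJECT = {  # resource -> users with permission
    **{r: "CDEFGH" for r in (1, 2, 3, 4, 5)},
    **{r: "CDEFG" for r in (6, 7)},
    **{r: "ABCD" for r in (9, 10, 11, 12)},
}
REFERENCE = {"X": "CDEFGH", "W": "ABC", "Y": "ABC", "Z": "CD"}  # group -> members


def reduce_matrix(columns):
    """Matrix reduction: merge columns with identical user sets in one pass."""
    merged = defaultdict(list)
    for obj, users in columns.items():
        merged[frozenset(users)].append(obj)
    return dict(merged)  # user set -> objects sharing that exact user set


def map_group(users, ref_groups):
    """Single-group mapping: pick the reference group closest to `users`."""
    best = min(ref_groups, key=lambda g: len(users ^ g))
    return best, users - best, best - users  # group, extra users, missing users


def find_candidates(subject, reference):
    """Return (kind, user, resources) misconfiguration candidates."""
    ref_groups = list(reduce_matrix(reference))
    findings = []
    for users, objects in reduce_matrix(subject).items():
        _, extra, missing = map_group(users, ref_groups)
        # Users with access but outside the mapped group: security candidates.
        findings += [("security", u, sorted(objects)) for u in sorted(extra)]
        # Group members without access: accessibility candidates.
        findings += [("accessibility", u, sorted(objects)) for u in sorted(missing)]
    return findings


if __name__ == "__main__":
    for kind, user, objects in find_candidates(SUBJECT, REFERENCE):
        print(f"{kind} misconfiguration candidate: user {user} on {objects}")
```

Each finding is a candidate for an administrator to review against the intended policy, which is how the slides frame the tool's output.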
Implementation
• Baaz Stub
  • Converts raw data to relation matrix
  • Reports matrix and changes to server
• Baaz Server
  • Collects matrices from all the stubs
  • Runs the algorithms on a pair of matrices as soon as any change is detected
[Figure labels: Stubs on Shared Files, Shared Webpages, LDAP Server (Email Grps. + Org. Hierarchy); Baaz Server]
Evaluation
• Some reasons why misconfigurations occur
  • Role change or new employee joining
  • Partial implementation of policy change
  • Misspellings of alias
Ground-truth comparison: Missed 3 misconfigurations in file server
Evaluation: Ground Truth Comparison
• Manually examined the access permissions of directories on the file server (dataset 1)
  • After eliminating directories having similar permissions, 276 directories examined
  • Took two days!
• Missed 3 misconfigurations (false negatives)
  • Relevant reference groups didn’t exist
• Found 18 valid misconfigurations
Evaluation: Event-based Monitoring
• 19th August 2009: Monitoring on file server started
• 20th September 2009: Employee adopts a new role
  • Email lists were updated
  • Permissions on files were not updated
• Baaz found the accessibility misconfiguration within 1 second of the email list reflecting the change
Evaluation: Runtime Performance
• Most time-consuming step: Matrix Reduction
  • Scans each relation matrix once
  • O(size of the matrix)
Related Work
• Detecting and resolving policy misconfigurations in access-control systems: Bauer, Garriss and Reiter (2008)
  • Uses Associative Rule Mining on access logs to figure out whether a new user should be granted access to resources or not
  • Does not find security misconfigurations, no group mapping
• Role Mining algorithms
  • Discover common patterns in access permissions across users and resources
  • Related to Matrix Reduction step, can be used as input to Group Mapping
• Several RBAC systems in academia and industry
  • Hard to implement in practice
  • No audit tool to search for misconfigurations, Baaz should be useful
Summary
• Baaz is an auditing tool that can find potential misconfigurations
  • Can be applied to many types of resources
  • Well documented security policy not required
  • Fast and scalable
• We have deployed Baaz on 3 real systems and found misconfigurations in high business value data
• We were able to find misconfigurations in a near real-time manner
Ongoing Work
• Visualization of Access Control
  • Who has access to what?
• How do you solve the problem with more complex access control models?
Questions? Thank you!