Creeper: A Tool For Detecting Permission Creep In File System Access Controls

Ransomware | admin_scs | November 24, 2021


The first computer virus was discovered in 1971 by Bob Thomas of BBN and is known as ‘Creeper’. Although his message was disturbing, his intention was not harmful. His objective was to create a program to confirm, in practice, whether a program could be moved between computers, and he achieved that. Creeper was designed as a security test to see if self-replication is possible. It spread through ARPANET, one of the first computer networks, which was used by the U.S. Department of Defense, and copied itself onto systems, where it displayed ‘I’m a creeper catch me if you can’. Creeper would then start to print a file but stop, find another system, open a connection there and transfer itself to it. Once running on the new machine it rarely replicated itself; rather, it moved from one system to another and removed itself from the previous system.


Access control is an important part of data security that covers data and access protections. Through authentication and authorization, access control policies make sure that users are allowed to access and use company information and resources. Failure to implement access control may expose all data, applications, and networks to risk and give hackers an advantage. Hackers can also gain access by guessing or cracking the password of an administrative user.

File systems are a fundamental part of computer operating systems, and from a user perspective, their primary use is to store files in an organized and accessible manner. Modern, multi-user computer systems contain a lot of data that requires strong access control mechanisms to restrict data access to the intended users. Different operating systems provide different implementations of access control. This is implemented through the use of both coarse and fine-grained permissions. Coarse-grained permissions are predefined levels (e.g. read, write, full control), and fine-grained permissions are customized permissions created from a set of predefined attributes to represent highly customized access control policies.



Privilege creep is the accumulation of unnecessary permissions, access controls, and privileges by a user. It is very common among IT companies where access to confidential data and account management is not properly controlled. Privilege creep happens when the IT support team forgets to remove a user's old access controls and the user continues to use these privileges.

The problem with access creep is that it creates more than one kind of security issue or breach scenario. The problem may not be apparent at first; it may seem a harmless error. But it becomes a major problem when it reaches hackers, who can give themselves unauthorized access into an organization’s network. There are many ways to identify permission creep. For instance, logging mechanisms can be enabled that record when a user has been allocated a permission. Another solution may be to take frequent snapshots of user permissions and compare them regularly to determine differences. There is a need to produce a mechanism capable of identifying instances of privilege creep without human interaction, prior knowledge, or historical snapshots.


IT companies should focus on building an access control policy and implementing it. The policy should cover access authorization, access administration, and audit functions. Ensure that fewer departments manage user privileges. This gives the company greater control and lets it better monitor the privileges being granted to users.

Privilege creep can also be minimized by enforcing the principle of least privilege (PoLP).

It can also be minimized by conducting periodic access rights reviews. In this method, audits of existing permissions are performed, and this is the only method to ensure that people have only the permissions they need and that they stick to the principle of least privilege.

This method should be applied to all of the company’s departments. Every employee in a department, from the highest to the lowest level, should have their account permissions reviewed twice a year. Existing permissions must be closely examined during reviews, and employees should justify them. Excessive permissions should be revoked, and a record should be kept of those permissions showing how they were granted and why they were never taken away.


There are several methods to identify permission creep; some are as follows.


The first step is to extract permission information and then to establish the effective permission representation for each subject within the system. The next stage is to calculate $\chi^2$ values based on the effective permission representation. Jenks natural breaks (an optimization method) is then iteratively performed until the optimal classing is identified. The output of the software is the list of creep instances.


In this method, permissions are read by using native system functionality and then stored using the model. A generic model is provided detailing how non-mandatory access control mechanisms are structured and how they can be represented using an effective permission model.


A directory $D$ has a set of child directories, where $D = \{d_1, d_2, \ldots, d_n\}$. Each directory has a non-mandatory access control list (dACL) containing a series of access control entities (ACEs), which dictate the level of access given to a subject.

Each ACE has several key parameters: the subject that the ACE is assigned to, an access mask which contains information regarding the level of permissions, and inheritance flags. That is, $ACE = \{s, p, i\}$, where $s$ is the subject, $p$ is the permission set and $i$ is the inheritance flags. The permission $p$ is a set of attributes drawn from the predefined set of attributes. NTFS provides six levels of permissions that consist of a combination of predefined attributes. These attributes are drawn from the standard set of fourteen permission attributes, each of which details a small task that the subject can perform, such as create files, create folders and read permissions. NTFS also allows the creation of special permissions consisting of any combination of the fourteen individual attributes.


In a dACL, there are two types of access control entity (ACE): explicit and inherited. Explicit entities are those that are applied directly to the object’s dACL, whereas inherited entities are those that are propagated from the parent object. The type of ACE indicates whether the permission is assigned directly to the directory (explicit) or was inherited from the directory that it resides within (inherited). For example, an explicit allocation would ensure that a parent directory $d_p$ and a child directory $d_c$ have different ACLs, where $p$ and $c$ denote parent and child directories and ACLs, respectively.


A subject can be a user, group, or process within a system. Assigning a group permission on a directory allows all of the group’s members to automatically acquire the same permission through group membership. There are several motivating factors as to why this is useful and widely used in real-world systems. The primary reason is that managing file system permissions on a per-user basis would be unmanageable, would result in large ACLs, and would introduce additional computation overheads during processing. The second reason is that using group memberships allows users to implement and operate a role-based access control system, whereby clear separations of duty are made within organizations and users are allocated to roles depending on the requirements of their job. A subject can either be a user or process or model. Alternatively, it can be a group containing a set of other groups, users, or processes, $s = \{s_1, s_2, \ldots, s_n\}$.


Accumulation is the possibility for the subject to receive effective permission acquired from multiple different policies. This feature is prominent within the NTFS resulting in the possibility for a subject to receive permissions from multiple different ACEs within the same dACL. Any subject that interacts with the NTFS can be assigned to any number of groups, which can be entered into the ACE. This means that the user does not have to be directly entered into the ACE, they could simply be a member of the group that is entered. This makes managing permissions easier for an administrator; however, it does introduce the potential for subjects to gain permission on any resource where the group is assigned.
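The accumulation described above can be modelled in a few lines. This is an added example, not code from Creeper or the original article: the group names, users, directories and ACEs are constructed, only allow-type ACEs are modelled, and the attribute names are a small subset chosen for illustration.

```python
from collections import defaultdict

# Constructed group membership: group -> members (users or nested groups).
GROUPS = {
    "Finance": {"alice", "bob"},
    "Auditors": {"carol", "Finance"},          # Finance is nested inside Auditors
}

# Constructed dACLs: directory -> list of ACEs {s, p, i} as (subject, permissions, inherited).
DACLS = {
    "/data": [("Auditors", {"ReadData", "ReadAttributes"}, False)],
    "/data/finance": [
        ("Auditors", {"ReadData", "ReadAttributes"}, True),   # inherited from /data
        ("Finance", {"WriteData", "CreateFiles"}, False),     # explicit group ACE
        ("bob", {"Delete", "ChangePermissions"}, False),      # explicit per-user ACE
    ],
}

def groups_of(user, groups=GROUPS):
    """Return every group the user belongs to, directly or through nesting."""
    found, frontier = set(), {user}
    while frontier:
        member = frontier.pop()
        for name, members in groups.items():
            if member in members and name not in found:
                found.add(name)
                frontier.add(name)
    return found

def effective_permissions(users, dacls=DACLS, groups=GROUPS):
    """Build effective permission entries e = {d, s_j, p} for each user."""
    entries = defaultdict(set)
    for user in users:
        principals = {user} | groups_of(user, groups)
        for directory, aces in dacls.items():
            for subject, perms, _inherited in aces:
                if subject in principals:
                    entries[(directory, user)] |= perms    # accumulate across ACEs
    return dict(entries)

if __name__ == "__main__":
    for key, perms in sorted(effective_permissions(["alice", "bob", "carol"]).items()):
        print(key, sorted(perms))
```

In this constructed data, bob never appears in the Auditors ACE yet reads /data/finance through the nested group, and his per-user ACE is the kind of allocation that is invisible when only group ACEs are reviewed.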


The aim of this application is to identify permissions that are irregular and could indicate the presence of permission creep. Statistical analysis may categorize some permissions as irregular even though they are correctly assigned. This is because large IT companies have multi-user systems with many file system permissions, some of which are personalized for a few people, while all remaining employees acquire their permissions through group memberships. These permissions are still identified as irregular, but this is useful because they can be monitored and removed when necessary. The access control group is also important when more than one user is assigned new permissions and when custom permissions are required. Another method is the use of $\chi^2$ analysis, by which we can identify inconsistencies in file system permissions.


The $\chi^2$ statistic is used to measure the lack of independence between $a$ and $s_j$, which can then be compared to the $\chi^2$ distribution with one degree of freedom to judge extremeness. Other techniques are also available for measuring independence; However, $\chi^2$ is not easy to compute. A two-way contingency table is used for attribute $a$ and subject $s_j$, where:

$A$ is the number of times $a$ and $s_j$ co-occur,
$B$ is the number of times $a$ occurs without $s_j$,
$C$ is the number of times $s_j$ occurs without $a$,
$D$ is the number of times neither $s_j$ nor $a$ occur,
$N$ is the total number of attributes to examine.

Here $s_j$ is the subject in each effective permission entry, $e = \{d, s_j, p\}$, and each $a$ is an individual attribute from the set of permissions, $p$.

From this, a lack of independence is measured between attribute a and object s by

$$\chi^2(a, s_j) = \frac{N(AD - CB)^2}{(A + B)(A + C)(B + D)(C + D)} \qquad (1)$$

The $\chi^2$ statistic has a natural value of zero if $a$ and $s_j$ are independent. Therefore, it can be assumed that any permission attribute that has been assigned to subject $s_j$ with a $\chi^2$ value close to zero is either an anomaly or an irregular permission attribute. Following the calculation of $\chi^2$ scores, it is then useful to compute the mean $\chi^2$ for each permission using the following equation, where $l$ is the number of attributes specified for the permission:

$$\chi^2_{avg}(p, s_j) = \frac{1}{l} \sum_{j=1}^{l} \chi^2(a, s_j)$$

Once the average for each permission allocation has been calculated ($\chi^2_{avg}(p, s_j)$), it is then necessary to calculate an average permissions allocation for each subject, $s_j$. This requires calculating mean $\chi^2$ values that relate to the same subject. The following equation is used to calculate $\chi^2_{subject}(s_j)$ values, where $k$ is the number of $\chi^2_{avg}$ for the subject in question, $s_j$:

$$\chi^2_{subject}(s_j) = \sum_{j=1}^{k} \chi^2_{avg}(p, s_j)$$
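The scoring above and the Jenks classing step from the workflow described earlier, carried through on a small data set. This is an added example, not Creeper's own code: the entries are constructed, each (entry, attribute) pair is assumed to count as one observation for the contingency table, and Jenks natural breaks is narrowed to a fixed two classes rather than iterated to an optimal class count.

```python
from collections import Counter

# Constructed effective permission entries e = (d, s_j, p); "dave" holds both roles' rights.
ENTRIES = [
    ("/share", "r1", {"ReadData", "ReadAttributes"}),
    ("/share", "r2", {"ReadData", "ReadAttributes"}),
    ("/share", "w1", {"WriteData", "CreateFiles"}),
    ("/share", "w2", {"WriteData", "CreateFiles"}),
    ("/share", "dave", {"ReadData", "ReadAttributes", "WriteData", "CreateFiles"}),
]

def chi_square(A, B, C, D):
    """Equation (1) on a 2x2 contingency table; 0.0 if any margin is empty."""
    N = A + B + C + D
    denom = (A + B) * (A + C) * (B + D) * (C + D)
    return N * (A * D - C * B) ** 2 / denom if denom else 0.0

def subject_scores(entries):
    """Per subject: sum over its entries of the mean chi-square of each permission set."""
    # Assumption: every (entry, attribute) pair counts as one observation.
    pair = Counter((s, a) for _, s, p in entries for a in p)
    by_attr = Counter(a for _, _, p in entries for a in p)
    by_subj = Counter(s for _, s, p in entries for _a in p)
    N = sum(pair.values())
    scores = {}
    for _, s, p in entries:
        total = 0.0
        for a in p:
            A = pair[(s, a)]
            B, C = by_attr[a] - A, by_subj[s] - A
            total += chi_square(A, B, C, N - A - B - C)
        scores[s] = scores.get(s, 0.0) + total / len(p)
    return scores

def jenks_two_class(values):
    """Largest value of the lower class for the best two-class natural break."""
    xs = sorted(values)
    def ssd(cls):
        mean = sum(cls) / len(cls)
        return sum((x - mean) ** 2 for x in cls)
    split = min(range(1, len(xs)), key=lambda i: ssd(xs[:i]) + ssd(xs[i:]))
    return xs[split - 1]

def flag_creep(entries):
    """Subjects whose score falls in the low (near-independent) class."""
    scores = subject_scores(entries)
    cut = jenks_two_class(scores.values())
    return sorted(s for s, v in scores.items() if v <= cut)

if __name__ == "__main__":
    print(flag_creep(ENTRIES))
```

A subject that has collected the rights of every role mirrors the overall attribute mix, so its attributes are statistically independent of it and its score sits at zero, while users confined to one role score higher.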


The empirical analysis is performed to determine Creeper’s ability to detect instances of permission creep. The empirical analysis is performed in two phases. The first phase is the generation of synthetic datasets. The second phase is analysis on real-world datasets where comparison is performed from manual analysis and statistical analysis that identify irregular permissions.


The synthetic analysis is an iterative approach in which datasets are generated synthetically. The following are the inputs this approach uses.


It is used to define the number of roles within the directory structure. Basically, it is used to represent the number of organizational roles like management, human resources, etc.


It is used to represent the depth and breadth of the directory structure. The directory structure is created to a specified depth, and each directory contains the same number of subdirectories. For instance, if the directory complexity is 4, then its subdirectories have a depth and breadth of 4. This exponential growth would create a directory size of $4^4 = 256$.


The total number of users in the entire system is equally distributed among the number of roles. For instance, in a system with 100 users and 5 groups, each group has a total of 20 users.


The number of users with artificially induced permission creep represents those users to whom additional privileges (i.e. membership of additional roles) have been added to mimic an instance of permission creep.


This process has been created to automate the construction of the synthetic directory structure that is utilized in the empirical analysis. The process is implemented as a Microsoft PowerShell script. The script also outputs the users that have been assigned permissions representative of a user experiencing permission creep. This provides the knowledge needed to assess the detection of permission creep. The following is the process of creating a synthetic file system.


In the setup of the file system structure, directories, users, and groups are created within the system. Only the necessary components are created; no group or permission allocations are made.


In this phase, users are allocated to permission groups, which are used to represent user roles. The distribution is even: the number of users is divided by the number of groups.


In this phase, file system permissions are assigned to each group. The permissions are combinations of individual attributes. For instance, the first group gets full control, which means the first group has the full set of attributes. Similarly, the second group gets less control, i.e. a smaller combination of attributes. The number of permissions and the power they hold on the file system decreases from group to group, which ensures each group has a different permission level.


In this phase, a user is selected first, along with a directory, and then a pseudo-random combination of attributes is selected. The allocation is applied to the file system for the selected user and directory. This information is written to a text file that is used as ground truth knowledge when analyzing the output from Creeper.
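The four phases above, sketched as an in-memory model. This is an added example, not the PowerShell script the article refers to: the function name, user and role names, the placeholder attribute names and the seeded random generator are all assumptions, and the ACLs are plain Python data rather than real file system objects.

```python
import itertools
import random

ATTRS = [f"attr{i:02d}" for i in range(14)]   # placeholders for the fourteen attributes

def build_synthetic(roles, complexity, users, creep_users, seed=0):
    """Return (dirs, groups, acl, truth) for an in-memory synthetic file system."""
    rng = random.Random(seed)                  # seeded so a run is reproducible
    # Phase 1: directories, users and groups exist, nothing is allocated yet.
    dirs = ["/" + "/".join(f"d{i}" for i in path)
            for path in itertools.product(range(complexity), repeat=complexity)]
    names = [f"user{i:03d}" for i in range(users)]
    groups = {f"role{g}": [] for g in range(roles)}
    # Phase 2: spread the users evenly over the role groups.
    for i, name in enumerate(names):
        groups[f"role{i % roles}"].append(name)
    # Phase 3: each successive group gets a smaller attribute set.
    step = max(1, len(ATTRS) // roles)
    perms = {f"role{g}": set(ATTRS[:max(1, len(ATTRS) - g * step)])
             for g in range(roles)}
    acl = {d: [(g, set(p)) for g, p in perms.items()] for d in dirs}
    # Phase 4: induce creep with an explicit per-user ACE and record ground truth.
    truth = []
    for name in rng.sample(names, creep_users):
        d = rng.choice(dirs)
        extra = set(rng.sample(ATTRS, rng.randint(1, len(ATTRS))))
        acl[d].append((name, extra))
        truth.append((name, d, sorted(extra)))
    return dirs, groups, acl, truth

if __name__ == "__main__":
    dirs, groups, acl, truth = build_synthetic(roles=5, complexity=4, users=100, creep_users=3)
    print(len(dirs), "directories;", len(truth), "induced creep instances")
    for row in truth:
        print(row)
```

The returned `truth` list plays the role of the ground truth text file: a detector's output is compared against it to obtain the rates defined in the next section.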


To assess performance in empirical analysis, the following measures are considered:

True Positive Rate (tpr): The fraction of creep permissions correctly identified as being part of an instance of permission creep.

False Positive Rate (fpr=1-tnr): The fraction of regular permissions incorrectly identified as being part of an instance of permission creep.

True Negative Rate (tnr): The fraction of regular permissions correctly identified as regular.

False Negative Rate (fnr=1-tpr): The fraction of creep permissions incorrectly classified as regular.

Accuracy: Accuracy is reported as the fraction of all samples correctly identified. More specifically, Accuracy = (tpr + tnr) / (tpr + tnr + fpr + fnr).


Average accuracy of 96% has been established on synthetic datasets. Although these datasets are realistic and are generated to align with common access control implementations, it is still necessary to test the capabilities of Creeper on real-world systems. During this analysis, the following methodology is used:

A human expert with more than ten years of experience in performing security audits will analyze the file systems using only the traditional analysis method of examining access control rules using built-in operating system functionality.

NTFS-R is used to identify irregular permissions, based on a previous implementation of $\chi^2$ and Jenks analysis that utilizes effective permissions from users and groups explicitly in the ACL.

Creeper is used to extract and analyze permissions, which specifically aims to identify instances of permission creep.

Irregularities identified are evaluated by a separate human expert, and they are regarded as ground truth, i.e. correct identifications used to determine the accuracy of other techniques irrespective of which technique identified them as a valid instance of permission creep.


Human analysis is accurate in terms of not making incorrect classification; however, there are many instances where the expert has missed identifying valid instances of permission creep. This is most likely due to time constraints or other factors when performing manual analysis using standard operating system functionality. When analyzing permissions in Microsoft NT systems, the user has to inspect permissions on the individual object like a directory or at the file level. This is time-consuming and lacks the ability to retain and view a user’s permission across multiple objects. Creeper identifies more correct instances of permission creep than other techniques. After further analysis, it is identified that the technique has been too sensitive in this instance and the incorrectly identified effective permission is actually normal (a false positive), although it is statistically different and therefore could have represented a valid instance of permission creep. This demonstrates that creeper can incorrectly classify permissions in some instances and still requires human expertise to analyze the results. The reason for this incorrect identification is because the correct permission is statistically different from the normal distribution and thus is identified as an instance of permission creep. However, it should be noted that it was able to correctly classify permission with a higher degree of accuracy than all other techniques, and thus demonstrates creeper’s capabilities.


Different techniques are used to identify instances of permission creep in discretionary access control implementations. Statistical analysis is used on an extracted model of subject effective permissions. This analysis includes the use of $\chi^2$ analysis alongside Jenks natural breaks for the unsupervised identification of permission creep instances. Empirical analysis is then performed on NTFS permissions, which shows good scalability and good accuracy across different characteristics. Creeper is introduced to identify permission creep, and gives 96% average accuracy on synthetic datasets and 98% average accuracy on real-world systems. The real-world analysis also shows an improvement in accuracy over the human expert technique.


Written by: admin_scs
