
Okay, we're gonna go ahead and get started. Everybody, good afternoon, welcome to BSides Las Vegas Proving Ground. This talk is "So You Think You Can chmod: Reasoning About File Permissions," and our speaker is Jared Chandler. A couple of announcements before we get started: we want to thank our sponsors, especially our Inner Circle sponsors Critical Stack and Bela Male, and our Stellar sponsors Secure Code Warrior, Paranoid and Amazon. It's their support, along with our other sponsors and donors and volunteers, that makes BSides possible, so thank you. These talks are being streamed live. As a courtesy to our speaker and our audience, please make sure your cell phones are set to the silent position. At the end, if you have a question, just raise your hand, we'll call on you one at a time, and we'll get Jared to repeat the question back so the YouTube audience can hear it. With that said, let's get everything started here. Please welcome Jared Chandler.

Well, thank you for coming. I know file permissions may not be the most glamorous thing, but sometimes it seems pretty important. I'm Jared Chandler. Today I'm going to present something called x-ray. It's an open source tool I've developed to help lay users reason about UNIX-style file permissions. It lets you ask human-friendly questions about the security of your file system and get concrete answers back in return. In terms of what I'm going to do today: I want to talk about the motivation, why I developed this tool; I'm going to talk about the approach I took to actually solve this problem; and I'll give you a demonstration and show you what x-ray can do. I put it up on GitHub. It's research software, so please be kind to me, but you're welcome to it. I'll show that URL again at the end.

Okay, so a little bit about me. I started out as a full-stack developer a long time ago. I've got probably a decade-plus of experience out in industry. I've done a lot of different things in a lot of different roles: database stuff, you name it. But these days I'm at Tufts University working with Dr. Kathleen Fisher. My research areas of interest are things at the intersection of human reasoning and formal methods. Some of the other research projects I work on: automatic protocol reverse engineering from network samples; clandestine botnet infiltration, so, you know, like Ocean's Eleven, you've got a botnet and I'm gonna steal it and no one's gonna realize it's been stolen until it's already too late; cognitive attacks on end users, that's figuring out ways to deceive the user at sort of a biological or perceptual level so it's really hard to defend against; and I work on file permissions, and that's what I'm gonna talk about here today.

So every good security story starts with a crime. I was a teaching assistant for a computer science class, and one of my duties was to find out when the students were doing bad things. We teach them to use GitHub, you know, use version control, and suddenly they're using it to share answers, collaborate inappropriately, cheat, etc. So I've learned to go out on GitHub and look for people up to no good, and one day when I was out there I found some scanned copies of our exams. This was stuff that only the staff and the instructor should have access to; it should never have been in the hands of a student. I kind of jumped to the conclusion: clearly we got hacked. Some student created some malware and uploaded it as a homework assignment, and then we ran their submission unsandboxed, and it took copies of these files out, and that's how they got the data out. And you know, the languages we use to teach are kind of stupid simple languages, except for Standard ML, which is, you know, a compiler language that's kind of wacky. So if somebody wrote malware in Standard ML, I tip my hat to that person. But there were a couple of things that didn't make any sense: if you're that badass, why are you posting this stuff on GitHub? Why also didn't you post other solutions, why didn't you post grades, why didn't you post, you know, our infrastructure that you clearly would have had access to?

And then it kind of dawns on us: somebody on our side had made the exams world-readable. We went back and looked. Somebody was in a rush, they were trying to do something about grading, they couldn't get the file permissions right, and they were just like "chmod 777", everyone gets all the permissions. And you know what, that works, because the job got done and no one looked back; nobody realized anything was wrong. Later a student goes to make a copy of the course material, as they're allowed to, and they probably didn't realize there was anything in the copy they took that they weren't supposed to have. So we felt pretty dumb. How many PhDs does it take to get file permissions right? Clearly more than we had, and we had a few working on it. We realized if this had happened here it could happen again, and it may have happened at other places that we were responsible for without us being aware of it. When we dug a little deeper we realized we didn't even understand, with a lot of clarity, how file permissions work; we had some misconceptions about what should be secured and what shouldn't.

So probably not everyone here is totally familiar with UNIX and Linux style file permissions. We certainly weren't. I'd like to do a little bit of a level set and just talk about some of the things that I thought were relevant about UNIX file permissions: what they are, how they are evaluated, and how you set them. This is just to give you a sense of what we're up against when you're trying to get them right. There are three parts to UNIX file permissions: there's the user, the group, and everyone else. The permissions themselves are read, write and execute, and execute is either run it as a program or enumerate the files in it. When they get evaluated there's this algorithm that is applied, and you never see this, and unless you go back to some seriously old 1970s greybeard paper written on a typewriter you probably would have a hard time finding it. It breaks down into three cases: if you're the user, you get the user permissions; if you're not the user and you're in the group, you get the group permissions; and if you're not the user and you're not in the group, then you get the other permissions. How about how you set those permissions? chmod 755, chmod =rw+x, chmod u=rwx,go=u-w. Did that make things more secure or less? I mean, I can't really tell. Sometimes you need to know what the permissions were before you issue the command. Sometimes you need to know the context it's in, like what are the permissions of the directory above it that's containing this. So with all that stuff going on, it's no wonder it's really hard to reason about whether your file permissions are correct.

And then after that we were like, okay, well, we have a better idea of how file permissions are supposed to work, let's try checking some of them manually, because we have to secure this directory, we have to make sure this mistake doesn't happen again. Though we were quickly over our heads: the directory we were working on is on a multi-user system, we have like 200,000 live directories and files, so doing it brute force, you know, in our heads, clearly wasn't going to work. But we had a couple of insights. Our first insight was that how people think about file permissions is different than how they're implemented. There's sort of the idea you have of security, which is, you know, this type of user should have access to this type of file, and then there's all the chgrp and chmod commands that you type in to actually try and implement that policy. It's great if those things exactly overlap, but that's not always the case. Sometimes there are things in your head as thoughts that don't get implemented as permissions, and then there are other things that are permissions that you've never really thought about in terms of thoughts. Both of those things are kind of dangerous. Our second key insight was that when a human is reasoning about whether or not the actual permissions implement their idea of security, they're running that algorithm again and again in their head. They're running it recursively for every single file, every location in the file system, and that's really, really hard for a human to do. I mean, you can do it for maybe two directories deep and about four files, but beyond that it just kind of exhausts your mental resources.

So we study formal methods at my school, and when you study formal methods everything looks like a nail, and when you have a problem you break out your formal methods hammer and take a whack at it. The approach we used is something called symbolic execution. Symbolic execution is one technique that allows you to reason about what a computer program will do, or how it will behave, without actually running it. Our key insight here was that we treat the entire file system and the permissions together as a program. Symbolic execution lets us reason about which parts of that program will execute for a certain set of conditions, sort of like, you know, what are the conditions for a branch or for an if statement that will cause this program to go through this particular location and satisfy this condition. So what we do is we take the permissions and the algorithm that's used to calculate whether or not the permissions are satisfied, and we convert that over to constraints. Those three cases I showed you earlier, we convert them into cases of +user, which means that you are the user; -user, which means you're not the user; +group, which means you're in the group; and -group, which means you are not a member of the group.

Then, does anyone recognize this guy? Are there any fans of the TV show The Office here? Okay, we take this guy, he's got some properties, Jim the user, and we have a set of constraints that allow permission at a particular location. We look to see: do the properties of Jim the user satisfy one of the sets of constraints on this particular file? If one of those sets of constraints is satisfied, then Jim has permission to do this particular action. So that's great. File permissions are, excuse me, boolean formulas like that let us calculate things very precisely using constraints. You know, you can have lots of ANDs and ORs and NOTs, and if you're a math person you're super into that because it's exact, but it's not exactly user-friendly.

So we built x-ray. We wanted something that was fast, easy and safe for everyday users to use. You give it as input human-friendly security questions like "what can everyone access?", it uses symbolic execution underneath to calculate those constraints, and it gives you concrete answers like "file 1, 2 and 3, and here's why." x-ray has a simple pipeline. You basically give it the output of running the find command, you pipe that into a text file, and you give it another text file that talks about users and groups on your system. It's a Python script. You can bring the tool to your data; you don't have to bring the data to your tool, because, hey, I do security too, I wouldn't trust something that asked me for root access or to upload it to the cloud. Here's an example of some of the data we ask for. If you've ever run the command ls on a UNIX system you're pretty familiar, so we're not asking for too much.

x-ray is a little different than how we regularly think of permissions on a UNIX system. We use something called semantic permissions. Maybe a good way to describe these is: if you know exactly the path to get to a file, you can just jump to it; that's what we call traverse. But how about you're a user who doesn't know what they're looking for and you need to enumerate the files in each directory at each level to find the thing you want to actually get to? We call that discover. Edit and execute work similarly. We think these map better onto how humans think about security than simply talking about the actual concrete permissions on the file system.

Putting it together, you can ask simple questions of x-ray like "Dwight can discover in DMPC". There are three parts: who, what, and where. So it's a user or a group, a permission, and then a location, which is a path with some regular expressions in it. We wanted how you write the query expressions to be as similar as possible to how people actually talk about them in everyday language. We also wanted x-ray to use what you know. So, like, you're familiar with this; x-ray basically just adds a little bit of extra data. You write a query in x-ray and it adds two columns. It has a column here which indicates all the files that satisfy this query, and it has this column here which indicates all the files that violate the query. If you're looking at the counts, the counts sum up the number of child elements in the tree that actually adhere to or violate the property. Let's say you're only interested in things that actually violate, or things that actually adhere. We have some modifiers, example and counterexample, that basically say show me only the things where it works, or show me only the things where it doesn't work. And if you're looking for the why, like here's a query, "Toby can read in DMPC/HR ... .jpeg", x-ray supports what we call x-ray mode. Turn on x-ray mode and, remember those constraints we talked about earlier, you can see all the constraints that a user or an agent satisfies. So right here we can see this agent, Toby, satisfies this set of constraints right here, he satisfies this set of constraints right here, and he doesn't satisfy any at the leaf level. This allows you to reason about why the permissions are working or why they aren't, for anywhere in your file system.

Okay, so I've hit you with some screenshots. I'd like to also convince you that it's easy to use, so I'm gonna try it out live. Okay, so here we have the x-ray permission query environment. So remember The Office. Let's imagine we work at Dunder Mifflin Paper Company and Michael Scott's the CEO or the boss. He's got a big heart, he's a nice guy, but maybe he's not the guy we want in charge of editing files. So why don't we ask x-ray where can Michael edit files? So we type "Michael can edit in DMPC". Okay, x-ray tells us; it gives us counts where Michael can edit a file and where Michael can't. This is kind of showing us an overview first, and then if we want to drill in on smaller stuff we can do that. Let's do that. So we're gonna write "example": we only want to see things where Michael actually can edit it. Whoops. Okay, now we only see the files that Michael can edit. Do you see anything in there that's interesting? Oh, let's see, well we've got this file right here, lame Toby JPEG, in the HR directory, and next to it is the salaries data. I guess that's reasonable, that you should be able to edit the salaries. I don't know if I want Michael to be able to edit some sort of marketing jingle; that seems like that could be a little dangerous. And it looks like Jim's got some sort of list of clients; I'm not sure Michael should be able to edit that.

Okay, how about Dwight? Dwight is an interesting guy; he's got lots of, you know, curiosity. Let's find out what Dwight can discover: "example Dwight can discover". Do you see all the things Dwight can discover? Hmm. Oh, looks like Dwight can actually discover the salaries right there. That doesn't seem right; that's probably some sort of file permission error that we need to fix, and it looks like Michael's probably got the file permissions wrong when he edited the file. So already, originally I talked about exams, right, some files that were out there in the real world that shouldn't have been. Let's write a query like that: "example everyone can discover in DMPC". Let's do the HR directory, let's just see what's inside the HR directory. Whew, looks like the salaries are discoverable by everyone. That's probably not the way it should be. And if we wanted to find out more about why that's the case, we can turn on x-ray mode like this, rerun that query, and we can see exactly which set of constraints is satisfied by the user.

Okay, so we imagine x-ray would be used differently by different teams. We imagine a red team might use it to figure out what's accessible and exploit it. The blue team would probably try to defend the same stuff. Maybe you're in DevOps, you want to figure out what's changed, maybe you want to figure out if the things that are accessible still are. If you're a developer, before you use a container, maybe you want to check it out, look and see what's in it. Or you're like me, you know, you just want some help with your file permissions. We took this tool and we ran it on three different academic file systems ranging from 50,000 to a quarter-million files and directories. We found file permission errors in all three. They ranged from, like, hey, this guy who owns this directory can't see some of these files in here, to some issues where I'm picking up the phone and calling people on the weekend because my research project found something that was that important that they should actually secure right away.

Okay, so to recap. I've talked about the motivation, why I thought this was interesting and what motivated us to develop this tool. I've talked a little bit about the approach by which we use symbolic execution to actually perform this, and hopefully I've given you a good demonstration of a lot of what x-ray can do and hopefully encouraged you that it's not too hard to actually use, that with a little training you could probably get some real use out of it. We're very interested in doing more research into the area of file permissions and figuring out what kinds of file permissions are common and why. So we wanted to get this tool out into your hands. We're hopeful if you use this tool you'll give us some good feedback and you'll tell us more about the types of file permission errors you discover, as a way of, you know, paying it back to us, and we're hopeful that this and other techniques like it will reduce file permissions in the future. I'd like to say thank you as an audience, thank you to my mentor Emily, and I'm happy to take your questions.

The question was: have I ever thought about extending this to cloud systems like S3 buckets? Yes, I think anywhere where there is a concrete execution model of the permissions, we can use some of these symbolic execution and formal method techniques to actually assist the human to reason about it. We think that's a promising venue for further research.
The question was: it works with basic permissions, does it work with fancier permissions? Right now it doesn't, but we're hopeful to do that and a whole lot of other stuff in the future.
The question was: from an infrastructure side, when you have lots of different layered roles, how do you use something like this to determine the effective permissions? Again, we think this constraint-based approach, where we're able to create a formal model of what the effective permissions are and use some of our actual research magic to calculate those things in an efficient and tractable manner, I think that would probably allow us to do it. And I'd be interested in any particular use cases you guys think are pressing. One more question.
The question was: does this tool take into account SELinux, so like there are methods of securing Linux file systems using ACLs? It didn't; we didn't do that. We just basically picked the thing that [inaudible]. This is kind of an interesting aside: you know, we looked at file permissions, we said these things really haven't changed for 20 years; the way people used to secure these on a Linux or UNIX system is pretty much the way we still do. We should kind of advance the state of the art, and if it was going to be supplanted by something better we would have expected it, but that doesn't mean that we can't defend the stuff that's exposed today, and that's why we felt it was important to build this tool.
The question was: does this tool actually assist with setting them? Right now it just assists with analyzing them, because the question of how you want the file permissions set is a really interesting one from a human perspective, because I probably shouldn't move files around on your file system to make the permissions correct; that might confuse the user. In this problem it all comes back to the user: the judgment of a human which says "hey, this is what it should be and this is what it shouldn't be" is kind of the gold standard. So we want to make sure we have actual human knowledge in the loop. But my adviser did ask me to work on exactly that: can we synthesize and repair file permissions if they get out of

The question was: there's lots of good here, how do we defend against evil? Yes, you can actually write quite complicated scripts inside this about the file permissions and it will run them, and you can use them to basically diff your file permissions and figure out when something has gotten out of whack. I think there's also a lot of potential for where something like this could be developed and act as a firewall: "oh, you're about to change the file permission, it violates this sort of abstract human-thought-based security concept, we're not going to allow you to do it, because it's probably the bad thing to do."
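The three-case evaluation algorithm, the +user/-user/+group/-group constraint sets, and the traverse/discover/edit semantic permissions from the talk, as an added example written for this page and not the x-ray tool's own code. The Dunder Mifflin file tree, the user/group table, and the exact definitions of the semantic permissions are assumptions made here for illustration.

```python
# Added example, not x-ray's own code: the three-case evaluation algorithm written as
# constraint sets, plus the talk's semantic permissions, run over a constructed tree.
# Constructed example file system: path -> (owner, group, mode bits).
# /DMPC/HR is deliberately world r-x, the kind of slip the talk's demo turns up.
FS = {
    "/DMPC":                   ("michael", "staff", 0o755),
    "/DMPC/HR":                ("toby",    "hr",    0o755),
    "/DMPC/HR/lame_toby.jpeg": ("michael", "hr",    0o664),
    "/DMPC/HR/salaries":       ("toby",    "hr",    0o664),
    "/DMPC/Sales":             ("jim",     "sales", 0o750),
    "/DMPC/Sales/clients":     ("jim",     "sales", 0o660),
}
# Constructed user/group table; "guest" stands in for a user in no group at all.
USERS = {"michael": {"staff"}, "toby": {"staff", "hr"}, "jim": {"staff", "sales"},
         "dwight": {"staff", "sales"}, "pam": {"staff"}, "guest": set()}
# The three evaluation cases as x-ray-style constraint sets -> which rwx triple applies.
SHIFT = {"+user": 6, "-user +group": 3, "-user -group": 0}

def constraint_case(user, owner, group):
    """Return the constraint set the user satisfies for an object owned by owner:group."""
    if user == owner:
        return "+user"
    if group in USERS.get(user, set()):
        return "-user +group"
    return "-user -group"

def bits(user, path):
    """The rwx triple (3-bit int) that applies to user at path, and the case that chose it."""
    owner, group, mode = FS[path]
    case = constraint_case(user, owner, group)
    return (mode >> SHIFT[case]) & 0o7, case

def ancestors(path):
    parts = path.strip("/").split("/")
    return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

# Semantic permissions (assumed definitions following the talk): traverse needs x on every
# directory on the way; discover needs r and x on each so the name shows up when listing
# level by level; read and edit add r or w on the object itself.
def traverse(user, path): return all(bits(user, d)[0] & 0o1 for d in ancestors(path))
def discover(user, path): return all((bits(user, d)[0] & 0o5) == 0o5 for d in ancestors(path))
def read(user, path): return traverse(user, path) and bool(bits(user, path)[0] & 0o4)
def edit(user, path): return traverse(user, path) and bool(bits(user, path)[0] & 0o2)
PERMS = {"traverse": traverse, "discover": discover, "read": read, "edit": edit}

def query(who, perm, location):
    """'<who> can <perm> in <location>' -> (examples, counterexamples), x-ray's two columns.
    "everyone" means every user in USERS must have the permission."""
    users = list(USERS) if who == "everyone" else [who]
    examples, counters = [], []
    for path in sorted(FS):
        if path == location or path.startswith(location.rstrip("/") + "/"):
            ok = all(PERMS[perm](u, path) for u in users)
            (examples if ok else counters).append(path)
    return examples, counters

def explain(user, path):
    """x-ray mode: at each level, the constraint set the user satisfied and the bits it gave."""
    rows = []
    for p in ancestors(path) + [path]:
        b, case = bits(user, p)
        rows.append((p, case, b))
    return rows

def chmod(path, mode):
    """Apply a corrected mode so a query can be re-run (choosing the fix stays with the human)."""
    owner, group, _ = FS[path]
    FS[path] = (owner, group, mode)
```

Running `query("everyone", "discover", "/DMPC/HR")` on the constructed tree lists the salaries file as discoverable by everyone, and `explain("dwight", "/DMPC/HR/salaries")` shows it is the "-user -group" case at /DMPC/HR that grants it; after `chmod("/DMPC/HR", 0o750)` the same query moves both files into the counterexample column.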