Have you ever wondered if the file permissions on a directory were correct? Have you worried that you were allowing too much access or too little? You’re not alone. File permissions are both difficult for humans to reason about and important to cybersecurity practitioners.
File permission errors can reveal sensitive information, including private education, medical and defense data. We present XRAY, a system to find errors in systems with Unix style file permissions.
XRAY uses a constraint based approach coupled with an expressive domain specific language to find file permission errors. XRAY represents permissions as a set of constraints allowing an action at a location in the file system. This representation allows efficient answers to questions about who can perform an action and where they can do so across an entire file system. XRAY provides the user with an expressive domain specific language for stating security properties a file system in part or as a whole. XRAY finds examples where properties hold and counterexamples showing violations on real world scale datasets. We present the results of three case studies employing XRAY for finding file permission errors and detail the future work for this system.