USENIX Security '23 - Improving Logging to Reduce Permission Over-Granting Mistakes

USENIX Security '23 - Improving Logging to Reduce Permission Over-Granting Mistakes

Bingyu Shen, Tianyi Shan, and Yuanyuan Zhou, University of California, San Diego

Access control configurations are gatekeepers to block unwelcome access to sensitive data. Unfortunately, system administrators (sysadmins) sometimes over-grant permissions when resolving unintended access-deny issues reported by legitimate users, which may open up security vulnerabilities for attackers. One of the primary reasons is that modern software does not provide informative logging to guide sysadmins to understand the reported …

access access control administrators block california control data grant logging permission permissions san san diego security sensitive sensitive data system system administrators university university of california usenix usenix security