Title: OPMonitor: Continuously monitoring residual over-granted permissions in verified access control policies
Authors: Xiao Wang, Yunchuan Guo, Zhe Sun, Mingjie Yu, Fenghua Li, Liang Fang
DOI: 10.1016/j.cose.2025.104623
Journal: Computers & Security, volume 158, Article 104623
Publication date: 2025-08-18
Publication type: Journal Article
JCR: Q1 (Computer Science, Information Systems)
URL: https://www.sciencedirect.com/science/article/pii/S0167404825003128
Citation count: 0
Abstract
Over-permissive access control policies, which grant users permissions beyond sysadmins' intended scope, are a primary cause of data breaches. Although policy verification serves as a critical defense mechanism by formalizing design intentions into verification goals and validating policies' compliance with these goals, its effectiveness is bounded by sysadmins' expertise and the comprehensiveness of the predefined intentions. Consequently, over-granted permissions that fall outside the scope of the verification goals often remain undetected. This paper introduces OPMonitor, a continuous monitoring tool that enables early detection of residual over-granted permissions overlooked by policy verification methods. OPMonitor operates by inferring a granting baseline from access logs, which serves as a reference model for identifying access violations in real time. To mitigate over-permissive results while ensuring correctness, we develop a two-phase framework based on approximate optimization for baseline inference. To facilitate real-time evaluation and incremental updates of the inferred baseline, we develop the locally abstract baseline tree, a tree structure that consolidates implicit authorization conditions to reduce the number of states. Our experimental evaluation across 25 datasets, comprising both real-world and synthetic data, demonstrates the effectiveness of our approach. OPMonitor achieves a 1.5x higher detection rate for over-granted permissions compared to state-of-the-art solutions, while keeping the inference time under 30 s. Additionally, our locally abstract baseline tree enables microsecond-level evaluation and incremental updates that are 7x and 2x faster, respectively, than existing approaches.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.