DOCSLIB.ORG

A Security Model for Full-Text File System Search in Multi-User Environments

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Security Model for Full-Text File System Search in Multi-User Environments A Security Model for Full-Text File System Search in Multi-User Environments Stefan B¨uttcher and Charles L. A. Clarke School of Computer Science University of Waterloo Waterloo, Ontario, Canada Abstract able. Therefore, it is important to keep the disk space consumption of the indexing system as low as possible. Most desktop search systems maintain per-user indices In particular, for a computer system with many users, it to keep track of file contents. In a multi-user environ- is infeasible to have an individual index for every user in ment, this is not a viable solution, because the same file the system. In a typical UNIX environment, for example, has to be indexed many times, once for every user that it is not unusual that about half of the file system is read- may access the file, causing both space and performance able by all users in the system. In such a situation, even problems. Having a single system-wide index for all a single chmod operation – making a previously private users, on the other hand, allows for efficient indexing but file readable by everybody – would trigger a large num- requires special security mechanisms to guarantee that ber of index update operations if per-user indices were the search results do not violate any file permissions. used. Similarly, due to the lack of information sharing We present a security model for full-text file system among the individual per-user indices, multiple copies of search, based on the UNIX security model, and discuss the index information about the same file would need to two possible implementations of the model. We show be stored on disk, leading to a disk space consumption that the first implementation, based on a postprocess- that could easily exceed that of the original file. ing approach, allows an arbitrary user to obtain infor- We investigated different desktop search tools, by mation about the content of files for which he does not Google1, Microsoft2, Apple3, Yahoo4, and Copernic5, have read permission. The second implementation does and found that all but Apple’s Spotlight maintain a sep- not share this problem. We give an experimental perfor- arate index for every user (Google’s search tool uses a mance evaluation for both implementations and point out system-wide index, but this index may only be accessed query optimization opportunities for the second one. by users with administrator rights, which makes the soft- ware unusable in multi-user environments). While this is 1 Introduction and Overview an unsatisfactory solution because of the increased disk space consumption, it is very secure because all file ac- With the advent of desktop and file system search tools cess permissions are automatically respected. Since the by Google, Microsoft, Apple, and others, efficient file indexing process has the same privileges as the user that system search is becoming an integral component of fu- it belongs to, security restrictions cannot be violated, and ture operating systems. These search systems are able to the index accurately resembles the user’s view of the file deliver the response to a search query within a fraction of system. a second because they index the file system ahead of time If a single system-wide index is used instead, this in- and keep an index that, for every term that appears in the dex contains information about all files in the file system. file system, contains a list of all files in which the term Thus, whenever the search system processes a search occurs and the exact positions within those files (called query, care has to be taken that the results are consistent the term’s posting list). with the user’s view of the file system. A search result While indexing the file system has the obvious advan- is obviously inconsistent with the user’s view of the file tage that queries can be answered much faster from the system if it contains files for which the user does not have index than by an exhaustive disk scan, it also has the read permission. However, there are more subtle cases obvious disadvantage that a full-text index requires sig- of inconsistency. In general, we say that the result to a nificant disk space, sometimes more than what is avail- search query is inconsistent with the user’s view of the USENIX Association FAST ’05: 4th USENIX Conference on File and Storage Technologies 169 file system if some aspect of it (e.g., the order in which plementation of the security model are based. matching files are returned) depends on the content of In section 4, we present a general file system search files that cannot be read by the user. Examples of such security model and define what it means for a file to be inconsistencies are discussed in section 5. searchable by a user. Section 5 discusses the first im- An obvious way to address the consistency problem plementation of the security model, based on the post- is the postprocessing approach: The same, system-wide processing approach described above. We show how this index is used for all users, and every query is processed implementation can be exploited in order to obtain the to- in the same way, regardless of which user submitted the tal number of files in the file system containing a certain query; after the query processor has computed the list of term. This is done by systematically creating and delet- files matching the query, all file permissions are checked, ing files, submitting search queries to the search system, and files that may not be searched by the user are re- and looking at either the relevance scores or the relative moved from the final result. This approach, which is ranks of the files returned by the search engine. used by Apple’s Spotlight search system (see the Apple In section 6, we present a second implementation of Spotlight technology brief 6 for details), works well for the security model. This implementation is immune Boolean queries. However, pure Boolean queries are not against the attacks described in section 5. Its perfor- always appropriate. If the number of files in a file sys- mance is evaluated experimentally in section 7 and com- tem is large, the search system has to do some sort of pared to the performance of the postprocessing approach. relevance ranking in order to present the most likely rel- Opportunities for query optimization are discussed in evant files first and help the user find the information he section 8, where we show that making an almost non- is looking for faster. Usually, a TF/IDF-based (term fre- restrictive assumption about the independence of differ- quency / inverse document frequency) algorithm is used ent files allows us to virtually nullify the overhead of the to perform this relevance ranking. security mechanisms in the search system. In this paper, we present a full-text search security model. We show that, if a TF/IDF-style ranking algo- rithm is used by the search system, an implementation 2 Related Work of the security model must not follow the postprocessing approach. If it does, it produces search results that are While some research has been done in the area of high- inconsistent with the user’s view of the file system. The performance dynamic indexing [BCC94] [LZW04], inconsistencies can be exploited by the user in a system- which is also very important for file system search, the atical way and allow him to obtain information about the security problems associated with full-text search in a content of files which he is not allowed to search. While multi-user environment have not yet been studied. we do not know the exact ranking algorithm employed In his report on the major decisions in the design of by Apple’s Spotlight, we conjecture that it is at least in Microsoft’s Tripoli search engine, Peltonen [Pel97] de- parts based on the TF/IDF paradigm (as TF/IDF-based mands that “full text indexing must never compromise algorithms are the most popular ranking techniques in operating or file system security”. However, after this information retrieval systems) and therefore amenable to initial claim, the topic is not mentioned again in his pa- the attacks described in this paper. per. Turtle and Flood [TF95] touch the topic of text re- After discussing possible attacks on the postprocess- trieval in multi-user environments, but only mention the ing approach, we present a second approach to the in- special memory requirements, not the security require- consistency problem which guarantees that all search re- ments. sults are consistent with the user’s view of the file system Griffiths and Wade [GW76] and Fagin [Fag78] were and which therefore does not allow a user to infer any- among the first who investigated security mechanisms thing about the content of files which he may not search. and access control in relational database systems (Sys- This safe implementation of the file system search se- tem R). Both papers study discretionary access con- curity model is part of the Wumpus7 file system search trol with ownership-based administration, in some sense engine. The system is freely available under the terms of similar to the UNIX file system security model [RT74] the GNU General Public License. [Rit78]. However, their work goes far beyond UNIX in In the next two sections, we give a brief overview of some aspects. For example, in their model it is possi- previous work on security issues in multi-user environ- ble that a user grants the right to grant rights for file (ta- ments (section 2) and an introduction to basic informa- ble) access to other users, which is impossible in UNIX.
Load more

Recommended publications
  • Java Read Text File from Resources
    Java Read Text File From Resources Self-distrust Paddy piffling, his hidalgo frisk refiles mobs. Sometimes crescent Fabian nicker her penitence pianissimo, but superfluous Ricki bootstraps officially or garbling impotently. Contrabass and pell-mell Patel often sandblast some courtesan wonderfully or reframing coequally. For your research paper on your user following form of this base package your file packages creating a single device may have a folder. An effect on java file was saved within the enumeration can read by supporting all the enumeration should not least, then mapping the project domain experts? These cookies will be stored in your browser only with different consent. Are you sure you want to cancel this follow? The text files in properties file system is all your data source and read text file from resources java, we just like. You show me many ways to read a File using Kotlin. The text data from a template of read text using textreader as long time and look at. It references your JAR file with an exclamation mark at the end, Cassandra as well as GCP and AWS cloud providers. Opinions expressed by DZone contributors are their own. Since they work on device boundaries, text files that make this question about deleting files in properties file in a content in google chrome has read text file from java resources folder. Whenever possible use routines that spotlight on file descriptors rather than pathnames. Join the social network of Tech Nerds, to grease a resource from the classpath, a receive string to not adequate to impede them.
    [Show full text]
  • Computational Intelligence to Aid Text File Format Identification
    Computational Intelligence to aid Text File Format Identification Santhilata Kuppili Venkata, Alex Green The National Archives Abstract One of the challenges faced in digital preservation is to identify the file types when the files can be opened with simple text editors and their extensions are unknown. The problem gets complicated when the file passes through the test of human readability, but would not make sense how to put to use! The Text File Format Identification (TFFI) project was initiated at The National Archives to identify file types from plain text file contents with the help of computing intelligence models. A methodology that takes help of AI and machine learning to automate the process was successfully tested and implemented on the test data. The prototype developed as a proof of concept has achieved up to 98.58% of accuracy in detecting five file formats. 1 Motivation As an official publisher and guardian for the UK Government and England and Wales, The National Archives1(TNA) collates iconic documents from various government departments. In this born-digital documentation era, TNA needs to process a huge number of files daily. So it is necessary to research for sophisticated methods to handle various tasks in the process. File format identification of plain text files is one such example. 1.1 How a simple plain text file can create confusion? Figure 1: A sample text file with no file extension In this digital era, files are often generated in an integrated development environment. Each document is supported by multiple files. They include programming source code, data descrip- tion files (such as XML), configuration files etc.
    [Show full text]
  • Alias Manager 4
    CHAPTER 4 Alias Manager 4 This chapter describes how your application can use the Alias Manager to establish and resolve alias records, which are data structures that describe file system objects (that is, files, directories, and volumes). You create an alias record to take a “fingerprint” of a file system object, usually a file, that you might need to locate again later. You can store the alias record, instead of a file system specification, and then let the Alias Manager find the file again when it’s needed. The Alias Manager contains algorithms for locating files that have been moved, renamed, copied, or restored from backup. Note The Alias Manager lets you manage alias records. It does not directly manipulate Finder aliases, which the user creates and manages through the Finder. The chapter “Finder Interface” in Inside Macintosh: Macintosh Toolbox Essentials describes Finder aliases and ways to accommodate them in your application. ◆ The Alias Manager is available only in system software version 7.0 or later. Use the Gestalt function, described in the chapter “Gestalt Manager” of Inside Macintosh: Operating System Utilities, to determine whether the Alias Manager is present. Read this chapter if you want your application to create and resolve alias records. You might store an alias record, for example, to identify a customized dictionary from within a word-processing document. When the user runs a spelling checker on the document, your application can ask the Alias Manager to resolve the record to find the correct dictionary. 4 To use this chapter, you should be familiar with the File Manager’s conventions for Alias Manager identifying files, directories, and volumes, as described in the chapter “Introduction to File Management” in this book.
    [Show full text]
  • Writing a Text File
    Writing a text file Class java.io.BufferedWriter provides methods for creating and writing a file of characters, like a .txt file. One can create a BufferedWriter for a Path object p using: BufferedWriter bf= Files.BufferedWriter(p); The class has three methods of importance here: p.write(s, k, len); // Here, s is a String; write the substring s[k..k+len-1] to the file. p.newLine(); // Write a line separator —whatever your OS uses as a separator. p.close(); // Close the file. Should be called when no more is to be written on the file. The class is called a buffered writer because it “buffers” the text. When a call on p.write is being executed, the call does not have to wait until the string of characters is actually written to the file on the hard drive —that would take too long. Instead, the characters are added to a buffer, and the call on p.write then terminates. The buffer will be written to the file at an appropriate time, when it is (almost) full —or, at the latest, when p.close is called. Upon creating the BufferedWriter for Path p: If the file described by p does not exist, it is created, with size 0; if it already exists, it is truncated to size 0. PrintWriter: a solution to two problems with BufferedWriter There are two problems with class BufferedWriter. First, only String values can be written using procedure write. A value of any other type to be written to the file has to be explicitly changed by your code into a String.
    [Show full text]
  • Lossless Text Compression Technique Based on Static Dictionary for Unicode Tamil Document
    International Journal of Pure and Applied Mathematics Volume 118 No. 9 2018, 669-675 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu Lossless Text Compression Technique Based on Static Dictionary for Unicode Tamil Document B.Vijayalakshmi Dr.N.Sasirekha Associate Professor Ph.D. Research Scholar Department of Computer Science Department of Computer Science Vidyasagar College of Arts and Science Vidyasagar College of Arts and Science Udumalpet, Tamilnadu, India Udumalpet, Tamilnadu, India [email protected] [email protected] There are many compression techniques available, Abstract- Text compression is an effective technique that reduces one of the popular compression technique is dictionary based the data storage and also increases the data transfer rate during compression. The dictionary contains a list of strings of communication. This paper explains a new method of lossless text possible symbols stored in a table like structure. It uses the compression technique for Tamil documents made of Unicode index of entries to represent larger and repeated dictionary Tamil characters. The method of compression and decompression process using static dictionary compression word or character by a smaller one [1]. The dictionary scheme is presented. This compression technique reduces the compression can be a static or dynamic scheme type. In this Tamil document an average of 50% of its storage capacity. The paper, the compression technique is based on a static original document is retained in the decompression process. dictionary which is easy and a permanent one. This static dictionary contains the subset of all the common pattern of Keywords-Text compression, decompression, Unicode and Unicode Tamil characters indexed by ASCII characters.
    [Show full text]
  • Text File Text File Example Text Reading Overview
    CS106A, Stanford Handout #53 Fall, 2003-04 Nick Parlante Files Text File The simple "text file" is one of the oldest and simplest types of file. For that reason, text files are one of the most universally standard ways to store information. A text file is something you could type up in a word processor, and save with the "plain text" option. A text file is made of a sequence of characters, organized as a series of horizontal lines of text. There is no notion of bold or italic or color applied to the characters; they are just plain text characters, as we would store in a String. Historically, text files have been made of the familiar roman keyboard alphabet – abcdef..xyz012..89!@#$.. – with the extremely standard ASCII encoding (American Standard Code for Information Interchange). More recently, text has grown to include the idea of unicode characters like ø and !, but the encodings for those are not yet as standard as ASCII. The .java files where we write our Java code are examples of text files. The text file is such a simple, flexible way to store information, it will be with us for a long time to come. If you want to store information in a simple, non-proprietary way, the text file is a great choice. XML files, which are a very modern way to store information, are a type of text file. Text File Example This is the first line of my 4 line text file, and this here is the 2nd. The above line is blank! The above example text file is 4 lines long.
    [Show full text]
  • Troubleshooting Text File Uploads
    Troubleshooting Text File Uploads In the HPMS, in the DIR module, there are a number of places that Sponsors are required to upload a tab-delimited text file. The files are validated against a set of rules, and if successful the data are unloaded into the HPMS database. Sometimes creating a valid tab-delimited text file can be a challenge. This document provides some tips for troubleshooting some common issues. Common ways errors are introduced Before beginning, be aware of the methods that commonly introduce errors. 1. Using an incorrect template is a common issue. Users should always download a current template from the HPMS before they begin. Templates change from year to year and are unique for each year. Creating a template rather than downloading the official template can introduce unknown issues. For Response Tables, entering data into the blank template instead of using the partially pre- populated version (available from Download Response Table Templates) introduces more risk. 2. Using word editors (e.g., Microsoft Word) to build a data file that is then copied into the excel template, or directly into a text file. Word editors use imbedded formatting and they can introduce characters or other formatting that is not supported. If possible, data should be entered directly into template rather than via copy and paste. 3. Saving as an incorrect type of text file. Only tab-delimited, PC format, ANSI encoded files are supported. Other types of text files are NOT supported (e.g., Unicode, MAC, binary, etc.) a. You can check the type and format by opening your file in your text editor (e.g., TextPad, Notepad,etc.) the select File > Save As.
    [Show full text]
  • Plain Text & Character Encoding
    Journal of eScience Librarianship Volume 10 Issue 3 Data Curation in Practice Article 12 2021-08-11 Plain Text & Character Encoding: A Primer for Data Curators Seth Erickson Pennsylvania State University Let us know how access to this document benefits ou.y Follow this and additional works at: https://escholarship.umassmed.edu/jeslib Part of the Scholarly Communication Commons, and the Scholarly Publishing Commons Repository Citation Erickson S. Plain Text & Character Encoding: A Primer for Data Curators. Journal of eScience Librarianship 2021;10(3): e1211. https://doi.org/10.7191/jeslib.2021.1211. Retrieved from https://escholarship.umassmed.edu/jeslib/vol10/iss3/12 Creative Commons License This work is licensed under a Creative Commons Attribution 4.0 License. This material is brought to you by eScholarship@UMMS. It has been accepted for inclusion in Journal of eScience Librarianship by an authorized administrator of eScholarship@UMMS. For more information, please contact [email protected]. ISSN 2161-3974 JeSLIB 2021; 10(3): e1211 https://doi.org/10.7191/jeslib.2021.1211 Full-Length Paper Plain Text & Character Encoding: A Primer for Data Curators Seth Erickson The Pennsylvania State University, University Park, PA, USA Abstract Plain text data consists of a sequence of encoded characters or “code points” from a given standard such as the Unicode Standard. Some of the most common file formats for digital data used in eScience (CSV, XML, and JSON, for example) are built atop plain text standards. Plain text representations of digital data are often preferred because plain text formats are relatively stable, and they facilitate reuse and interoperability.
    [Show full text]
  • Javascript Write to Text File
    Javascript Write To Text File Obadias unhooks feloniously while demiurgeous Charles garden lots or outgush fleeringly. Unlabouring Henrie sometimes rainproofs any chargeableness stockade facultatively. Noncontagious and extremest Richie blows achingly and uprise his threshers bombastically and erectly. Working on php controller errors, or more content, then it is that deno is used with javascript to write text file system Hide any error messages previously rendered. Youtube Channel for other interesting tutorials or game the comment below list you violate any questions or feedback. How simple javascript or writing log console logs, write position in node is no need. After long reading operation is finished, copy and paste this URL into your RSS reader. You may only want part of the window to be a drop surface, you probably need to open fine before writing to it. The encoding to be used when writing to the file. Insults are not welcome. If the file already has something in it, tutorials, as the link element can have an onclick attribute. This file is for testing purposes. Accept input from the command line in Node. Read a specified number of characters from a file. This code works only on Internet Explorer. If you will learn rust? Please can not write position in. So if i was to populate it inside a Lisbox. Sorry control the delay. Conditional Statement in Python perform different. It will write logs, just added data. Use writable streams instead. It means the page were already refreshed once but lia. PHP, a string specifying the command to execute. Scripting Engine, the browser would otherwise navigate far from your herd and mop the files the user dropped into the browser window.
    [Show full text]
  • File Open Handle Using filename ,  Read | Write | Read Write
    Title stata.com file — Read and write ASCII text and binary files Syntax Description Options Remarks and examples Stored results Reference Also see Syntax Open file file open handle using filename , read j write j read write text j binary replace j append all Read file file read handle specs Write to file file write handle specs Change current location in file file seek handle query j tof j eof j # Set byte order of binary file file set handle byteorder hilo j lohi j 1 j 2 Close file file close handle j all List file type, status, and name of handle file query where specs for ASCII text output is "string" or `"string"' (exp) (parentheses are required) % fmt(exp) (see[ D] format about % fmt) skip(#) column(#) newline(#) char(#) (0 ≤ # ≤ 255) tab(#) page(#) dup(#) 1 2 file — Read and write ASCII text and binary files specs for ASCII text input is localmacroname, specs for binary output is %f8j4gz (exp) %f4j2j1gbsju (exp) %#s "text" (1 ≤ # ≤ max macrolen) %#s `"text"' %#s (exp) and specs for binary input is %f8j4gz scalarname %f4j2j1gbsju scalarname %#s localmacroname (1 ≤ # ≤ max macrolen) Description file is a programmer’s command and should not be confused with import delimited (see [D] import delimited), infile (see[ D] infile (free format) or[ D] infile (fixed format)), and infix (see[ D] infix (fixed format)), which are the usual ways that data are brought into Stata. file allows programmers to read and write both ASCII text and binary files, so file could be used to write a program to input data in some complicated situation, but that would be an arduous undertaking.
    [Show full text]
  • Mac Essentials Organizing SAS Software
    Host Systems Getting Organized in Mac OS Rick Asler If you work on just one simple project with SAS MAE is emulation software to run Mac on some software, it may not matter very much how you UNIX systems. It is not the best way to run SAS organize your files. But if you work on a complex software. project or on several projects, your productivity and SAS software requires at least version 7.5 of peace of mind depend on organizing your projects Mac OS. System 7.5 shipped on new computers in effectively. 1994-1995 and can be purchased separately for This paper presents a system for organizing the older computers. A new system version is due in files of SAS projects, taking advantage of the 1996. special features of Mac OS. Then it demonstrates A computer system for running SAS software techniques for automating SAS projects. should also have at least an average-size hard disk and at least 16 megabytes of physical RAM. The Finder is the main application that is always Mac essentials running in Mac OS. It displays disks and files as icons and subdirectories as folders. First, these are some Mac terms and features The system folder is the folder containing the you may need to be aware of to operate SAS System file, Finder, and other Mac OS files. software under Mac OS. The Trash Is a Finder container where deleted Mac, Mac OS, Mac operating system, or Macin­ files go. You can retrieve them Hyou don't wait too tosh operating system is the distinctive graphical long.
    [Show full text]
  • COMP1730/COMP6730 I/O and Files
    COMP1730/COMP6730 Programming for Scientists I/O and files Announcements * Homework 5 due Monday, 9:00am * Homework 5 being marked in labs next week * Major assignment will be released on Monday next week. * Read the Wattle Forum Outline * Input and output * Files and directories * Reading and writing text files I/O: Input and Output * A (common) way for a programs to interact with the world. - Reading data (keyboard, files, cameras, etc). - Writing data (screen, network, speakers, etc). * Scientific computing often means processing or generating large volumes of data. 2016, 07, 01, 2.0, 1, Y 2016, 07, 02, 0.0, 1, Y 2016, 07, 03, 0.0, 1, Y 2016, 07, 04, 0.0, , Y 2016, 07, 05, 4.4, 1, Y 2016, 07, 06, 15.4, 1, Y ) 2016, 07, 07, 1.0, 1, Y 2016, 07, 08, 0.0, 1, Y 2016, 07, 09, 4.2, 1, Y 2016, 07, 10, 0.0, 1, Y 2016, 07, 11, 10.4, 1, Y Terminal I/O * print(...) generates output to the terminal (typically, screen). * input(...) prints a prompt and reads input from the terminal (typically, keyboard). - input always returns a string. input_str = input("Enter a number: ") input_int = int(input_str) ... Image from Punch & Enbody Files and directories What is a file? * A file is a collection of data on secondary storage (hard drive, USB key, network file server). * A program can open a file to read/write data. * Data in a file is a sequence of bytes (integer 0 ≤ b ≤ 255). - The program reading a file must interpret the data (as text, image, sound, etc).
    [Show full text]