fbpx
Wikipedia

Principle of least privilege

February 16, 2024

Not to be confused with Rule of least power.

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.[1]

Details edit

The principle means giving any users account or processes only those privileges which are essentially vital to perform its intended functions. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle applies also to a personal computer user who usually does work in a normal user account, and opens a privileged, password protected account only when the situation absolutely demands it.

When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept, that all user accounts should run with as few privileges as possible, and also launch applications with as few privileges as possible.

The principle of (least privilege) is widely recognized as an important design consideration towards enhancing and giving a much needed 'Boost' to the protection of data and functionality from faults (fault tolerance) and malicious behavior.

Benefits of the principle include:

  • Intellectual Security. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other security targeted applications. In practice for example, applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system.
  • Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states “Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses”.[2]
  • Ease of deployment. In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment. This usually results from the first two benefits, applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment. For example, on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges.[3]

In practice, there exist multiple competing definitions of true (least privilege). As program complexity increases rapidly, so do the number of potential issues, rendering a predictive approach impractical. Examples include the values of variables it may process, addresses it will need, or the precise time such things will be required. Object capability systems allow, for instance, deferring granting a single-use privilege until the time when it will be used. Currently, the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary or one option worth mentioning and giving the utmost security based reasoning, ponder this, in a potential malicious environment the violators, (hackers) need as much access to your infrastructure as possible. So, it stands to reason that in a harmful instance if we stay off of our devices then at the risk of 'stating the obvious' the less you use your device the more at risk the user will be.. The resulting set of privileges typically exceeds the true minimum required privileges for the process.

Another limitation is the granularity of control that the operating environment has over privileges for an individual process.[4] In practice, it is rarely possible to control a process's access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.

The original formulation is from Jerome Saltzer:[5]

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.

— Jerome Saltzer, Communications of the ACM

Peter J. Denning, His paper "Fault Tolerant Operating Systems", set it in a broader perspective among "The four fundamental principles of fault tolerance".

"Dynamic assignments of privileges" was earlier discussed by Roger Needham in 1972.[6][7]

Historically, the oldest instance of (least privilege) is probably the source code of login.c, which begins execution with super-user permissions and—the instant they are no longer necessary—dismisses them via setuid() with a non-zero argument as demonstrated in the Version 6 Unix source code.

Implementation edit

The kernel always runs with maximum privileges since it is the operating system core and has hardware access. One of the principal responsibilities of an operating system, particularly a multi-user operating system, is management of the hardware's availability and requests to access it from running processes. When the kernel crashes, the mechanisms by which it maintains state also fail. Therefore, even if there is a way for the CPU to recover without a hard reset, security continues to be enforced, but the operating system cannot properly respond to the failure because it was not possible to detect the failure. This is because kernel execution either halted or the program counter resumed execution from somewhere in an endless, and—usually—non-functional loop.[citation needed] This would be akin to either experiencing amnesia (kernel execution failure) or being trapped in a closed maze that always returns to the starting point (closed loops).

 
The principle of least privilege demonstrated by privilege rings for the Intel x86

If execution picks up after the crash by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible. This means that the code that resumes the code execution-whether trojan or simply code execution picking up from an unexpected location—would not have the ability to perform malicious or undesirable processes. One method used to accomplish this can be implemented in the microprocessor hardware. For example, in the Intel x86 architecture the manufacturer designed four (ring 0 through ring 3) running "modes" with graduated degrees of access-much like security clearance systems in defence and intelligence agencies.[citation needed]

As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set.[citation needed] Such privilege sets are inherited from the parent as determined by the semantics of fork(). An executable file that performs a privileged function—thereby technically constituting a component of the TCB, and concomitantly termed a trusted program or trusted process—may also be marked with a set of privileges. This is a logical extension of the notions of set user ID and set group ID.[citation needed] The inheritance of file privileges by a process are determined by the semantics of the exec() family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is practiced by forcing a process to run with only those privileges required by the task. Adherence to this model is quite complex as well as error-prone.

Similar principles edit

The Trusted Computer System Evaluation Criteria (TCSEC) concept of trusted computing base (TCB) minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes, viz., B3 and A1 (which are evidentiarily different but functionally identical).

Least privilege is often associated with privilege bracketing: that is, assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly reducing fallout from erroneous code that unintentionally exploits more privilege than is merited. Least privilege has also been interpreted in the context of distribution of discretionary access control (DAC) permissions, for example asserting that giving user U read/write access to file F violates least privilege if U can complete his authorized tasks with only read permission.

See also edit

References edit

  1. ^ Saltzer, Jerome H.; Schroeder, Michael D. (1975). "The protection of information in computer systems". Proceedings of the IEEE. Institute of Electrical and Electronics Engineers (IEEE). 63 (9): 1278–1308. doi:10.1109/proc.1975.9939. ISSN 0018-9219. OCLC 5871551104. S2CID 269166.
  2. ^ Jonathan, Clark; DABCC Inc. . Archived from the original on 10 February 2013. Retrieved 15 Mar 2013.
  3. ^ Aaron Margosis (August 2006). "Problems of Privilege: Find and Fix LUA Bugs". Microsoft.
  4. ^ . Archived from the original on 2007-10-20. Retrieved 2007-11-17.
  5. ^ Saltzer, Jerome H. (1974). "Protection and the control of information sharing in multics". Communications of the ACM. 17 (7): 388–402. CiteSeerX 10.1.1.226.3939. doi:10.1145/361011.361067. ISSN 0001-0782. S2CID 326132.
  6. ^ Needham, R. M. (1972). "Protection systems and protection implementations". Proceedings of the AFIPS '72 Fall Joint Computer Conference, December 5-7, 1972, Part I. pp. 571–578. doi:10.1145/1479992.1480073. S2CID 7371342.
  7. ^ Fred B. Schneider. "Least Privilege and More" (PDF).

Bibliography edit

  • Ben Mankin, The Formalisation of Protection Systems, Ph.D. thesis, University of Bath, 2004
  • P. J. Denning (December 1976). "Fault tolerant operating systems". ACM Computing Surveys. 8 (4): 359–389. doi:10.1145/356678.356680. S2CID 207736773.
  • Jerry H. Saltzer, Mike D. Schroeder (September 1975). "The protection of information in computer systems". Proceedings of the IEEE. 63 (9): 1278–1308. CiteSeerX 10.1.1.126.9257. doi:10.1109/PROC.1975.9939. S2CID 269166.
  • Deitel, Harvey M. (1990). An introduction to operating systems (revisited first ed.). Addison-Wesley. p. 673. ISBN 978-0-201-14502-1. page 31.
  • Sean Martin (April 2012). "Are security basics getting lost under the cover of cloud and mobile?". SC Magazine.
  • SANS Institute (May 2013). (PDF). SANS Institute. Archived from the original (PDF) on 2013-11-01.

External links edit

  • Managing least privileges from the cloud by Monique Sendze
  • The Saltzer and Schroeder paper cited in the references.
  • A discussion of the implementation of the principle of least privilege in Solaris
  • Tom's IT Pro: Most Organizations Unaware of Employees With Admin Rights
  • "Proof that LUA makes you safer" by Dana Epp 2010-05-23 at the Wayback Machine
  • Applying the Principle of Least Privilege to User Accounts on Windows XP, by Microsoft
  • "Commercial enterprises are putting our critical infrastructure at risk" CSO
  • How to successfully implement the principle of least privilege

February 16, 2024
principle, least, privilege, confused, with, rule, least, power, this, article, needs, additional, citations, verification, please, help, improve, this, article, adding, citations, reliable, sources, unsourced, material, challenged, removed, find, sources, new. Not to be confused with Rule of least power This article needs additional citations for verification Please help improve this article by adding citations to reliable sources Unsourced material may be challenged and removed Find sources Principle of least privilege news newspapers books scholar JSTOR April 2019 Learn how and when to remove this template message In information security computer science and other fields the principle of least privilege PoLP also known as the principle of minimal privilege PoMP or the principle of least authority PoLA requires that in a particular abstraction layer of a computing environment every module such as a process a user or a program depending on the subject must be able to access only the information and resources that are necessary for its legitimate purpose 1 Contents 1 Details 2 Implementation 3 Similar principles 4 See also 5 References 6 Bibliography 7 External linksDetails editThe principle means giving any users account or processes only those privileges which are essentially vital to perform its intended functions For example a user account for the sole purpose of creating backups does not need to install software hence it has rights only to run backup and backup related applications Any other privileges such as installing new software are blocked The principle applies also to a personal computer user who usually does work in a normal user account and opens a privileged password protected account only when the situation absolutely demands it When applied to users the terms least user access or least privileged user account LUA are also used referring to the concept that all user accounts should run with as few privileges as possible and also launch applications with as few privileges as possible The principle of least privilege is widely recognized as an important design consideration towards enhancing and giving a much needed Boost to the protection of data and functionality from faults fault tolerance and malicious behavior Benefits of the principle include Intellectual Security When code is limited in the scope of changes it can make to a system it is easier to test its possible actions and interactions with other security targeted applications In practice for example applications running with restricted rights will not have access to perform operations that could crash a machine or adversely affect other applications running on the same system Better system security When code is limited in the system wide actions it may perform vulnerabilities in one application cannot be used to exploit the rest of the machine For example Microsoft states Running in standard user mode gives customers increased protection against inadvertent system level damage caused by shatter attacks and malware such as root kits spyware and undetectable viruses 2 Ease of deployment In general the fewer privileges an application requires the easier it is to deploy within a larger environment This usually results from the first two benefits applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment For example on Windows a solution with no device drivers can be run directly with no installation while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges 3 In practice there exist multiple competing definitions of true least privilege As program complexity increases rapidly so do the number of potential issues rendering a predictive approach impractical Examples include the values of variables it may process addresses it will need or the precise time such things will be required Object capability systems allow for instance deferring granting a single use privilege until the time when it will be used Currently the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary or one option worth mentioning and giving the utmost security based reasoning ponder this in a potential malicious environment the violators hackers need as much access to your infrastructure as possible So it stands to reason that in a harmful instance if we stay off of our devices then at the risk of stating the obvious the less you use your device the more at risk the user will be The resulting set of privileges typically exceeds the true minimum required privileges for the process Another limitation is the granularity of control that the operating environment has over privileges for an individual process 4 In practice it is rarely possible to control a process s access to memory processing time I O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require The original formulation is from Jerome Saltzer 5 Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job Jerome Saltzer Communications of the ACM Peter J Denning His paper Fault Tolerant Operating Systems set it in a broader perspective among The four fundamental principles of fault tolerance Dynamic assignments of privileges was earlier discussed by Roger Needham in 1972 6 7 Historically the oldest instance of least privilege is probably the source code of login c which begins execution with super user permissions and the instant they are no longer necessary dismisses them via setuid with a non zero argument as demonstrated in the Version 6 Unix source code Implementation editThe kernel always runs with maximum privileges since it is the operating system core and has hardware access One of the principal responsibilities of an operating system particularly a multi user operating system is management of the hardware s availability and requests to access it from running processes When the kernel crashes the mechanisms by which it maintains state also fail Therefore even if there is a way for the CPU to recover without a hard reset security continues to be enforced but the operating system cannot properly respond to the failure because it was not possible to detect the failure This is because kernel execution either halted or the program counter resumed execution from somewhere in an endless and usually non functional loop citation needed This would be akin to either experiencing amnesia kernel execution failure or being trapped in a closed maze that always returns to the starting point closed loops nbsp The principle of least privilege demonstrated by privilege rings for the Intel x86If execution picks up after the crash by loading and running trojan code the author of the trojan code can usurp control of all processes The principle of least privilege forces code to run with the lowest privilege permission level possible This means that the code that resumes the code execution whether trojan or simply code execution picking up from an unexpected location would not have the ability to perform malicious or undesirable processes One method used to accomplish this can be implemented in the microprocessor hardware For example in the Intel x86 architecture the manufacturer designed four ring 0 through ring 3 running modes with graduated degrees of access much like security clearance systems in defence and intelligence agencies citation needed As implemented in some operating systems processes execute with a potential privilege set and an active privilege set citation needed Such privilege sets are inherited from the parent as determined by the semantics of fork An executable file that performs a privileged function thereby technically constituting a component of the TCB and concomitantly termed a trusted program or trusted process may also be marked with a set of privileges This is a logical extension of the notions of set user ID and set group ID citation needed The inheritance of file privileges by a process are determined by the semantics of the exec family of system calls The precise manner in which potential process privileges actual process privileges and file privileges interact can become complex In practice least privilege is practiced by forcing a process to run with only those privileges required by the task Adherence to this model is quite complex as well as error prone Similar principles editThe Trusted Computer System Evaluation Criteria TCSEC concept of trusted computing base TCB minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes viz B3 and A1 which are evidentiarily different but functionally identical Least privilege is often associated with privilege bracketing that is assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary therefore ostensibly reducing fallout from erroneous code that unintentionally exploits more privilege than is merited Least privilege has also been interpreted in the context of distribution of discretionary access control DAC permissions for example asserting that giving user U read write access to file F violates least privilege if U can complete his authorized tasks with only read permission See also editUser Account Control Capability based security Compartmentalization intelligence Confused deputy problem Encapsulation object oriented programming Need to know Privilege bracketing Privilege escalation Privilege revocation computing Privilege separation Protection ring setuid sudoReferences edit Saltzer Jerome H Schroeder Michael D 1975 The protection of information in computer systems Proceedings of the IEEE Institute of Electrical and Electronics Engineers IEEE 63 9 1278 1308 doi 10 1109 proc 1975 9939 ISSN 0018 9219 OCLC 5871551104 S2CID 269166 Jonathan Clark DABCC Inc Virtualization Guru Writes User mode is a Good Thing Deployment to Locked down Accounts without Security Elevation Archived from the original on 10 February 2013 Retrieved 15 Mar 2013 Aaron Margosis August 2006 Problems of Privilege Find and Fix LUA Bugs Microsoft Matt Bishop Computer Security Art and Science Boston MA Addison Wesley 2003 pp 343 344 cited Barnum amp Gegick 2005 Archived from the original on 2007 10 20 Retrieved 2007 11 17 Saltzer Jerome H 1974 Protection and the control of information sharing in multics Communications of the ACM 17 7 388 402 CiteSeerX 10 1 1 226 3939 doi 10 1145 361011 361067 ISSN 0001 0782 S2CID 326132 Needham R M 1972 Protection systems and protection implementations Proceedings of the AFIPS 72 Fall Joint Computer Conference December 5 7 1972 Part I pp 571 578 doi 10 1145 1479992 1480073 S2CID 7371342 Fred B Schneider Least Privilege and More PDF Bibliography editBen Mankin The Formalisation of Protection Systems Ph D thesis University of Bath 2004 P J Denning December 1976 Fault tolerant operating systems ACM Computing Surveys 8 4 359 389 doi 10 1145 356678 356680 S2CID 207736773 Jerry H Saltzer Mike D Schroeder September 1975 The protection of information in computer systems Proceedings of the IEEE 63 9 1278 1308 CiteSeerX 10 1 1 126 9257 doi 10 1109 PROC 1975 9939 S2CID 269166 Deitel Harvey M 1990 An introduction to operating systems revisited first ed Addison Wesley p 673 ISBN 978 0 201 14502 1 page 31 Sean Martin April 2012 Are security basics getting lost under the cover of cloud and mobile SC Magazine SANS Institute May 2013 20 Critical Security Controls PDF SANS Institute Archived from the original PDF on 2013 11 01 External links editManaging least privileges from the cloud by Monique Sendze The Saltzer and Schroeder paper cited in the references NSA the one that implemented SELinux talks about the principle of least privilege A discussion of the implementation of the principle of least privilege in Solaris Tom s IT Pro Most Organizations Unaware of Employees With Admin Rights Proof that LUA makes you safer by Dana Epp Archived 2010 05 23 at the Wayback Machine Applying the Principle of Least Privilege to User Accounts on Windows XP by Microsoft Commercial enterprises are putting our critical infrastructure at risk CSO How to successfully implement the principle of least privilege Retrieved from https en wikipedia org w index php title Principle of least privilege amp oldid 1200062594, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.