Principle of least privilege
Encyclopedia
In information security
, computer science
, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer
of a computing environment, every module (such as a process
, a user
or a program
depending on the subject) must be able to access only the information
and resources
that are necessary for its legitimate purpose.
In other words, this means giving a user only those privileges which are essential to do his/her work. For example, a backup user does not need to install software, hence the backup user has rights only to run backup and backup-related applications. Any other privileges like installing software etc. are blocked. The principle applies also to a single home PC user who usually does work in a normal user account, and opens their privileged, password protected account (that is, a superuser
) only when the situation absolutely demands it.
When applied to users
, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications
with as few privileges as possible. LUA bugs
occur when applications do not work correctly without elevated privileges.
).
The principle of least privilege is also known as the principle of least authority (POLA).
The kernel
always runs with maximum privileges since it is the operating system
core and has hardware access. One of the principal responsibilities of an operating system, particularly a multi-user operating system, is management of the hardware's availability and requests to access it from running processes. When the kernel crashes, the mechanisms by which it maintains state also fail. Even if there is a way for the CPU
to recover without a hard reset, the code that resumes execution is not always what it should be. Security continues to be enforced, but the operating system can't respond to the failure properly because detection of the failure wasn't possible. This is because kernel execution either halted or the program counter
resumed execution from somewhere in endless, and — usually — non-functional loop.
If execution picks up, after the crash, by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible so that, in the event this occurs — or even if execution picks up from an unexpected location — what resumes execution does not have the ability to do bad things. One method used to accomplish this can be implemented in the microprocessor hardware. In x86 architecture, the manufacturer designed four (ring 0 - ring 3) running "modes". (This term can be confusing because the term "mode" is used in certain OS variants to refer cumulatively, to the state of the set of bits associated with a given resource).
Least privilege is widely misunderstood and, in particular, is almost always confused with the Trusted Computer System Evaluation Criteria
(TCSEC) concept of trusted computing base
(TCB) minimization. Minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes, viz., B3 and A1 (which are evidentiarily different but functionally identical).
Least privilege is often associated with privilege bracketing, that is, assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly avoiding fallout from erroneous code that unintentionally exploits more privilege than is merited. Least privilege has also been interpreted in the context of distribution of discretionary access control
(DAC) permissions, for example asserting that giving user U read/write access to file F violates least privilege if U can complete his authorized tasks with only read permission.
As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of fork
. An executable file that performs a privileged function—thereby technically constituting a component of the TCB
, and concomitantly termed a trusted program or trusted process—may also be marked with a set of privileges, a logical extension of the notions of set user ID
and set group ID. The inheritance of file privileges by a process are determined by the semantics of the exec family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is practiced by forcing a process to run with only those privileges required by the task. Adherence to this model is quite complex as well as error-prone.
Historically, the oldest instance of least privilege is probably the source code of login.c, which begins execution with super-user permissions and—the instant they are no longer necessary—dismisses them via setuid with a non-zero argument.
Another limitation is the granularity of control that the operating environment has over privileges for an individual process. In practice, it is rarely possible to control a process' access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.
:
Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. (Protection and the Control of Information Sharing in Multics, CACM 1974, volume 17, issue 7, page 389)
Peter J. Denning
, in his paper "Fault Tolerant Operating Systems" set it in a broader perspective among four fundamental principles of fault tolerance.
Dynamic assignments of privileges was earlier discussed by Roger Needham
in 1972.
Information security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction....
, computer science
Computer science
Computer science or computing science is the study of the theoretical foundations of information and computation and of practical techniques for their implementation and application in computer systems...
, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer
Abstraction layer
An abstraction layer is a way of hiding the implementation details of a particular set of functionality...
of a computing environment, every module (such as a process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
, a user
User (computing)
A user is an agent, either a human agent or software agent, who uses a computer or network service. A user often has a user account and is identified by a username , screen name , nickname , or handle, which is derived from the identical Citizen's Band radio term.Users are...
or a program
Computer program
A computer program is a sequence of instructions written to perform a specified task with a computer. A computer requires programs to function, typically executing the program's instructions in a central processor. The program has an executable form that the computer can use directly to execute...
depending on the subject) must be able to access only the information
Information
Information in its most restricted technical sense is a message or collection of messages that consists of an ordered sequence of symbols, or it is the meaning that can be interpreted from such a message or collection of messages. Information can be recorded or transmitted. It can be recorded as...
and resources
Resource (computer science)
A resource, or system resource, is any physical or virtual component of limited availability within a computer system. Every device connected to a computer system is a resource. Every internal system component is a resource...
that are necessary for its legitimate purpose.
In other words, this means giving a user only those privileges which are essential to do his/her work. For example, a backup user does not need to install software, hence the backup user has rights only to run backup and backup-related applications. Any other privileges like installing software etc. are blocked. The principle applies also to a single home PC user who usually does work in a normal user account, and opens their privileged, password protected account (that is, a superuser
Superuser
On many computer operating systems, the superuser is a special user account used for system administration. Depending on the operating system, the actual name of this account might be: root, administrator or supervisor....
) only when the situation absolutely demands it.
When applied to users
User (computing)
A user is an agent, either a human agent or software agent, who uses a computer or network service. A user often has a user account and is identified by a username , screen name , nickname , or handle, which is derived from the identical Citizen's Band radio term.Users are...
, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications
Application software
Application software, also known as an application or an "app", is computer software designed to help the user to perform specific tasks. Examples include enterprise software, accounting software, office suites, graphics software and media players. Many application programs deal principally with...
with as few privileges as possible. LUA bugs
Software bug
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's...
occur when applications do not work correctly without elevated privileges.
Usage
The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer securityComputer security
Computer security is a branch of computer technology known as information security as applied to computers and networks. The objective of computer security includes protection of information and property from theft, corruption, or natural disaster, while allowing the information and property to...
).
The principle of least privilege is also known as the principle of least authority (POLA).
The kernel
Kernel (computing)
In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel's responsibilities include managing the system's resources...
always runs with maximum privileges since it is the operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
core and has hardware access. One of the principal responsibilities of an operating system, particularly a multi-user operating system, is management of the hardware's availability and requests to access it from running processes. When the kernel crashes, the mechanisms by which it maintains state also fail. Even if there is a way for the CPU
Central processing unit
The central processing unit is the portion of a computer system that carries out the instructions of a computer program, to perform the basic arithmetical, logical, and input/output operations of the system. The CPU plays a role somewhat analogous to the brain in the computer. The term has been in...
to recover without a hard reset, the code that resumes execution is not always what it should be. Security continues to be enforced, but the operating system can't respond to the failure properly because detection of the failure wasn't possible. This is because kernel execution either halted or the program counter
Program counter
The program counter , commonly called the instruction pointer in Intel x86 microprocessors, and sometimes called the instruction address register, or just part of the instruction sequencer in some computers, is a processor register that indicates where the computer is in its instruction sequence...
resumed execution from somewhere in endless, and — usually — non-functional loop.
If execution picks up, after the crash, by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible so that, in the event this occurs — or even if execution picks up from an unexpected location — what resumes execution does not have the ability to do bad things. One method used to accomplish this can be implemented in the microprocessor hardware. In x86 architecture, the manufacturer designed four (ring 0 - ring 3) running "modes". (This term can be confusing because the term "mode" is used in certain OS variants to refer cumulatively, to the state of the set of bits associated with a given resource).
Least privilege is widely misunderstood and, in particular, is almost always confused with the Trusted Computer System Evaluation Criteria
Trusted Computer System Evaluation Criteria
Trusted Computer System Evaluation Criteria is a United States Government Department of Defense standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system...
(TCSEC) concept of trusted computing base
Trusted computing base
The trusted computing base of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system...
(TCB) minimization. Minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes, viz., B3 and A1 (which are evidentiarily different but functionally identical).
Least privilege is often associated with privilege bracketing, that is, assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly avoiding fallout from erroneous code that unintentionally exploits more privilege than is merited. Least privilege has also been interpreted in the context of distribution of discretionary access control
Discretionary access control
In computer security, discretionary access control is a kind of access control defined by the Trusted Computer System Evaluation Criteria "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong...
(DAC) permissions, for example asserting that giving user U read/write access to file F violates least privilege if U can complete his authorized tasks with only read permission.
As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of fork
Fork (operating system)
In computing, when a process forks, it creates a copy of itself. More generally, a fork in a multithreading environment means that a thread of execution is duplicated, creating a child thread from the parent thread....
. An executable file that performs a privileged function—thereby technically constituting a component of the TCB
Trusted computing base
The trusted computing base of a computer system is the set of all hardware, firmware, and/or software components that are critical to its security, in the sense that bugs or vulnerabilities occurring inside the TCB might jeopardize the security properties of the entire system...
, and concomitantly termed a trusted program or trusted process—may also be marked with a set of privileges, a logical extension of the notions of set user ID
Setuid
setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
and set group ID. The inheritance of file privileges by a process are determined by the semantics of the exec family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is practiced by forcing a process to run with only those privileges required by the task. Adherence to this model is quite complex as well as error-prone.
Historically, the oldest instance of least privilege is probably the source code of login.c, which begins execution with super-user permissions and—the instant they are no longer necessary—dismisses them via setuid with a non-zero argument.
Benefits
- Better system stability. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other applications. In practice for example, applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system.
- Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states “Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attackShatter attackIn computing, a shatter attack is a programming technique employed by crackers on Microsoft Windows operating systems that can be used to bypass security restrictions between processes in a session...
s" and malware, such as root kits, spyware, and undetectable viruses”.
- Ease of deployment. In general, the fewer privileges an application requires the easier it is to deploy within a larger environment. This usually results from the first two benefits, applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment, for example on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges.
Limitations
In practice, true least privilege is neither definable nor possible to enforce. Currently, there is no method that allows evaluation of a process to define the least amount of privileges it will need to perform its function. This is because it is not possible to know all the values of variables it may process, addresses it will need, or the precise time such things will be required. Currently, the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary. The resulting set of privileges still exceeds the true minimum required privileges for the process.Another limitation is the granularity of control that the operating environment has over privileges for an individual process. In practice, it is rarely possible to control a process' access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.
History
The original formulation is from Jerome SaltzerJerome H. Saltzer
Jerome H. Saltzer is a computer scientist who has made many notable contributions.-Career:He received an Sc. D in Electrical Engineering from MIT in 1966...
:
Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job. (Protection and the Control of Information Sharing in Multics, CACM 1974, volume 17, issue 7, page 389)
Peter J. Denning
Peter J. Denning
Peter J. Denning is an American computer scientist, and prolific writer. He is best known for pioneering work in virtual memory, especially for inventing the working-set model for program behavior, which defeated thrashing in operating systems and became the reference standard for all memory...
, in his paper "Fault Tolerant Operating Systems" set it in a broader perspective among four fundamental principles of fault tolerance.
Dynamic assignments of privileges was earlier discussed by Roger Needham
Roger Needham
Roger Michael Needham, CBE, FRS, FREng was a British computer scientist.-Early life:He attended Doncaster Grammar School for Boys in Doncaster ....
in 1972.
See also
- CapabilityCapability-based securityCapability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights...
and Capabilities vs. ACLs - Compartmentalization (intelligence)Compartmentalization (intelligence)In matters concerning information security, whether public or private sector, compartmentalization is the limiting of access to information to persons or other entities who have a need to know it in order to perform certain tasks....
- Confused deputy problemConfused deputy problemA confused deputy is a computer program that is innocently fooled by some other party into misusing its authority. It is a specific type of privilege escalation...
- Need to knowNeed to knowThe term "need to know", when used by government and other organizations , describes the restriction of data which is considered very sensitive...
- Privilege escalationPrivilege escalationPrivilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user...
- Privilege revocationPrivilege revocationPrivilege revocation is the act of an entity giving up some, or all of, the privileges they possess, or some authority taking those rights away.- Information theory :...
- Privilege separationPrivilege separationIn computer programming and computer security, privilege separation is a technique in which a program is divided into parts which are limited to the specific privileges they require in order to perform a specific task...
(or bracketing) - setuidSetuidsetuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group...
- sudoSudosudo is a program for Unix-like computer operating systems that allows users to run programs with the security privileges of another user...
External links
- The Saltzer and Schroeder paper cited in the references.
- NSA (the one that implemented SELinux) talks about the principle of least privilege
- A discussion of the implementation of the principle of least privilege in Solaris
- "Proof that LUA makes you safer" by Dana Epp
- Applying the Principle of Least Privilege to User Accounts on Windows XP, by Microsoft
- Privilege Bracketing in the Solaris 10 Operating System, Sun Microsystems