In information security, computer science, and other fields, the principle of least privilege, also known as the principle of minimal privilege or just least privilege, requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program, on the basis of the layer we are considering) must be able to access only such information and resources that are necessary to its legitimate purpose.

When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all users at all times should run with as few privileges as possible, and also launch applications with as few privileges as possible.
Usage
The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behavior (computer security).

The principle of least privilege is also known as the principle of least authority (POLA).

The kernel always runs with maximum privileges since it is the operating system core and has hardware access. One of the principal responsibilities of an operating system, particularly in a multi-user operating system, is management of the hardware's availability and of requests to access it from running processes. When the kernel crashes, the mechanisms by which it maintains state also fail. Even if there is a way for the CPU to recover without a hard reset, the code that resumes execution is not always what it should be. Security continues to be enforced, but the operating system can't respond to the failure properly because detection of the failure wasn't possible. This is because kernel execution either halted or the program counter resumed execution from somewhere in an endless, and usually non-functional, loop.

If execution picks up, after the crash, by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible so that, in the event this occurs, or even if execution picks up from an unexpected location, what resumes execution does not have the ability to do bad things. One method used to accomplish this can be implemented in the microprocessor hardware. In the x86 architecture, the manufacturer designed two running "modes". (This term can be confusing because the term "mode" is used in certain OS variants to refer cumulatively to the state of the set of bits associated with a given resource.)
Least privilege is widely misunderstood and, in particular, is almost always confused with the Trusted Computer System Evaluation Criteria (TCSEC) concept of trusted computing base (TCB) minimization. Minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes, viz., B3 and A1 (which are evidentiarily different but functionally identical).
Least privilege is often associated with privilege bracketing, that is, assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly avoiding fallout from erroneous code that unintentionally exploits more privilege than is merited. Least privilege has also been interpreted in the context of distribution of discretionary access control (DAC) permissions, for example asserting that giving user U read/write access to file F violates least privilege if U can complete his authorized tasks with only read permission.
As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set. Such privilege sets are inherited from the parent as determined by the semantics of fork. An executable file that performs a privileged function, thereby technically constituting a component of the TCB, and concomitantly termed a trusted program or trusted process, may also be marked with a set of privileges, a logical extension of the notions of set user ID and set group ID. The inheritance of file privileges by a process is determined by the semantics of the exec family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is practiced by forcing a process to run with only those privileges required by the task. Adherence to this model is quite complex as well as error-prone.
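To make the interaction of potential, active and file privilege sets across fork and exec concrete, the following C model is added here; it is not code from the page or from any operating system. It encodes the sets as bit masks and applies the exec-time transformation rules documented in Linux capabilities(7), assuming the ambient set is empty (the usual case for a privileged service); the privilege names PRIV_NET_BIND, PRIV_CHOWN and PRIV_SYS_ADMIN and their bit positions are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;            /* one bit per privilege */

/* Constructed sample privileges; the bit positions are arbitrary for this model. */
#define PRIV_NET_BIND  (1u << 0)
#define PRIV_CHOWN     (1u << 1)
#define PRIV_SYS_ADMIN (1u << 2)
#define PRIV_ALL       (PRIV_NET_BIND | PRIV_CHOWN | PRIV_SYS_ADMIN)

struct process_privs {
    privset_t permitted;    /* potential set: privileges the process may activate */
    privset_t effective;    /* active set: what the kernel checks on each operation */
    privset_t inheritable;  /* carried across exec, intersected with the file's set */
    privset_t bounding;     /* ceiling on what any exec can ever grant */
};

struct file_privs {
    privset_t permitted;    /* per-privilege analogue of the set-user-ID bit */
    privset_t inheritable;
    int effective;          /* if set, granted privileges are active immediately */
};

/* fork(): the child starts with an exact copy of the parent's sets. */
struct process_privs on_fork(const struct process_privs *parent) {
    return *parent;
}

/* exec(): the new image's sets are computed from the process and the file
 * (Linux capabilities(7) rules, with the ambient set assumed empty). */
struct process_privs on_exec(const struct process_privs *p, const struct file_privs *f) {
    struct process_privs n;
    n.permitted   = (p->inheritable & f->inheritable) | (f->permitted & p->bounding);
    n.effective   = f->effective ? n.permitted : 0;
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;
    return n;
}

/* Bracketing: deactivating a privilege is reversible ... */
void lower_privilege(struct process_privs *p, privset_t s) {
    p->effective &= ~s;
}

/* ... but it can only be reactivated while it is still in the permitted set.
 * Returns 1 if the privilege was activated, 0 if it had already been given up. */
int raise_privilege(struct process_privs *p, privset_t s) {
    if ((p->permitted & s) != s) return 0;
    p->effective |= s;
    return 1;
}

/* Permanent dismissal: removing a privilege from the permitted set cannot be
 * undone, except by exec'ing a file that grants it again. */
void drop_privilege(struct process_privs *p, privset_t s) {
    p->permitted &= ~s;
    p->effective &= ~s;
}

/* Scenario: a fully privileged parent forks and execs a service binary that is
 * marked with only the privilege to bind low ports.  Returns the child's
 * effective set after exec: the child is narrowed to that single privilege. */
privset_t effective_after_service_exec(void) {
    struct process_privs parent = { PRIV_ALL, PRIV_ALL, 0, PRIV_ALL };
    struct file_privs service = { PRIV_NET_BIND, 0, 1 };
    struct process_privs child = on_fork(&parent);
    child = on_exec(&child, &service);
    return child.effective;
}

/* Scenario: the service lowers the bind privilege after binding its socket,
 * re-raises it once for a re-bind, then drops it for good.  Returns 1 if the
 * re-raise succeeded and the post-drop raise failed, as least privilege intends. */
int bracket_then_drop_ok(void) {
    struct process_privs p = { PRIV_NET_BIND, PRIV_NET_BIND, 0, PRIV_ALL };
    lower_privilege(&p, PRIV_NET_BIND);
    int raised = raise_privilege(&p, PRIV_NET_BIND);
    drop_privilege(&p, PRIV_NET_BIND);
    int raised_after_drop = raise_privilege(&p, PRIV_NET_BIND);
    return raised == 1 && raised_after_drop == 0 && p.effective == 0;
}

int main(void) {
    printf("effective after exec: 0x%x\n", effective_after_service_exec());
    printf("bracket then drop behaves as expected: %d\n", bracket_then_drop_ok());
    return 0;
}
```

Two things the model makes visible that the prose only states: a file whose effective flag is clear leaves the new image with an empty active set even though its potential set is non-empty, so the program must raise each privilege explicitly (bracketing is the default, not an option); and the bounding set, unchanged by exec, is what makes a dropped privilege stay dropped across later execs of files that would otherwise grant it.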
Historically, the oldest instance of least privilege is probably the source code of login.c, which begins execution with super-user permissions and, the instant they are no longer necessary, dismisses them via setuid with a non-zero argument.
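The privilege bracketing described earlier and the permanent drop that login.c performs, written out in C as an added example (not code from the page and not from any login implementation). It assumes a POSIX system with saved set-user-IDs (Linux, the BSDs, Solaris) and uses uid/gid 65534 as a placeholder for an unprivileged account; both demo functions adapt to being run as an ordinary user so the code path can be exercised without root.

```c
#define _DEFAULT_SOURCE          /* exposes seteuid() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define UNPRIVILEGED_UID ((uid_t)65534)   /* placeholder for "nobody"; an assumption */
#define UNPRIVILEGED_GID ((gid_t)65534)

/* Bracketing, step 1: set the privileged effective uid aside.  It stays in the
 * saved set-user-ID, so this is reversible.  Returns 0 on success, -1 on error. */
int lower_privileges(uid_t unprivileged_uid) {
    return seteuid(unprivileged_uid);
}

/* Bracketing, step 2: reacquire the privileged effective uid, to be done only
 * immediately around the single operation that needs it. */
int raise_privileges(uid_t privileged_uid) {
    return seteuid(privileged_uid);
}

/* Permanent drop, in the order that matters: supplementary groups first (only
 * a privileged process can change them), then the gid, then the uid.  Once the
 * uid is changed the process could no longer change its groups.  Called with
 * effective uid 0, setgid()/setuid() set the real, effective and saved ids, so
 * the drop is final, which is the login.c pattern. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* A drop is only real if it cannot be undone.  Returns 1 when the real and
 * effective uids are the target and an attempt to become root fails. */
int confirm_dropped(uid_t uid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* must fail with EPERM */
    return 1;
}

/* Bracket twice: lower, raise for the privileged operation, lower again, raise.
 * As root this swaps between 0 and the placeholder uid; as an ordinary user the
 * calls target the caller's own uid.  Returns 1 if every transition succeeded. */
int demo_bracket(void) {
    uid_t privileged = geteuid();
    uid_t unprivileged = (privileged == 0) ? UNPRIVILEGED_UID : privileged;
    if (lower_privileges(unprivileged) != 0) return 0;
    if (geteuid() != unprivileged) return 0;
    /* ... the one privileged operation would sit between raise and lower ... */
    if (raise_privileges(privileged) != 0) return 0;
    if (lower_privileges(unprivileged) != 0) return 0;
    return raise_privileges(privileged) == 0;
}

/* Drop for good and verify the drop.  Returns 1 only if both succeeded. */
int demo_drop(void) {
    uid_t uid = (geteuid() == 0) ? UNPRIVILEGED_UID : getuid();
    gid_t gid = (geteuid() == 0) ? UNPRIVILEGED_GID : getgid();
    if (drop_privileges_permanently(uid, gid) != 0) return 0;
    return confirm_dropped(uid);
}

int main(void) {
    printf("bracketing ok: %d\n", demo_bracket());
    printf("permanent drop ok: %d (now uid %u)\n", demo_drop(), (unsigned)geteuid());
    return 0;
}
```

The verification step is the part most often left out: a drop whose return values are ignored, or done in the wrong order (setuid before setgroups), leaves a process that looks unprivileged in a process listing but can still recover root. Checking that setuid(0) fails afterwards turns the assumption into a tested property.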
Benefits
- Better system stability. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other applications. For example, in practice applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system.
- Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states "Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses".
- Ease of deployment. In general, the fewer privileges an application requires the easier it is to deploy within a larger environment. This usually results from the first two benefits: applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment. For example, on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges.
Limitations
According to James Whittaker, in real practice, true least privilege is neither definable nor possible to enforce. We have no method to evaluate a process to define the least amount of privileges it will ever need to perform its functions. That is because it is not possible to know all the values of variables it may process, all the addresses it will need, the precise time it needs, etc. The best we can do in practice is restrict its privileges to eliminate some we casually predict that it will never need. This turns out to be far from the minimal set of privileges. This limitation substantially reduces the effectiveness of least privilege enforcement.
According to Barnum and Gegick, another limitation is the granularity of control that the operating environment (secure operating system) has over the privileges of an individual process. In real practice, it is almost never possible to control a process's access to memory, processing time, or I/O device addresses or modes with the precision needed to eliminate the precise set of privileges we can be sure a process will not need. This reduces the usefulness of this principle even more.
History
The original formulation is from Saltzer and Schroeder:
- Every program and every user of the system should operate using the least set of privileges necessary to complete the job. (The protection of information in computer systems, 1974)
Peter J. Denning, in his paper "Fault Tolerant Operating Systems", set it in a broader perspective among four fundamental principles of fault tolerance.
Dynamic assignment of privileges was earlier discussed by Roger Needham in 1972.
See also
- Privilege escalation
- Capability and Capabilities vs. ACLs
- Confused deputy problem
- Privilege separation (or bracketing)
- Privilege revocation
- Rule of least privilege
- Need to know
- Compartmentalization (intelligence)