Principle of least privilege

Last updated March 13, 2024

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.^[1]

Details

The principle means giving any users account or processes only those privileges which are essentially vital to perform its intended functions. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. The principle applies also to a personal computer user who usually does work in a normal user account, and opens a privileged, password protected account only when the situation absolutely demands it.

When applied to users, the terms least user access or least-privileged user account (LUA) are also used, referring to the concept that all user accounts should run with as few privileges as possible, and also launch applications with as few privileges as possible.

The principle (of least privilege) is widely recognized as an important design consideration towards enhancing and giving a much needed 'Boost' to the protection of data and functionality from faults (fault tolerance) and malicious behavior.

Benefits of the principle include:

Intellectual Security. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and interactions with other security targeted applications. In practice for example, applications running with restricted rights will not have access to perform operations that could crash a machine, or adversely affect other applications running on the same system.
Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states “Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses”.^[2]
Ease of deployment. In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment. This usually results from the first two benefits, applications that install device drivers or require elevated security privileges typically have additional steps involved in their deployment. For example, on Windows a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately using the Windows installer service in order to grant the driver elevated privileges.^[3]

In practice, there exist multiple competing definitions of true (least privilege). As program complexity increases rapidly, so do the number of potential issues, rendering a predictive approach impractical. Examples include the values of variables it may process, addresses it will need, or the precise time such things will be required. Object capability systems allow, for instance, deferring granting a single-use privilege until the time when it will be used. Currently, the closest practical approach is to eliminate privileges that can be manually evaluated as unnecessary or one option worth mentioning and giving the utmost security based reasoning, ponder this, in a potential malicious environment the violators, (hackers) need as much access to your infrastructure as possible. So, it stands to reason that in a harmful instance if we stay off of our devices then at the risk of 'stating the obvious' the less you use your device the more at risk the user will be.. The resulting set of privileges typically exceeds the true minimum required privileges for the process.

Another limitation is the granularity of control that the operating environment has over privileges for an individual process.^[4] In practice, it is rarely possible to control a process's access to memory, processing time, I/O device addresses or modes with the precision needed to facilitate only the precise set of privileges a process will require.

The original formulation is from Jerome Saltzer:^[5]

Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job.
— Jerome Saltzer, Communications of the ACM

Peter J. Denning, His paper "Fault Tolerant Operating Systems", set it in a broader perspective among "The four fundamental principles of fault tolerance".

"Dynamic assignments of privileges" was earlier discussed by Roger Needham in 1972.^[6]^[7]

Historically, the oldest instance of (least privilege) is probably the source code of login.c, which begins execution with super-user permissions and—the instant they are no longer necessary—dismisses them via setuid() with a non-zero argument as demonstrated in the Version 6 Unix source code.

Implementation

The kernel always runs with maximum privileges since it is the operating system core and has hardware access. One of the principal responsibilities of an operating system, particularly a multi-user operating system, is management of the hardware's availability and requests to access it from running processes. When the kernel crashes, the mechanisms by which it maintains state also fail. Therefore, even if there is a way for the CPU to recover without a hard reset, security continues to be enforced, but the operating system cannot properly respond to the failure because it was not possible to detect the failure. This is because kernel execution either halted or the program counter resumed execution from somewhere in an endless, and—usually—non-functional loop.^{[ citation needed ]} This would be akin to either experiencing amnesia (kernel execution failure) or being trapped in a closed maze that always returns to the starting point (closed loops).

If execution picks up after the crash by loading and running trojan code, the author of the trojan code can usurp control of all processes. The principle of least privilege forces code to run with the lowest privilege/permission level possible. This means that the code that resumes the code execution-whether trojan or simply code execution picking up from an unexpected location—would not have the ability to perform malicious or undesirable processes. One method used to accomplish this can be implemented in the microprocessor hardware. For example, in the Intel x86 architecture the manufacturer designed four (ring 0 through ring 3) running "modes" with graduated degrees of access-much like security clearance systems in defence and intelligence agencies.^{[ citation needed ]}

As implemented in some operating systems, processes execute with a potential privilege set and an active privilege set.^{[ citation needed ]} Such privilege sets are inherited from the parent as determined by the semantics of fork(). An executable file that performs a privileged function—thereby technically constituting a component of the TCB, and concomitantly termed a trusted program or trusted process—may also be marked with a set of privileges. This is a logical extension of the notions of set user ID and set group ID.^{[ citation needed ]} The inheritance of file privileges by a process are determined by the semantics of the exec() family of system calls. The precise manner in which potential process privileges, actual process privileges, and file privileges interact can become complex. In practice, least privilege is practiced by forcing a process to run with only those privileges required by the task. Adherence to this model is quite complex as well as error-prone.

Similar principles

The Trusted Computer System Evaluation Criteria (TCSEC) concept of trusted computing base (TCB) minimization is a far more stringent requirement that is only applicable to the functionally strongest assurance classes, viz., B3 and A1 (which are evidentiarily different but functionally identical).

Least privilege is often associated with privilege bracketing: that is, assuming necessary privileges at the last possible moment and dismissing them as soon as no longer strictly necessary, therefore ostensibly reducing fallout from erroneous code that unintentionally exploits more privilege than is merited. Least privilege has also been interpreted in the context of distribution of discretionary access control (DAC) permissions, for example asserting that giving user U read/write access to file F violates least privilege if U can complete his authorized tasks with only read permission.

Related Research Articles

In computing, a device driver is a computer program that operates or controls a particular type of device that is attached to a computer or automaton. A driver provides a software interface to hardware devices, enabling operating systems and other computer programs to access hardware functions without needing to know precise details about the hardware being used.

<span class="mw-page-title-main">Microkernel</span> Kernel that provides fewer services than a traditional kernel

In computer science, a microkernel is the near-minimum amount of software that can provide the mechanisms needed to implement an operating system (OS). These mechanisms include low-level address space management, thread management, and inter-process communication (IPC).

An operating system (OS) is system software that manages computer hardware and software resources, and provides common services for computer programs.

A modern computer operating system usually uses virtual memory to provide separate address spaces called user space and kernel space. Primarily, this separation serves to provide memory protection and hardware protection from malicious or errant software behaviour.

In computing, a system call is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services, creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Memory protection is a way to control memory access rights on a computer, and is a part of most modern instruction set architectures and operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug or malware within a process from affecting other processes, or the operating system itself. Protection may encompass all accesses to a specified area of memory, write accesses, or attempts to execute the contents of the area. An attempt to access unauthorized memory results in a hardware fault, e.g., a segmentation fault, storage violation exception, generally causing abnormal termination of the offending process. Memory protection for computer security includes additional techniques such as address space layout randomization and executable space protection.

A general protection fault (GPF) in the x86 instruction set architectures (ISAs) is a fault initiated by ISA-defined protection mechanisms in response to an access violation caused by some running code, either in the kernel or a user program. The mechanism is first described in Intel manuals and datasheets for the Intel 80286 CPU, which was introduced in 1983; it is also described in section 9.8.13 in the Intel 80386 programmer's reference manual from 1986. A general protection fault is implemented as an interrupt. Some operating systems may also classify some exceptions not related to access violations, such as illegal opcode exceptions, as general protection faults, even though they have nothing to do with memory protection. If a CPU detects a protection violation, it stops executing the code and sends a GPF interrupt. In most cases, the operating system removes the failing process from the execution queue, signals the user, and continues executing other processes. If, however, the operating system fails to catch the general protection fault, i.e. another protection violation occurs before the operating system returns from the previous GPF interrupt, the CPU signals a double fault, stopping the operating system. If yet another failure occurs, the CPU is unable to recover; since 80286, the CPU enters a special halt state called "Shutdown", which can only be exited through a hardware reset. The IBM PC AT, the first PC-compatible system to contain an 80286, has hardware that detects the Shutdown state and automatically resets the CPU when it occurs. All descendants of the PC AT do the same, so in a PC, a triple fault causes an immediate system reset.

Privilege escalation is the act of exploiting a bug, a design flaw, or a configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.

In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

In computing, privilege is defined as the delegation of authority to perform security-relevant functions on a computer system. A privilege allows a user to perform an action with security consequences. Examples of various privileges include the ability to create a new user, install software, or change kernel functions.

The architecture of Windows NT, a line of operating systems produced and sold by Microsoft, is a layered design that consists of two main components, user mode and kernel mode. It is a preemptive, reentrant multitasking operating system, which has been designed to work with uniprocessor and symmetrical multiprocessor (SMP)-based computers. To process input/output (I/O) requests, it uses packet-driven I/O, which utilizes I/O request packets (IRPs) and asynchronous I/O. Starting with Windows XP, Microsoft began making 64-bit versions of Windows available; before this, there were only 32-bit versions of these operating systems.

In computer science, hierarchical protection domains, often called protection rings, are mechanisms to protect data and functionality from faults and malicious behavior.

CPU modes are operating modes for the central processing unit of most computer architectures that place restrictions on the type and scope of operations that can be performed by instructions being executed by the CPU. For example, this design allows an operating system to run with more privileges than application software by running the operating systems and applications in different modes.

There are a number of security and safety features new to Windows Vista, most of which are not available in any prior Microsoft Windows operating system release.

A number of computer operating systems employ security features to help prevent malicious software from gaining sufficient privileges to compromise the computer system. Operating systems lacking such features, such as DOS, Windows implementations prior to Windows NT, CP/M-80, and all Mac operating systems prior to Mac OS X, had only one category of user who was allowed to do anything. With separate execution contexts it is possible for multiple users to store private files, for multiple users to use a computer at the same time, to protect the system against malicious users, and to protect the system against malicious programs. The first multi-user secure system was Multics, which began development in the 1960s; it wasn't until UNIX, BSD, Linux, and NT in the late 80s and early 90s that multi-tasking security contexts were brought to x86 consumer machines.

A process is a program in execution, and an integral part of any modern-day operating system (OS). The OS must allocate resources to processes, enable processes to share and exchange information, protect the resources of each process from other processes and enable synchronization among processes. To meet these requirements, the OS must maintain a data structure for each process, which describes the state and resource ownership of that process, and which enables the OS to exert control over each process.

The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. The kernel is also responsible for preventing and mitigating conflicts between different processes. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. A full kernel controls all hardware resources via device drivers, arbitrates conflicts between processes concerning such resources, and optimizes the utilization of common resources e.g. CPU & cache usage, file systems, and network sockets. On most systems, the kernel is one of the first programs loaded on startup. It handles the rest of startup as well as memory, peripherals, and input/output (I/O) requests from software, translating them into data-processing instructions for the central processing unit.

A unikernel is a computer program statically linked with the operating system code on which it depends. Unikernels are built with a specialized compiler that identifies the operating system services that a program uses and links it with one or more library operating systems that provide them. Such a program requires no separate operating system and can run instead as the guest of a hypervisor.

Meltdown is one of the two original transient execution CPU vulnerabilities. Meltdown affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. It allows a rogue process to read all memory, even when it is not authorized to do so.

References

↑ Saltzer, Jerome H.; Schroeder, Michael D. (1975). "The protection of information in computer systems". Proceedings of the IEEE. Institute of Electrical and Electronics Engineers (IEEE). 63 (9): 1278–1308. doi:10.1109/proc.1975.9939. ISSN 0018-9219. OCLC 5871551104. S2CID 269166.
↑ Jonathan, Clark; DABCC Inc. "Virtualization Guru Writes "User-mode is a Good Thing - Deployment to Locked-down Accounts without Security Elevation"". Archived from the original on 10 February 2013. Retrieved 15 Mar 2013.
↑ Aaron Margosis (August 2006). "Problems of Privilege: Find and Fix LUA Bugs". Microsoft.
↑ "Matt Bishop, Computer Security: Art and Science, Boston, MA: Addison-Wesley, 2003. pp. 343-344 cited Barnum & Gegick 2005". Archived from the original on 2007-10-20. Retrieved 2007-11-17.
↑ Saltzer, Jerome H. (1974). "Protection and the control of information sharing in multics". Communications of the ACM . 17 (7): 388–402. CiteSeerX 10.1.1.226.3939 . doi:10.1145/361011.361067. ISSN 0001-0782. S2CID 326132.
↑ Needham, R. M. (1972). "Protection systems and protection implementations". Proceedings of the AFIPS '72 Fall Joint Computer Conference, December 5-7, 1972, Part I. pp. 571–578. doi:10.1145/1479992.1480073. S2CID 7371342.
↑ Fred B. Schneider. "Least Privilege and More" (PDF).

Bibliography

Ben Mankin, The Formalisation of Protection Systems, Ph.D. thesis, University of Bath, 2004
P. J. Denning (December 1976). "Fault tolerant operating systems". ACM Computing Surveys . 8 (4): 359–389. doi:10.1145/356678.356680. S2CID 207736773.
Jerry H. Saltzer, Mike D. Schroeder (September 1975). "The protection of information in computer systems". Proceedings of the IEEE. 63 (9): 1278–1308. CiteSeerX 10.1.1.126.9257 . doi:10.1109/PROC.1975.9939. S2CID 269166.
Deitel, Harvey M. (1990). An introduction to operating systems (revisited first ed.). Addison-Wesley. p. 673. ISBN 978-0-201-14502-1. page 31.
Sean Martin (April 2012). "Are security basics getting lost under the cover of cloud and mobile?". SC Magazine.
SANS Institute (May 2013). "20 Critical Security Controls" (PDF). SANS Institute. Archived from the original (PDF) on 2013-11-01.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Saltzer_Schroeder_1975_pp._1278–1308-1] Saltzer, Jerome H.; Schroeder, Michael D. (1975). "The protection of information in computer systems". Proceedings of the IEEE. Institute of Electrical and Electronics Engineers (IEEE). 63 (9): 1278–1308. doi:10.1109/proc.1975.9939. ISSN 0018-9219. OCLC 5871551104. S2CID 269166.

[2] Jonathan, Clark; DABCC Inc. "Virtualization Guru Writes "User-mode is a Good Thing - Deployment to Locked-down Accounts without Security Elevation"". Archived from the original on 10 February 2013. Retrieved 15 Mar 2013.

[3] Aaron Margosis (August 2006). "Problems of Privilege: Find and Fix LUA Bugs". Microsoft.

[4] "Matt Bishop, Computer Security: Art and Science, Boston, MA: Addison-Wesley, 2003. pp. 343-344 cited Barnum & Gegick 2005". Archived from the original on 2007-10-20. Retrieved 2007-11-17.

[5] Saltzer, Jerome H. (1974). "Protection and the control of information sharing in multics". Communications of the ACM . 17 (7): 388–402. CiteSeerX 10.1.1.226.3939 . doi:10.1145/361011.361067. ISSN 0001-0782. S2CID 326132.

[6] Needham, R. M. (1972). "Protection systems and protection implementations". Proceedings of the AFIPS '72 Fall Joint Computer Conference, December 5-7, 1972, Part I. pp. 571–578. doi:10.1145/1479992.1480073. S2CID 7371342.

[7] Fred B. Schneider. "Least Privilege and More" (PDF).

[1]

[2]

[3]

[4]

[5]

[6]

[7]

v t e Object-capability security
Concepts	Principle of least privilege (PoLP) Confused deputy problem Ambient authority File descriptor C-list Object-capability model Capability-based security Capability-based addressing Zooko's triangle Petnames
Operating systems, kernels	Capsicum Fuchsia Genode GNOSIS → KeyKOS → EROS → CapROS Hydra iMAX 432 Midori NLTSS seL4 HarmonyOS (HarmonyOS NEXT) Phantom OS
Programming languages	Cajita E Joe-E Joule
File systems	Tahoe-LAFS
Specialised hardware	BiiN Cambridge CAP Flex IBM System/38 Intel iAPX 432 Plessey System 250