Principle of least privilege

From Wikipedia, the free encyclopedia

In computer science and other fields, the principle of minimal privilege, also known as the principle of least privilege or simply least privilege, requires that, within a particular abstraction layer of a computing environment, every module (a process, a user, or a program, depending on the layer under consideration) be able to access only the information and resources that are necessary to its legitimate purpose.

The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and functionality from faults (fault tolerance) and malicious behaviour (computer security).

The principle of least privilege is also known as the principle of least authority (POLA), an alternative term coined by those who consider authority to be a more precise term than privilege for "ability to access" in the true spirit of this concept. Specifically, authority denotes all effects that a subject can directly or indirectly cause in a system, whereas permission denotes only the effects that can be directly caused in a single operation.
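The distinction between permission and authority is easy to state and easy to lose track of in a real system, because authority is a reachability property of the whole permission graph. The following added example (not part of the article; the policy, subject names and the "invoke:" convention are constructed for illustration) computes a subject's authority as the transitive closure of its direct permissions and reports the excess over what the subject legitimately needs:

```python
from typing import Dict, Set

# Constructed example policy (not from the article): each subject's *permissions* are the
# effects it can cause directly in a single operation. An "invoke:<subject>" permission lets
# the subject call another subject, and so indirectly cause whatever that subject can cause.
PERMISSIONS: Dict[str, Set[str]] = {
    "web_app": {"read:config", "invoke:report_service"},
    "report_service": {"read:sales_db", "invoke:mailer"},
    "mailer": {"send:email"},
    "backup_job": {"read:sales_db", "write:backup_bucket"},
}


def authority(subject: str, permissions: Dict[str, Set[str]] = PERMISSIONS) -> Set[str]:
    """Return the subject's authority: every effect it can cause directly or indirectly.

    This is the transitive closure of the permission graph along "invoke:" edges,
    which is what POLA asks us to minimise, rather than the direct permissions alone.
    """
    effects: Set[str] = set()
    visited: Set[str] = set()
    stack = [subject]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for perm in permissions.get(current, set()):
            effects.add(perm)
            if perm.startswith("invoke:"):
                stack.append(perm.split(":", 1)[1])
    return effects


def excess_authority(subject: str, needed: Set[str],
                     permissions: Dict[str, Set[str]] = PERMISSIONS) -> Set[str]:
    """Effects the subject can cause but does not need for its legitimate purpose.

    A non-empty result is a least-privilege finding worth reviewing: a fault or
    compromise in the subject exposes every effect listed here.
    """
    return authority(subject, permissions) - needed


if __name__ == "__main__":
    # web_app holds only two direct permissions ...
    print("permissions:", sorted(PERMISSIONS["web_app"]))
    # ... but its authority reaches the sales database and outbound e-mail.
    print("authority:  ", sorted(authority("web_app")))
    print("excess:     ", sorted(excess_authority("web_app", {"read:config", "read:sales_db"})))
```

In this constructed policy `web_app` has permission only to read its configuration and to invoke the report service, yet its authority includes reading the sales database and sending e-mail. Reviewing authority rather than permissions is what reveals that gap, and it is the same computation whether the "invoke" edges are RPC calls, sudo rules or IAM role assumptions.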

In modern operating systems such as Windows there is no security enforcement for code running in kernel mode, so such code always runs with maximum privileges. The principle of least privilege therefore demands a user-mode solution whenever the choice exists between a kernel-mode and a user-mode solution that produce the same results.

A few benefits of using least privilege include:

  • Better system stability. When code is limited in the scope of changes it can make to a system, it is easier to test its possible actions and its interactions with other applications. In practice, for example, applications running with restricted rights cannot perform operations that could crash the machine or adversely affect other applications running on the same system.
  • Better system security. When code is limited in the system-wide actions it may perform, vulnerabilities in one application cannot be used to exploit the rest of the machine. For example, Microsoft states “Running in standard user mode gives customers increased protection against inadvertent system-level damage caused by "shatter attacks" and malware, such as root kits, spyware, and undetectable viruses.” [1]
  • Ease of deployment. In general, the fewer privileges an application requires, the easier it is to deploy within a larger environment. This usually follows from the first two benefits: applications that install device drivers or require elevated security privileges typically involve additional deployment steps. On Windows, for example, a solution with no device drivers can be run directly with no installation, while device drivers must be installed separately through the Windows installer service in order to grant the driver elevated privileges.
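The stability and security benefits above both rest on a process holding elevated rights for as short a time as possible. The following added example (not from the article) shows the common privilege-separation pattern on a POSIX system: a privileged parent forks a worker, the worker irreversibly drops to an unprivileged account before doing any work, and it verifies that root cannot be regained. It assumes a POSIX system and an unprivileged account named `nobody`; the function names are the example's own.

```python
import os
import pwd

# Assumption (not from the article): a POSIX system with an unprivileged account named
# "nobody", which is present on most Linux distributions.
UNPRIVILEGED_USER = "nobody"


def drop_privileges(user: str = UNPRIVILEGED_USER) -> None:
    """Irreversibly give up root in the calling process.

    The order matters: supplementary groups first, then the primary group, then the
    user id. Once the uid is no longer 0 the process can no longer change its groups,
    so doing it in any other order leaves privileges behind.
    """
    if os.getuid() != 0:
        return  # already unprivileged: nothing to drop
    pw = pwd.getpwnam(user)
    os.setgroups([])
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if os.getuid() == 0 or os.geteuid() == 0:
        raise RuntimeError("privilege drop did not take effect")


def can_regain_root() -> bool:
    """Check after dropping: with the real and saved uid changed, setuid(0) must fail."""
    try:
        os.setuid(0)
    except PermissionError:
        return False
    return True


def worker_is_confined() -> bool:
    """What the worker verifies about itself before touching untrusted input."""
    return os.getuid() != 0 and os.geteuid() != 0 and not can_regain_root()


def run_confined(work) -> int:
    """Privilege-separation pattern: fork, drop privileges in the child, run `work` there.

    The parent keeps whatever rights it had (for example to bind a port or read a key
    file) and only learns the child's exit status: 0 if `work()` returned True, 2 if it
    returned False, 1 if dropping privileges or the work itself raised.
    """
    pid = os.fork()
    if pid == 0:  # child: never returns to the caller
        code = 1
        try:
            drop_privileges()
            code = 0 if work() else 2
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)  # parent
    return os.WEXITSTATUS(status)


if __name__ == "__main__":
    print("worker exit code:", run_confined(worker_is_confined))  # 0 when confinement holds
```

Run as root, the worker ends up as `nobody` and the `setuid(0)` probe fails; run as an ordinary user there is nothing to drop and the probe fails for the same reason. Either way a crash or compromise in the worker is limited to what `nobody` can do, which is the "better system stability" and "better system security" points above in executable form.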

History

The principle was formulated around the mid-1970s. The book "Fault Tolerant Operating Systems" by Peter J. Denning is generally cited as the original source, even though the principle was described under different names in many contemporary papers, such as "The Protection of Information in Computer Systems" by Saltzer and Schroeder.

The original formulation from Saltzer and Schroeder:

Every program and every user of the system should operate using the least set of privileges necessary to complete the job.

External links

  • [2] The Saltzer and Schroeder paper cited in the references.
  • [3] NSA (the organization that implemented SELinux) on the principle of least privilege