Least Privilege and More 1



Similar documents
Least Privilege and More 1

A methodology for secure software design

Oracle Identity and Access Management 10g Release running on Red Hat Enterprise Linux AS Release 4 Update 5

Computability Classes for Enforcement Mechanisms*

THE IMPACT OF INHERITANCE ON SECURITY IN OBJECT-ORIENTED DATABASE SYSTEMS

An Analysis of Data Security Threats and Solutions in Cloud Computing Environment

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

A Reputation Replica Propagation Strategy for Mobile Users in Mobile Distributed Database System

The Advantages of a Firewall Over an Interafer

Designing a Cloud Storage System

Why VPN Alone Will not Secure your Wireless Network

PANEL SESSION: INFORMATION SECURITY RESEARCH AND DEVELOPMENT IN ACADEMIA

ISO COMPLIANCE WITH OBSERVEIT

3 Extending the Refinement Calculus

Fulfilling HIPAA Compliance by Eliminating

How To Set Up A Net Integration Firewall

Meeting the Challenges of Virtualization Security

VMware Security Briefing. Rob Randell, CISSP Senior Security Specialist SE

Frontiers in Cyber Security: Beyond the OS

Component visualization methods for large legacy software in C/C++

SPACK FIREWALL RESTRICTION WITH SECURITY IN CLOUD OVER THE VIRTUAL ENVIRONMENT

Software Development around a Millisecond

Oracle Business Intelligence Enterprise Edition (OBIEE) Version with Quick Fix running on Oracle Enterprise Linux 4 update 5 x86_64

Integrating Security and Usability at Requirement Specification Process

IT ASSET MANAGEMENT. IT Asset Management

Quotes from Object-Oriented Software Construction

PATRIOTWATCHTM PATRIOTSHIELDTM PATRIOTSWORDTM

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

Windows Server Performance Monitoring

Building A Secure Microsoft Exchange Continuity Appliance

White Paper. Information Security -- Network Assessment

Victor Shoup Avi Rubin. Abstract

CSE598k / CSE545 Advanced Network Security

IS YOUR DATA WAREHOUSE SUCCESSFUL? Developing a Data Warehouse Process that responds to the needs of the Enterprise.

The Integration Between EAI and SOA - Part I

Guide to Vulnerability Management for Small Companies

Retrofitting Security into a Web-Based Information System

Moving from ISO9000 to the Higher Levels of the Capability Maturity Model (CMM)

Safeguarding the cloud with IBM Dynamic Cloud Security

How To Compare Real Time Scheduling To A Scheduled Scheduler On Linux On A Computer System With A Visualization System

Design Principles for Protection Mechanisms. Security Principles. Economy of Mechanism. Least Privilege. Complete Mediation. Economy of Mechanism (2)

Why Counting Software Installations is a Waste of Time

EVALUATION BY PARTS OF TRUSTED. Ravi S. Sandhu. George Mason University, Fairfax, VA

Project 2: Firewall Design (Phase I)

Bypassing Firewalls: Tools and Techniques

Virtualization System Security


3. Mathematical Induction

A General Framework for Tracking Objects in a Multi-Camera Environment

Requirements for Software Deployment Languages and Schema

A Closer Look Financial Services Regulation

The foundations of a provably secure operating system (PSOS)

Information Rights Management Solution: Securing Information Exchange in Outsourcing Arrangements

Certification Report

Confinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:

The Architectural Design of FRUIT: A Family of Retargetable User Interface Tools

Electronic Log-keeping - using Microsoft Office WORD & EXCEL

A PRACTICAL APPROACH TO INCLUDE SECURITY IN SOFTWARE DEVELOPMENT

Wireless Network Security

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

Business Case. for an. Information Security Awareness Program

DISCOVERY OF NETWORK ELEMENTS AND RECONCILIATION (DNER)

IDENTITY & ACCESS. Privileged Identity Management. controlling access without compromising convenience

Types of cyber-attacks. And how to prevent them

A very short history of networking

Access Control. 1 Overview of Access Control. Lecture Notes (Syracuse University) Access Control: 1. What is Access Control?

Fabio Massacci Ida Siahaan

Attack Graph Techniques

Practical Internet Steganography: Data Hiding in IP

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

FIREWALL CLEANUP WHITE PAPER

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

Cloud Computing: The Next Computing Paradigm

SocioPath: In Whom You Trust?

WHITE PAPER. Data Center Fabrics. Why the Right Choice is so Important to Your Business

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

How To Secure Your Store Data With Fortinet

The Phases of an Object-Oriented Application

Writing a Protection Profile for a Security Service Package

SECURITY METRICS: MEASUREMENTS TO SUPPORT THE CONTINUED DEVELOPMENT OF INFORMATION SECURITY TECHNOLOGY

The Business Case for Security Information Management

Secure Software Update Service (SSUS ) White Paper

AN ENHANCED ATTRIBUTE BASED ENCRYPTION WITH MULTI PARTIES ACCESS IN CLOUD AREA

Integrating Pattern Mining in Relational Databases

Enforcing Security Policies. Rahul Gera

Chapter 1 Introduction to Enterprise Software

RIGOROUS PUBLIC AUDITING SUPPORT ON SHARED DATA STORED IN THE CLOUD BY PRIVACY-PRESERVING MECHANISM

OPEN DATA: ADOPTING A SECURITY-MINDED APPROACH

Cloud Security with Stackato

Hardware, Languages, and Architectures for Defense Against Hostile Operating Systems (DHOSA)

THE RIGHT LEVEL OF IT EXPENSE

Peer-to-Peer Authentication with a Distributed Single Sign-On Service

Security Considerations for Public Mobile Cloud Computing

The introduction covers the recent changes is security threats and the effect those changes have on how we protect systems.

Certification Report

Why The Security You Bought Yesterday, Won t Save You Today

Index Terms Denial-of-Service Attack, Intrusion Prevention System, Internet Service Provider. Fig.1.Single IPS System

International Journal of Applied Science and Technology Vol. 2 No. 3; March Green WSUS

FDIC Division of Supervision and Consumer Protection

How to Make Microsoft Security Patch Testing More Efficient

Transcription:

Least Privilege and More 1 Fred B. Schneider Cornell University, Ithaca, New York, USA Introduction What today is known as the Principle of Least Privilege was described as a design principle in a paper by Jerry Saltzer and Mike Schroeder [4] first submitted for publication roughly 30 years ago: f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide firewalls, the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of need-to-know is an example of this principle. The power of this principle comes from leaving unspecified how frequently privileges might change and their granularity. Back in 1972, Roger Needham certainly understood the value of support for dynamic assignments of privileges, writing [3]: Protection regimes are not constant during the life of a process. They may change as the work proceeds, and in a fully general discussion they should be allowed to change arbitrarily. Statements would be allowed, for example, to the effect that certain segments were only accessible if the value standing in a system microsecond clock were prime. In practice one departs from full generality, and limits those circumstances which may give rise to a change of protection regime. My own interest in the Principle of Least Privilege developed in connection with devising security enforcement mechanisms for systems structured in terms of a base and a set of extensions which augment the functionality of that base. Such extensible systems are prevalent today in mass-market PC software, where we see new hardware being accommodated in Microsoft Windows platforms through plug and play and we see web 1 Supported in part by AFOSR grant F49620-00-1-0198, Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory Air Force Material Command USAF under Agreement number F30602-99-1-0533, National Science Foundation Grant 9703470, and ONR Grant N00014-01-1-0968. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of these organizations or the U.S. Government. 209

browsers hence, the web itself supporting new data formats by use of downloaded helper apps that extend a browser s functionality. A misbehaving extension Ext has the potential to compromise the base system B it extends. Examples abound: email containing executable attachments, Microsoft Word documents bearing hostile macros, and new browser helper apps that are a far cry from being helpful. This situation could be improved if we posit some sort of reference monitor that intercepts all program actions and, based on privileges held by the issuer of the action, blocks those that would be disruptive. However, to make this vision a reality, two technical questions must be solved: (1) Implementing the reference monitor. (2) Determining a policy for it to enforce. Regarding (1), my collaborators and I have elsewhere reported success with program rewriters to modify an object program before execution, adding tests that effectively inline a fine-grained reference monitor [2]. This paper sketches my current thinking on (2). What policy to enforce? Least privilege. Policies consistent with the Principle of Least Privilege depend not only on the code to be executed but also on what job that code is intended to do. For an extension Ext and some specification Σ Ext of a job to be done, we define µpriv(ext,σ Ext ) to be the policy that grants the minimum privileges needed for execution of Ext to satisfy Σ Ext. (A policy here is a mapping from system histories to sets of privileges.) As an example, specification Σ Ext of a spell-checker extension Ext for a word processor might specify that misspelled words be flagged in the word processor s open file F; we would then expect µpriv(ext,σ Ext ) to be a policy that permits the spell-checker read (but not write) access to F, read (but not write) access to a file containing a spelling dictionary, and read/write access to a file containing user-added spellings for local jargon terms. It is clear how the base system comes to get an extension Ext, but how does it get µpriv(ext, Σ Ext ) for use by its reference monitor? Here are two possible approaches. (1) The base system could itself compute µpriv(ext, Σ Ext ). (2) The base system could fetch µpriv(ext, Σ Ext ) from some site S. Approach (1) presumes that µpriv(ext, Σ Ext ) can be computed a questionable supposition. Implicit in computing µpriv(ext, Σ Ext ) is establishing that extension Ext satisfies specification Σ Ext, and we know that question cannot be decided for generalpurpose programming and specification languages. There might exist specialized languages, however, for which µpriv(ext, Σ Ext ) could be computed; this is a research question that bears closer scrutiny. One might start by restricting consideration to specifications Σ Ext that are safety properties, because the language of specifications now can be restricted to state predicates that hold throughout system execution. The weakest precondition (wp) predicate transformer might then provide a starting point for defining µpriv by structural induction on Ext. Approach (1) also presumes that Σ Ext is known. This, too, is a supposition of dubious practicality. Since extensions are generally downloaded with some expectation of the job they are intended to do, one might suspect that a high-level, task-oriented specification 210

Σ Ext would be known to the initiator and serve as the impetus for the Ext download. But employing such a high-level task-oriented specification does not suffice if Ext involves implementation details that are not obvious for the task and thus have been omitted from Σ Ext. For example, recall the spell-checker extension introduced above, which is specified in terms of a single file F. This spell-checker actually also involves accessing two other files (a spelling dictionary and a jargon dictionary) and might in addition even access a backing-store file perhaps over a local network. Such knowledge of implementation details is not going to be available to the initiator of an Ext download and, therefore, would not be included in high-level task-oriented specification Σ Ext, though clearly µpriv(ext, Σ Ext ) would need to include privileges for accessing the spelling dictionary, the jargon dictionary, and the backing-store. If Ext cannot be deduced locally, then perhaps it could be downloaded and checked? Unfortunately, this architecture also has problems. The local checking is really a form of policy review, and policy review is a hard problem whenever the policy being checked is complicated. A specification Σ Ext that involves internal details is going to be complicated and thus difficult for a human to understand. The alternative to policy review is simply to trust the source of Σ Ext. But, then, why not simply trust the source of Ext to provide a safe extension and dispense with reference monitoring altogether? For approach (2) to be workable, either S must be trusted or the base system must itself have some means to check whether what it has fetched equals µpriv(ext, Σ Ext ). The latter is unworkable for the reasons argued above. Regarding the former, an obvious question is whether trusting S to provide µpriv(ext, Σ Ext ) could be materially different from trusting S to provide a safe implementation of Ext. And more. At least for the time being, then, it seems as though obtaining µpriv(ext, Σ Ext ) for use by a reference monitor associated with the base of an extensible system is infeasible, and an alternative must be sought. So the policies we are now investigating seek to prevent extensions from subverting a base system or, equivalently, seek to prevent any extension from violating the assumptions underlying the design and implementation of that base. Such assumptions include: Characteristics of the programming model employed for building the base, such as properties of underlying system abstractions and language-level abstractions. For example, the separate address spaces usually accorded to process abstractions bring guarantees about integrity of storage; and type systems in modern programming languages, like Java and C#, bring guarantees about how certain variables can be used. Invariants that the base maintains about state. For example, a complicated linkedlist data structure might be characterized by an invariant stating which nodes are reachable from each other; each routine to manipulate the data structure is then designed to (i) work correctly if that invariant holds prior to execution and (ii) upon termination, leave the data structure in a state satisfying the invariant. Provided these assumptions can be expressed as safety properties and most can then they can be enforced by use of in-lined reference monitoring. Prior to execution, each extension is rewritten by adding checks that ensure no action the extension performs will violate any assumption required by the base system. 211

Notice that in this alternative to µpriv(ext, Σ Ext ), a single policy is being employed, independent of extension Ext. The problems of deciding what specification Σ Ext to use with a given extension Ext is thus eliminated. But the use of a single policy for all extensions implies that the policy being enforced might not be as restrictive as it could be (thereby admitting attacks) or might be too restrictive (thereby ruling-out execution of certain extensions). And there is thus some flexibility in formulating a policy for a given base. Some final comments The articulation of abstractions and principles is an important facet of doing research in computing systems. An implementation is certainly one way to demonstrate the utility of a new systems abstraction or principle, with system performance a sensible figure of merit. However, some abstractions are useful even though they cannot be implemented. Belady s optimal page replacement policy [1], which involves predicting future memory references and therefore is unrealizable in practice, is one example. The Principle of Least Privilege might be another, offering value primarily as a benchmark against which to compare policies that are being enforced when compared with µpriv(ext, Σ Ext ), a deployed policy would be considered inferior if it either admits additional attacks or it excludes certain classes of extensions. The classical approach to computer security address space isolation associated with processes would seem a good place to start in a comparison of security policies for extensible systems. It isn t. The context switches required on modern processors for communication and synchronization between separate processes make it impractical to have fine-grained interaction between a base implemented as one process and an extension as another. Without the possibility of such fine-grained interaction, the set of functions that can be implemented as extensions becomes quite limited. But with in-lined reference monitors, different programs can be isolated from each other without incurring the high cost of context switches. In fact, many forms of fine-grained access control that are not practical with traditional reference monitors become practical with in-lined reference monitors. Another concern now confronts us, though: How best to exploit the flexibility. To make progress here, not only must we learn the art of writing policies but we must also develop the mathematical tools for analyzing them. Collections of weak policies are likely to provide workable defenses for broad sets of extensions, for example. Weak policies might well be easier for humans to understand, too. Exactly how these advantages trade with the security µpriv(ext, Σ Ext ) provides is the ultimate question. For the present, however, it seems that practical protection for extensible systems is most easily obtained using policies that grant more privileges than would µpriv(ext, Σ Ext ) the least privilege and more. Acknowledgments. Helpful comments on a preliminary draft of this paper were provided by Lorenzo Alvisi, Butler Lampson, Greg Morrisett, Andrew Myers, and Mike Schroeder. References 1. BELADY, L.A., A study of replacement algorithms in a virtual storage computer, IBM Systems Journal vol. 5, no. 2,1966, pp. 78-101. 212

2. ERLINGSSON, U. AND SCHNEIDER, F.B., SASI enforcement of security policies: a retrospective, Proceedings of the New Security Paradigms Workshop, Caledon Hills, Ontario, Canada, September 1999, ACM, pp. 87-95. 3. NEEDHAM, R.M., Protection systems and protection implementations, Proc. 1972 Fall Joint Computer Conference, AFIPS Conf. Proc., vol. 41, pt. 1, pp. 571-578. 4. SALTZER, J.H. AND SCHROEDER, M.D., The Protection of information in computer systems, Proceedings of the IEEE, vol. 63, no. 9 (Sept 1975), pp. 1278-1308. 213

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information