
Wednesday, May 26, 2004

Ken on the SC-L list posted a pointer to an excellent article on the principle of least privilege. The article is by David Wheeler and can be found at:

The examples in the article are *nix/Linux-focused, but the concepts apply whatever OS you are running.

A section that struck a chord with me is:

"One of the most important ways to secure programs, in spite of these bugs, is to minimize privileges. A privilege is simply permission to do something that not everyone is allowed to do. On a UNIX-like system, having the privileges of the "root" user, of another user, or being a member of a group are some of the most common kinds of privileges. Some systems let you give privileges to read or write a specific file. But no matter what, to minimize privileges:

  • Give a privilege to only the parts of the program needing it
  • Grant only the specific privileges that part absolutely requires
  • Limit the time those privileges are active or can be activated to the absolute minimum

These are really goals, not hard absolutes. Your infrastructure (such as your operating system or virtual machine) may not make this easy to do precisely, or the effort to do it precisely may be so complicated that you'll introduce more bugs trying to do it precisely. But the closer you get to these goals, the less likely it will be that bugs will cause a security problem. Even if a bug causes a security problem, the problems it causes are likely to be less severe. And if you can ensure that only a tiny part of the program has special privileges, you can spend a lot of extra time making sure that one part resists attacks."
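The three goals above map directly onto the privilege-separation pattern used by UNIX daemons: one small part obtains the resource that needs privilege, the process then permanently drops to an unprivileged account, and the part that handles untrusted data runs only after that. The C program below is an added illustration of that pattern, not code from Wheeler's article or this post; the function names, the "nobody" account and the file path are constructed for the example, and it assumes a Linux/glibc system where root may call setgroups(). The point a practitioner should take from it is in drop_privileges(): the drop is verified by reading the ids back and by confirming that root cannot be regained, rather than trusting the return codes alone.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Goal 3: shed privileges permanently and prove it. Returns 0 on success,
 * -1 (errno set) on failure. The order is fixed: supplementary groups, then
 * gid, then uid, because once the uid is gone the groups can no longer be
 * changed. (Hypothetical helper written for this example.) */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may clear these */
        return -1;
    if (setgid(gid) != 0)   /* as root this sets real, effective and saved gid */
        return -1;
    if (setuid(uid) != 0)   /* as root this sets real, effective and saved uid */
        return -1;

    /* Verify the drop instead of trusting the return codes. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* A permanent drop means regaining root must fail (meaningful only when
     * the target account is not root itself). */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Goal 1: the only part of the program that runs with privilege. It does
 * one thing, obtains the resource, and hands back a descriptor. */
int open_protected_file(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Goal 2: the unprivileged part. It never sees the path, only an already
 * open descriptor, and runs after the drop, so a bug here cannot open
 * anything else. Returns bytes read, or -1. */
ssize_t read_unprivileged(int fd, char *buf, size_t buflen)
{
    ssize_t n = read(fd, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Ties the parts together: the process holds privilege for exactly the
 * open() call. Returns bytes read, or -1 with errno set. */
ssize_t least_privilege_read(const char *path, uid_t uid, gid_t gid,
                             char *buf, size_t buflen)
{
    int fd = open_protected_file(path);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    ssize_t n = read_unprivileged(fd, buf, buflen);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Stand-alone use: `./lp <file> [user]` opens <file> with whatever privilege
 * the process starts with, then finishes as <user> (default "nobody"). */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file> [user]\n", argv[0]);
        return 2;
    }
    const char *user = argc > 2 ? argv[2] : "nobody";
    struct passwd *pw = getpwnam(user);
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", user);
        return 2;
    }
    char buf[4096];
    ssize_t n = least_privilege_read(argv[1], pw->pw_uid, pw->pw_gid, buf, sizeof buf);
    if (n < 0) {
        perror("least_privilege_read");
        return 1;
    }
    printf("read %zd bytes, now running as uid %u\n", n, (unsigned)getuid());
    return 0;
}
```

Run as an unprivileged user, drop_privileges() simply re-asserts the current ids and confirms that setuid(0) fails; run as root against a root-only file, the file is opened first and every later statement executes as the target account. Whether privilege is needed for the open() or not, the shape of the program is the same, which is what makes the privileged part small enough to audit closely.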
Another interesting part of the article is its account of the history of the NSA's SELinux implementation:

"The NSA found that most operating systems' security mechanisms, including Windows and most UNIX and Linux systems, only implement "discretionary access control" (DAC) mechanisms. DAC mechanisms determine what a program can do based only on the identity of the user running the program and ownership of objects like files. The NSA considered this to be a serious problem, because by itself DAC is a poor defense against vulnerable or malicious programs. Instead, NSA has long wanted operating systems to also support "mandatory access control" (MAC) mechanisms.

MAC mechanisms make it possible for a system administrator to define a system-wide security policy, which could limit what programs can do based on other factors like the role of the user, the trustworthiness and expected use of the program, and the kind of data the program will use. A trivial example is that with MAC, users can't easily turn "Secret" into "Unclassified" data. However, MAC can actually do much more than that.

... So, NSA hit upon an idea that seems obvious in retrospect: take an open source operating system that's not a toy, and implement their security ideas to show that (1) it can work and (2) exactly how it can work (by revealing the source code for all). They picked the market-leading open source kernel (Linux) and implemented their ideas in it as "security-enhanced Linux" (SELinux)."

Hmm... I wonder what the NSA's take would be on the Code Access Security capabilities of the .NET Framework, as it appears to implement a lot of the goals they were looking for.

The article in turn also referenced a 1975 paper by Saltzer and Schroeder called "The Protection of Information in Computer Systems", which looks like another great read. That paper can be found at

BTW, David Wheeler's article is part of a series called "Secure Programmer" in the Linux technical library section of the IBM developerWorks site. The home page of the series can be found here.

Just wish the site would implement either an RSS feed or a newsletter subscription....

Tags:: Security
5/26/2004 8:58 PM Eastern Daylight Time  |  Comments [2]
Sunday, May 8, 2005 12:06:45 AM (Eastern Daylight Time, UTC-04:00)
Robert Hurlbut's .Net Blog