Page History

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation, but also by ensuring that privileged blocks contain only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; this increases the potential attack surface exposed to an attacker. Consequently, privileged blocks must not contain superfluous code.

Noncompliant Code Example

This noncompliant code example shows a changePassword() method that attempts to open a password file using a doPrivileged block. The doPrivileged block also contains logic that operates on the file and a superfluous System.loadLibrary() call.

...

This violates the principle of least privilege because a caller who does not have the required privileges may also be able to load the specified library.

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block.

...

Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.

Risk Assessment

Failure to follow the principle of least privilege can lead to privilege escalation.

Automated Detection

Automated checking is not possible in the general case. Escape analysis might be used to check that privileged data is not leaked provided that privileged data is indicated by the user.

Related Guidelines

Bibliography

...