Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation, but also by ensuring that privileged blocks contain only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; this increases the potential attack surface exposed to an attacker. Consequently, privileged blocks must not contain superfluous code.
Noncompliant Code Example
This noncompliant code example shows a changePassword()
method that attempts to open a password file using a doPrivileged
block. The doPrivileged
block also contains logic that operates on the file and a superfluous System.loadLibrary()
call.
public void changePassword() { final FileInputStream f[] = { null }; AccessController.doPrivileged(new PrivilegedAction() { public Object run() { try { String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName"; f[0] = new FileInputStream(passwordFile); // Operate on the file ... System.loadLibrary("LibName"); } catch (FileNotFoundException cnf) { // Forward to handler } return null; } }); // end of doPrivileged() }
This is a violation of the principle of least privilege because a caller who may not have the required privileges can also load the specified library provided the security policy allows doing so. This transfers the burden of ensuring security to the administrator who implements the security policy.
Compliant Solution
This compliant solution moves the call to System.loadLibrary()
outside the doPrivileged()
block. Any operations on the file descriptor f[0]
should occur outside the privileged block to make it easier to audit privileged code. However, f[0]
must not leak out to untrusted code (see [SEC00-J. Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary]). As a result, the "operations on the file" must not allow f[0]
to escape out of changePassword()
.
public void changePassword() { final FileInputStream f[] = { null }; AccessController.doPrivileged(new PrivilegedAction() { public Object run() { try { String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName"; f[0] = new FileInputStream(passwordFile); } catch (FileNotFoundException cnf) { // Forward to handler } return null; } }); // end of doPrivileged() // Operations on the file using handle f[0] // while ensuring that the f[0] reference // remains contained within changePassword() System.loadLibrary("LibName"); }
Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.
Risk Assessment
Failure to follow the principle of least privilege can lead to privilege escalation.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC02-J |
high |
probable |
high |
P6 |
L2 |
Automated Detection
Automated checking is not possible in the general case. Escape analysis might be used to check that privileged data is not leaked provided that privileged data is indicated by the user.
Related Guidelines
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5429c191-76b6-4d37-8124-582ad4e240a5"><ac:plain-text-body><![CDATA[ |
[ISO/IEC TR 24772:2010 |
http://www.aitcnet.org/isai/] |
"Privilege Sandbox Issues [XYO]" |
]]></ac:plain-text-body></ac:structured-macro> |
CWE ID 272, "Least Privilege Violation" |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="d0f5f8cf-b903-42c9-ab44-4025caf77abd"><ac:plain-text-body><![CDATA[ |
[[API 2006 |
AA. Bibliography#API 06]] |
Class |
]]></ac:plain-text-body></ac:structured-macro> |
SEC01-J. Do not allow tainted variables in doPrivileged blocks 14. Platform Security (SEC) SEC03-J. Protect sensitive operations with security manager checks