You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 49 Next »

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see SEC50-JG. Avoid granting excess privileges), but also by ensuring that privileged code contains only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; increasing the attack surface.

Noncompliant Code Example

This noncompliant code example contains a changePassword() method that attempts to open a password file within a doPrivileged block and performs operations on that file. The doPrivileged block also contains a superfluous System.loadLibrary() call.

public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
        // Operate on the file ...
        System.loadLibrary("LibName");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
}

This example violates the principle of least privilege because an unprivileged caller will also cause the specified library to be loaded.

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block.

public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile); 
        // Operate on the file ...                                                    
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  });  // end of doPrivileged()

  System.loadLibrary("LibName");
}

The open FileInputStream f[0] must not be allowed to escape out of the privileged block (see SEC00-J. Do not allow privileged blocks to leak sensitive information across a trust boundary).

Applicability

Minimizing privileged code reduces the attack surface of an application and simplifies the task of auditing privileged code. 

Related Guidelines

ISO/IEC TR 24772:2010

"Privilege Sandbox Issues [XYO]"

MITRE CWE

CWE ID 272, "Least Privilege Violation"

Bibliography

  • No labels