principle of least privilege

Principle of Least Privilege Dawn Song Principle of least privilege - PowerPoint PPT Presentation



  1. Computer Security Course. Dawn Song. Principle of Least Privilege. Dawn Song

  2. Principle of least privilege
  • Privilege
    – Ability to access or modify a resource
  • Principle of least privilege
    – A system module should only have the minimal privileges needed for intended purposes
  • Privilege separation
    – Separate the system into independent modules
    – Each module follows the principle of least privilege
    – Limit interaction between modules

  3. Unix access control
  • File has access control list (ACL)
    – Grants permission to user ids
    – Owner, group, other
  • Process has user id
    – Inherit from creating process
    – Process can change id
      • Restricted set of options
      – Special “root” id
  (Slide table: access matrix of users against files)
             File 1   File 2   …
    User 1   read     write    -
    User 2   write    write    -
    User 3   -        -        read
    …
    User m   read     write    write

  4. Unix file access control list
  • Each file has owner and group
  • Permissions set by owner
    – Read, write, execute
    – Owner, group, other, setuid/setgid
    – Represented by vector of four octal values
  • Only owner or root can change permissions
    – This privilege cannot be delegated or shared
  (Slide figure: permission bits)
    rwx   rwx   rwx   -
    ownr  grp   othr

  5. Privileged Programs
  • Privilege management is coarse-grained in today’s OS
    – Root can do anything
  • Many programs run as root
    – Even though they only need to perform a small number of privileged operations
  • What’s the problem?
    – Privileged programs are juicy targets for attackers
    – By finding a bug in parts of the program that do not need privilege, attacker can gain root

  6. What Can We Do?
  • Drop privilege as soon as possible
  • Ex: a network daemon only needs privilege to bind to low port # (<1024) at the beginning
    – Solution?
    – Drop privilege right after binding the port
  • What benefit do we gain?
    – Even if attacker finds a bug in later part of the code, can’t gain privilege any more
  • How to drop privilege?
    – Setuid/setgid programming in UNIX

  7. Effective user id (EUID) in UNIX
  • Each process has three IDs
    – Real user ID (RUID)
      • same as the user ID of parent (unless changed)
      • used to determine which user started the process
    – Effective user ID (EUID)
      • from set user ID bit on the file being executed, or sys call
      • determines the permissions for process – file access and port binding
    – Saved user ID (SUID)
      • So previous EUID can be restored
  • Real group ID, effective group ID, used similarly

  8. Operations on UIDs
  • Root
    – ID=0 for superuser root; can access any file
  • Fork and Exec
    – Inherit three IDs, except exec of file with setuid bit
  • Setuid system calls
    – seteuid(newid) can set EUID to
      • Real ID or saved ID, regardless of current EUID
      • Any ID, if EUID=0
  • Details are actually more complicated
    – Several different calls: setuid, seteuid, setreuid

  9. Setuid/setgid/sticky bits on executable Unix file
  • Setuid/setgid/sticky bits
    – Setuid – set EUID of process to ID of file owner
    – Setgid – set EGID of process to GID of file
    – Sticky
      • Off: if user has write permission on directory, can rename or remove files, even if not owner
      • On: only file owner, directory owner, and root can rename or remove file in the directory

  10. Setting UIDs
  - setresuid() sets the real user ID, the effective user ID, and the saved set-user-ID of the calling process.
  - seteuid() sets the effective user ID of the calling process.
  - setuid() sets the effective user ID of the calling process. If the effective UID of the caller is root, the real UID and saved set-user-ID are also set.

  11. Setting UIDs - What’s Allowed?
  Users choose any new UID to pass in to setuid(), but the OS checks them against certain rules and will raise an error, for example, if a normal user tries to call setuid(0).
  (Slide table: rules checked by the OS)
    setuid(newuid)
      Allowed if: (euid == 0) || (newuid in (ruid, suid))
      Cases:      (euid == 0)     ⇒ (ruid:=newuid, euid:=newuid, suid:=newuid)
                  (anything else) ⇒ (euid:=newuid)
    seteuid(neweuid)
      Allowed if: (euid == 0) || (neweuid in (ruid, euid, suid))
    setresuid(newruid, neweuid, newsuid)
      Allowed if: (euid == 0) || (newruid in (ruid, euid, suid) && neweuid in (ruid, euid, suid) && newsuid in (ruid, euid, suid))
  Note: all policies are for Linux, differs on FreeBSD


  13. Drop Privilege
  (Slide figure: a SetUID program owned by uid 18, run by a user with RUID 25)
    …; exec( ); …;          RUID 25            SetUID program, Owner 18
    after exec:             RUID 25, EUID 18   read/write file: Owner 18 -rw-r--r--
    …; i=getruid(); setuid(i); …;
    after setuid:           RUID 25, EUID 25   read/write file: Owner 25 -rw-r--r--
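  Slides 6 and 10 to 13 describe the bind-then-drop sequence. The following is an added example, not code from the lecture: a daemon skeleton that binds a low port while still privileged, then drops to an unprivileged uid/gid with setresuid() so that no saved id remains from which root could be restored, and finally checks that the drop is irreversible. The uid/gid 65534 and port 80 are assumed values.

```c
#define _GNU_SOURCE          /* glibc: exposes setresuid/setresgid/getresuid */
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int setresuid(uid_t, uid_t, uid_t);   /* prototypes repeated in case */
int setresgid(gid_t, gid_t, gid_t);   /* _GNU_SOURCE was not seen first */
int getresuid(uid_t *, uid_t *, uid_t *);

/* Bind a TCP listener on loopback:port; ports below 1024 need EUID 0. */
static int bind_low_port(int port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = htons((unsigned short)port);
    if (bind(fd, (struct sockaddr *)&a, sizeof a) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently drop to uid/gid. setresuid() sets real, effective AND saved
   ids, so unlike seteuid() nothing is left to restore root from (slide 10).
   Supplementary groups and gid go first, while EUID is still 0. */
static int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;
    if (setresgid(gid, gid, gid) < 0) return -1;
    if (setresuid(uid, uid, uid) < 0) return -1;
    return 0;
}

/* Post-drop check: all three ids equal uid and setuid(0) now fails, since
   0 is no longer in (ruid, suid) and euid != 0 (slide 11 rule). 1 = dropped. */
static int privileges_dropped(uid_t uid) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) < 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* regaining root must fail */
    return 1;
}
int main(void) {
    uid_t nobody = 65534; gid_t nogroup = 65534;  /* assumed unprivileged ids */
    int fd = bind_low_port(80);                   /* requires EUID 0 */
    if (fd < 0 || drop_privileges(nobody, nogroup) < 0) return 1;
    return privileges_dropped(nobody) ? 0 : 2;    /* accept() loop would follow */
}
```

Run as root to see the full sequence; run unprivileged, bind_low_port(80) fails and the program exits before dropping, which is the expected failure mode rather than continuing privileged.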

  14. Computer Security Course. Dawn Song. Web Security: Vulnerabilities & Attacks. Slide credit: Anthony Joseph and John Mitchell

  15. Introduction

  16. Web & http (browser)
  (Slide figure: CLIENT browser showing the SAFEBANK page with login, password, Accounts, Bill Pay, Mail, Transfers and banking content, talking to the SERVER)
    HTTP REQUEST (client to server):
      GET /account.html HTTP/1.1
      Host: www.safebank.com
    HTTP RESPONSE (server to client):
      HTTP/1.0 200 OK
      <HTML> . . . </HTML>

  17. URLs
  • Global identifiers of network-retrievable documents
  • Example: http://safebank.com:81/account?id=10#statement
    – Protocol: http
    – Hostname: safebank.com
    – Port: 81
    – Path: /account
    – Query: id=10
    – Fragment: statement
  • Special characters are encoded as hex:
    – %0A = newline

  18. HTTP Request / HTTP Response
  HTTP Request: Method, File, HTTP version; Headers; blank line; Data (none for GET)
    GET /index.html HTTP/1.1
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Chrome/21.0.1180.75 (Macintosh; Intel Mac OS X 10_7_4)
    Host: www.safebank.com
    Referer: http://www.google.com?q=dingbats

  HTTP Response: HTTP version, Status code, Reason phrase; Headers (including Cookies); blank line; Data
    HTTP/1.0 200 OK
    Date: Sun, 12 Aug 2012 02:20:42 GMT
    Server: Microsoft-Internet-Information-Server/5.0
    Connection: keep-alive
    Content-Type: text/html
    Last-Modified: Thu, 9 Aug 2012 17:39:05 GMT
    Set-Cookie: …
    Content-Length: 2543

    <HTML> This is web content formatted using html </HTML>

  GET: no side effect. POST: possible.

  19. How browser renders a page
  Suppose you are visiting http://safebank.com in a modern web browser.
  (Slide figure: Browser Process containing Chrome Bar, Browser UI, Browser Engine and Network Stack; Renderer Process containing Renderer Engine and Renderer UI)
    The user enters http://safebank.com and presses go.
    Calls shown in the figure, in order:
      display(URI) → isCached(URI) = false → retrieveData(URI) → pageData /* HTML, CSS, etc */ → renderBitmap(pageData)

  20. Rendering and events
  • Basic execution model
    – Each browser window or frame
      • Loads content
      • Renders
        – Processes HTML and scripts to display page
        – May involve images, subframes, etc.
      • Responds to events
  • Events can be
    – User actions: OnClick, OnMouseover
    – Rendering: OnLoad, OnBeforeUnload
    – Timing: setTimeout(), clearTimeout()

  21. Document Object Model (DOM)
  • Object-oriented interface used to read and write rendered pages
    – web page in HTML is structured data
    – DOM provides representation of this hierarchy
  • Examples
    – Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
    – Methods: document.write(document.referrer)
  (Slide figure: an HTML page and its DOM tree)
    <html>
      <body>
        <div>
          foo
          <a>foo2</a>
        </div>
        <form>
          <input type="text" />
          <input type="radio" />
          <input type="checkbox" />
        </form>
      </body>
    </html>

    Document
    |-> Element (<html>)
        |-> Element (<body>)
            |-> Element (<div>)
                |-> text node
                |-> Anchor
                    |-> text node
            |-> Form
                |-> Text-box
                |-> Radio Button
                |-> Check Box
                |-> Button
