The principle of least privilege in system security


The basic goal of system security is the security of data, which is accessed and maintained by the system's users. Traditionally, data access and maintenance means overwriting old data with new data, so an administrator cannot effectively trace unintentional errors or intentional changes to the data. Data access control is therefore an important aspect of system security. For this reason, Sandhu and other scholars proposed role-based access control (RBAC), whose basic components are users, roles, authorizations and sessions. How to assign the corresponding power (i.e. authorization) to each user is the principle analyzed in this article: the principle of least privilege.

2. Introduction to the principle of least privilege

The principle of least privilege is one of the most basic principles of system security. "Least privilege" refers to "the essential privileges given to each subject (user or process) in the network when it completes a certain operation". The principle of least privilege means that "each subject in the network shall be limited to the minimum privileges necessary, so as to minimize the loss caused by possible accidents, errors, tampering with network components, etc."

On the one hand, the principle of least privilege gives the subject the "essential" privileges, which ensures that every subject can complete the tasks or operations it needs to complete with the privileges given; on the other hand, it gives the subject only the "essential" privileges, which limits the operations each subject can perform.

The principle of least privilege requires that each user and program use as few privileges as possible during operation; roles allow a subject to sign in to the system with the minimum privilege required for a specific job. Subjects authorized to hold powerful roles do not need to use all of their privileges at all times; they use those privileges only when there is an actual need. In this way the damage caused by careless mistakes, or by intruders masquerading as legitimate subjects, is reduced, and the harm caused by accidents, mistakes or attacks is limited. It also reduces potential interaction between privileged programs, making unintentional, unnecessary or inappropriate use of privileges unlikely. The idea extends to programs themselves: only the smallest part of a program that needs particular privileges should hold them.

3. Applications of the principle of least privilege

3.1 Secure operating systems

The operating system is to system security what the foundation is to a building: without it, there is no building to speak of. At every level of a computer system, the hardware, operating system, network software, database management system software and application software all carry important responsibilities for computer security. Within software, the operating system sits at the bottom and is the foundation of all other software, so it also plays a fundamental and critical role in solving security problems. Without security support from the operating system, the security of the computer software system as a whole has no foundation. Research on secure operating systems began with the ADEPT-50 project in 1967; the development of secure operating systems then passed through a foundation period, a recipe period, a multi-policy period and a dynamic-policy period. Most development of secure operating systems in China is in the recipe period, that is, development based on the U.S. Department of Defense's TCSEC (also known as the Orange Book) or on China's security protection classification criteria for computer information systems.

Least privilege occupies a very important position in a secure operating system. It addresses an inherent characteristic of the UNIX operating system, the superuser (root) architecture, under which any user who obtains root gains total control of the system, as almost every programmer working in a UNIX environment knows.

The role management mechanism divides the privileges of the system administrator according to the principle of least privilege, so that each user holds only the minimum privilege just sufficient to complete their work. Roles are then set up according to system management tasks and permissions are divided by role; each role has its own responsibilities, and the permissions are separated, so one management role does not hold the privileges of another. For example, an intruder who has obtained system administrator permissions and then tries to access a file with a high security level is likely to be denied: after login, every user (including the system administrator) starts at the lowest security level and so cannot access high-level files, and the security level can be adjusted only by the security administrator. As long as the security administrator configures a suitable security label for sensitive files, the system administrator cannot access them. The security administrator thus effectively restricts the privileges of the system administrator.

Some vulnerabilities of the Windows NT operating system are also related to how least privilege is applied. For example, the rights and capabilities of the default groups (the Administrators, Server Operators, Print Operators and Account Operators groups) cannot be deleted. When a default group is deleted, the system appears on the surface to have accepted the deletion; on rechecking, however, the groups were not really deleted, and sometimes when the server restarts the default groups are given their default rights and capabilities back. To reduce the risk, system administrators can create their own customized groups and assign them rights and capabilities according to the principle of least privilege to meet business needs; where possible, create a new administrator group with specifically designated rights and capabilities.

The following describes several current secure operating systems and how they apply least privilege:

HP Praesidium/VirtualVault

It uses a least-privilege mechanism to divide the root function into 42 independent privileges and gives each application only the minimum privileges it needs for normal operation. So even if a hacker installs a Trojan horse program on the web server of a financial institution, the intruder cannot change the network configuration or install a file system. Least privilege is a basic feature of HP's trusted operating system VirtualVault.

Red Flag Secure Operating System (RFSOS)

RFSOS has outstanding characteristics in system administrator authority, access control and virus protection. For example, in terms of system privilege separation, Red Flag Secure Operating System divides the privileges of the system administrator according to the principle of least privilege, sets up roles according to system management tasks, and divides privileges by role. Typical system management roles include the system administrator, the security administrator and the audit administrator. The system administrator is responsible for installing, managing and maintaining the system day to day, such as installing software, adding user accounts and backing up data. The security administrator is responsible for setting and managing security attributes. The audit administrator is responsible for configuring the system's audit behavior and managing its audit information. One administrative role does not hold the privileges of another, so an attacker who breaks the password of one management role does not gain full control of the system.

Zhongke Anson secure operating system

The Anson secure operating system (SecLinux) is a self-developed high-level secure operating system built to the B2 security requirements of the U.S. Department of Defense's Trusted Computer System Evaluation Criteria and to the newly issued security protection classification criteria for computer information systems, combined with China's national conditions and actual requirements. It has passed certification by the national information security evaluation and certification center and obtained a sales license from the Ministry of Public Security.

Least privilege management is a feature of SecLinux. The system no longer has a superuser; instead, all privileges are decomposed into a set of fine-grained privilege subsets, defined as different "roles" and assigned to different users. Each user holds only the minimum privileges necessary for their work, which avoids the security risks of a superuser making a mistake or having their identity counterfeited.
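The separation of duties described above for the role management mechanism, RFSOS and SecLinux, as an added example that is not code from the page or from any of those systems: three administrative roles with disjoint permission sets, security labels that only the security administrator may set, and a per-session clearance that starts at the lowest level on login and can be raised only by the security administrator. The role, permission and level names and the users alice and bob are constructed for the example.

```python
# Constructed model (added example, not the page's own or any named system's code):
# disjoint administrative roles, labelled files, and a session clearance that
# starts at the lowest level on every login.
LEVELS = {"public": 0, "internal": 1, "secret": 2}
ROLE_PERMS = {
    "system_admin": {"install_software", "add_user", "backup"},
    "security_admin": {"set_label", "raise_clearance"},
    "audit_admin": {"configure_audit", "read_audit_log"},
}

class Session:
    def __init__(self, roles):
        self.active_roles = frozenset(roles)
        self.clearance = "public"    # lowest level after login, whatever the role

class Rbac:
    def __init__(self, user_roles):
        self.user_roles = user_roles   # user -> roles assigned to that user
        self.labels = {}               # file path -> security mark
    def login(self, user, roles):
        # a session activates only the roles the current task needs
        if not set(roles) <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        return Session(roles)
    def can(self, s, perm):
        return any(perm in ROLE_PERMS[r] for r in s.active_roles)
    def set_label(self, actor, path, label):
        if not self.can(actor, "set_label"):
            raise PermissionError("only the security administrator sets labels")
        self.labels[path] = label
    def can_read(self, s, path):
        # mandatory check: the session's clearance must dominate the file's label
        return LEVELS[s.clearance] >= LEVELS[self.labels.get(path, "public")]
    def raise_clearance(self, actor, target, level):
        if not self.can(actor, "raise_clearance"):
            raise PermissionError("only the security administrator adjusts levels")
        target.clearance = level

def scenario():
    # an intruder holding the system administrator role tries to read a labelled file
    rbac = Rbac({"alice": {"system_admin"}, "bob": {"security_admin"}})
    sysadm = rbac.login("alice", {"system_admin"})
    secadm = rbac.login("bob", {"security_admin"})
    rbac.set_label(secadm, "/data/payroll.db", "secret")
    out = {"sysadm_reads_secret": rbac.can_read(sysadm, "/data/payroll.db")}
    try:
        rbac.raise_clearance(sysadm, sysadm, "secret")   # wrong role: denied
        out["self_raise"] = "allowed"
    except PermissionError:
        out["self_raise"] = "denied"
    rbac.raise_clearance(secadm, sysadm, "secret")       # the security admin may
    out["after_raise"] = rbac.can_read(sysadm, "/data/payroll.db")
    return out
```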

3.2 Internet security

The Internet has developed rapidly, but the demands on Internet security have grown even faster than the Internet itself. At present, many security problems on the Internet are caused by network administrators assigning role rights wrongly, so the principle of least privilege is also very useful in Internet security.

Everyday life offers many examples of least privilege. Some automobile manufacturers make car locks with one key for the doors and ignition and another key for the glove box and trunk; the parking lot attendant has the right to park the car but not to take things from its trunk. It is also least privilege to give a person the key to the car rather than the key to the gate.

On the Internet there are many situations that call for least privilege: not every user needs to use every network service; not every user needs to modify (or even read) every file in the system; not every user needs to know the system's root password; not every system administrator must know the root password; and not every system needs to request files from every other system.

Some security problems on the Internet can be seen as failures of the least privilege principle. For example, sendmail, the most commonly used mail transfer agent on UNIX, is a huge and complex program, and such a program is bound to contain many hidden dangers. It often runs setuid root, which is very convenient for attackers. Programs running on a system should be as simple as possible; where a program must be complex, a way should be found to separate or isolate the privileged modules from the complex parts.
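The separation the paragraph calls for (and the rule in section 2 that only the smallest part of a program should hold privileges), as an added example that is not sendmail's code or the page's own: a program does the one step that genuinely needs root, then gives root up irreversibly before its complex, input-handling part runs. The account name `nobody` and the fallback uid 65534 are assumed conventions; when the program is not root to begin with there is nothing to drop and the functions simply report that.

```python
import os
import pwd

def drop_privileges(user="nobody", fallback_uid=65534):
    """Give up root permanently once the privileged setup step is done.
    Returns a dict describing the outcome so the caller can verify it."""
    if os.geteuid() != 0:
        # already unprivileged: nothing to drop, but nothing to regain either
        return {"dropped": False, "euid": os.geteuid(), "egid": os.getegid()}
    try:
        pw = pwd.getpwnam(user)          # assumed: an unprivileged account exists
        uid, gid = pw.pw_uid, pw.pw_gid
    except KeyError:                     # account missing: fall back to a fixed id
        uid = gid = fallback_uid
    os.setgroups([])                     # supplementary groups first
    os.setgid(gid)                       # then gid, while we are still allowed to
    os.setuid(uid)                       # finally uid: the point of no return
    try:
        os.setuid(0)                     # must fail, otherwise the drop was not real
    except PermissionError:
        return {"dropped": True, "euid": os.geteuid(), "egid": os.getegid()}
    raise RuntimeError("privilege drop failed: root could be regained")

def privilege_separated(setup, work):
    """Run the privileged setup step (e.g. binding a low port), drop root,
    then run the complex part that handles untrusted input without privileges.
    `work` receives the setup result and the drop report."""
    resource = setup()
    report = drop_privileges()
    return work(resource, report)
```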

Some measures taken to protect a site also use the principle of least privilege. For example, a packet filtering system is designed to allow access only to the required services and to filter out unneeded ones, and the principle of least privilege is also applied on bastion hosts.

The principle of least privilege also helps to establish a strict identity authentication mechanism. For everyone who comes into contact with the system, the minimum permission to access the system is set according to their responsibilities; in addition, following the principle of hierarchical management, internal user accounts and passwords are strictly managed. Entering the system must go through strict identity confirmation to prevent illegal occupation and fraudulent use of legitimate user accounts and passwords. User identity authentication can be implemented by combining a server CA certificate with an IC card: the CA certificate authenticates the identity of the server, the IC card authenticates the identity of the enterprise user, and so on.

4. Conclusion

The principle of least privilege effectively restricts and partitions users' authority to access data, reduces the possible losses to the system and data caused by illegal users or illegal operations, and plays a vital role in system security. However, most system administrators do not have a deep understanding of the principle of least privilege, especially for the UNIX and Windows series

Copyright © 2011 JIN SHI