Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
least privilege and privilege separation

Least privilege and privilege separation Deian Stefan Slides - PowerPoint PPT Presentation

Sep 21, 2022 •108 likes •580 views

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

  1. CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage

  2. This week… • How to build secure systems ➤ Least privilege and privilege separation ➤ Sandboxing and isolation • Key is underlying principles not mechanisms ➤ We’re going to look at systems techniques ➤ Other ways to achieve similar goals: language-based

  3. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  4. Principles of secure design • Principle of least privilege • Privilege separation • Defense in depth ➤ Use more than one security mechanism ➤ Fail securely/closed • Keep it simple

  5. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  6. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  7. Principle of Least Privilege Defn: A system should only have the minimal 
 privileges needed for its intended purposes • What’s a privilege? ➤ Ability to access (e.g., read or write) a resource

  8. 
 
 
 
 What’s the problem with this defn? • Talking about a huge, monolith system is not really useful • Why? 
 Network Network User input User device File system File system

  9. 
 
 
 Breaking a system into components • Compartmentalization and isolation ➤ Separate the system into isolated compartments ➤ Limit interaction between compartments • Why is this more meaningful? 
 Network Network User input User device File system File system

  10. How dow we break things apart?

  11. Map compartment to user ids! • Recall: permissions in UNIX granted according to UID ➤ A process may access files, network sockets, …. • Each process has UID • Each file has ACL ➤ Grants permissions to users according to UIDs and 
 roles (owner, group, other) ➤ Everything is a file!

  12. How many UIDs does a process have? • A: one • B: two • C: three • D: four

  13. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  14. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  15. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  16. Process UIDs • Real user ID (RUID) ➤ same as the user ID of parent (unless changed) ➤ used to determine which user started the process • Effective user ID (EUID) ➤ from setuid bit on the file being executed, or syscall ➤ determines the permissions for process • Saved user ID (SUID) ➤ Used to save and restore EUID

  17. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  18. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  19. SetUID demystified (a bit) • Root ➤ ID=0 for superuser root; can access any file • fork and exec system calls ➤ Inherit three IDs, except exec of file with setuid bit • setuid system call ➤ seteuid(newid) can set EUID to ➤ Real ID or saved ID, regardless of current EUID ➤ Any ID, if EUID is root

  20. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  21. SetUID demystified (a bit) • There are actually 3 bits: ➤ setuid - set EUID of process to ID of file owner ➤ setgid - set EGID of process to GID of file ➤ sticky bit ➤ on: only file owner, directory owner, and root can 
 rename or remove file in the directory ➤ off: if user has write permission on directory, can 
 rename or remove files, even if not owner

  22. Where have you seen this? -rwsr-xr-x 1 root root 55440 Jul 28 2018 /usr/bin/passwd drwxrwxrwt 16 root root 700 Feb 6 17:38 /tmp/

  23. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  24. Why are EUIDs even a thing? We can drop and elevate privileges! Owner 18 RUID 25 SetUID …; program …; exec( ); Owner 18 …; -rw-r--r-- …; RUID 25 file read/write EUID 18 i=getruid() Owner 25 setuid(i); -rw-r--r-- RUID 25 read/write …; EUID 25 file …;

  25. Example 1: Mail agent • Requirements ➤ Receive and send email over external network ➤ Place incoming email into local user inbox files • Sendmail ➤ Monolithic design ➤ Historical source of many vulnerabilities • Qmail ➤ Compartmentalized design

  26. qmail design • Isolation based on OS isolation ➤ Separate modules run as separate “users” ➤ Each user only has access to specific resources • Least privilege ➤ Minimal privileges for each UID ➤ Only one “setuid” program ➤ Only one “root” program

  27. structure of qmail qmail-smtpd qmail-inject qmail-queue Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  28. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send qmail-rspawn qmail-lspawn qmail-remote qmail-local

  29. structure of qmail qmail-smtpd qmail-inject qmail-queue setuid Incoming internal mail Incoming external mail qmail-send root qmail-rspawn qmail-lspawn qmail-remote qmail-local

  30. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  31. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue Reads incoming mail directories Splits message into header, body Signals qmail-send qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  32. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send signals • qmail-lspawn if local qmail-send • qmail-remote if remote root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local

  33. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-lspawn • Spawns qmail-local • qmail-local runs with ID of user receiving local mail

  34. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-local • Handles alias expansion • Delivers local mail • Calls qmail-queue if needed

  35. structure of qmail qmaild user qmail-smtpd qmail-inject qmailq qmail-queue qmail-send root qmailr qmails qmail-rspawn qmail-lspawn setuid user qmailr user qmail-remote qmail-local qmail-remote • Delivers message to remote MTA

  36. Android design • Isolation: Each app runs with own UID (own VM) ➤ Provides memory protection ➤ Communication limited to using UNIX domain sockets + reference monitor checks permissions ➤ Only ping and zygote run as root • Least Privilege: Applications announces permission ➤ User grants access at install time + runtime

  37. okws design • Isolation: each service runs with own UID ➤ Each service run in a chroot jail, restricted to ➤ Communication limited to structured RPC between service and DB • Least privilege ➤ Each UID is unique non privileged user ➤ Only okld (launcher daemon) runs as root

  38. okws design

  39. okws design

Recommend

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford

Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford

Authority Analysis for Least Privilege Environments 01 Authority Analysis for Least Privilege Environments Toby Murray and Gavin Lowe Oxford University Computing Laboratory Authority Analysis for Least Privilege Environments 02 The Rise of

798 views • 22 slides
Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation

Separation energies A = 21 isobaric chain one-nucleon separation energies two-nucleon separation energies Using http://www.nndc.bnl.gov/chart/ find one- and two-nucleon separation energies of 8 He, 11 Li, 45 Fe, 141 Ho, and 208 Pb. Discuss the

241 views • 5 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

488 views • 22 slides
Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe

Chapter 13: Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological

789 views • 43 slides
Inter-domain Role Mapping and Least Privilege Liang Chen Jason Crampton Information Security

Inter-domain Role Mapping and Least Privilege Liang Chen Jason Crampton Information Security

Inter-domain Role Mapping and Least Privilege Liang Chen Jason Crampton Information Security Group, Royal Holloway, University of London 12th ACM Symposium on Access Control Models and Technologies IDRM and Least Privilege Introduction

458 views • 18 slides
Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from

1.03k views • 58 slides
Practical Least-Squares for Computer Graphics Siggraph Course 11 Siggraph Course 11 Practical

Practical Least-Squares for Computer Graphics Siggraph Course 11 Siggraph Course 11 Practical

Outline Least Squares with Generalized Errors Robust Least Squares Constrained Least Squares Practical Least-Squares for Computer Graphics Siggraph Course 11 Siggraph Course 11 Practical Least-Squares for Computer Graphics Outline Least

745 views • 59 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

230 views • 18 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio

Extending propositional separation logic for robustness properties of separation logic Alessio Mansutti LSV, CNRS, ENS Paris-Saclay Paris - April 2019 What we will see An extension of propositional separation logic that can express some

571 views • 42 slides
Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart

' $ Text/Graphics Separation Revisited Karl Tombre, Salvatore Tabbone, Loc Plissier, Bart Lamiroy, Philippe Dosch August 2002 & % ' $ Text/Graphics Separation Revisited Text/Graphics Separation Text/Graphics Separation XY

738 views • 19 slides
Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms

Temporary Read-Only Permissions for Separation Logic Making Separation Logics Small Axioms Smaller Arthur Charguraud Franois Pottier LTP meeting Saclay, November 28, 2016 Motivation More Motivation Separation Logic with Read-Only

441 views • 27 slides
Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A

Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A

Decomposition Announcements Modular Design Separation of Concerns 4 Separation of Concerns A design principle: Isolate different parts of a program that address different concerns 4 Separation of Concerns A design principle: Isolate

888 views • 76 slides
Least-Action Filtering L. C. G. Rogers Statistical Laboratory, University of Cambridge

Least-Action Filtering L. C. G. Rogers Statistical Laboratory, University of Cambridge

Least-Action Filtering L. C. G. Rogers Statistical Laboratory, University of Cambridge Least-Action Filtering p. 1/1 Summary Least-Action Filtering p. 2/1 Summary Basics of least-action filtering Finding the least-action

934 views • 74 slides
In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client

In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client

In-House Counsel Depositions: Navigating Complex Privilege Issues Preserving the Attorney Client Privilege and Preserving the Attorney-Client Privilege and presents presents Maintaining Confidentiality A Live 90-Minute Teleconference/Webinar

703 views • 49 slides
Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of

Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of

Cyber-physical Models of Power System State Estimation Security Gyrgy Dn School of Electrical Engineering KTH, Royal Institute of Technology Stockholm, Sweden Joint work with: Ognjen Vukovi, Henrik Sandberg, Kin Cheong Sou, Andr

556 views • 39 slides
B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil

B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil

B24B: Useful, Affordable IT for the Poorest 4 billion June 25, 2002 Thomas Kalil tkalil@uclink.berkeley.edu Grand challenge ! Provide affordable, useful digital services to the 4 billion people on the planet earning less than $1,500 ! Not a

399 views • 10 slides
Optical Packet Switching the technology and its potential role in future communication networks

Optical Packet Switching the technology and its potential role in future communication networks

Optical Packet Switching the technology and its potential role in future communication networks Results from IST project . Lars Dittmann COM Technical University of Denmark ld@com.dtu.dk 1 ld@com.dtu.dk Zagreb 210503 What

1.05k views • 20 slides
CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider

CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider

CORPORATE OFFICE PROPERTIES TRUST Results for 1Q 2020 April 30, 2020 The Preferred Provider of Mission Critical Real Estate Solutions Table of Contents Results for 1Q 2020............................Page 3 Safe Harbor I. Unless

756 views • 41 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

357 views • 7 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

980 views • 56 slides
Database Security Enforced Database security - only authorized users can perform authorized

Database Security Enforced Database security - only authorized users can perform authorized

IT360: Applied Database Systems Database Security Kroenke: Ch 9, pg 309-314 PHP and MySQL: Ch 9, pg 217-227 1 Rights Database Security Enforced Database security - only authorized users can perform authorized activities Responsibilities

318 views • 9 slides
Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland

Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland

Security, IAM AWS sh shared red res espon ponsib sibility ility mo model el Portland State University CS 430P/530 Internet, Web & Cloud Systems Cloud ud se security urity In this course, security "in-the-cloud" via

449 views • 28 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.