04 Privilege Separation
Apply the principles of least privilege and test-before-use to implement defense in depth.
Privilege Separation
Run code separated into modules that each run with minimal privileges. In particular, separate code that handles input normalization, network and system access, or user interaction. Refuse processing of data that does not conform to the expected format in later modules (the sender might be under attacker control).
A module is encapsulated into one process (, system, container, vm, …).
- run each module with minimal privileges required
- if higher privileges are required, use before processing any data, then drop privileges
- do full input validation in each module
If a module requires more than one set of privileges for data processing, split it!
Attack Points
When software is split in multiple modules, there are two main attack points.
- the individual modules (or components) themselves
- the communication protocols between the modules
Components
Principles for secure components:
- do full input validation, even on internal input interfaces
- keep internal communication as simple as possible
- if input validation fails for an internal component, log issue and terminate (optionally flag sender as compromeised [application-internal intrusion detection])
- make attacking one component from another one as hard as possible
- do not expose internal communication (is also has to be secure!)
- treat config or data files as communication channels
- select correct level of separation:
- high security requires small, restricted components
- low security can use larger, less restricted components
- if architecture seems insecure, change it
- split large, complex components into smaller ones
Communication
Suitable communication mechanisms:
- Anonymous pipes and named pipes
- local sockets (“unix domain sockets”)
- signals
- files in the filesystem (with proper permissions/restrictions)
Side notes for forking:
- delete all file descriptors from the parent that the child does not need
- erase all memory that contains secrets of the parent
Less suitable communication mechanisms:
- remote procedure calls (RPC): have bad security track record
- shared memory: buffer overflow can propagate
- sending serialized objects: may end up sending compomised objects
- network sockets: exposes internal communication to the network.
Can still work if:- use localhost (127.0.0.1): only exposed to local processes
- secure networking
- isolated network
- vpn: might work but violates KISS
Example: Web Server
A web server is a good example for privilege separation.
- parent is privileged
- child has minimal to no privileges
- child can request privileged actions from parent
- parent only accepts limited communication from child and does careful input validation
In an ideal world, no data from the network is ever given to the parent.
In reality, only carefully sanitized data iis given to the parent.
stateDiagram-v2
state "Parent Process (privileged)" as P
state "Child Process (unprivileged)" as C
state "Client" as U
C --> P: Requests to perform privileged operations
P --> C: Responses
C --> U
U --> C
Existing Software
Some existing software that uses privilege separation:
- OpenSSH
- Postfix MTA
Kernel- and User-Space
Disclaimer: Microkernels might be different and provide some separation.
Generally, only differentiating between kernel- and user-space is not enough. The kernel combines many different functionalities and is therefore a large attack surface.
Why are not all kernels microkernels?
- greater complexity: communication is more difficult
- performance: microkernels are slower, but this is getting better
But, on the plus side, microkernels can do privilege separation on the OS level.
3-Tier Architecture
The three tiers of a 3-tier architecture are:
- presentation tier: translates tasks and results to something the user can understand
- application tier: coordinates the application and contains business logic
- data tier: information is stored and retrieved here
Web-APIs and Microservices
Web-APIs and microservices might also be a form of privilege separation. But only if their intercommunication is secure.
Limits and Alternatives
Privilege separation only helps if you can detect attacks (else it only needs input validation) or you can normalize attack possibilities in preprocessing steps.
In general case:
- restrict the input as much as possible
- put other protection in place as far as possible
- revert to general risk management
Alternatives:
- write secure code (if it only was this simple…)
- zero trust (only really helps with IAM)
- ??? (what more can we do?)