The principle of least privilege states that every program and every user of the system should operate using the least set of privileges necessary to complete the job [Saltzer 1974, Saltzer 1975]. The Build Security In website [DHS 2006] provides additional definitions of this principle. Executing with minimal privileges limits the damage an attacker can do if a vulnerability is discovered in the code.
Noncompliant Code Example
An application may spawn another process as part of its normal course of action. On Windows, the newly spawned process automatically receives the same privileges (the same access token) as the parent process [MSDN]. By allowing the child process to run in the same security context as the parent process, the attack surface of the application is extended to the child process. Furthermore, this example allows the child process to inherit handles from the parent process by passing TRUE to the bInheritHandles parameter of CreateProcess(), so every inheritable handle the parent holds (files, pipes, and other kernel objects) is also available to the child.
If the parent process is running elevated, calling launch_notepad() gives the user an elevated Notepad application, from which the user could launch Explorer.exe, read any user's files, change system settings, and so on.
Compliant Solution
By using the Windows Integrity Mechanism [MSDN] when creating the process, you can assign an integrity level to the launched child process. Doing so allows you to execute the child process with a specific set of privileges instead of defaulting to the parent process's security level. A process can lower the integrity level of a token it creates but cannot raise it above its own, so the child can never be more privileged than the parent.
The compliant solution demonstrates how to launch notepad.exe using a low integrity level, regardless of the privilege level of the parent process. It also disallows handle inheritance by passing FALSE to the bInheritHandles parameter, because notepad.exe does not require access to any of the parent process's handles.
Possible values for the integrity level SID strings are listed in the following table:
|Integrity level SID||Name|
|S-1-16-4096||Mandatory Label\Low Mandatory Level|
|S-1-16-8192||Mandatory Label\Medium Mandatory Level|
|S-1-16-12288||Mandatory Label\High Mandatory Level|
|S-1-16-16384||Mandatory Label\System Mandatory Level|
Risk Assessment
Failure to follow the principle of least privilege allows an exploit of the child process to execute with the parent process's privileges, including any elevated privileges the parent holds.
Use of CreateProcess
|ISO/IEC TR 24772||Adherence to Least Privilege [XYN]|
|MITRE CWE||CWE-250, Execution with unnecessary privileges; CWE-272, Least privilege violation|