Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see SEC50-J. Avoid granting excess privileges) but also by ensuring that privileged code contains only those operations that require increased privileges. Superfluous code contained within a privileged block must operate with the privileges of that block, increasing the attack surface.
Noncompliant Code Example
This noncompliant code example contains a
changePassword() method that attempts to open a password file within a
doPrivileged block and performs operations using that file. The
doPrivileged block also contains a superfluous
System.loadLibrary() call that loads the authentication library.
This example violates the principle of least privilege because an unprivileged caller could also cause the authentication library to be loaded. An unprivileged caller cannot invoke the
System.loadLibrary() method directly because this could expose native methods to the unprivileged code [SCG 2010]. Furthermore, the
System.loadLibrary() method checks only the privileges of its immediate caller, so it should be used only with great care. For more information, see SEC52-J. Do not expose methods that use reduced-security checks to untrusted code.
This compliant solution moves the call to
System.loadLibrary() outside the
doPrivileged() block. Doing so allows unprivileged code to perform preliminary password reset checks using the file but prevents it from loading the authentication library.
loadLibrary() invocation could also occur before preliminary password reset checks are performed; in this example, it is deferred for performance reasons.
Minimizing privileged code reduces the attack surface of an application and simplifies the task of auditing privileged code.
|CERT.SEC51.PCL||Limit the number of lines in "privileged" code blocks|