Many operating system services require special privilege
to execute their tasks. A programming error in a
privileged service opens the door to system compromise
in the form of unauthorized acquisition of privileges. In
the worst case, a remote attacker may obtain superuser
privileges. In this paper, we discuss the methodology
and design of privilege separation, a generic approach
that lets parts of an application run with different levels
of privilege. Programming errors occurring in the unprivileged
parts can no longer be abused to gain unauthorized
privileges. Privilege separation is orthogonal
to capability systems or application confinement and
enhances the security of such systems even further.
Privilege separation is especially useful for system
services that authenticate users. These services execute
privileged operations depending on internal state
not known to an application confinement mechanism.
As a concrete example, the concept of privilege separation
has been implemented in OpenSSH. However,
privilege separation is equally useful for other authenticating
services. We illustrate how separation of privileges
reduces the amount of OpenSSH code that is executed
with special privilege. Privilege separation prevents
known security vulnerabilities in prior OpenSSH
versions including some that were unknown at the time
of its implementation.
%0 Journal Article
%1 privescal
%A Provos, Niels
%A Friedl, Markus
%A Honeyman, Peter
%D 2003
%J 12th USENIX Security Symposium
%K escalation privilege security separation
%P 11
%T Preventing Privilege Escalation
%U http://www.citi.umich.edu/u/provos/papers/privsep.pdf
%X Many operating system services require special privilege
to execute their tasks. A programming error in a
privileged service opens the door to system compromise
in the form of unauthorized acquisition of privileges. In
the worst case, a remote attacker may obtain superuser
privileges. In this paper, we discuss the methodology
and design of privilege separation, a generic approach
that lets parts of an application run with different levels
of privilege. Programming errors occurring in the unprivileged
parts can no longer be abused to gain unauthorized
privileges. Privilege separation is orthogonal
to capability systems or application confinement and
enhances the security of such systems even further.
Privilege separation is especially useful for system
services that authenticate users. These services execute
privileged operations depending on internal state
not known to an application confinement mechanism.
As a concrete example, the concept of privilege separation
has been implemented in OpenSSH. However,
privilege separation is equally useful for other authenticating
services. We illustrate how separation of privileges
reduces the amount of OpenSSH code that is executed
with special privilege. Privilege separation prevents
known security vulnerabilities in prior OpenSSH
versions including some that were unknown at the time
of its implementation.
@article{privescal,
abstract = {Many operating system services require special privilege
to execute their tasks. A programming error in a
privileged service opens the door to system compromise
in the form of unauthorized acquisition of privileges. In
the worst case, a remote attacker may obtain superuser
privileges. In this paper, we discuss the methodology
and design of privilege separation, a generic approach
that lets parts of an application run with different levels
of privilege. Programming errors occurring in the unprivileged
parts can no longer be abused to gain unauthorized
privileges. Privilege separation is orthogonal
to capability systems or application confinement and
enhances the security of such systems even further.
Privilege separation is especially useful for system
services that authenticate users. These services execute
privileged operations depending on internal state
not known to an application confinement mechanism.
As a concrete example, the concept of privilege separation
has been implemented in OpenSSH. However,
privilege separation is equally useful for other authenticating
services. We illustrate how separation of privileges
reduces the amount of OpenSSH code that is executed
with special privilege. Privilege separation prevents
known security vulnerabilities in prior OpenSSH
versions including some that were unknown at the time
of its implementation.},
added-at = {2007-03-17T18:02:51.000+0100},
author = {Provos, Niels and Friedl, Markus and Honeyman, Peter},
biburl = {https://www.bibsonomy.org/bibtex/23cd5c96fbcf5244590a2931ea57925dc/mobileink},
description = {Preventing Privilege Escalation},
interhash = {3d05f00f625452a5fd4579c61d523a5d},
intrahash = {3cd5c96fbcf5244590a2931ea57925dc},
journal = {12th USENIX Security Symposium},
keywords = {escalation privilege security separation},
month = {August},
pages = 11,
timestamp = {2007-03-17T18:02:51.000+0100},
title = {Preventing Privilege Escalation},
url = {http://www.citi.umich.edu/u/provos/papers/privsep.pdf},
year = 2003
}