I-0114: Untrusted Programs Must Not Execute With Security-Relevant Privileges
NUMBER: I-0114
STATUS: Ready to Prepare for Management/CCIMB
TITLE: Untrusted Programs Must Not Execute With Security-Relevant
Privileges
FIRST POST: [criteria 2352]
REQUIREMENT: System Architecture
CRITERIA CLASSES: B2, B3, A1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0183 Restrictions On Untrusted Programs In Low Assurance Products
STATEMENT:
The following interprets the requirement that ``The TCB modules shall be designed such that the principle of least privilege is enforced.'' in its interaction with the definition of Least Privilege as the requirement that ``each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.''

Procedural or ADP mechanisms shall be in place to prevent programs not in the TCB from being executed with access policy override privileges, TCB protection-override privileges, or privileges related to other criteria requirements (e.g., audit).

PROJECTED IMPACT:
This may have an impact on those products rated B2 and above that allow users to execute untrusted programs while retaining administrative override capabilities.

SUPPORT:
A significant concern in trusted products is that of Trojan Horses, i.e., programs that trick a trusted user into executing them and then take advantage of the trusted user's privileges. The goal of this interpretation is to reduce the risk of such programs in products rated B2 and above. The TCSEC makes no attempt to reduce this risk in products rated B1 and below; however, protection of the TCB domain is still required.

At B2 and above, a product's design is supposed to reflect the principle of least privilege, and be designed such that subjects possess only those abilities necessary to perform their authorized tasks. Programs not in the TCB, by definition, perform no security-relevant function. As such, they have no need to execute with security-relevant override abilities in order to perform their functions. Allowing them to execute with security-relevant capabilities provides an avenue for a Trojan Horse to take advantage of those capabilities.

There are many ways to achieve this restriction. ADP systems may choose to disallow execution of non-TCB programs by users holding security-relevant privileges. Alternatively, clear guidance can be provided in user and administrator documentation that such programs are not to be executed while privileges are held. Whether a TFM warning alone is sufficient depends on the number of individuals classed as trusted users: the more people who hold privilege, the less a procedural control can be relied upon.

Note that, in many cases, use of privilege is just one way to achieve a particular goal. For example, an administrator may find it easier to use a MAC override privilege to edit a user's files. If the editor is untrusted, this opens an attack avenue for a Trojan Horse: the editor runs with the administrator's override privilege and can reach every object the privilege unlocks. However, that administrator could instead change their own MAC and DAC attributes (or the file's) such that they could access the file without requiring privilege, and then edit the file unprivileged. A Trojan Horse in the editor is then confined to what the administrator can reach without privilege, which reduces the potential damage if one is present.
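The two approaches in the SUPPORT section, an ADP exec check that refuses untrusted programs to a privileged subject and the administrator's alternative of adjusting attributes and then running the editor unprivileged, can be seen side by side in a small reference-monitor model. The following is an added example written for this page, not code from the interpretation or from any rated product; the privilege names (MAC_OVERRIDE, DAC_OVERRIDE, AUDIT_ADMIN), the four-level lattice, the TCB program name tcb_setattr, the untrusted editor vi and the sample files and users are all assumptions constructed for the illustration. The model is read-only (simple security property only) to keep it short.

```python
"""Model of the I-0114 rule: a non-TCB program must not run while its subject
holds security-relevant override privileges.  Added illustration, not part of
the interpretation text; privilege names, lattice, program and file names are
assumptions made for the example."""
from dataclasses import dataclass, replace

# Linear MAC lattice (assumed for the example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

# Privileges that override access policy, TCB protection or audit (names assumed).
OVERRIDE_PRIVS = frozenset({"MAC_OVERRIDE", "DAC_OVERRIDE", "AUDIT_ADMIN"})

# Programs inside the TCB (name assumed); everything else is untrusted.
TCB_PROGRAMS = frozenset({"tcb_setattr"})


@dataclass(frozen=True)
class File:
    name: str
    owner: str
    level: str
    acl: frozenset          # users granted read access by DAC


@dataclass(frozen=True)
class Subject:
    user: str
    level: str              # clearance the subject is currently operating at
    privileges: frozenset = frozenset()


class ExecDenied(Exception):
    """Raised when the reference monitor refuses to start a program."""


def can_read(subject: Subject, f: File) -> bool:
    """Simple-security MAC check and DAC check, each overridable by privilege."""
    mac_ok = ("MAC_OVERRIDE" in subject.privileges
              or LEVELS[subject.level] >= LEVELS[f.level])
    dac_ok = ("DAC_OVERRIDE" in subject.privileges
              or subject.user == f.owner or subject.user in f.acl)
    return mac_ok and dac_ok


def trojan_reach(subject: Subject, files) -> set:
    """What an untrusted program would read if it were a Trojan Horse:
    everything its invoking subject can read, privileges included."""
    return {f.name for f in files if can_read(subject, f)}


def exec_allowed(subject: Subject, program: str) -> bool:
    """The I-0114 ADP mechanism: an untrusted program may not start while
    the subject holds any override privilege; TCB programs always may."""
    return program in TCB_PROGRAMS or not (subject.privileges & OVERRIDE_PRIVS)


def exec_program(subject: Subject, program: str, files, enforce: bool = True) -> set:
    """Run `program` as `subject`.  With enforce=False (the B1-and-below
    situation the interpretation contrasts) the check is skipped.  Returns
    the set of file names a Trojan Horse in the program could read."""
    if enforce and not exec_allowed(subject, program):
        held = sorted(subject.privileges & OVERRIDE_PRIVS)
        raise ExecDenied(f"{program} is untrusted; drop {held} first")
    return trojan_reach(subject, files)


def tcb_setattr(subject: Subject, f: File, grantee: str) -> File:
    """TCB program (assumed): add a user to a file's ACL.  This is the one
    place where DAC override is legitimately exercised."""
    if subject.user != f.owner and "DAC_OVERRIDE" not in subject.privileges:
        raise PermissionError("not owner and no DAC_OVERRIDE")
    return replace(f, acl=f.acl | {grantee})


def drop_privileges(subject: Subject) -> Subject:
    """Return the same subject with every override privilege removed."""
    return replace(subject, privileges=subject.privileges - OVERRIDE_PRIVS)


def safe_edit(admin: Subject, files, target: str) -> set:
    """The alternative the interpretation recommends: use a TCB program to
    change the file's DAC attributes, drop privilege, then run the untrusted
    editor.  Returns what a Trojan Horse in the editor could now reach."""
    adjusted = [tcb_setattr(admin, f, admin.user) if f.name == target else f
                for f in files]
    return exec_program(drop_privileges(admin), "vi", adjusted)


# Constructed sample data for the administrator scenario in the SUPPORT text.
FILES = [
    File("alice_notes", "alice", "CONFIDENTIAL", frozenset({"alice"})),
    File("bob_plan", "bob", "TOP SECRET", frozenset({"bob"})),
    File("admin_log", "admin", "SECRET", frozenset({"admin"})),
]
ADMIN = Subject("admin", "SECRET", frozenset({"MAC_OVERRIDE", "DAC_OVERRIDE"}))

if __name__ == "__main__":
    try:
        exec_program(ADMIN, "vi", FILES)
    except ExecDenied as e:
        print("enforced:", e)
    print("unenforced Trojan reach:",
          sorted(exec_program(ADMIN, "vi", FILES, enforce=False)))
    print("after attribute change:", sorted(safe_edit(ADMIN, FILES, "alice_notes")))
```

With enforcement on, the privileged administrator cannot start vi at all. With enforcement off, a Trojan Horse in vi reads every file, including bob's TOP SECRET plan, because the MAC and DAC overrides travel into the untrusted program. After the administrator uses the TCB program to add themselves to alice's ACL and drops privilege, the same Trojan Horse reaches only alice's file and the administrator's own file, which is exactly the damage reduction the interpretation describes.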