Thursday, February 15, 2007

limited security benefits of limited users

the idea of running as a limited user is getting a lot of attention these days... it's not a new idea, the principle of least privilege has been around for a very long time, but there are some out there who (incorrectly) view it as the solution to the malware problem...

the principle of least privilege states that you should give the least amount of privileges necessary for an entity to do his/her/its task and no more... the idea is to keep people and/or things away from that which they have no need to access... you might well be thinking that this sounds like it really should solve the malware problem, after all if we can prevent the malware from being able to access things it needs to access in order to do its job then it won't work anymore... indeed, many people think that this practice should be able to prevent viruses and all sorts of other malware... they think that by running as a limited user any malware they happen to come across will be unable to access the system files and/or resources that are key to the malware's ability to do bad things...

the implicit assumption here is that you need administrative privileges to be able to do bad things... when you make it explicit, however, it should become obvious that this is false... as a limited user you can still delete or modify your own files, can't you? you can still connect to the internet and send data to 3rd parties and receive data back, right? you can still run programs that can display text and/or images, too... those things are more than enough to implement malware that operates in a limited user context... if you can delete or modify your own files then so could a (malicious or otherwise) program you run - opening you up to viruses and a variety of different types of trojans... if you can send and receive data over the internet then so can a (malicious or otherwise) program you run - opening you up to worms and remote control programs like RATs and bots, not to mention all sorts of spyware... and let's not forget that if a program you run can display text and/or graphics it can display annoying ads (i.e. adware)...

as you can see, there are all sorts of malware that can theoretically run in a limited user environment... what running as a limited user will do is stop a great deal of the current malware from operating, because that malware was designed with the assumption that it would run in an administrative user context... it was a safe assumption to make because most people did and still do run as administrator, and with all the extra power available in such a scenario why wouldn't a malware creator try to take advantage of it... the power they are generally most interested in, the one that is most advantageous to a malware writer, is the ability to install the malware - to modify the system in such a way as to ensure that the malware gets run as soon as the computer starts up... but not being able to do that doesn't mean that a virus can't infect or a worm can't spread or a trojan can't trash your files or give remote control to a 3rd party as soon as you run it, it just means that it won't automatically continue doing so when the computer reboots...

and this isn't just theoretical, either... 20+ years ago while performing some of the first academic research into computer viruses, fred cohen was able to get a virus to spread successfully on a professionally administered unix system without having root (administrator) access and without needing the root user to run the virus...
