Star Wars and the Principle of Least Privilege

In this week’s Friday Star Wars Security Blogging, I’m continuing with the design principles from Saltzer and Scheoder’s classic paper. (More on that in this post.) This week, we look at the principle of least privilege:

Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur. Thus, if a question arises related to misuse of a privilege, the number of programs that must be audited is minimized. Put another way, if a mechanism can provide “firewalls,” the principle of least privilege provides a rationale for where to install the firewalls. The military security rule of “need-to-know” is an example of this principle.

In a previous post, I was having trouble choosing a scene to use. So I wrote to several people, asking for advice. One of those people was Jeff Moss, who has kindly given me permission to use his answer as the core of this week’s post:

How about when on the Death Star, when R2D2 could not remotely deactivate the
tractor beam over DeathNet(tm), Obi Wan had to go in person to do the job. This
ultimately lead to his detection by Darth Vader, and his death. Had R2D2 been
able to hack the SCADA control for the tractor beam he would have lived.
Unfortunately the designers of DeathNet employed the concept of least privilege,
and forced Obi Wan to his demise.

i-must-go-alone.jpg

Initially, I wanted to argue with Jeff about this. An actual least privilege system, I thought, would not have allowed R2 to see the complete plans and discover where the tractor beam controls are. But R2 is just playing with us. He already has the complete technical readouts of the Death Star inside him. He doesn’t really need to plug in at all, except to get an orientation and a monitor to display Obi Wan’s route.

But even if R2 didn’t have complete plans, note the requirement to have the privileges “necessary to complete the job.” Its not clear if you could operate a battle station without having technical plans widely available for maintenance and repair. Which is a theme I’ll return to as the series winds to its end.

If you enjoyed this post, a good way to read more of the series is the Star Wars category archive.