Insufficient Compartmentalization |
| Weakness ID: 653 (Weakness Base) | Status: Draft |
DescriptionDescription Summary
Extended Description
When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.
Alternate Terms| Separation of Privilege: | Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with CWE-654. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged. |
|---|
Time of Introduction- Architecture and Design
- Implementation
Applicable PlatformsLanguages
All
Common Consequences| Scope | Effect |
|---|---|
Confidentiality Integrity Availability | The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles. |
Demonstrative ExamplesExample 1
Single sign-on technology is intended to make it easier for users to access multiple resources or domains without having to authenticate each time. While this is highly convenient for the user and attempts to address problems with psychological acceptability, it also means that a compromise of a user's credentials can provide immediate access to all other resources or domains.
Example 2
The traditional UNIX privilege model provides root with arbitrary access to all resources, but root is frequently the only user that has privileges. As a result, administrative tasks require root privileges, even if those tasks are limited to a small area, such as updating user man pages. Some UNIX flavors have a "bin" user that is the owner of system executables, but since root relies on executables owned by bin, a compromise of the bin account can be leveraged for root privileges by modifying a bin-owned executable, such as CVE-2007-4238.
Potential MitigationsBreak up privileges between different modules, objects or entities. Minimize the interfaces between modules and require strong access control between them. |
Other Notes| The term "Separation of Privilege" is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (CWE-654). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that CWE-653 and CWE-654 will provoke further discussion. There is a close association with CWE-250 (Failure to Use Least Privilege). CWE-653 is about providing separate components for each privilege; CWE-250 is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges. |
Weakness Ordinalities| Ordinality | Description |
|---|---|
Primary | (where the weakness exists independent of other weaknesses) |
Relationships| Nature | Type | ID | Name | View(s) this relationship pertains to |
|---|---|---|---|---|
| ChildOf |  Category | 254 | Security Features | Development Concepts699 |
| ChildOf |  Weakness Class | 657 | Violation of Secure Design Principles | Development Concepts (primary)699 Research Concepts (primary)1000 |
| ChildOf | Weakness Class | 693 | Protection Mechanism Failure | Research Concepts1000 |
Causal NatureImplicit
References| Jerome H. Saltzer and Michael D. Schroeder. "The Protection of Information in Computer Systems". Proceedings of the IEEE 63. September, 1975. <http://web.mit.edu/Saltzer/www/publications/protection/>. |
| Sean Barnum and Michael Gegick. "Separation of Privilege". 2005-12-06. <https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/357.html>. |
Content History| Submissions | ||||
|---|---|---|---|---|
| Submission Date | Submitter | Organization | Source | |
| 2008-01-18 | Pascal Meunier | Purdue University | External Submission | |
| Modifications | ||||
| Modification Date | Modifier | Organization | Source | |
| 2008-07-01 | Eric Dalci | Cigital | External | |
| updated Time of Introduction | ||||
| 2008-09-08 | CWE Content Team | MITRE | Internal | |
| updated Alternate Terms, Common Consequences, Description, Relationships, Other Notes, Weakness Ordinalities | ||||
| 2009-01-12 | CWE Content Team | MITRE | Internal | |
| updated Name | ||||
| Previous Entry Names | ||||
| Change Date | Previous Entry Name | |||
| 2009-01-12 | Design Principle Violation: Insufficient Compartmentalization | |||
