Mitigation-page

MID-012: OS-based Access Control Mechanisms

Mitigation Tier: Foundational

Description

The OS should enforce access controls for all users and programs to prevent unauthorized access to OS resources, services, and system calls. There are numerous methods of restricting permissions and privileges to users and programs, including leveraging OS-based access control mechanisms that restrict OS system calls or sandbox-based approaches that encapsulate programs within restrictive environments. These mechanisms should be implemented to enforce access based on the principle of least privilege - which states that programs and users should only have access to the resources that they absolutely need to operate, and nothing else.

Operating systems typically deploy various access control mechanisms that restrict which system calls can be executed and what resources those system calls can access. While many operating systems include a default Discretionary Access Control (DAC) mechanism, these have limitations on their ability to define granular permissions for privileged functions. Strong access control mechanisms include (i) capabilities-based permission models, which provide more granular controls over privileged functions, or (ii) mandatory access control (MAC) mechanisms (e.g., SELinux), which allow fully customizable privileges across all system calls and resources. Further, programs should obtain privileged access only for key functions and then downgrade those privileges after the function is performed (e.g., setuid/setguid). The access control mechanisms deployed by the device must be sufficiently sophisticated to support the variety of programs and applications, their exposure to threats (e.g., networks services), and the criticality of specific data or resources.

Other mechanisms can be used to further restrict what resources an executing process may access. For example, in Linux the seccomp feature can be used to limit which of the OS kernel’s system calls a process may invoke, further constricting the attack surface a compromised process can access to increase its foothold on a device.

IEC 62443 4-2 Mappings

  • CR 2.1 - Authorization Enforcement 

References

[1] AppArmor. “Linux kernel security module.” apparmor.net. Accessed: Aug. 28, 2024. [Online.] Available: https://www.apparmor.net/

[2] M. Kerrisk. “seccomp.” man7.org. Accessed: Aug. 28, 2024. [Online.] Available: https://www.man7.org/linux/man-pages/man2/seccomp.2.html

[3] RedHat. “4.2 SELinux and Mandatory Access Control (MAC).” redhat.com. Accessed: Aug. 28, 2024. [Online.] Available: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_security_guide/sect-virtualization_security_guide-svirt-mac

[4] RedHat. “10.4. Defining Role-Based Access Controls.” redhat.com. Accessed: Aug. 28, 2024. [Online.] Available: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/defining-roles

[5] J. Kline. “The Linux Security Hardening Checklist for Embedded Systems.” starlab.io. Accessed: Aug. 28, 2024. [Online.] Available: https://www.starlab.io/blog/the-linux-security-hardening-checklist-for-embedded-systems