Improper Isolation or Compartmentalization
Draft Class
Structure: Simple
Description
The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.
Common Consequences 1
Scope: Access Control
Impact: Gain Privileges or Assume IdentityBypass Protection Mechanism
The exploitation of a weakness in low-privileged areas of the software can be leveraged to reach higher-privileged areas without having to overcome any additional obstacles.
Detection Methods 3
Automated Static Analysis - Binary or BytecodeSOAR Partial
According to SOAR, the following detection techniques may be useful:
```
Cost effective for partial coverage:
```
Compare binary / bytecode to application permission manifestManual Static Analysis - Source CodeHigh
According to SOAR, the following detection techniques may be useful:
```
Highly cost effective:
```
Manual Source Code Review (not inspections)
```
Cost effective for partial coverage:
```
Focused Manual Spotcheck - Focused manual analysis of sourceArchitecture or Design ReviewHigh
According to SOAR, the following detection techniques may be useful:
```
Highly cost effective:
```
Inspection (IEEE 1028 standard) (can apply to requirements, design, source code, etc.)
Formal Methods / Correct-By-Construction
```
Cost effective for partial coverage:
```
Attack ModelingPotential Mitigations 1
Phase: Architecture and Design
Break up privileges between different modules, objects, or entities. Minimize the interfaces between modules and require strong access control between them.
Demonstrative Examples 2
ID : DX-167
Single sign-on technology is intended to make it easier for users to access multiple resources or domains without having to authenticate each time. While this is highly convenient for the user and attempts to address problems with psychological acceptability, it also means that a compromise of a user's credentials can provide immediate access to all other resources or domains.The traditional UNIX privilege model provides root with arbitrary access to all resources, but root is frequently the only user that has privileges. As a result, administrative tasks require root privileges, even if those tasks are limited to a small area, such as updating user manpages. Some UNIX flavors have a "bin" user that is the owner of system executables, but since root relies on executables owned by bin, a compromise of the bin account can be leveraged for root privileges by modifying a bin-owned executable, such as CVE-2007-4238.
Observed Examples 2
CVE-2021-33096Improper isolation of shared resource in a network-on-chip leads to denial of service
CVE-2019-6260Baseboard Management Controller (BMC) device implements Advanced High-performance Bus (AHB) bridges that do not require authentication for arbitrary read and write access to the BMC's physical address space from the host, and possibly the network [REF-1138].
References 4
The Protection of Information in Computer Systems
Jerome H. Saltzer and Michael D. Schroeder
Proceedings of the IEEE 63
09-1975
ID: REF-196
Separation of Privilege
Sean Barnum and Michael Gegick
06-12-2005
ID: REF-535
CVE-2019-6260: Gaining control of BMC from the host processor
Stewart Smith
2019
https://www.flamingspork.com/blog/2019/01/23/cve-2019-6260:-gaining-control-of-bmc-from-the-host-processor/(2025-07-29)
ID: REF-1138
State-of-the-Art Resources (SOAR) for Software Vulnerability Detection, Test, and Evaluation
Gregory Larsen, E. Kenneth Hong Fong, David A. Wheeler, and Rama S. Moorthy
07-2014
ID: REF-1479
Applicable Platforms
Languages:
Not Language-Specific : Undetermined
Modes of Introduction
Architecture and Design
Implementation
Alternate Terms
Separation of Privilege
Some people and publications use the term "Separation of Privilege" to describe this weakness, but this term has dual meanings in current usage. This node conflicts with the original definition of "Separation of Privilege" by Saltzer and Schroeder; that original definition is more closely associated with Reliance on a Single Factor in a Security Decision. Because there are multiple interpretations, use of the "Separation of Privilege" term is discouraged.Related Weaknesses
Notes
RelationshipThere is a close association with Execution with Unnecessary Privileges (Execution with Unnecessary Privileges). Improper Isolation or Compartmentalization is about providing separate components for each "privilege"; Execution with Unnecessary Privileges is about ensuring that each component has the least amount of privileges possible. In this fashion, compartmentalization becomes one mechanism for reducing privileges.
TerminologyThe term "Separation of Privilege" is used in several different ways in the industry, but they generally combine two closely related principles: compartmentalization (this node) and using only one factor in a security decision (Reliance on a Single Factor in a Security Decision). Proper compartmentalization implicitly introduces multiple factors into a security decision, but there can be cases in which multiple factors are required for authentication or other mechanisms that do not involve compartmentalization, such as performing all required checks on a submitted certificate. It is likely that Improper Isolation or Compartmentalization and Reliance on a Single Factor in a Security Decision will provoke further discussion.