From the course: Threat Modeling: Denial of Service and Elevation of Privilege


Attenuation in defense


- [Instructor] What is attenuation? Let's imagine we have a command processor and it accepts commands of the form one, two, three, mapping one to ls, two to cat and three to rm. Another processor simply accepts commands. The client sends ls, rm or cat directly. The first processor is attenuating its privilege. It's narrowing what it's willing to do for its correspondents. Obviously sudo does this; it is the poster child for doing so intentionally. But more to the point, many programs control what they'll do on behalf of a client. This is most obvious with servers. A web server running as UID www can run almost anything in /usr/bin with any arguments it wants, but it doesn't pass that capability on to its clients the way the second processor does. Wiki sites are famous for letting anyone edit them, but they restrict that to what's in the wiki docs directory. They don't let just anyone edit /config. Similarly…
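As an added illustration (not code from the course), here are the two processors the instructor contrasts, in Python: the attenuating one maps the codes 1, 2, 3 to ls, cat and rm and confines any path argument to a base directory (the wiki docs directory of the example), while the pass-through one forwards whatever the client sends. The request format `<code> [relative path]` and the base directory are assumptions.

```python
import os
import shlex
import subprocess

# Constructed allowlist: numeric codes map to fixed programs, never to
# arbitrary client-supplied verbs.
ALLOWED = {"1": "ls", "2": "cat", "3": "rm"}


class AttenuatingProcessor:
    """Accepts '<code> [relative path]' and only ever runs ls, cat or rm
    on something inside the base directory (the 'wiki docs' directory)."""

    def __init__(self, base_dir):
        self.base = os.path.abspath(base_dir)

    def build_argv(self, request):
        parts = request.split(maxsplit=1)
        if not parts or parts[0] not in ALLOWED:
            raise PermissionError(f"unknown command code in {request!r}")
        rel = parts[1] if len(parts) == 2 else "."
        # Lexical confinement check; a real server would also resolve
        # symlinks (os.path.realpath) before comparing.
        target = os.path.normpath(os.path.join(self.base, rel))
        if os.path.commonpath([self.base, target]) != self.base:
            raise PermissionError(f"path escapes base dir: {rel!r}")
        return [ALLOWED[parts[0]], target]

    def is_permitted(self, request):
        try:
            self.build_argv(request)
            return True
        except PermissionError:
            return False

    def run(self, request):
        # argv list, no shell: the client cannot smuggle extra commands
        return subprocess.run(self.build_argv(request), capture_output=True, text=True)


class PassThroughProcessor:
    """Runs whatever the client sends, handing it all the server's privilege."""

    def build_argv(self, request):
        return shlex.split(request)

    def is_permitted(self, request):
        return bool(self.build_argv(request))
```

Note that a request such as `3 ../config` is rejected by the first processor but forwarded unchanged by the second, which is exactly the distinction the transcript draws.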
