The principle of least privilege is a well-known aim of secure computing, but it is difficult to achieve in practice. An application should run with the minimal set of permissions and privileges required for its tasks. The permissions and privileges held by an application include the ability to read, write, and display data belonging to other applications and to launch other applications and processes. Operating systems typically run an application under the account of the logged-in user, so the user is forced to trust the application with every right the account holds, whether or not the application needs those rights to do its job. The operating system is typically responsible for provisioning user accounts. Provisioning an account includes establishing the rights of the user and verifying the user's identity through an appropriate credential or identity mapping process. Because rights are provisioned per user rather than per application, any application the user launches automatically receives the full set of rights and privileges the logged-in user holds. This is a problem for home users, who are typically configured as system administrators, and for system administrators, developers and others in a corporate environment who possess broad privileges, for at least two reasons.
First, an application that is completely "trusted" in this way ends up with potentially unlimited access to other data and applications, limited only by the extent of the user's privileges. Such unrestricted access is a problem even when the application itself is not malicious: the application may contain defects such as buffer overruns or SQL injection flaws, or it may be manipulated by an attacker who exploits those defects, and any resulting damage extends to everything the user can reach.
Second, when an application has unlimited access rights, auditing the events that occur in a system becomes complicated, since it is difficult to prove that the application did not perform a given action when it had the rights to perform it. Adequate auditing of the execution environment in which an application runs is required for banking, medical and other applications that demand secure execution. Conventional methods of limiting an application's access rights have shortcomings of their own. Running the application as a web application (which may require rewriting it) under a common, often unprivileged, operating system account means that the data of all users is accessed under a single account, so the operating system cannot restrict each user to his or her own data. Using the origin of the code as the basis for deciding whether to grant a permission enforces those permissions only within the language runtime, above the operating system level, so it cannot constrain what the process is permitted to do at the operating system itself.