Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein) (Breather)
Principles of Secure Design • Least Privilege • Fail Safe Defaults • Economy of Mechanism • Complete Mediation • Defense in depth • Open Design • Separation of Privilege • Least Common Mechanism • Psychological Acceptability
Principle of Least Privilege • A subject should be given only the privileges it needs to complete its task, and no more; a privilege it does not hold cannot be misused if the subject is compromised. • Privileges should be tied to the function being performed, not to the identity of the subject, much like the need-to-know principle. • For example, a cashier cannot write checks.
Principle of Fail-Safe Defaults • Unless access has been explicitly granted, it should be denied. Moreover, if a mechanism fails partway through a task, the system should return to its starting state rather than leave a partially completed, possibly insecure result. • Example: a regular user may not modify other people's mail files; and if the mail program cannot deliver a message, the only thing it can do is report failure.
Principle of Economy of Mechanism • Security mechanisms should be as simple as possible. • A simple mechanism rests on fewer assumptions and has fewer places for errors to hide, so it is easier to check (by testing or by proof) that it does what it claims.
Principle of Complete Mediation • All accesses to objects must be checked to ensure that they are still allowed. • A decision made earlier must not simply be cached and reused; if it is (for example, checking only when a file is opened and trusting the handle afterwards), a later revocation does not take effect until the handle is closed.
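The following reference monitor, an added example that is not part of Bishop's slides, puts the fail-safe-defaults and complete-mediation slides into code. The subjects, the mail-file store and the grant table are constructed for the illustration; the class and function names are the example's own.

```python
"""Reference monitor showing fail-safe defaults and complete mediation.

Added example, not from the slides.  Subjects, objects and grants are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    # Only explicit (subject, object, action) grants are stored; anything not
    # listed is denied.  That is the fail-safe default.
    grants: set = field(default_factory=set)

    def grant(self, subject, obj, action):
        self.grants.add((subject, obj, action))

    def revoke(self, subject, obj, action):
        self.grants.discard((subject, obj, action))

    def check(self, subject, obj, action) -> bool:
        return (subject, obj, action) in self.grants


class AccessDenied(PermissionError):
    pass


class MediatedFile:
    """A handle that asks the monitor again on every operation (complete
    mediation) instead of caching the decision made when it was created."""

    def __init__(self, monitor, subject, name, store):
        self.monitor, self.subject, self.name, self.store = monitor, subject, name, store

    def read(self):
        if not self.monitor.check(self.subject, self.name, "read"):
            raise AccessDenied(f"{self.subject} may not read {self.name}")
        return self.store[self.name]

    def write(self, data):
        if not self.monitor.check(self.subject, self.name, "write"):
            raise AccessDenied(f"{self.subject} may not write {self.name}")
        self.store[self.name] = data


def deliver(monitor, subject, store, writes):
    """All-or-nothing delivery (the mail example): every write is checked
    first and committed only if all are permitted; otherwise the function
    reports failure and the store is left exactly as it was."""
    for name, _ in writes:
        if not monitor.check(subject, name, "write"):
            return False
    staged = dict(store)
    for name, data in writes:
        staged[name] = data
    store.clear()
    store.update(staged)
    return True


def demo():
    rm = ReferenceMonitor()
    store = {"alice_mail": "hello alice", "bob_mail": "hello bob"}  # constructed objects
    results = {}

    # Fail-safe default: bob has no grant on alice's mail, so access is denied.
    try:
        MediatedFile(rm, "bob", "alice_mail", store).read()
        results["default_denied"] = False
    except AccessDenied:
        results["default_denied"] = True

    # Complete mediation: the check is repeated on each read, so revoking the
    # grant takes effect immediately even for an already-open handle.
    rm.grant("alice", "alice_mail", "read")
    handle = MediatedFile(rm, "alice", "alice_mail", store)
    first = handle.read()
    rm.revoke("alice", "alice_mail", "read")
    try:
        handle.read()
        results["revocation_honored"] = False
    except AccessDenied:
        results["revocation_honored"] = first == "hello alice"

    # Fail-safe on failure: the mailer may write alice's file but not bob's, so
    # the two-recipient delivery fails as a whole and changes nothing.
    rm.grant("mailer", "alice_mail", "write")
    before = dict(store)
    ok = deliver(rm, "mailer", store, [("alice_mail", "new"), ("bob_mail", "new")])
    results["partial_delivery_prevented"] = (not ok) and store == before
    return results


if __name__ == "__main__":
    print(demo())
```

The cost of this design is the point of the second exercise at the end of the deck: the monitor is consulted on every read, not once per open.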
Principle of Defense in Depth • The more lines of defense there are against an attacker, the better the defense, especially if the additional lines are of a different nature, so that the technique which defeats one does not automatically defeat the next.
Principle of Open Design • The security of a mechanism should not depend on the secrecy of its design or implementation. • Especially important for cryptography (Kerckhoffs's principle). • Example: DVD content scrambling (CSS), whose secret cipher was reverse engineered and broken once players could be examined.
Principle of Separation of Privilege • A system should not grant permission based on a single condition. • Example: on BSD systems, a user may su to root only if both conditions hold: membership in the wheel group and knowledge of the root password.
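The BSD su rule above, as an added example that is not part of the slides: root is granted only when two independent conditions both hold. The group table, the salt and the stored root password hash are constructed for the demonstration; the function names are the example's own, not BSD's.

```python
"""Separation of privilege: su succeeds only if BOTH conditions hold.

Added example, not from the slides.  Accounts, groups and the password hash
are constructed for illustration.
"""
import hashlib
import hmac

# Constructed account database.  The stored root credential is PBKDF2-HMAC-SHA256
# over the password "correct horse" with a fixed salt, computed at import time so
# the example is self-contained.
_SALT = b"example-salt"
_ITERATIONS = 50_000
GROUPS = {"wheel": {"alice"}, "users": {"alice", "bob"}}
ROOT_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, _ITERATIONS)


def in_wheel(user: str) -> bool:
    """Condition 1: the caller must be a member of the wheel group."""
    return user in GROUPS["wheel"]


def knows_root_password(password: str) -> bool:
    """Condition 2: the caller must present the root password.  The comparison
    is constant-time so a wrong guess leaks nothing about the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    return hmac.compare_digest(candidate, ROOT_PW_HASH)


def su(user: str, password: str) -> bool:
    """Grant root only when both conditions hold.  Both are evaluated every
    time (no short-circuit), so the response time does not reveal which of the
    two conditions failed."""
    has_group = in_wheel(user)
    has_password = knows_root_password(password)
    return has_group and has_password


if __name__ == "__main__":
    # Only the combination of group membership AND the password succeeds.
    for user, pw in [("alice", "correct horse"), ("alice", "wrong"),
                     ("bob", "correct horse"), ("bob", "wrong")]:
        print(user, repr(pw), "->", "root" if su(user, pw) else "denied")
```

Knowing the root password alone (bob) or being in wheel alone (alice with the wrong password) is not enough; an attacker must defeat two separate mechanisms, which is the point of the principle.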
Principle of Least Common Mechanism • Mechanisms used to access resources should not be shared between subjects, because a shared mechanism is a path through which one subject can affect or observe another (it provides a haven for covert channels).
Principle of Psychological Acceptability • Security mechanisms should not make a resource more difficult to access than it would be without them; if they do, users will work around them. • Examples: ssh (once set up, no harder to use than the insecure tools it replaces), the login mechanism.
Exercises • Which of these principles apply to operating systems, and which of them are followed by Linux/Unix? Which are followed by Windows? • What would be the effect of checking EACH I/O file access for permission? Assume that each check would require an extra disk operation.
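For the second exercise, the following added example (not part of the slides) shows what Linux/Unix actually does: the permission check happens at open(2) and the result is cached in the file descriptor, so later read(2) calls are not mediated again. The program creates its own temporary file for the demonstration. Note that if it is run as root, the discretionary permission bits do not apply, so the fresh open also succeeds; the returned dictionary records that case.

```python
"""Where Unix stops short of complete mediation.

Added example, not from the slides.  Uses a temporary file created here;
assumes a POSIX system.
"""
import os
import tempfile


def open_time_check_demo():
    posix = os.name == "posix"
    is_root = getattr(os, "geteuid", lambda: -1)() == 0
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, b"secret mail\n")
        os.close(fd)
        # Open once while permitted...
        f = open(path, "rb")
        # ...then revoke every permission bit on the file.
        os.chmod(path, 0)
        # The already-open descriptor keeps working: the decision was made
        # (and cached) at open() time, not re-checked per read.
        fd_read_ok = f.read() == b"secret mail\n"
        f.close()
        # A fresh open() goes through the check again and is refused, unless
        # the process is root, which DAC permission bits do not constrain.
        try:
            open(path, "rb").close()
            reopen_denied = False
        except PermissionError:
            reopen_denied = True
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)
    return {"posix": posix, "is_root": is_root,
            "fd_read_ok": fd_read_ok, "reopen_denied": reopen_denied}


if __name__ == "__main__":
    print(open_time_check_demo())
```

This is the trade-off the exercise asks about: one check per open is cheap, while a check on every read would add a lookup (in the exercise's model, an extra disk operation) to each I/O, at the price that revocation only takes effect for descriptors opened afterwards.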