Lecture 2: security principles (NOT IN BOOK)
economy of mechanism
-keep the design as simple and small as possible
-simplicity in the design and implementation of security measures
-easy to fix errors because of a simple design
secure the weakest link
-a software security system is only as strong as its weakest link
-attackers go after the easy targets
Separation of privilege
-access to objects should depend on more than one condition being satisfied
-this principle dictates that multiple conditions should be required to achieve access to restricted resources or to have a program perform some action
compartmentalize
-the basic access building block is not all or nothing
-minimize the amount of damage that can be done by breaking the system into units
-very few OSes do this because it is difficult to manage
ten design principles for protection mechanisms
-economy of mechanism
-fail-safe defaults
-complete mediation
-open design
-separation of privilege
-least privilege
-least common mechanism
-psychological acceptability
-work factor
-compromise recording
promote privacy
-often trades off against usability
-example: the system should forget credit card numbers, but users hate having to type them in each time
use your community resources
-repeated use without failure promotes trust
-public scrutiny promotes trust
principles for software security
-secure the weakest link
-practice defense in depth
-fail securely
-follow the principle of least privilege
-compartmentalize
-keep it simple
-promote privacy
-remember that hiding secrets is hard
-be reluctant to trust
-use community resources
to make security friendly
-security should not impact users who obey the rules
-it should be easy for users to give access
-it should be easy for users to restrict access
-established defaults should be reasonable
fail safe defaults
-states that the default configuration of a system should have a conservative protection scheme
-example: new users should have minimal access
-unfortunately, OSes and apps often have default options that favor usability over security
practice defense in depth
-use diverse defensive strategies
-if one layer turns out to be inadequate, another layer will hopefully prevent a complete compromise
least privilege
-each program and user of a computer system should operate with the bare minimum privileges necessary to function properly
least common mechanism
-in systems with multiple users, mechanisms allowing resources to be shared by more than one user should be minimized
work factor
-the cost of circumventing a security mechanism should be compared with the resources of an attacker when designing a security scheme
-example: a system developed to protect a university database doesn't need to be as sophisticated as one protecting military secrets
open design
-the security architecture and design of a system should be made publicly available
-security should not depend on secrecy of the design
-the design should be open for scrutiny by the community, which leads to early discovery of vulnerabilities caused by design errors
compromise recording
-this principle states that sometimes it is more desirable to record the details of an intrusion than to adopt more sophisticated measures to prevent it
-example: a security camera can protect a building without reinforcing doors and windows
four key elements to creating a practical security strategy
-block attacks, update defenses, minimize losses, and send secure information
complete mediation
-every access to a resource must be checked for compliance with a protection scheme
-example: an online banking website should require users to sign on again every 15 minutes
psychological acceptability
-user interfaces should be well designed, intuitive, and easy to use, so that users routinely and automatically apply the mechanism correctly; otherwise, the mechanism will be bypassed