Chapter 12: Design Principles

Slides: 9

Slide 1. Chapter 12: Design Principles

• Overview
  – There are principles for many kinds of design
    • Generally, a design should consider: Balance, Rhythm, Proportion, Dominance, Unity
  – There are principles for the design and implementation of security mechanisms
• Principles
  – Least Privilege
  – Fail-Safe Defaults
  – Economy of Mechanism
  – Complete Mediation
  – Open Design
  – Psychological Acceptability


Slide 2. Overview

• Simplicity
  – Less to go wrong
  – Fewer possible inconsistencies
    • Policy conflict
  – Easy to understand
  – Fewer data checks during transmission among components
    • Assumptions about input/output data may lead to serious security problems
• Restriction
  – Minimize access
  – Inhibit communication
    • Hiding not only the contents, but also the fact that the communication exists


Slide 3. Least Privilege

• A subject should be given only those privileges necessary to complete its task
  – Restrict the privilege grant
  – The function of the subject (what she/he needs to do), instead of its identity (who she/he is), controls the assignment of rights
  – Rights added as needed, discarded after use
  – Minimal protection domain
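The slide's "rights added as needed, discarded after use" and "function, not identity, controls the assignment" can be made concrete in code. The following is an added example, not part of the slides: it keeps a constructed task-to-rights table (the task names and the `read:/var/log` / `write:/var/log` rights are assumptions) and grants a subject exactly the rights its current task needs, for exactly as long as the task runs.

```python
# Added example (not from the slides): task-scoped privilege grants.
# Rights are tied to the task being performed, not to the subject's identity,
# are granted only while the task runs, and are discarded afterwards.
from contextlib import contextmanager

# Constructed task-to-rights table: what each task needs and nothing more.
TASK_RIGHTS = {
    "rotate_logs": {"read:/var/log", "write:/var/log"},
    "generate_report": {"read:/var/log"},
}


class Subject:
    def __init__(self, name):
        self.name = name
        self.rights = set()  # protection domain starts empty (minimal)

    def can(self, right):
        return right in self.rights


@contextmanager
def performing(subject, task):
    """Grant exactly the rights TASK_RIGHTS lists for `task`, for the task's duration."""
    if task not in TASK_RIGHTS:
        raise PermissionError(f"no rights defined for task {task!r}")
    added = TASK_RIGHTS[task] - subject.rights  # only what the subject lacks
    subject.rights |= added
    try:
        yield subject
    finally:
        subject.rights -= added  # discard after use, even if the task raised


def run_task(subject, task, right_to_try):
    """Return (held_during_task, held_after_task) for one right."""
    with performing(subject, task) as s:
        during = s.can(right_to_try)
    return during, subject.can(right_to_try)


def run_failing_task(subject, task):
    """Rights are revoked even when the task fails midway."""
    try:
        with performing(subject, task):
            raise RuntimeError("constructed failure inside the task")
    except RuntimeError:
        pass
    return frozenset(subject.rights)


if __name__ == "__main__":
    alice = Subject("alice")
    print(run_task(alice, "generate_report", "read:/var/log"))   # (True, False)
    print(run_task(alice, "generate_report", "write:/var/log"))  # (False, False)
    print(run_task(alice, "rotate_logs", "write:/var/log"))      # (True, False)
    print(run_failing_task(alice, "rotate_logs"))                # frozenset()
```

The `finally` clause is the part that matters: a task that crashes halfway must not leave its rights behind, or the protection domain grows with every failure.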


Slide 4. Fail-Safe Defaults

• Restrict how privileges are initialized
• Default action is to deny access
• If an action fails, the system should be restored to the state before the action began
  – Either none or all
  – No partial transaction allowed
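Both halves of the slide, default deny and all-or-nothing actions, fit in one short piece of code. This is an added example, not from the slides; the ACL entries, account names and balances are constructed for illustration.

```python
# Added example (not from the slides): default deny plus all-or-nothing updates.
# Subjects, objects and balances are constructed values.


class Acl:
    """Access is denied unless an explicit allow entry exists (default deny)."""

    def __init__(self):
        self._allow = set()  # entries of the form (subject, object, right)

    def grant(self, subject, obj, right):
        self._allow.add((subject, obj, right))

    def check(self, subject, obj, right):
        # No entry, unknown subject, unknown object: every case falls through to False.
        return (subject, obj, right) in self._allow


def transfer(balances, src, dst, amount):
    """Move `amount` from src to dst; on any failure restore the prior state and return False."""
    snapshot = dict(balances)  # state before the action began
    try:
        balances[src] -= amount  # first step of the transaction
        if balances[src] < 0:
            raise ValueError("insufficient funds")
        balances[dst] += amount  # KeyError if dst does not exist: the second step fails
        return True
    except (KeyError, ValueError):
        balances.clear()
        balances.update(snapshot)  # either none or all: no partial transaction survives
        return False


def acl_demo():
    """Return (granted right, ungranted right, unknown subject) decisions."""
    acl = Acl()
    acl.grant("alice", "ledger", "read")
    return (
        acl.check("alice", "ledger", "read"),
        acl.check("alice", "ledger", "write"),
        acl.check("mallory", "ledger", "read"),
    )


if __name__ == "__main__":
    print(acl_demo())  # (True, False, False)
    accounts = {"alice": 100, "bob": 0}
    print(transfer(accounts, "alice", "nobody", 30), accounts)  # False {'alice': 100, 'bob': 0}
    print(transfer(accounts, "alice", "bob", 30), accounts)     # True {'alice': 70, 'bob': 30}
```

The interesting case is the transfer to a nonexistent account: the debit has already happened when the credit fails, and without the snapshot restore the ledger would be left in a partial state that the slide forbids.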


Slide 5. Economy of Mechanism

• Simplify the design and implementation
• Keep it as simple as possible
  – KISS Principle (Keep it simple, si__y)
• Simpler means less can go wrong
  – And when errors occur, they are easier to understand and fix
  – Weaker assumptions need to be made
• Interfaces and interactions
  – Assumptions about input and output
    • Supposed to be a small file, but who knows
  – Interactions with other entities
    • Bugs in windows
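The "supposed to be a small file, but who knows" bullet is the assumption that most often turns into a resource-exhaustion bug: code reads the whole input into memory because it expects the input to be small. The added example below, not part of the slides, replaces that assumption with an explicit bound; the limit value and the `accept_upload` helper are constructed for illustration.

```python
# Added example (not from the slides): do not assume the input is small; enforce a bound.
import io

MAX_INPUT_BYTES = 4096  # constructed limit for the example


class InputTooLarge(ValueError):
    pass


def read_bounded(stream, limit=MAX_INPUT_BYTES, chunk=1024):
    """Read at most `limit` bytes from `stream`.

    Raises InputTooLarge instead of silently truncating or buffering without bound.
    Works on any object with a read(n) method (files, sockets wrapped in makefile, BytesIO).
    """
    buf = bytearray()
    while True:
        # Never request more than one byte past the limit; that extra byte is the
        # overflow signal, so memory use is bounded by limit + 1 regardless of input size.
        piece = stream.read(min(chunk, limit + 1 - len(buf)))
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise InputTooLarge(f"input exceeds {limit} bytes")


def accept_upload(data: bytes, limit=MAX_INPUT_BYTES):
    """Return the number of bytes accepted, or None if the input was rejected."""
    try:
        return len(read_bounded(io.BytesIO(data), limit))
    except InputTooLarge:
        return None


if __name__ == "__main__":
    print(accept_upload(b"A" * 100))   # 100
    print(accept_upload(b"A" * 4096))  # 4096
    print(accept_upload(b"A" * 4097))  # None
```

Note that the reader rejects oversized input rather than keeping the first `limit` bytes: truncation would make a second, quieter assumption (that a prefix of the data is still meaningful), which is exactly the kind of hidden assumption the slide warns about.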


Slide 6. Complete Mediation

• Restrict caching of information
• Check every access
• Usually done once, on first action
  – UNIX: access checked on open, not checked thereafter
    • If permissions change, users may get unauthorized access
• Tradeoff with efficiency
  – DNS and web content
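The UNIX bullet describes a cached access decision: the check runs at `open()` and later reads trust it. The added example below, not from the slides, models both designs side by side with a constructed in-memory policy and file table, and runs the same open-revoke-read scenario through each so the difference is visible.

```python
# Added example (not from the slides): an access decision cached at open() versus
# one re-made on every access. Subjects, objects and contents are constructed.

FILES = {"payroll.txt": b"constructed file contents"}


class Policy:
    """Mutable read permissions: object -> set of subjects allowed to read it."""

    def __init__(self):
        self._readers = {}

    def allow_read(self, subject, obj):
        self._readers.setdefault(obj, set()).add(subject)

    def revoke_read(self, subject, obj):
        self._readers.get(obj, set()).discard(subject)

    def can_read(self, subject, obj):
        return subject in self._readers.get(obj, set())


class CachedHandle:
    """UNIX-style: the check runs once at open; later reads trust that cached decision."""

    def __init__(self, policy, subject, obj):
        if not policy.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj}")
        self._obj = obj  # the decision is baked in; the policy is never consulted again

    def read(self):
        return FILES[self._obj]


class MediatedHandle:
    """Complete mediation: every read re-consults the current policy."""

    def __init__(self, policy, subject, obj):
        if not policy.can_read(subject, obj):
            raise PermissionError(f"{subject} may not read {obj}")
        self._policy, self._subject, self._obj = policy, subject, obj

    def read(self):
        if not self._policy.can_read(self._subject, self._obj):
            raise PermissionError(f"{self._subject} may not read {self._obj}")
        return FILES[self._obj]


def revocation_scenario(handle_cls):
    """Open while permitted, revoke, read again. Returns (read_before_ok, read_after_ok)."""
    policy = Policy()
    policy.allow_read("bob", "payroll.txt")
    handle = handle_cls(policy, "bob", "payroll.txt")
    before = handle.read() == FILES["payroll.txt"]
    policy.revoke_read("bob", "payroll.txt")
    try:
        handle.read()
        after = True
    except PermissionError:
        after = False
    return before, after


if __name__ == "__main__":
    print(revocation_scenario(CachedHandle))    # (True, True): revocation has no effect
    print(revocation_scenario(MediatedHandle))  # (True, False): revocation takes effect
```

The efficiency tradeoff the slide mentions is also visible: `MediatedHandle.read` pays for a policy lookup on every call, which is the price of revocation taking effect immediately.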


Slide 7. Open Design

• Security should not depend on secrecy of design or implementation
  – Popularly misunderstood to mean that source code should be public; not necessarily
  – Secrecy can enhance security, but if the design becomes exposed, the security of the mechanism should not be affected
  – Does not apply to information such as passwords or cryptographic keys
  – People can figure out your system design
    • CPU simulator; trash digging; stealing
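The slide's distinction between the design (may be public) and keys (must stay secret) is what a message-authentication check looks like in practice. The added example below is not from the slides: it uses the standard library's HMAC-SHA256, whose algorithm is fully published, and shows that knowing the algorithm while holding a different key produces tags the verifier rejects. The key is generated at import purely for the example.

```python
# Added example (not from the slides): a mechanism whose design is entirely public
# (HMAC-SHA256, RFC 2104); the only secret is the key.
import hashlib
import hmac
import secrets

# Constructed key for the example; a real deployment loads it from a key store.
KEY = secrets.token_bytes(32)


def tag(message: bytes, key: bytes = KEY) -> bytes:
    """Compute the authentication tag. Nothing here is secret except `key`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(message: bytes, candidate_tag: bytes, key: bytes = KEY) -> bool:
    # Constant-time comparison; the comparison method is published design, not a secret.
    return hmac.compare_digest(tag(message, key), candidate_tag)


def tag_survives_design_exposure(message: bytes) -> bool:
    """A party that knows the full algorithm but holds a different key produces a tag
    the verifier rejects, so exposing the design does not weaken the mechanism."""
    other_key = secrets.token_bytes(32)
    return not verify(message, tag(message, other_key))


if __name__ == "__main__":
    m = b"constructed message"
    print(verify(m, tag(m)))                     # True: correct key
    print(verify(m + b"!", tag(m)))              # False: message altered
    print(tag_survives_design_exposure(m))       # True: wrong key, public design
```

Contrast this with a scheme whose security rests on keeping the tagging algorithm itself secret: once the algorithm leaks (by disassembly, a discarded printout or a stolen device, the slide's examples), there is nothing left to rotate, whereas a leaked key here is replaced and the public design is untouched.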


Slide 8. Psychological Acceptability

• Security mechanisms should not add to the difficulty of accessing a resource
  – Hide the complexity introduced by security mechanisms
  – Ease of installation, configuration, use
  – Human factors are critical here
    • Zero-interaction authentication


Slide 9. Key Points

• Principles of secure design underlie all security-related mechanisms
• They require:
  – Good understanding of the goal of the mechanism and the environment in which it is to be used
  – Careful analysis and design
  – Careful implementation