
Security Design Principles 1. Permission Policies
This document is licensed with a Creative Commons Attribution 4.0 International License © 2017


Learning Outcomes
Upon completion of this unit, students will be able to:
• Recognize what fail-safe defaults, least privilege, and complete mediation are and how they work
• Recognize why these principles should be implemented in order to make software as secure as possible


Fail-safe defaults—what is it?
• Unless a subject is given explicit access to an object, it should be denied access to that object.
• This restricts how privileges are initialized when a subject or object is created.
• Whenever access, privilege, or some other security-related attribute is not explicitly granted, it should be denied by default.
• If the system fails, it should fail in such a way that it continues to protect the system from attackers.
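The slide's two rules (deny anything not explicitly granted; keep protecting the system when something fails) can be seen side by side in a small access check. This is an added Python example written for this page, not code from the slides; the policy table, subject and object names, and the simulated policy-store outage are all constructed for illustration.

```python
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


class PolicyUnavailable(Exception):
    """Raised when the policy store cannot be consulted."""


# Constructed sample policy (not from the slides): an allow-list keyed by
# (subject, object). An entry that is absent is simply no grant at all.
SAMPLE_POLICY = {
    ("alice", "grades"): {"read"},
    ("alice", "schedule"): {"read", "write"},
    ("bob", "schedule"): {"read"},
}


def load_policy(available=True):
    """Stand-in for a policy store; available=False simulates an outage."""
    if not available:
        raise PolicyUnavailable("policy store unreachable")
    return SAMPLE_POLICY


def check_access(subject, obj, action, policy_available=True):
    """Default-deny check: ALLOW only when an explicit grant exists.

    Every other path, including a failure to reach the policy store, returns
    DENY, so the system keeps protecting objects when a component fails.
    """
    try:
        policy = load_policy(policy_available)
    except PolicyUnavailable:
        return Decision.DENY  # fail closed, never fail open
    granted = policy.get((subject, obj), set())  # missing entry -> no rights
    return Decision.ALLOW if action in granted else Decision.DENY


# Contrast: a deny-list design that lets anything through unless it is
# explicitly listed. A subject or object created without a deny entry is
# silently granted everything, which is exactly what fail-safe defaults forbid.
UNSAFE_DENY_LIST = {("bob", "grades")}


def unsafe_check_access(subject, obj, action):
    """Default-allow check; shown only to contrast with check_access."""
    if (subject, obj) in UNSAFE_DENY_LIST:
        return Decision.DENY
    return Decision.ALLOW


if __name__ == "__main__":
    print(check_access("alice", "grades", "read"))                          # Decision.ALLOW
    print(check_access("alice", "grades", "write"))                         # Decision.DENY
    print(check_access("carol", "banking", "read"))                         # Decision.DENY
    print(check_access("alice", "grades", "read", policy_available=False))  # Decision.DENY
    print(unsafe_check_access("carol", "banking", "read"))                  # Decision.ALLOW
```

The important branch is the `except PolicyUnavailable` one: when the check itself cannot complete, the safe answer is to deny, because an outage must never turn into an implicit grant.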


Safe-failures in the real world
• The principle of safe-failure is applied widely in familiar places.
• Electric door locks generally unlock when the power fails to avoid trapping people inside buildings.
• This is done to protect the people inside the building.
• In the same sense, the fail-safe default protects the system.


Least privilege—what is it?
• The practice of limiting access to the minimal level that will still allow normal functioning.
• Translates to giving people the lowest level of user rights that they can have and still do their jobs.
• Originated in the United States Department of Defense in the 1970s.
• In software, it requires that, in a particular layer of an environment, every module (such as a process, user, or program) must be able to access only the resources and information that are necessary for its legitimate purpose.


Least privilege—what are its benefits?
• Better system stability
  • For example, applications running with restricted rights will not have access to perform operations that could crash the machine.
• Better system security
  • Vulnerabilities in one application cannot be used to exploit the rest of the machine.
• Ease of deployment
  • The fewer privileges an application requires, the easier it is to deploy within a large environment.


Least privilege—example
• Your school website has separate pages for banking information, grades, class schedule, and e-mail.
• The e-mail module should not have access to your banking information, because it is not required in order to complete its job.
• This keeps the banking information, and the information in the other modules, safe if the e-mail account gets compromised.
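The school-website example can be modelled by handing each module a capability that names only the sections of the student record its job needs, so that a compromised e-mail module can reach the mailbox and nothing else. This is an added Python example, not code from the slides; the student record, the section names and the capability objects are constructed for illustration, and the banking values are placeholders.

```python
from dataclasses import dataclass

# Constructed sample record for one student (not from the slides).
STUDENT_RECORD = {
    "banking": {"account": "PLACEHOLDER-0000", "balance": 0},
    "grades": {"CS101": "A"},
    "schedule": ["CS101 Mon 09:00"],
    "email": ["Welcome to the student portal"],
}


class AccessDenied(PermissionError):
    pass


@dataclass(frozen=True)
class Capability:
    """Names exactly which sections of the record a module may read or write."""
    module: str
    readable: frozenset
    writable: frozenset = frozenset()


def read_section(cap, section):
    """Mediated read: succeeds only for sections the capability names."""
    if section not in cap.readable:
        raise AccessDenied(f"{cap.module} may not read {section}")
    return STUDENT_RECORD[section]


def write_section(cap, section, value):
    """Mediated write: succeeds only for sections the capability names."""
    if section not in cap.writable:
        raise AccessDenied(f"{cap.module} may not write {section}")
    STUDENT_RECORD[section] = value


# Each module is minted a capability covering only what its job requires.
EMAIL_CAP = Capability("email", readable=frozenset({"email"}), writable=frozenset({"email"}))
GRADES_CAP = Capability("grades", readable=frozenset({"grades"}))
BANKING_CAP = Capability("banking", readable=frozenset({"banking"}), writable=frozenset({"banking"}))

# An over-privileged capability, as every module would hold if the whole
# record were simply shared. Shown only to contrast with the scoped ones.
OVERPRIVILEGED_CAP = Capability(
    "email", readable=frozenset(STUDENT_RECORD), writable=frozenset(STUDENT_RECORD)
)


def reachable_sections(cap):
    """Sections a module holding cap could read if its code were fully
    compromised: the module's blast radius under this capability."""
    reachable = []
    for section in STUDENT_RECORD:
        try:
            read_section(cap, section)
            reachable.append(section)
        except AccessDenied:
            pass
    return sorted(reachable)


if __name__ == "__main__":
    print(reachable_sections(EMAIL_CAP))           # ['email']
    print(reachable_sections(OVERPRIVILEGED_CAP))  # ['banking', 'email', 'grades', 'schedule']
    write_section(EMAIL_CAP, "email", ["Inbox cleared"])
    try:
        write_section(GRADES_CAP, "grades", {"CS101": "A+"})
    except AccessDenied as exc:
        print(exc)                                 # grades may not write grades
```

`reachable_sections` is the question a reviewer asks of every module: if this code were taken over, what could it touch? With the scoped capability the answer is the mailbox alone; with the over-privileged one it is the entire record, banking included.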


Least privilege—Target hack
• Target was recently hacked because of a violation of the Principle of Least Privilege.
• Target worked with a third-party refrigeration vendor, whose system was linked with Target's own.
• Since these systems were linked, once the hackers were into the vendor's accounts, it was easy for them to access Target's important information: credit card numbers.
• If the systems had not been connected, this problem may have been prevented.


Complete mediation—what is it?
• The Principle of Complete Mediation states that access to objects should be checked repeatedly to ensure that permission is granted.
• Every time someone tries to access that object, the system should verify the privileges associated with that access.
• The operating system should mediate EVERY access to an object.


Complete mediation—why use it?
• If the access control rights of an object are decreased or changed after the first time the rights are granted, and the system does not check the next access to that object, then a permissions violation may occur.
• Caching permissions may improve a system's performance, but at the cost of its security.


Complete mediation—efficiency
• If the principle of Complete Mediation is to be implemented correctly in a system, it needs to be done efficiently.
• This means that, in addition to normal runtime, this must also be done at:
  • Initialization
  • Shutdown
  • Restart
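The three complete-mediation slides above describe a reference monitor that is asked on every access, the permissions violation that a cached decision causes once a right is revoked, and the need to do this efficiently. The following added Python example (written for this page, not code from the slides) puts the three side by side: a gate that always asks the monitor, a gate that caches its first answer, and a caching gate whose entries the monitor invalidates on revocation, so it stays both fast and correct. The subject, object and grant data are constructed for illustration.

```python
class ReferenceMonitor:
    """Authoritative policy: the only component that knows the current grants."""

    def __init__(self, grants):
        # grants: {(subject, object): {actions}}; constructed sample data below
        self.grants = {key: set(actions) for key, actions in grants.items()}
        self.listeners = []  # callbacks told about every revocation

    def check(self, subject, obj, action):
        return action in self.grants.get((subject, obj), set())

    def revoke(self, subject, obj, action):
        self.grants.get((subject, obj), set()).discard(action)
        for listener in self.listeners:
            listener(subject, obj, action)


class MediatingGate:
    """Complete mediation: asks the monitor on every single access."""

    def __init__(self, monitor):
        self.monitor = monitor

    def access(self, subject, obj, action):
        return self.monitor.check(subject, obj, action)


class CachingGate:
    """Checks once per (subject, object, action) and remembers the answer.

    Faster, but a right revoked after the first check keeps working: this is
    the permissions violation the slides warn about."""

    def __init__(self, monitor):
        self.monitor = monitor
        self.cache = {}

    def access(self, subject, obj, action):
        key = (subject, obj, action)
        if key not in self.cache:
            self.cache[key] = self.monitor.check(subject, obj, action)
        return self.cache[key]


class InvalidatingCachingGate(CachingGate):
    """Caches like CachingGate, but the monitor notifies it of every
    revocation so the stale entry is dropped. The cache starts empty on
    construction, so a restart begins with no remembered decisions."""

    def __init__(self, monitor):
        super().__init__(monitor)
        monitor.listeners.append(self.invalidate)

    def invalidate(self, subject, obj, action):
        self.cache.pop((subject, obj, action), None)


def revocation_scenario(gate_cls):
    """Grant bob read on grades, access it, revoke the right, access again.

    Returns (decision before revocation, decision after revocation)."""
    monitor = ReferenceMonitor({("bob", "grades"): {"read"}})
    gate = gate_cls(monitor)
    before = gate.access("bob", "grades", "read")
    monitor.revoke("bob", "grades", "read")
    after = gate.access("bob", "grades", "read")
    return before, after


if __name__ == "__main__":
    print(revocation_scenario(MediatingGate))            # (True, False)
    print(revocation_scenario(CachingGate))              # (True, True)  <- violation
    print(revocation_scenario(InvalidatingCachingGate))  # (True, False)
```

The second result is the failure the "why use it?" slide describes: the cached `True` outlives the grant. The third shows the usual way to keep the efficiency without giving up mediation: a cache is acceptable only if every policy change reaches it, and it must be rebuilt from the monitor rather than restored at restart.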


Example
• The Domain Name System (DNS) caches information mapping hostnames to IP addresses.
• If an attacker is able to corrupt these files by implanting records with fake IP addresses and names, the host will send connections intended for that name to the wrong address.
• This is why it is important for the data permissions to be checked every time they are accessed.