Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)
Presentation Transcript


  1. Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein) (Breather)

  2. Principles of Secure Design • Least Privilege • Fail Safe Defaults • Economy of Mechanism • Complete Mediation • Defense in depth • Open Design • Separation of Privilege • Least Common Mechanism • Psychological Acceptability

  3. Principle of Least Privilege • A subject should be given only the privileges it needs to complete its task, and no more. • Privileges should be determined by the function the subject performs, not by its identity, much like the need-to-know principle. • For example, a cashier can ring up sales but cannot write checks.

  4. Principle of Fail-Safe Defaults • Unless access has been explicitly granted, it should be denied: the default is "no". Moreover, if a system is unable to complete a task, it should undo any partial work and return to the start state rather than leave the system in an unknown, possibly less secure, condition. • Example: a regular user may not modify other people's mail files; in addition, if the mail program cannot deliver a message, the only thing it may do is report the failure.

  5. Principle of Economy of Mechanism • Security mechanisms should be as simple as possible. • This way, it is easier to check for errors.

  6. Principle of Complete Mediation • Every access to every object must be checked to ensure that it is still allowed. • A check performed once (for example when a file is opened) must not be cached and reused indefinitely: if the policy changes, or a right is revoked, later accesses through the same handle should be re-checked against the current policy.
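  The following is an added example written for this page, not code from the slides or from Bishop. It is a toy reference monitor that puts slides 4 and 6 side by side: access is granted only by an explicit entry in a grant table (fail-safe default, compared with an "allow unless denied" anti-pattern), and a handle that re-checks the policy on every read is compared with one that checks only at open time and never again, which is what a Unix file descriptor does. The subjects, objects, operations and grants are constructed sample data; the cashier entries echo the example on slide 3.

```python
"""Added example (not from the slides): a tiny reference monitor showing
fail-safe defaults (deny unless explicitly granted) and complete mediation
(re-check the current policy on every access; never trust a cached decision).
All subjects, objects and rights below are constructed sample data."""

# Policy: (subject, operation, object) triples that are explicitly granted.
# Anything absent from this set is denied -> fail-safe default.
# The cashier can ring up sales but was never granted "write_check".
GRANTS = {
    ("cashier", "ring_sale", "register"),
    ("cashier", "read", "price_list"),
    ("manager", "write_check", "checkbook"),
    ("alice", "read", "alice_mail"),
    ("alice", "write", "alice_mail"),
    ("bob", "read", "bob_mail"),
}


def is_allowed(subject, op, obj, grants=GRANTS):
    """Fail-safe default: True only when an explicit grant exists."""
    return (subject, op, obj) in grants


def is_allowed_unsafe(subject, op, obj, denials=frozenset()):
    """Anti-pattern shown for contrast: allow unless explicitly denied.
    A missing or misspelled deny rule silently grants access."""
    return (subject, op, obj) not in denials


class Monitor:
    """Holds the live policy so rights can be revoked at run time."""

    def __init__(self, grants):
        self.grants = set(grants)

    def revoke(self, subject, op, obj):
        self.grants.discard((subject, op, obj))

    def check(self, subject, op, obj):
        return is_allowed(subject, op, obj, self.grants)


class CachedHandle:
    """Checked once at open and never again (like a Unix file descriptor):
    a revocation after open has no effect. Violates complete mediation."""

    def __init__(self, monitor, subject, obj):
        if not monitor.check(subject, "read", obj):
            raise PermissionError(f"{subject} may not read {obj}")
        self.subject, self.obj = subject, obj  # the decision is cached here

    def read(self):
        return f"contents of {self.obj}"


class MediatedHandle:
    """Re-checks the current policy on every read: complete mediation."""

    def __init__(self, monitor, subject, obj):
        self.monitor, self.subject, self.obj = monitor, subject, obj

    def read(self):
        if not self.monitor.check(self.subject, "read", self.obj):
            raise PermissionError(f"{self.subject} may not read {self.obj}")
        return f"contents of {self.obj}"


def revocation_demo():
    """Open both kinds of handle, revoke the right, then read again.
    Returns (cached_read_succeeded, mediated_read_succeeded)."""
    m = Monitor(GRANTS)
    cached = CachedHandle(m, "alice", "alice_mail")
    mediated = MediatedHandle(m, "alice", "alice_mail")
    m.revoke("alice", "read", "alice_mail")
    results = []
    for handle in (cached, mediated):
        try:
            handle.read()
            results.append(True)
        except PermissionError:
            results.append(False)
    return tuple(results)


if __name__ == "__main__":
    print(is_allowed("cashier", "write_check", "checkbook"))         # False
    print(is_allowed_unsafe("cashier", "write_check", "checkbook"))  # True
    print(revocation_demo())                                         # (True, False)
```

  The revocation demo is the point of the example: both handles were legitimately opened, but only the mediated one notices that the right has since been taken away. Real systems cache decisions for performance (the second exercise on slide 12 asks what complete mediation would cost), so the practical question is how stale a cached decision may be, and how a policy change invalidates it.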

  7. Principle of Defense in Depth • The more independent lines of defense there are against an attacker, the better the defense, especially if the additional line(s) are of a different nature, so that one flaw or one technique does not defeat them all.

  8. Principle of Open Design • The security of a mechanism should not depend on the secrecy of its design or implementation; it may depend only on the secrecy of keys or passwords. • Especially important for crypto. • Example: DVDs, whose content scrambling (CSS) relied on a secret algorithm and was broken once the algorithm was reverse engineered.

  9. Principle of Separation of Privilege • A system should not grant permission based on a single condition; require two or more independent conditions, so that compromising one is not enough. • Example: on BSD systems, a user who wants to su to root must both belong to the wheel group and know the root password.
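  The following is an added example written for this page, not code from the slides and not a description of any real su implementation. It encodes the BSD rule on slide 9 as two independent conditions that must both hold, and then generalizes it to a two-person rule (approval from a required number of distinct authorized users), which is the same principle applied to people rather than credentials. The accounts, groups, sample password and PBKDF2 parameters are constructed assumptions.

```python
"""Added example (not from the slides): separation of privilege.
Becoming root requires wheel-group membership AND the root password;
either one alone is insufficient. All accounts, groups, the password and
the hashing parameters below are constructed sample data / assumptions."""

import hashlib
import hmac
import os

# Constructed sample data: which users are in which groups.
GROUPS = {
    "wheel": {"alice"},
    "staff": {"alice", "bob"},
}

# Constructed sample data: users allowed to approve a sensitive action.
APPROVERS = {"alice", "bob", "carol"}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; iteration count is an arbitrary assumption."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed root password, stored only as salt + hash.
ROOT_SALT, ROOT_HASH = hash_password("correct horse battery staple")


def password_ok(candidate):
    """Condition 1: the candidate hashes to the stored root hash.
    compare_digest avoids leaking the position of the first differing byte."""
    _, digest = hash_password(candidate, ROOT_SALT)
    return hmac.compare_digest(digest, ROOT_HASH)


def in_group(user, group):
    """Condition 2: group membership."""
    return user in GROUPS.get(group, set())


def su_allowed(user, candidate_password):
    """Separation of privilege: BOTH independent conditions must hold.
    Knowing the password without wheel membership fails; wheel membership
    without the password fails."""
    return in_group(user, "wheel") and password_ok(candidate_password)


def dual_control(approving_users, needed=2):
    """Generalization (two-person rule): the action proceeds only with
    approval from at least `needed` DISTINCT members of APPROVERS.
    Approvals from users outside APPROVERS do not count."""
    return len(set(approving_users) & APPROVERS) >= needed


if __name__ == "__main__":
    print(su_allowed("alice", "correct horse battery staple"))  # True
    print(su_allowed("alice", "guess"))                         # False: wrong password
    print(su_allowed("bob", "correct horse battery staple"))    # False: not in wheel
    print(dual_control({"alice", "bob"}))                       # True
    print(dual_control({"alice", "mallory"}))                   # False: only one approver
```

  One design choice worth noticing: `su_allowed` short-circuits, so a non-wheel user never triggers the password check. That is cheaper, but it also means response time reveals whether the account is in wheel; if that matters, evaluate both conditions unconditionally and combine the results afterwards.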

  10. Principle of Least Common Mechanism • Mechanisms used to access resources should be shared as little as possible, because every shared mechanism is a potential covert channel through which one user's activity can leak information to, or interfere with, another user.

  11. Principle of Psychological Acceptability • Security mechanisms should not make a resource noticeably harder to use than it would be without the mechanism; if they do, users will work around them. • Examples: ssh (once keys are set up, it is as convenient as an unprotected remote shell), the login mechanism.

  12. Exercises • Which of these principles apply to operating systems, and which of them are followed by Linux/Unix? Which are followed by Windows? • What would be the effect of checking EACH I/O file access for permission? Assume that each check would require an extra disk operation.
