design principles for secure systems systems driving
play

Design Principles for Secure Systems Systems Driving Ideas for - PDF document

Jan 16, 2024 •288 likes •468 views

1 Design Principles for Secure Systems Systems Driving Ideas for Security Principles Saltzer and Schroeder (1975) defined 8 principles that are based on the ideas of simplicity and restriction are based on the ideas of simplicity and

  1. 1 Design Principles for Secure Systems Systems

  2. Driving Ideas for Security Principles • Saltzer and Schroeder (1975) defined 8 principles that are based on the ideas of simplicity and restriction are based on the ideas of simplicity and restriction • Simplicity – Less to go wrong Less to go wrong – Fewer possible inconsistencies – Easy to understand y • Restriction – Minimize access – an entity can access only information it needs (also known as “need to know” principle) – Inhibit communication – an entity can communicate with other entities only when necessary and in few (and narrow) other entities only when necessary, and in few (and narrow) ways as possible 2

  3. Design Principles g p • Economy of Mechanism • Open Design • Open Design • Principle of Least Privilege • Complete Mediation • Complete Mediation • Separation of Privilege • Failsafe Defaults F il f D f lt • Least Common Mechanism • Psychological Acceptability P h l i l A bili • Additional principles – Diversity of Mechanism i i f h i – Multiple Lines of Defense 3

  4. Economy of Mechanism • Use simple and straightforward mechanisms wherever possible p – Simplicity means • Less can go wrong • When errors occur, they are easier to understand and fix – Interfaces and interactions • Interfaces to other modules are crucial because modules often I t f t th d l i l b d l ft make implicit assumptions about input or output parameters or the current system state • Avoid a lot of extra features. Bells and whistles add complication, and that introduces errors • The simplest mechanism that does the job is the best 4

  5. Economy of Mechanism • Consider reusing components whenever possible, as long as the components to be reused are believed to be of good quality. – Why would anyone want to re-implement AES or SHA-1, when there are several widely used libraries available? • Do not implement unnecessary security mechanisms. p y y – An example is file encryption supporting the access control service that in turn supports the goals of confidentiality and integrity by preventing unauthorized file access. – If file encryption is a necessary part of accomplishing the goals, then the mechanism is appropriate. – However, if these security goals are adequately supported without inclusion of However, if these security goals are adequately supported without inclusion of file encryption, then that mechanism would be an unneeded system complexity. 5

  6. Open Design • No security through obscurity. The security of a mechanism should not depend on the secrecy of its design and implementation (i.e., attacker's ignorance of how the mechanism works or is built) – If the strength of a program’s security depends on the ignorance of user, a knowledgeable user can defeat the security mechanism • “Security through obscurity” is not a good principle – How about passwords or cryptographic keys? • This principle is controversial. hi i i l i i l – Showing a design or source code to attackers certainly makes their task easier. NSA, for instance, refused to publish their analysis that the DES encryption algorithm is secure. The lack of information, however, ti l ith i Th l k f i f ti h decreases people's assurance in the security of DES. – Publicizing the design give security researchers the opportunity to find and fix the flaws before the attackers do and fix the flaws before the attackers do. 6

  7. Open Design • Issues of proprietary software and trade secrets complicate the application of this principle the application of this principle • In some cases, companies do not want their designs made public to protect them from competitors • The principle then requires that the design and implementation be available to people barred from disclosing it outside the company g p y 7

  8. Principle of Least Privilege • Every subject/program should be given the minimum set of privileges necessary to complete the job. p g y p j – The function of a subject, and not its identity, should control the assignment of rights – Rights should be added as needed, discarded after use Ri ht h ld b dd d d d di d d ft • This limits the damage that can result from an accident or error accident or error • It limits the number of privileged programs (which could be compromised) in the system. • It also helps in debugging, is good for increasing assurance, and allows isolation of small critical subsystems subsystems. 8

  9. Complete Mediation • Complete Mediation. Every access to every object is checked. – In practice, this is relaxed/violated! Why? – Usually done once, on first action • UNIX: access checked on OPEN, not checked thereafter h k d h k d h (READ) • If permissions change after, the user may get unauthorized access access – Example: process for user A opens a file; user A is terminated revoking all his privileges; process accesses fil file which has been open for days and user privilege is hi h h b f d d i il i not verified. 9

  10. Separation of Privilege • Two keys are better than one. Each privilege sho ld req ire a separate secret should require a separate secret. – A system should not grant permission based on a single condition single condition – More than one condition must be verified in order to gain access to gain access • Separate passwords for separate objects. 10

  11. Separation of Privilege • Example: company cheques for more than $100k must be signed by two officers of the company must be signed by two officers of the company • Example: On Berkeley-based version of Unix, a user is not allowed to change from his account to the root is not allowed to change from his account to the root account unless two conditions are verified: (i) the user knows the root password; (ii) the user is in the wheel group (with GID 0) • This allows finer-grained control of access to the system, and limits what can be compromised if a single secret is revealed. • Can be overly cumbersome for the user. 11

  12. Failsafe Defaults • No access by default. It is much better (and less prone to error) to define who can have access p ) than to directly define who cannot . – Problem: user needs a privilege that was not p g anticipated so his work is delayed while the privilege is authorized. • If the subject is not able to complete its action or task, it should undo those changes it made in the , g security state of the system before it terminates. If the program fails, the system is still safe. p g , y – What happens if the program crashes, not fails? 12

  13. Least Common Mechanism • Mechanisms used to access resources should not be shared – Information can flow along shared channels – Covert channels Covert channels • This principle is implemented by isolation mechanisms mechanisms – Virtual machines – Sandboxes Sandboxes 13

  14. Psychological Acceptability • Security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present. – Hide complexity introduced by security mechanisms – Ease of installation, configuration, use – Human factors critical here – On the other hand, security requires that the messages impart no unnecessary information • For example, if a user supplies the wrong password, the system should reject the attempt with a message saying that the login failed that the login failed – If it were to say that the password was incorrect, the user would 14 know that the account name was legitimate

  15. Other principles: Diversity of M Mechanism h i • Diversity of Mechanism Security mechanisms that have the same design or follow similar logic are likely to fail in similar ways (hence, at the same time or fall to the same trick of an attacker). Di erse mechanisms are nlikel to share Diverse mechanisms are unlikely to share vulnerabilities. • With diverse mechanisms the odds are increased • With diverse mechanisms, the odds are increased that no single vulnerability is common to all. 15

  16. Other principles: Multiple Lines of Defense f D f • Unfortunately, no security mechanism is totally secure. Plan for something to fail ll Pl f hi f il and have a second (and third) line of defense defense. • Example: Try to keep the bad guys out (firewall) but if they do get in minimize the (firewall) but if they do get in, minimize the harm they can do (strict access controls), and if they manage to get access, have good and if they manage to get access, have good audit logs so you can track them down and prosecute. p 16

  17. Key Points • Principles of secure design underlie all security- related mechanisms related mechanisms • They encompass not only technical details but also human interaction l h i t ti • They require – Good understanding of • The goal of the security mechanism and • The environment in which it is to be used – Careful analysis and design – Careful implementation 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets

May 19: Design Principles and Confinement Principles of Secure Design One set; other sets say basically the same thing Confinement, non-VM isolation Library operating systems Sandboxes Program modification Covert

584 views • 30 slides
Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles

CSE 127: Computer Security Sandboxing and isolation Deian Stefan Today Lecture objectives: Understand basic principles for building secure systems Understand mechanisms used to build secure systems Principles of secure design

1.1k views • 64 slides
Applications of Systems Ecology to Site Design? Some principles of systems modeling Dr. David

Applications of Systems Ecology to Site Design? Some principles of systems modeling Dr. David

Applications of Systems Ecology to Site Design? Some principles of systems modeling Dr. David Blersch Biosystems Engineering Department Auburn University dmb0040@auburn.edu Ecological Design in the Southeast: Workshop and Design Charrette

558 views • 20 slides
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Secure Systems Computer systems can be considered a closed box. Informa8on in the box is safe as long as nothing enters or leaves the box. Systems S8ll

206 views • 16 slides
Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer

Design Principles for Security-conscious Systems 1 Overview Design principles from Saltzer & Schroeders 1975 paper A few case studies What did Saltzer-Schroeder overlook? (Personal opinions) 2 Saltzer and Schroeders

780 views • 45 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles

Outline Saltzer & Schroeders principles CSci 5271 More secure design principles Introduction to Computer Security Day 7: Defensive programming and design, part 1 Software engineering for security Stephen McCamant Announcements

355 views • 7 slides
UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

UMBC A B M A L F T U M B C I O M Y O T R 1 (November 26, 2000 11:15 pm) I E

Principles of VLSI Design Introduction CMPE 413/CMSC 711 Principles of VLSI Design Instructor: Professor Jim Plusquellic Text: Principles of CMOS VLSI Design: A Systems Perspective, by Neil H.E. Weste and Kamran Eshraghian. Supplementary

752 views • 21 slides
Computer Science 240 Principles of Software Design Goals of Software Design Create systems

Computer Science 240 Principles of Software Design Goals of Software Design Create systems

Computer Science 240 Principles of Software Design Goals of Software Design Create systems that Work Easy as possible to understand, debug, and maintain Hold up well under changes Have reusable components Design is

470 views • 20 slides
State Revenue Systems and State Revenue Systems and Principles of Tax Policy Principles of Tax

State Revenue Systems and State Revenue Systems and Principles of Tax Policy Principles of Tax

State Revenue Systems and State Revenue Systems and Principles of Tax Policy Principles of Tax Policy Blue Ribbon Tax Structure Commission Vermont General Assembly Bert Waisanen National Conference of State Legislatures September 1, 2009

1.2k views • 72 slides
in Health Systems: More GPS than Self-Driving Car Sarah M. Greene, MPH Health Care Systems

in Health Systems: More GPS than Self-Driving Car Sarah M. Greene, MPH Health Care Systems

Dissemination & Implementation in Health Systems: More GPS than Self-Driving Car Sarah M. Greene, MPH Health Care Systems Research Network D&I Conference, December 2016 Acknowledgements Michael Parchman Brian Austin Eric Larson

304 views • 18 slides
Control Systems for Multi-rotors Principles, Modeling and Software Design Corrado Santoro ARSLAB

Control Systems for Multi-rotors Principles, Modeling and Software Design Corrado Santoro ARSLAB

Control Systems for Multi-rotors Principles, Modeling and Software Design Corrado Santoro ARSLAB - Autonomous and Robotic Systems Laboratory Dipartimento di Matematica e Informatica - Universit` a di Catania, Italy santoro@dmi.unict.it

931 views • 60 slides
Operating System Principles: File Systems CS 111 Operating Systems Peter Reiher Lecture 13 CS

Operating System Principles: File Systems CS 111 Operating Systems Peter Reiher Lecture 13 CS

Operating System Principles: File Systems CS 111 Operating Systems Peter Reiher Lecture 13 CS 111 Page 1 Summer 2017 Outline File systems: Why do we need them? Why are they challenging? Basic elements of file system design

762 views • 58 slides
Types of Expert Systems Interpretation Systems Prediction Systems Diagnosis Systems

Types of Expert Systems Interpretation Systems Prediction Systems Diagnosis Systems

Types of Expert Systems Interpretation Systems Prediction Systems Diagnosis Systems Design Systems Planning Systems Monitoring Systems Debugging Systems Repair Systems Instruction Systems Control

329 views • 7 slides
Principles of Software Construction: Objects, Design, and Concurrency Design: From Systems to

Principles of Software Construction: Objects, Design, and Concurrency Design: From Systems to

Principles of Software Construction: Objects, Design, and Concurrency Design: From Systems to Objects toad Fall 2014 Jonathan Aldrich Charlie Garrod School of School of Computer Science Computer Science Administrivia Homework 1 due

464 views • 25 slides
Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California

Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California

Systems Engineering and Architecture Richard M. Murray Control and Dynamical Systems California Institute of Technology Design Principles in Biological Systems 21 April 2008 Product Systems Engineering Systems engineering methodology

408 views • 18 slides
Assignment #3 Which is something you may wish to do since it is Assignment #3 So You Want to

Assignment #3 Which is something you may wish to do since it is Assignment #3 So You Want to

Assignment #3 Which is something you may wish to do since it is Assignment #3 So You Want to Write some Procedural Shaders In fact Assignment #3 Assignments Goal is to be able to produce something nicer than Some advice:

92 views • 5 slides
A Pixelated Readout System What does one want for a real DUNE sized system? Rick Van Berg Penn

A Pixelated Readout System What does one want for a real DUNE sized system? Rick Van Berg Penn

A Pixelated Readout System What does one want for a real DUNE sized system? Rick Van Berg Penn 8/14/18 General System Considerations Power Complexity / Reliability Data volumes Requirements Sensitivity SNR Data

428 views • 20 slides
Department of Computer Science CSCI 5622: Machine Learning Chenhao Tan Lecture 18: Clustering

Department of Computer Science CSCI 5622: Machine Learning Chenhao Tan Lecture 18: Clustering

Department of Computer Science CSCI 5622: Machine Learning Chenhao Tan Lecture 18: Clustering Slides adapted from Jordan Boyd-Graber, Chris Ketelsen 1 Learning objectives Learn about general clustering Learn about the K-Means

1.01k views • 60 slides
SQL data manipula.on language SQL Data Manipulation Language (DML) Primarily declarative

SQL data manipula.on language SQL Data Manipulation Language (DML) Primarily declarative

SQL data manipula.on language SQL Data Manipulation Language (DML) Primarily declarative query language Specify what you want to compute and not how Starting point: relational calculus aka first-order predicate logic With many

1.34k views • 113 slides
Some Experiments Michele Conforti DMPA, University of Padova Domenico Salvagnin with Benders

Some Experiments Michele Conforti DMPA, University of Padova Domenico Salvagnin with Benders

Some Experiments Michele Conforti DMPA, University of Padova Domenico Salvagnin with Benders CGLPs DEI, University of Padova IBM ILOG CPLEX master CGLP Basic Benders CGLP structure same objective same variables are fixed! same size and

549 views • 13 slides
Statistical Analysis of Corpus Data with R You shall know a word by the company it keeps!

Statistical Analysis of Corpus Data with R You shall know a word by the company it keeps!

Statistical Analysis of Corpus Data with R You shall know a word by the company it keeps! Collocation extraction with statistical association measures Part 2 Designed by Marco Baroni 1 and Stefan Evert 2 1 Center for Mind/Brain Sciences

829 views • 56 slides
CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a

CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a

CSE 510 Web Data Engineering SQL UB CSE 510 Web Data Engineering Applications View of a Relational Database Management System (RDBMS) Application Persistent data structure Large volume of data RDBMS Client Independent

580 views • 18 slides
More general naming A substitution model for Bindex Theory of Programming Languages Computer

More general naming A substitution model for Bindex Theory of Programming Languages Computer

Substitution subst Bindex subst model Bindex environment model More general naming A substitution model for Bindex Theory of Programming Languages Computer Science Department Wellesley College Substitution subst Bindex subst model Bindex

510 views • 12 slides

More recommend