The protection mechanism should have a simple and small design.
The protection mechanism should deny access by default, and grant access only when explicit permission exists.
The protection mechanism should check every access to every object.
The protection mechanism should not depend on attackers being ignorant of its design to succeed. It may, however, be based on the attacker's ignorance of specific information such as passwords or cipher keys.
The protection mechanism should grant access based on more than one piece of information.
The protection mechanism should force every process to operate with the minimum privileges needed to perform its task.
The protection mechanism should be shared as little as possible among users.
The protection mechanism should be easy to use (at least as easy as not using it).
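The following is an added example, not code from the original course page, that shows three of the principles above in a small reference monitor: access is denied unless an explicit rule exists (deny by default), every operation on every object passes through the same check with no cached decisions (check every access), and the most sensitive operation requires a second, independent piece of evidence before it is granted (more than one piece of information). The policy table, object names and subjects are constructed sample data, and the `second_factor_ok` flag stands in for whatever independent check a real system would perform.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Subject:
    """A principal making a request (constructed for this example)."""
    name: str
    roles: FrozenSet[str]
    second_factor_ok: bool = False  # True only after an independent second check succeeded


# Policy table of explicit ALLOW rules only (constructed sample data).
# Key: (role, object, operation).  Value: whether a second factor is also required.
# Anything absent from this table is denied, which is the fail-safe default.
POLICY: Dict[Tuple[str, str, str], bool] = {
    ("analyst", "/logs/auth.log", "read"): False,
    ("admin", "/logs/auth.log", "read"): False,
    ("admin", "/etc/firewall.rules", "read"): False,
    ("admin", "/etc/firewall.rules", "write"): True,  # needs more than one piece of information
}


def check_access(subject: Subject, obj: str, op: str) -> bool:
    """Return True only if an explicit rule grants (role, obj, op) for a role the subject holds.

    Decisions are recomputed on every call and never cached, so a role that is
    removed from a subject stops working on the very next request.
    """
    for role in subject.roles:
        needs_second_factor = POLICY.get((role, obj, op))
        if needs_second_factor is None:
            continue  # no rule for this role: fall through to the default deny
        if needs_second_factor and not subject.second_factor_ok:
            continue  # a single factor is not enough for this operation
        return True
    return False


class MediatedStore:
    """Every read and write on every object goes through check_access (complete mediation)."""

    def __init__(self, files: Dict[str, str]) -> None:
        self._files = dict(files)
        # (subject, object, operation, decision) records; useful for detection and forensics.
        self.audit: List[Tuple[str, str, str, str]] = []

    def _mediate(self, subject: Subject, obj: str, op: str) -> None:
        allowed = check_access(subject, obj, op)
        self.audit.append((subject.name, obj, op, "allow" if allowed else "deny"))
        if not allowed:
            # Denied before touching storage, so a missing object is not revealed either.
            raise PermissionError(f"{subject.name} may not {op} {obj}")

    def read(self, subject: Subject, path: str) -> str:
        self._mediate(subject, path, "read")
        return self._files[path]

    def write(self, subject: Subject, path: str, data: str) -> bool:
        self._mediate(subject, path, "write")
        self._files[path] = data
        return True

    def try_read(self, subject: Subject, path: str):
        """Convenience wrapper: the content on success, None on a denied request."""
        try:
            return self.read(subject, path)
        except PermissionError:
            return None


def demo() -> List[Tuple[str, str, str, str]]:
    """Run a few requests and return the resulting audit trail."""
    store = MediatedStore({"/logs/auth.log": "sshd: accepted publickey", "/etc/firewall.rules": "deny all"})
    analyst = Subject("ana", frozenset({"analyst"}))
    admin_one_factor = Subject("root", frozenset({"admin"}))
    admin_two_factor = Subject("root", frozenset({"admin"}), second_factor_ok=True)

    store.try_read(analyst, "/logs/auth.log")          # allow: explicit rule
    store.try_read(analyst, "/etc/firewall.rules")     # deny: no rule for this role
    store.try_read(analyst, "/does/not/exist")         # deny: no rule, storage never consulted
    try:
        store.write(admin_one_factor, "/etc/firewall.rules", "allow 22/tcp")  # deny: one factor only
    except PermissionError:
        pass
    store.write(admin_two_factor, "/etc/firewall.rules", "allow 22/tcp")      # allow: both factors
    return store.audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The audit trail is the part a defender would keep: because every decision, allowed or denied, is logged at the single choke point, a burst of "deny" records for one subject is visible without instrumenting each caller.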
Matt Bishop
Office: 3059 Engineering Unit II
Phone: +1 (530) 752-8060
Fax: +1 (530) 752-4767
Email: bishop@cs.ucdavis.edu

Copyright Matt Bishop, 2000. All federal and state copyrights reserved for all original material presented in this course through any medium, including lecture or print.