Outline for April 7, 2005

Reading: §13, 4.1-4.5


Two MIT graduate students bought a number of used hard drives on eBay and analyzed them. They were able to recover many files, including files containing very personal information (such as a love letter), and in some cases could even restore the operating system of the computer the hard drive had come from. Some of these disks had simply been discarded, but others had had their files deleted or had been reformatted, and still the students could recover the files!

The news article said that the students' results showed how unaware people were of security issues. Is the presence of that data on the discarded disks in fact a vulnerability? Are the "delete," "rm," "format," and other such commands used to erase these disks secure? If not, what is the vulnerability in these programs, and how would you fix it?
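To make the question concrete, here is a toy block-device model (an added illustration, not part of the lecture page; the `ToyDisk` class, its method names and the sample "letter" are constructed for this example, not a real file system API). It shows that the ordinary delete and quick-format paths only touch the directory table, so a scan of the raw platter still finds the file's bytes, and it shows the overwrite-before-release change that closes that gap in the model.

```python
from __future__ import annotations

# Added illustration (not from the lecture): a toy disk showing why
# "delete" and "quick format" leave file contents on the platter, and
# what an overwrite-before-release fix looks like. ToyDisk and its
# methods are constructed names, not a real file system API.

BLOCK_SIZE = 16


class ToyDisk:
    """A flat byte array standing in for the platter, plus a directory
    table mapping file names to the blocks that hold their data."""

    def __init__(self, nblocks: int = 8) -> None:
        self.raw = bytearray(BLOCK_SIZE * nblocks)  # the "platter"
        self.free = list(range(nblocks))            # free-block list
        self.dirtab: dict[str, list[int]] = {}      # name -> block indices

    def _span(self, block: int) -> slice:
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write_file(self, name: str, data: bytes) -> None:
        blocks = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            block = self.free.pop(0)
            self.raw[self._span(block)] = chunk
            blocks.append(block)
        self.dirtab[name] = blocks

    def read_file(self, name: str) -> bytes:
        """Normal read path: goes through the directory table only."""
        return b"".join(bytes(self.raw[self._span(b)])
                        for b in self.dirtab[name]).rstrip(b"\x00")

    def unlink(self, name: str) -> None:
        """What rm / delete do: drop the directory entry and put the
        blocks back on the free list. Not one data byte is touched."""
        self.free.extend(self.dirtab.pop(name))

    def quick_format(self) -> None:
        """Quick format: throw away the directory table and start the
        free list over. Again, the platter bytes are untouched."""
        self.dirtab = {}
        self.free = list(range(len(self.raw) // BLOCK_SIZE))

    def secure_unlink(self, name: str) -> None:
        """The fix for the toy model: overwrite every block the file
        occupies before releasing it to the free list."""
        for block in self.dirtab[name]:
            self.raw[self._span(block)] = bytes(BLOCK_SIZE)
        self.unlink(name)


def remnant_present(disk: ToyDisk, needle: bytes) -> bool:
    """Scan the raw platter, bypassing the directory table. This is the
    view a forensic tool, or the students' analysis, would have had."""
    return needle in bytes(disk.raw)


LETTER = b"Dearest, I still think of you every single day."  # constructed


def demo() -> dict[str, bool]:
    """Run the three scenarios and report whether the letter survives."""
    results = {}

    d = ToyDisk()
    d.write_file("letter.txt", LETTER)
    d.unlink("letter.txt")
    results["gone_from_directory"] = "letter.txt" not in d.dirtab
    results["readable_after_unlink"] = remnant_present(d, LETTER)

    d = ToyDisk()
    d.write_file("letter.txt", LETTER)
    d.quick_format()
    results["readable_after_format"] = remnant_present(d, LETTER)

    d = ToyDisk()
    d.write_file("letter.txt", LETTER)
    d.secure_unlink("letter.txt")
    results["readable_after_secure_unlink"] = remnant_present(d, LETTER)

    return results


if __name__ == "__main__":
    for scenario, survives in demo().items():
        print(f"{scenario}: {survives}")
```

The model is a plain disk with in-place writes, which is the only setting in which overwriting the file's own blocks is a complete answer. On journaling or copy-on-write file systems, and on flash drives with wear levelling, a "write to the same block" may land elsewhere and leave the old copy behind, which is why disposal policies usually rely on whole-disk encryption with key destruction, a full-device sanitize operation, or physical destruction rather than file-level overwriting.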


  1. Principles of Secure Design
    1. Principle of Least Privilege
    2. Principle of Fail-Safe Defaults
    3. Principle of Economy of Mechanism
    4. Principle of Complete Mediation
    5. Principle of Open Design
    6. Principle of Separation of Privilege
    7. Principle of Least Common Mechanism
    8. Principle of Psychological Acceptability
  2. Policy
    1. Sets of authorized, unauthorized states
    2. Secure systems in terms of states
    3. Mechanism vs. policy
  3. Types of Policies
    1. Military/government vs. confidentiality
    2. Commercial vs. integrity
  4. Types of Access Control
    1. Mandatory access control
    2. Discretionary access control
    3. Originator-controlled access control
  5. High-Level Policy Languages
    1. Characterization
    2. Example: DTEL
  6. Low-Level Policy Languages
    1. Characterization
    2. Example: Tripwire configuration file
