Outline for April 5, 2005

1. Principles of Secure Design
   1. Refer to both designing secure systems and securing existing systems
   2. Speaks to limiting damage
2. Principle of Least Privilege
   1. Give process only those privileges it needs
   2. Examples in programming (making things setuid to root unnecessarily, limiting protection domain; modularity, robust programming)
   3. Example attacks (misuse of privileges, etc.)
3. Principle of Fail-Safe Defaults
   1. Default is to deny
   2. Example of violation: su program
4. Principle of Economy of Mechanism
   1. KISS principle
   2. Enables quick, easy verification
   3. Example of complexity: sendmail
5. Principle of Complete Mediation
   1. All accesses must be checked
   2. Forces system-wide view of controls
   3. Sources of requests must be identified correatly
   4. Source of problems: caching (because it may not reflect the state of the system correctly); examples are race conditions, DNS poisoning
6. Principle of Open Design
   1. Designs are open so everyone can examine them and know the limits of the security provided
   2. Does not apply to cryptographic keys
   3. Acceptance of reality: they can get this info anyway
7. Principle of Separation of Privilege
   1. Require multiple conditions to be satisfied before granting permission/access/etc.
   2. Advantage: 2 accidents/errors/etc. must happen together to trigger failure
8. Principle of Least Common Mechanism
   1. Minimize sharing
   2. New service: in kernel or as a library routine? Latter is better, as each user gets their own copy
9. Principle of Psychological Acceptability
   1. Willingness to use the mechanisms
   2. Understanding model
   3. Matching user's goal
10. ACM and primitive operations
    1. Go over subjects, objects (includes subjects), and state (S, O, A) where A is ACM
    2. Transitions modify ACM entries; primitive operations
       1. enter r into A[s, o]
       2. delete r from A[s, o]
       3. create subject s' (note A[s', x] = A[x, s'] = ∅ for all x)
       4. create object o' (note A[x, o'] = ∅ for all x)
       5. destroy subject s'
       6. destroy object o'
11. Commands
    1. command c(s₁, ..., s_k, o₁, ..., o_k)
       if r₁ in A[s₁, o₁] and
           r₂ in A[s₂, o₂] and
           ...
           r_m in A[s_m, o_m]
       then
            op₁;
            op₂;
            ...;
            op_n;
       end.
    2. Example 1: creating a file
       command create_file(p, f)
            create object f;
            enter Own into A[p, f]
            enter Read into A[p, f]
            enter Write into A[p, f]
       end.
    3. Example 2: granting one process read rights to a file
       command grant_read(p, q, f)
       if Own in A[p, f]
       then
            enter Read into A[q, f]
       end.