Outline for October 2, 2014

Reading: text, §1, 2

  1. Basic components
    1. Confidentiality
    2. Integrity
    3. Availability
  2. Threats
    1. Snooping
    2. Modification
    3. Masquerading; contrast with delegation
    4. Repudiation of origin
    5. Denial of receipt
    6. Delay
    7. Denial of service
  3. Role of policy
    1. Example of student copying files from another
    2. Emphasize: policy defines security
    3. Distinguish between policy and mechanism
  4. Goals of security
    1. Prevention
    2. Detection
    3. Recovery
  5. Trust
    1. First problem: security mechanisms correctly implement security policy
    2. Second problem: policy does what you want; define secure, precise
  6. Operational issues; change over time
    1. Cost-benefit analysis
    2. Risk analysis (comes into play in cost-benefit too)
    3. Laws and customs
  7. Human Factors
    1. Organizational problems
    2. People problems (include social engineering)
  8. Access control matrix and entities
    1. State is (S, O, A) where S subjects, O objects, A access control matrix
    2. Entries are rights (represent abstract notions)
  9. Primitive operations
    1. enter r into A[s, o]
    2. delete r from A[s, o]
    3. create subject s (note that ∀x [A[s’, x] = A[x, s’] = ∅])
    4. create object o (note that ∀x [A[x, o’] = ∅])
    5. destroy subject s
    6. destroy object o
  10. Commands and examples
    1. Regular command: create•file
    2. Mono-operational command: make•owner
    3. Conditional command: grant•rights
    4. Biconditional command: grant•read•if•r•and•c
    5. Doing “or” of 2 conditions: grant•read•if•r•or•c
  11. Miscellaneous points
    1. Copy flag and right
    2. Own as a distinguished right
    3. Principle of attenuation of privilege
You can also obtain a PDF version of this. Version of October 1, 2014 at 10:45PM
ECS 235A, Computer and Information Security
Fall Quarter 2014