Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 13: Design Principles

Published byΖένια Μέλιοι Modified over 5 years ago

Similar presentations

Presentation on theme: "Chapter 13: Design Principles"— Presentation transcript:

1 Chapter 13: Design Principles
Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least Common Mechanism Psychological Acceptability April 6, 2004 ECS 235

2 Overview Simplicity Restriction Less to go wrong
Fewer possible inconsistencies Easy to understand Restriction Minimize access Inhibit communication April 6, 2004 ECS 235

3 Least Privilege A subject should be given only those privileges necessary to complete its task Function, not identity, controls Rights added as needed, discarded after use Minimal protection domain April 6, 2004 ECS 235

4 Fail-Safe Defaults Default action is to deny access
If action fails, system as secure as when action began April 6, 2004 ECS 235

5 Economy of Mechanism Keep it as simple as possible
KISS Principle Simpler means less can go wrong And when errors occur, they are easier to understand and fix Interfaces and interactions April 6, 2004 ECS 235

6 Complete Mediation Check every access
Usually done once, on first action UNIX: Access checked on open, not checked thereafter If permissions change after, may get unauthorized access April 6, 2004 ECS 235

7 Open Design Security should not depend on secrecy of design or implementation Popularly misunderstood to mean that source code should be public “Security through obscurity” Does not apply to information such as passwords or cryptographic keys April 6, 2004 ECS 235

8 Separation of Privilege
Require multiple conditions to grant privilege Separation of duty Defense in depth April 6, 2004 ECS 235

9 Least Common Mechanism
Mechanisms should not be shared Information can flow along shared channels Covert channels Isolation Virtual machines Sandboxes April 6, 2004 ECS 235

10 Psychological Acceptability
Security mechanisms should not add to difficulty of accessing resource Hide complexity introduced by security mechanisms Ease of installation, configuration, use Human factors critical here April 6, 2004 ECS 235

11 Key Points Principles of secure design underlie all security-related mechanisms Require: Good understanding of goal of mechanism and environment in which it is to be used Careful analysis and design Careful implementation April 6, 2004 ECS 235

12 Chapter 2: Access Control Matrix
Overview Access Control Matrix Model Boolean Expression Evaluation History Protection State Transitions Commands Conditional Commands Special Rights Principle of Attenuation of Privilege April 6, 2004 ECS 235

13 Overview Protection state of system Access control matrix
Describes current settings, values of system relevant to protection Access control matrix Describes protection state precisely Matrix describing rights of subjects State transitions change elements of matrix April 6, 2004 ECS 235

14 Description objects (entities) o1 … om s1 … sn s1 s2 … subjects sn
Subjects S = { s1,…,sn } Objects O = { o1,…,om } Rights R = { r1,…,rk } Entries A[si, oj]  R A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj objects (entities) subjects s1 s2 sn o1 … om s1 … sn April 6, 2004 ECS 235

15 Example 1 Processes p, q Files f, g Rights r, w, x, a, o f g p q
p rwo r rwxo w q a ro r rwxo April 6, 2004 ECS 235

16 Example 2 Procedures inc_ctr, dec_ctr, manage Variable counter
Rights +, –, call counter inc_ctr dec_ctr manage inc_ctr + dec_ctr – manage call call call April 6, 2004 ECS 235

17 Boolean Expression Evaluation
ACM controls access to database fields Subjects have attributes Verbs define type of access Rules associated with objects, verb pair Subject attempts to access object Rule for object, verb evaluated, grants or denies access April 6, 2004 ECS 235

18 Example Subject annie Verb paint Object picture
Attributes role (artist), groups (creative) Verb paint Default 0 (deny unless explicitly granted) Object picture Rule: paint: ‘artist’ in subject.role and ‘creative’ in subject.groups and time.hour >= 0 and time.hour < 5 April 6, 2004 ECS 235

19 ACM at 3AM and 10AM At 3AM, time condition met; ACM is:
not met; ACM is: … picture … … picture … … annie … paint … annie … April 6, 2004 ECS 235

20 History Database: name position age salary Alice teacher 45 $40,000
Bob aide 20 $20,000 Cathy principal 37 $60,000 Dilbert teacher 50 $50,000 Eve teacher 33 $50,000 Queries: sum(salary, “position = teacher”) = 140,000 sum(salary, “age > 40 & position = teacher”) should not be answered (deduce Eve’s salary) April 6, 2004 ECS 235

21 ACM of Database Queries
Oi = { objects referenced in query i } f(oi) = { read } for oj  Oi, if |Çj = 1,…,i Oj| < 2 f(oi) =  for oj  Oi, otherwise O1 = { Alice, Dilbert, Eve } and no previous query set, so: A[asker, Alice] = f(Alice) = { read } A[asker, Dilbert] = f(Dilbert) = { read } A[asker, Eve] = f(Eve) = { read } and query can be answered April 6, 2004 ECS 235

22 But Query 2 From last slide:
f(oi) = { read } for oj  Oi, if |Çj = 1,…,i Oj| < 2 f(oi) =  for oj  Oi, otherwise O2 = { Alice, Dilbert } but | O2 Ç O1 | = 2 so A[asker, Alice] = f(Alice) =  A[asker, Dilbert] = f(Dilbert) =  and query cannot be answered April 6, 2004 ECS 235

23 State Transitions Change the protection state of system
H represents transition Xi Ht Xi+1: command t moves system from state Xi to Xi+1 Xi H* Xi+1: a sequence of commands moves system from state Xi to Xi+1 Commands often called transformation procedures April 6, 2004 ECS 235

24 Primitive Operations create subject s; create object o
Creates new row, column in ACM; creates new column in ACM destroy subject s; destroy object o Deletes row, column from ACM; deletes column from ACM enter r into A[s,o] Adds r rights for subject s over object o delete r from A[s,o] Removes r rights from subject s over object o April 6, 2004 ECS 235

25 Create Subject Precondition: s  S Primitive command: create subject s
Postconditions: S´ = S { s }, O´ = O { s } (y  O´)[a´[s, y] = ], (x  S´)[a´[x, s] = ] (x  S)(y  O)[a´[x, y] = a[x, y]] April 6, 2004 ECS 235

26 Create Object Precondition: o  O Primitive command: create object o
Postconditions: S´ = S, O´ = O  { o } (x  S´)[a´[x, o] = ] (x  S)(y  O)[a´[x, y] = a[x, y]] April 6, 2004 ECS 235

27 Add Right Precondition: s  S, o  O
Primitive command: enter r into a[s, o] Postconditions: S´ = S, O´ = O a´[s, o] = a[s, o]  { r } (x  S´)(y  O´ – { o }) [a´[x, y] = a[x, y]] (x  S´ – { s })(y  O´) [a´[x, y] = a[x, y]] April 6, 2004 ECS 235

28 Delete Right Precondition: s  S, o  O
Primitive command: delete r from a[s, o] Postconditions: S´ = S, O´ = O a´[s, o] = a[s, o] – { r } (x  S´)(y  O´ – { o }) [a´[x, y] = a[x, y]] (x  S´ – { s })(y  O´) [a´[x, y] = a[x, y]] April 6, 2004 ECS 235

29 Destroy Subject Precondition: s  S
Primitive command: destroy subject s Postconditions: S´ = S – { s }, O´ = O – { s } (y  O´)[a´[s, y] = ], (x  S´)[a´[x, s] = ] (x  S´)(y  O´) [a´[x, y] = a[x, y]] April 6, 2004 ECS 235

30 Destroy Object Precondition: o  o Primitive command: destroy object o
Postconditions: S´ = S, O´ = O – { o } (x  S´)[a´[x, o] = ] (x  S´)(y  O´) [a´[x, y] = a[x, y]] April 6, 2004 ECS 235

31 Creating File Process p creates file f with r and w permission
command create•file(p, f) create object f; enter own into A[p, f]; enter r into A[p, f]; enter w into A[p, f]; end April 6, 2004 ECS 235

32 Mono-Operational Commands
Make process p the owner of file g command make•owner(p, g) enter own into A[p, g]; end Mono-operational command Single primitive operation in this command April 6, 2004 ECS 235

33 Conditional Commands Let p give q r rights over f, if p owns f
command grant•read•file•1(p, f, q) if own in A[p, f] then enter r into A[q, f]; end Mono-conditional command Single condition in this command April 6, 2004 ECS 235

34 Multiple Conditions Let p give q r and w rights over f, if p owns f and p has c rights over q command grant•read•file•2(p, f, q) if own in A[p, f] and c in A[p, q] then enter r into A[q, f]; enter w into A[q, f]; end April 6, 2004 ECS 235

35 Copy Right Allows possessor to give rights to another
Often attached to a right, so only applies to that right r is read right that cannot be copied rc is read right that can be copied Is copy flag copied when giving r rights? Depends on model, instantiation of model April 6, 2004 ECS 235

36 Own Right Usually allows possessor to change entries in ACM column
So owner of object can add, delete rights for others May depend on what system allows Can’t give rights to specific (set of) users Can’t pass copy flag to specific (set of) users April 6, 2004 ECS 235

37 Attenuation of Privilege
Principle says you can’t give rights you do not possess Restricts addition of rights within a system Usually ignored for owner Why? Owner gives herself rights, gives them to others, deletes her rights. April 6, 2004 ECS 235

38 Key Points Access control matrix simplest abstraction mechanism for representing protection state Transitions alter protection state 6 primitive operations alter matrix Transitions can be expressed as commands composed of these operations and, possibly, conditions April 6, 2004 ECS 235

39 Chapter 3: Foundational Results
Overview Harrison-Ruzzo-Ullman result Corollaries Take-Grant Protection Model SPM and successors April 6, 2004 ECS 235

40 Overview Safety Question HRU Model Take-Grant Protection Model
SPM, ESPM Multiparent joint creation Expressive power Typed Access Matrix Model April 6, 2004 ECS 235

41 What Is “Secure”? Adding a generic right r where there was not one is “leaking” If a system S, beginning in initial state s0, cannot leak right r, it is safe with respect to the right r. April 6, 2004 ECS 235

42 Safety Question Does there exist an algorithm for determining whether a protection system S with initial state s0 is safe with respect to a generic right r? Here, “safe” = “secure” for an abstract model April 6, 2004 ECS 235

43 Mono-Operational Commands
Answer: yes Sketch of proof: Consider minimal sequence of commands c1, …, ck to leak the right. Can omit delete, destroy Can merge all creates into one Worst case: insert every right into every entry; with s subjects and o objects initially, and n rights, upper bound is k ≤ n(s+1)(o+1) April 6, 2004 ECS 235

Download ppt "Chapter 13: Design Principles"

Similar presentations

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.

1 Access Control Matrix CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 9, 2004.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.

April 6, 2004ECS 235Slide #1 Chapter 13: Design Principles Overview Principles –Least Privilege –Fail-Safe Defaults –Economy of Mechanism –Complete Mediation.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏

(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #3-1 Chapter 3: Foundational Results Overview Harrison-Ruzzo-Ullman result –Corollaries.
590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.

590J Lecture 21: Access Control (contd). Review ● Recall: – Protection system is a description of conditions under which a system is secure – P is the.
April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.

April 1, 2004ECS 235Slide #1 Chapter 1: Introduction Components of computer security Threats Policies and mechanisms The role of trust Assurance Operational.
1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.

1 Access Control Matrix CSSE 442 Computer Security Larry Merkle, Rose-Hulman Institute March 16, 2007.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.

1 September 14, 2006 Lecture 3 IS 2150 / TEL 2810 Introduction to Security.
Csci5233 computer security & integrity 1 Access Control Matrix.

Csci5233 computer security & integrity 1 Access Control Matrix.
IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.

IS-2150/TEL-2810: Introduction of Computer Security1 September 7, 2005 Introduction to Computer Security Access Control Matrix Take-grant model.
ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.

ECE509 Cyber Security : Concept, Theory, and Practice Access Control Matrix Spring 2014.
Chapter 2: Access Control Matrix

Chapter 2: Access Control Matrix
CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 14 Jonathan Katz.
ISA 562 1 Access Control ISA 562 Internet Security Theory & Practice.

ISA Access Control ISA 562 Internet Security Theory & Practice.

Similar presentations

Ads by Google