Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.

Published byTodd Stephens Modified over 8 years ago

Similar presentations

Presentation on theme: "The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert."— Presentation transcript:

1 The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert Bruce

2 Overview Focus of paper on multiple user computer system User authority –Who can do something to something –Who can see something “Privacy” social Concern here is controlling access to data (security)

3 Security Violations Unauthorized release of information Unauthorized modification of information Unauthorized denial of use of information

4 Definitions Protection – control access to information Authentication – verify identity of user

5 Categories of Protection Schemes Unprotected –Typical batch system –Physical isolation (computer room) All or Nothing –User totally isolated in the system –No sharing of resources –Typical of early TS systems (Dartmouth BASIC)

6 Categories of Protection Schemes Controlled Sharing –OS puts limits on access –TOPS-10 file system w/ WRX control User-programmed Sharing Controls –Like OO files w/ access methods –User control access as he likes –Claims UNIX has this?

7 Categories of Protection Schemes Putting Strings on Information –Trace or control information after released –File retains access status even when others have it Overriding question on these schemes is how controls can change over time –How is privilege changed? –Can access privilege be modified or revoked on the fly?

8 Design Principles Since we can’t build software without flaws, we need ways to reduce number and severity of security flaws What follows are 10 Design Principles to apply when designing and creating protection mechanisms They were true in 1975 and remain relevant today

9 Design Principles 1. Economy of Mechanism –KISS Principle –Easier to implement –Allows total inspection of security mechanism

10 Design Principles 2. Fail-safe Defaults –Default case should be to exclude access Explicitly give right to access –The reverse is risky i.e. find reasons to exclude You may not think of all reasons to exclude

11 Design Principles 2. Fail-safe Defaults (cont.) –Easier to find and fix error that excludes legitimate user He will complain –Won’t normally see error that includes illegitimate user He probably won’t complain

12 Design Principles 3. Complete Mediation –Check every access to objects for rights –All parts of the system must check –Don’t just open the door once and allow all access after that Authority may change Access levels in security mechanism may change over time

13 Design Principles 4. Open Design –Don’t try security by obfuscation or ignorance Not realistic that mechanism won’t be discovered –Mechanism should be public –Use more easily protected keys or passwords –Can be reviewed and evaluated without compromising the system

14 Design Principles 5. Separation of Privilege –2 keys are better than one –No one error or attack can cause security violation –Similar to nuclear weapons authority process –Not always convenient for user

15 Design Principles 6. Least Privilege –Programs and users should run with least feasible privilege –Limits damage from error or attack –Minimize potential interaction among privileged programs Minimize unexpected use of privilege

16 Design Principles 6. Least Privilege (cont.) –Designing this way helps identify where privilege transitions are Identifies where firewalls should go –Analogous to the “Need to Know” principle

17 Design Principles 7. Least Common Mechanism –Minimize mechanisms shared by all users (e.g. shared variables) –Shared data can be compromised by one user –If always shared, all users need to be satisfied –Example – shared function should be run in users space rather than as system procedure

18 Design Principles 8. Psychological Acceptability –Design for ease of use Then it will be used and not avoided or compromised for user’s convenience –Model the mechanism so the user can easily understand Then he will use as intended

19 Design Principles 9. Work Factor –Make it cost more to compromise security than it is worth –Automation can make this principle difficult to follow –Work factor may be difficult to calculate –Perhaps Public Key Encryption falls into this category

20 Design Principles 10. Compromise Recording –Note all security breaches (and then change plan?) E.g. note each file access time –Not very practical, since can’t tell what data has been taken or modified

21 Summary No security system is perfect – at best we minimize the vulnerabilities Technology may advance but engineering design principles which were good in 1975 remain relevant today

22 Technical Underpinnings The remainder of the section discusses some high level technical details Some of these were not common in 1975 but have become so –E.g. most modern processor architectures have relocation and bounds registers and multiple protection bits

23 Authentication Mechanisms Passwords –Little has changed since then Still easy to guess or snoop Biometric or physical electronic key can still be snooped Bidirectional authentication is better –Defeats snooping –I’m not aware us usage in computer systems today

24 Shared Information Protection Schemes List-oriented –Who is authorized? –Need to do look-up –Slow if lots of accesses Ticket-oriented –User has a token that grants access –Like key to a lock –Need technology to deter forged tickets –Like today’s certificates

25 Shared Information Protection Schemes List-oriented –Often used at the human interface E.g. login Ticket-oriented –Most often used at the file access level

Download ppt "The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert."

Similar presentations

Secure System Design and Access Control

Secure System Design and Access Control
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #12-1 Chapter 12: Design Principles Overview Principles –Least Privilege –Fail-Safe.
Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-

1 Steve Chenoweth Friday, 10/21/11 Week 7, Day 4 Right – Good or bad policy? – Asking the user what to do next! From malware.net/how-to-remove-protection-system-
1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.

1 Design Principles CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute April 13, 2004.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.

Design Principles Overview Principles Least Privilege Fail-Safe Defaults Economy of Mechanism Complete Mediation Open Design Separation of Privilege Least.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.

CS-550 (M.Soneru): Protection and Security - 1 [SaS] 1 Protection and Security.
(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏

(Breather)‏ Principles of Secure Design by Matt Bishop (augmented by Michael Rothstein)‏
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
Topics in Information Security Prof. JoAnne Holliday Santa Clara University.

Topics in Information Security Prof. JoAnne Holliday Santa Clara University.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.

Similar presentations

Ads by Google