The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection...
-
Upload
todd-stephens -
Category
Documents
-
view
216 -
download
0
Transcript of The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection...
![Page 1: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/1.jpg)
The Protection of Information in Computer
SystemsPart I. Basic Principles of Information Protection
Jerome Saltzer & Michael Schroeder
Presented by
Bert Bruce
![Page 2: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/2.jpg)
Overview
• Focus of paper on multiple user computer system
• User authority– Who can do something to something– Who can see something
• “Privacy” social• Concern here is controlling access
to data (security)
![Page 3: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/3.jpg)
Security Violations
• Unauthorized release of information
• Unauthorized modification of information
• Unauthorized denial of use of information
![Page 4: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/4.jpg)
Definitions
• Protection – control access to information
• Authentication – verify identity of user
![Page 5: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/5.jpg)
Categories of Protection Schemes
• Unprotected– Typical batch system– Physical isolation (computer room)
• All or Nothing– User totally isolated in the system– No sharing of resources– Typical of early TS systems
(Dartmouth BASIC)
![Page 6: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/6.jpg)
Categories of Protection Schemes
• Controlled Sharing– OS puts limits on access– TOPS-10 file system w/ WRX control
• User-programmed Sharing Controls– Like OO files w/ access methods– User control access as he likes– Claims UNIX has this?
![Page 7: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/7.jpg)
Categories of Protection Schemes
• Putting Strings on Information– Trace or control information after released– File retains access status even when
others have it
• Overriding question on these schemes is how controls can change over time– How is privilege changed?– Can access privilege be modified or
revoked on the fly?
![Page 8: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/8.jpg)
Design Principles
• Since we can’t build software without flaws, we need ways to reduce number and severity of security flaws
• What follows are 10 Design Principles to apply when designing and creating protection mechanisms
• They were true in 1975 and remain relevant today
![Page 9: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/9.jpg)
Design Principles
• 1. Economy of Mechanism– KISS Principle– Easier to implement– Allows total inspection of security
mechanism
![Page 10: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/10.jpg)
Design Principles
• 2. Fail-safe Defaults– Default case should be to exclude
access• Explicitly give right to access
– The reverse is risky• i.e. find reasons to exclude• You may not think of all reasons to
exclude
![Page 11: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/11.jpg)
Design Principles
• 2. Fail-safe Defaults (cont.)– Easier to find and fix error that
excludes legitimate user• He will complain
– Won’t normally see error that includes illegitimate user
• He probably won’t complain
![Page 12: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/12.jpg)
Design Principles
• 3. Complete Mediation– Check every access to objects for
rights– All parts of the system must check– Don’t just open the door once and
allow all access after that• Authority may change• Access levels in security mechanism
may change over time
![Page 13: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/13.jpg)
Design Principles
• 4. Open Design– Don’t try security by obfuscation or
ignorance• Not realistic that mechanism won’t be
discovered
– Mechanism should be public– Use more easily protected keys or
passwords– Can be reviewed and evaluated
without compromising the system
![Page 14: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/14.jpg)
Design Principles
• 5. Separation of Privilege– 2 keys are better than one– No one error or attack can cause
security violation– Similar to nuclear weapons authority
process– Not always convenient for user
![Page 15: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/15.jpg)
Design Principles
• 6. Least Privilege– Programs and users should run with
least feasible privilege– Limits damage from error or attack– Minimize potential interaction among
privileged programs• Minimize unexpected use of privilege
![Page 16: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/16.jpg)
Design Principles
• 6. Least Privilege (cont.)– Designing this way helps identify
where privilege transitions are• Identifies where firewalls should go
– Analogous to the “Need to Know” principle
![Page 17: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/17.jpg)
Design Principles
• 7. Least Common Mechanism– Minimize mechanisms shared by all
users (e.g. shared variables)– Shared data can be compromised by
one user– If always shared, all users need to
be satisfied– Example – shared function should
be run in users space rather than as system procedure
![Page 18: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/18.jpg)
Design Principles
• 8. Psychological Acceptability– Design for ease of use
• Then it will be used and not avoided or compromised for user’s convenience
– Model the mechanism so the user can easily understand
• Then he will use as intended
![Page 19: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/19.jpg)
Design Principles
• 9. Work Factor– Make it cost more to compromise
security than it is worth– Automation can make this principle
difficult to follow– Work factor may be difficult to
calculate– Perhaps Public Key Encryption falls
into this category
![Page 20: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/20.jpg)
Design Principles
• 10. Compromise Recording– Note all security breaches (and then
change plan?)• E.g. note each file access time
– Not very practical, since can’t tell what data has been taken or modified
![Page 21: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/21.jpg)
Summary
• No security system is perfect – at best we minimize the vulnerabilities
• Technology may advance but engineering design principles which were good in 1975 remain relevant today
![Page 22: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/22.jpg)
Technical Underpinnings
• The remainder of the section discusses some high level technical details
• Some of these were not common in 1975 but have become so– E.g. most modern processor
architectures have relocation and bounds registers and multiple protection bits
![Page 23: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/23.jpg)
Authentication Mechanisms• Passwords
– Little has changed since then• Still easy to guess or snoop
• Biometric or physical electronic key can still be snooped
• Bidirectional authentication is better– Defeats snooping– I’m not aware us usage in computer
systems today
![Page 24: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/24.jpg)
Shared Information Protection Schemes
• List-oriented– Who is authorized?– Need to do look-up– Slow if lots of accesses
• Ticket-oriented– User has a token that grants access– Like key to a lock– Need technology to deter forged
tickets– Like today’s certificates
![Page 25: The Protection of Information in Computer Systems Part I. Basic Principles of Information Protection Jerome Saltzer & Michael Schroeder Presented by Bert.](https://reader035.fdocuments.net/reader035/viewer/2022070409/56649e985503460f94b9b99f/html5/thumbnails/25.jpg)
Shared Information Protection Schemes
• List-oriented– Often used at the human interface
• E.g. login
• Ticket-oriented– Most often used at the file access
level