Outline for June 1, 2000
- Principles of Secure Design
- Refer to both designing secure systems and securing existing systems
- Speaks to limiting damage
- Principle of Least Privilege
-
Give process only those privileges it needs
-
Discuss use of roles; examples of systems which violate this (vanilla UNIX) and which maintain this (Secure Xenix)
-
Examples in programming (making things setuid to root unnecessarily, limiting protection domain; modularity, robust programming)
-
Example attacks (misuse of privileges, etc.)
- Principle of Fail-Safe Defaults
-
Default is to deny
-
Example of violation: su program
- Principle of Economy of Mechanism
-
KISS principle
-
Enables quick, easy verification
-
Example of complexity: sendmail
- Principle of Complete Mediation
-
All accesses must be checked
-
Forces system-wide view of controls
-
Sources of requests must be identified correatly
-
Source of problems: caching (because it may not reflect the state of the system correctly); examples are race conditions, DNS poisoning
- Principle of Open Design
-
Designs are open so everyone can examine them and know the limits of the security provided
-
Does not apply to cryptographic keys
-
Acceptance of reality: they can get this info anyway
- Principle of Separation of Privilege
-
Require multiple conditions to be satisfied before granting permission/access/etc.
-
Advantage: 2 accidents/errors/etc. must happen together to trigger failure
- Principle of Least Common Mechanism
-
Minimize sharing
-
New service: in kernel or as a library routine? Latter is better, as each user gets their own copy
- Principle of Psychological Acceptability
-
Willingness to use the mechanisms
-
Understanding model
-
Matching user's goal
- Auditing
-
Goals: reconstruction or deduction?
-
Relationship to security policy
-
Application logs
-
System logs
- Example analysis technique
-
GOAL methodology
-
Do it on local file accesses
- Problems
-
Log size
-
Impact on system services
-
Correllation of disparate logs
- Intrusion detection
-
Anomaly detection
-
Misuse detection
-
Specification detection
- Anomaly detection
-
Dorothy Denning's model and IDES
-
Useful characteristics (examples)
-
Cautions and problems
-
Defeating it
- Misuse detection
-
TIM (from DEC)
-
Rule-based analysis and attack recognition
-
Cautions and problems
-
Defeating it
- Specification Detection
-
Property-Based Testing (introduce specifications here)
-
Example
-
Cautions and problems
-
Defeating it
- Toss in a network
-
NSM
-
DIDS
-
GrIDS
Send email to
[email protected].
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 6/8/2000