10-08-2012, 04:15 PM
EIGHT PRINCIPLES FOR THE DESIGN AND IMPLEMENTATION OF SECURITY MECHANISMS.
Attachment: design-principles.pptx
INTRODUCTION
Simplicity makes designs and mechanisms easy to understand.
Simplicity also reduces the potential for inconsistencies within a policy or set of policies.
Restriction minimizes the power of an entity: the entity can access only the information it needs.
Entities can communicate with other entities only when necessary, and in as few (and as narrow) ways as possible.
"Communication" is used in its widest possible sense, including imparting information by not communicating.
Principle of Least Privilege
A subject should be given only those privileges that it needs in order to complete its task.
If a subject does not need an access right, the subject should not have that right.
The function of the subject (as opposed to its identity) should control the assignment of rights.
If a specific action requires that a subject's access rights be augmented, those extra rights should be relinquished immediately on completion of the action (an analogue of the "need to know" rule).
If the subject does not need access to an object to perform its task, it should not have the right to access that object. For example, if a subject needs to append to an object, but not to alter the information already contained in the object, it should be given append rights and not write rights.
Principle of Fail-Safe Defaults
Unless a subject is given explicit access to an object, it should be denied access to that object.
The default access to an object is none.
Whenever access, privileges, or some security-related attribute is not explicitly granted, it should be denied.
If the subject is unable to complete its action or task, it should undo the changes it made to the security state of the system before it terminates.
EXAMPLE: If the mail server is unable to create a file in the spool directory, it should close the network connection, issue an error message, and stop. It should not try to store the message elsewhere or expand its privileges to save the message in another location, because an attacker could use that ability to overwrite other files or fill up other disks (a denial of service attack).
Principle of Complete Mediation
Requires that every access to an object be checked to ensure that it is allowed.
When a UNIX process tries to read a file, the operating system determines whether the process is allowed to read the file. If so, the process receives a file descriptor encoding the allowed access. Whenever the process wants to read the file, it presents the file descriptor to the kernel, and the kernel allows the access.
If the owner of the file revokes the process's permission to read the file after the file descriptor has been issued, the kernel still allows access. This scheme violates the principle of complete mediation, because the second access is not checked: the cached result of the first check is reused, so the revocation is ineffective.
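The file-descriptor scenario above, as an added example (not part of the original slides): it creates a temporary file, opens it, has the owner revoke every permission bit, and shows that the cached descriptor still reads the data while a fresh open is refused; `mediated_read` is a constructed user-space counterpart that re-opens per access so each read passes through the kernel's check. It assumes a POSIX system and an unprivileged user (root bypasses permission bits, so the fresh open would succeed).

```python
import os
import stat
import tempfile
from typing import Optional

SAMPLE = b"constructed sample contents\n"  # constructed test data


def running_as_root() -> bool:
    """Root is not stopped by permission bits, so the demo's denials vanish."""
    return getattr(os, "geteuid", lambda: 0)() == 0


def mediated_read(path: str, size: int = 64) -> Optional[bytes]:
    """Complete mediation in user space: open anew for every access so the
    kernel's permission check runs each time. None means access was denied."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except PermissionError:
        return None
    try:
        return os.read(fd, size)
    finally:
        os.close(fd)


def cached_descriptor_demo() -> dict:
    """Open a file, revoke its permissions, then read via the old descriptor.

    open(2) is where the kernel checks access; later read(2) calls only present
    the descriptor, so the revocation is never re-evaluated for them."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.txt")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    fd = os.open(path, os.O_RDONLY)       # access checked once, here
    os.chmod(path, 0)                     # owner removes every permission bit
    cached_read = os.read(fd, 64)         # no re-check: the data still comes back
    os.close(fd)
    mediated = mediated_read(path)        # fresh open: None for a non-root user
    try:
        fd2 = os.open(path, os.O_RDONLY)  # a new open IS checked by the kernel
        os.close(fd2)
        fresh_open_denied = False         # only expected when running as root
    except PermissionError:
        fresh_open_denied = True
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # restore bits so cleanup works
    os.unlink(path)
    os.rmdir(tmpdir)
    return {"cached_read": cached_read, "mediated": mediated,
            "fresh_open_denied": fresh_open_denied}
```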