Computer Security

Design Principles
ECONOMY OF MECHANISM
• Design of security measures embodied in both hardware and software should be as simple and small as possible
• For example, file encryption supporting the access control service, which in turn supports the goals of confidentiality and integrity by preventing unauthorized file access.
FAIL-SAFE DEFAULT
• The default situation is lack of access, and the protection scheme identifies the conditions under which access is permitted
• Unless a subject is given explicit access to an object, it should be denied access to that object
• Fail-safe also means that a device will not endanger lives or property when it fails.
FAIL-SAFE EXAMPLE
For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure systems would lock doors to prevent unauthorized access to the building.
COMPLETE MEDIATION
• Every access must be checked against the access control mechanism to ensure that it is allowed
• Systems should not rely on access decisions retrieved from a cache.
COMPLETE MEDIATION
What happens in most systems is that a subject's privileges are cached for later use. The subject's privileges are authenticated once, at the initial access. For subsequent accesses the system assumes that the same privileges are still in force for that subject and object. This may or may not be the case. The operating system should mediate each and every access to an object.
Examples: DNS spoofing and MITM attacks, which exploit results trusted from an earlier exchange instead of being re-verified on each access.
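As an added illustration (not from the slides), the following Python reference monitor contrasts complete mediation with a cached authorization decision, and shows the fail-safe default of denying anything not explicitly granted; the subject, object and policy names are constructed:

```python
"""Added example: a tiny reference monitor contrasting a cached
authorization decision with complete mediation. Not from the slides;
the policy table and subject/object names are constructed."""


class ReferenceMonitor:
    """Access-control mechanism honouring the fail-safe default: anything
    not explicitly granted in the policy is denied."""

    def __init__(self):
        # (subject, object, right) tuples that have been explicitly granted
        self._policy = set()

    def grant(self, subject, obj, right):
        self._policy.add((subject, obj, right))

    def revoke(self, subject, obj, right):
        self._policy.discard((subject, obj, right))

    def check(self, subject, obj, right):
        # Complete mediation: consult the policy on every access.
        # Fail-safe default: absence of a rule means denial.
        return (subject, obj, right) in self._policy


class CachingMonitor(ReferenceMonitor):
    """Checks the policy once per (subject, object, right) and reuses the
    answer; a revocation made after the first check is never noticed."""

    def __init__(self):
        super().__init__()
        self._cache = {}

    def check(self, subject, obj, right):
        key = (subject, obj, right)
        if key not in self._cache:
            self._cache[key] = super().check(subject, obj, right)
        return self._cache[key]


def simulate(monitor):
    """Grant, use, revoke, use again; return the two decisions observed."""
    monitor.grant("alice", "payroll.db", "read")
    first = monitor.check("alice", "payroll.db", "read")
    monitor.revoke("alice", "payroll.db", "read")
    second = monitor.check("alice", "payroll.db", "read")
    return first, second


if __name__ == "__main__":
    print("complete mediation:", simulate(ReferenceMonitor()))  # (True, False)
    print("cached decision:   ", simulate(CachingMonitor()))    # (True, True)
```

The cached variant keeps granting access after the privilege has been revoked, which is exactly the stale-decision problem the slide warns about.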
OPEN DESIGN
• The design of a security mechanism should be open rather than secret
• The security of a mechanism should not depend on the secrecy of its design or implementation.
• For example, cryptographic systems
SEPARATION OF PRIVILEGE
• Practice in which multiple privilege attributes are required to achieve access to a restricted resource
LEAST PRIVILEGE
• Every process and every user of the system should operate using the least set of privileges necessary to perform the task
• Any access control system should allow each user only the privileges that are authorized for that user
• A subject should be given only those privileges that it needs in order to complete its task
PSYCHOLOGICAL ACCEPTABILITY
• Security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access
• If security mechanisms hinder the usability or accessibility of resources, users may opt to turn those mechanisms off
LEAST COMMON MECHANISM
• Mechanisms used to access resources should not be shared.
• Sharing resources provides a channel along which information can be transmitted. Hence, sharing should be minimized as much as possible.
ISOLATION
• Public access systems should be isolated from critical resources to prevent disclosure or tampering
• When the criticality of the information is high, organizations may want to limit the number of systems on which that data is stored and isolate them
• Processes and files of individual users should be isolated from one another except where sharing is explicitly desired
MODULARITY
• The goal is to provide common security functions and services as common modules
LAYERING
• Use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems
References
• Computer Security – Matt Bishop
• Computer Security – William Stallings