Principle 4: Least privilege (cont.)
Expose minimal functionality in interfaces of objects, classes, packages, applications.
In code:
─ not public int x; but private int x;
─ not public void m() but package void m()
Least privilege example:
─ A standard coding convention: do not use import java.lang.*; but always import java.lang.String;
CSE825 11
Principle 4: Least privilege (cont.)
Use Secure Defaults
By default,
─ security should be switched on
─ permissions turned off
This will ensure that we apply the principle of least privilege.
Counterexample: the Bluetooth connection on a mobile phone is on by default, but can be abused.
CSE825 12
Principle 5: Compartmentalization
Break the system up into as many isolated units as possible
─ Simplicity
─ Containing the attacker in case of failure
Example: submarines are built with many chambers, each separately sealed.
Example: prison.
Counterexample: famous violations of this principle exist, e.g. the standard UNIX privilege model
─ A program with root privilege can do everything (including erasing logs)
A few operating systems, such as Trusted Solaris, do compartmentalize. Tradeoff with manageability.
Counterexample: an OS that crashes if an application crashes.
CSE825 13
Principle 5: Compartmentalization (cont.)
Use different machines for different tasks
Example: run the web application on a different machine from the employee salary database
Example: use different user accounts on one machine for different tasks
Compartmentalization provided by a typical OS is poor! Partition the hard disk and install the OS twice.
CSE825 14
Principle 6: Simplicity
KISS mantra -- "Keep it simple, stupid!"
Designs and implementations should be as simple as possible
─ Complexity increases the risk of problems; unavoidable in any system.
─ Complex code tends to be harder to analyze and maintain. It also tends to be far more buggy.
Should try to reuse components whenever possible.
Be careful in applying this principle
─ Keep the system simple on the condition of keeping the system secure.
Use choke points to improve simplicity
─ Force all security-critical operations through a few choke points.
CSE825 15
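The following Java example is added here to tie slide 11 (private fields, package-private methods), slide 12 (permissions off by default) and slide 15 (one choke point) together; it is not code from the lecture, and the class names PayrollLedger, PayrollService and the "hr-admin" role are illustrative assumptions.

```java
// Added example, not from the lecture: least-privilege exposure plus one choke point.
// All names (PayrollLedger, PayrollService, the admin set) are illustrative assumptions.
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Package-private class: code outside this package cannot even name it.
class PayrollLedger {
    private final Map<String, Integer> salaries = new HashMap<>(); // private, not public

    // Package-private (no modifier): only classes in this package may write the ledger,
    // so every outside write is forced through PayrollService.adjustSalary below.
    void setSalary(String employee, int amount) {
        if (amount < 0) throw new IllegalArgumentException("negative salary");
        salaries.put(employee, amount);
    }
}

// The only public type: its single public mutator is the choke point.
public final class PayrollService {
    private final PayrollLedger ledger = new PayrollLedger();
    private final Set<String> payrollAdmins;

    // Secure default: permissions are off unless explicitly granted (null means nobody).
    public PayrollService(Set<String> payrollAdmins) {
        this.payrollAdmins = payrollAdmins == null ? Set.of() : Set.copyOf(payrollAdmins);
    }

    // Choke point: authorization, input validation and audit logging happen here, once.
    public void adjustSalary(String caller, String employee, int amount) {
        if (!payrollAdmins.contains(caller)) {
            System.out.println("DENY  caller=" + caller + " employee=" + employee);
            throw new SecurityException(caller + " may not adjust salaries");
        }
        ledger.setSalary(employee, amount); // the only route to the package-private setter
        System.out.println("ALLOW caller=" + caller + " employee=" + employee);
    }

    public static void main(String[] args) {
        PayrollService svc = new PayrollService(Set.of("hr-admin"));
        svc.adjustSalary("hr-admin", "alice", 5000);     // allowed: caller is on the admin list
        try {
            svc.adjustSalary("intern", "alice", 999999); // denied at the choke point
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        // A caller in another package cannot reach ledger.setSalary: the field is private
        // and PayrollLedger is package-private, so the check above cannot be bypassed.
    }
}
```

Save as PayrollService.java (Java 10 or later for Set.copyOf) and run it; the second call is rejected before it ever touches the ledger.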