What is Least privilege
- Should only have the rights necessary to perform a given function
- Default setting should be lack of access
- access needed temporarily, then it should be rescinded after use
Economy of mechanism
- Sufficiently small and simple as to be verified and implemented – e.g. security kernel
- Simpler means less can go wrong – and when errors occur, they are easier to understand and fix
Complete mediation
- Every access to every object must be checked
* Must be efficient with little overhead
Open design
- Don’t depend on secrecy of the design
- Security through obscurity’ is a bad idea - Should be open for scrutiny by the community
- Kerckhoffs’ Principle
Separation of privilege
- Access to objects should depend on more than one condition being satisfied
- Separation of duty - two person rule
Least common mechanism
•Minimise the amount of mechanisms common to more than one user and
depended on by all users
•Do not share state between programs; corruption of one = corruption of all
Psychological acceptability
•User interface must be easy to use, so that
users routinely and automatically apply the mechanisms correctly
•Security mechanisms should not add to difficulty of accessing resource
Fail securely
•If software has to fail ensure that it does it securely
Defence in depth
•Use diverse defensive strategies
•If one layer isn’t good enough, another layer will hopefully prevent a complete
compromise
Secure the weakest link
- A software security system is only as strong as its weakest link
- Attackers go after the easy targets
- Identify and strengthen weak links until an acceptable level of risk is achieved
Fail-Safe defaults
- If action fails, system as secure as when action began
- The default state is lack of access
- Need to argue why a user should have access, not argue why a user should not have access
Compartmentalise
- Minimize the amount of damage that can be done by breaking the system into units
- Very few operating systems do this because it is difficult to manage
- Root privilege is an example of how not to do it
Fail securely
•If software has to fail,make sure that it does it securely
Keep it simple
•Complexity can cause errors
Use your community resources
•Public scrutiny promotes trust
