Friday, 7 November 2008

The Fundamental Maxims of Security

There are a number of maxims for the creation of a secure system in information technology. The questions are where they come from and what they all are.

The paper "The Protection of Information in Computer Systems" by J. H. Saltzer and M. D. Schroeder [Proc. IEEE 63, 9 (Sept. 1975), pp. 1278-1308] was the watershed paper on this topic and the origin of the maxims that we take for granted today.

These maxims are the fundamentals of information security. They are:

  1. Economy of mechanism: Keep the design as simple and small as possible.
  2. Fail-safe defaults: Base access decisions on permission rather than exclusion.
  3. Complete mediation: Every access to every object must be checked for authority.
  4. Open design: The design should not be secret.
  5. Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
  6. Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
  7. Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users.
  8. Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Point 8 is commonly overlooked. For a security system to work, it needs to be accepted by the people using it. If we make a system too complex, it will fail. If people perceive that it impedes their ability to do their job, they will find a way to bypass it.
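Points 2 and 3 are the ones most often broken in code rather than in policy, so here is an added example (mine, not code from the paper or from this post's author) that puts the shortcut and the principle side by side. The document store, users and deny list are constructed for illustration. The first pair of functions contrasts an exclusion-based check with a permission-based one; the two store classes contrast caching an authority check at open time, which the paper explicitly warns against, with re-checking on every read.

```python
"""Fail-safe defaults (principle 2) and complete mediation (principle 3),
each contrasted with the shortcut it warns against.

Added example for this post; not code from Saltzer and Schroeder's paper.
All data below is constructed for illustration.
"""

# Constructed sample store: each document records its owner and the
# principals it has explicitly been shared with (the permission data).
DOCS = {
    "q3-forecast.xlsx": {"owner": "alice", "shared_with": {"bob"}},
    "payroll.csv": {"owner": "carol", "shared_with": set()},
}

# Constructed deny list used by the exclusion-based check.
BLOCKED = {"mallory"}


def can_read_by_exclusion(user, doc):
    """Base the decision on exclusion: refuse known-bad users, admit the rest.

    Fails open. A principal nobody anticipated ("eve") is admitted, and the
    document name is never even consulted, so a request for a document that
    does not exist in DOCS is admitted too.
    """
    return user not in BLOCKED


def can_read(user, doc):
    """Base the decision on permission: admit only an explicit grant.

    Fails closed. Unknown documents and unknown users both fall through to
    False without needing a special case for each.
    """
    meta = DOCS.get(doc)
    if meta is None:
        return False
    return user == meta["owner"] or user in meta["shared_with"]


class CachedHandleStore:
    """Checks authority once, at open(), then trusts the handle forever.

    This is the 'remembered result' the paper says to examine skeptically:
    if the grant is revoked after open(), reads keep succeeding.
    """

    def open(self, user, doc):
        if not can_read(user, doc):
            raise PermissionError(f"{user} may not read {doc}")
        return (user, doc)  # the handle is never checked again

    def read(self, handle):
        _, doc = handle
        return f"<contents of {doc}>"


class MediatedStore:
    """Checks authority on every read (complete mediation).

    A revocation takes effect on the very next access, with no separate
    handle-invalidation machinery to get wrong.
    """

    def open(self, user, doc):
        if not can_read(user, doc):
            raise PermissionError(f"{user} may not read {doc}")
        return (user, doc)

    def read(self, handle):
        user, doc = handle
        if not can_read(user, doc):
            raise PermissionError(f"{user} may not read {doc}")
        return f"<contents of {doc}>"


def revoke(doc, user):
    """The owner withdraws a previously granted share."""
    DOCS[doc]["shared_with"].discard(user)


def revocation_demo(store_cls):
    """Share, open, revoke, read again.

    Returns True if the read after revocation still succeeded, i.e. the
    store failed to mediate the access.
    """
    DOCS["q3-forecast.xlsx"]["shared_with"].add("bob")
    store = store_cls()
    handle = store.open("bob", "q3-forecast.xlsx")
    revoke("q3-forecast.xlsx", "bob")
    try:
        store.read(handle)
        return True
    except PermissionError:
        return False
    finally:
        DOCS["q3-forecast.xlsx"]["shared_with"].add("bob")  # restore sample state


if __name__ == "__main__":
    print("unknown user, exclusion check:", can_read_by_exclusion("eve", "payroll.csv"))  # True
    print("unknown user, permission check:", can_read("eve", "payroll.csv"))              # False
    print("stale read after revoke, cached handle:", revocation_demo(CachedHandleStore))  # True
    print("stale read after revoke, mediated store:", revocation_demo(MediatedStore))     # False
```

The two stores differ by a single line in `read()`, which is the point: complete mediation costs one extra lookup per access, and the paper's caveat about remembered results is exactly the cost people try to avoid. Whatever caching a real system adds for performance has to be invalidated on every change of authority, which is far more machinery than the check it replaces.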

These maxims are listed in the section of the paper called "Design Principles". This section begins by stating: "Whatever the level of functionality provided, the usefulness of a set of protection mechanisms depends upon the ability of a system to prevent security violations. In practice, producing a system at any level of functionality (except level one) that actually does prevent all such unauthorized acts has proved to be extremely difficult. Sophisticated users of most systems are aware of at least one way to crash the system, denying other users authorized access to stored information. Penetration exercises involving a large number of different general-purpose systems all have shown that users can construct programs that can obtain unauthorized access to information stored within. Even in systems designed and implemented with security as an important objective, design and implementation flaws provide paths that circumvent the intended access constraints. Design and construction techniques that systematically exclude flaws are the topic of much research activity, but no complete method applicable to the construction of large general-purpose systems exists yet. This difficulty is related to the negative quality of the requirement to prevent all unauthorized actions."

The designers of a few mechanisms (port knocking, for example) would do well to review their work against these maxims; they might find that it fails several of them.
