SB 22: Design Principles for Security Flashcards
What is the underlying idea of design principles?
To design with simplicity and restriction in mind. Simplicity minimizes the risk of problems and makes the problems that do occur easier to deal with. Restriction means there is less data needing to be checked during system interactions, and people and processes only have access to what they actually need.
What is the principle of least privilege?
A subject should only be given the privileges it needs to complete its task. Analogous to the “need to know” rule. It is complex to implement in practice because it requires a high level of detail about what each task actually needs.
What is the “Principle of least authority”?
Not an official principle. Closely related to the principle of least privilege. A subject should only be given the authority it needs to complete its task.
What is the difference between the principle of least privilege and least authority?
There is only a difference if we make a distinction between authority and permissions. Permissions are the actions a process can take on objects directly. Authority is the effect a process may have on an object, directly or indirectly through interactions with other subjects.
Principle of fail-safe defaults
Unless a subject is given explicit access to an object it should be denied access. Default access therefore needs to be none. Changes that cannot be completed should be undone.
Principle of economy of mechanism
Security mechanisms should be as simple as possible. Simplicity means less risk of errors occurring.
Principle of complete mediation
Restricts the caching of access decisions. Requires that every access to an object be checked to ensure it is allowed, not just the first one. The mediator should check the authenticity and integrity of the access request; if those are validated and the access is authorized, the request is granted.
Principle of open design
The security of a mechanism should not depend on the secrecy of its design or implementation. Secrets don’t always stay secrets, so it is wise to plan for their compromise. Especially relevant for cryptographic systems and software, where keeping the algorithms secret can give a false sense of security.
Principle of separation of privilege
A system should not grant permissions based on a single condition. Equivalent to separation of duties.
Principle of least common mechanism
Mechanisms used to access resources should not be shared. Sharing resources can create vulnerabilities.
Principle of least astonishment
Security mechanisms should be designed so that (1) users understand why the mechanism works the way it does and (2) it is simple to use. Security software that is complicated to set up can result in poor or incorrect configurations. It should also output understandable messages with no unnecessary information, e.g. “incorrect login” NOT “incorrect password”.