UCCS CS 6910 - Design principles for secure systems


Design principles for secure systems
Lecturer: Professor Fred B. Schneider
Lecture notes by Lynette I. Millett
Revised by Borislav Deianov
Revised by Michael Frei

The classic treatment of design principles for secure systems is The Protection of Information in Computer Systems by Saltzer & Schroeder, Proceedings of the IEEE, 63, 9 (Sept 1975), 1278--1308. After 25 years, this paper remains a gem.

The presentation here also borrows from Computer Security in the Real World by Butler Lampson, IEEE Computer 37, 6 (June 2004), 37--46.

Today, we begin our discussion of security. What properties are we interested in and what are good strategies in implementing security?

General Security Issues

We first consider what we can learn from "real world" security. In the real world, security decisions are based on three things:

- value,
- locks, and
- police

We try to buy good enough locks so that the "bad guys" can't break in too often. The terms "good enough," "break in" and "too often" are key. We also assume that the police and courts work, so "bad guys" are caught and punished. "Police" in this context is a generic term for any agency that might pursue offenders; it includes the corporate hierarchy or the legal system. Similarly, the "bad guys" could be anyone, anywhere, including system operators for the system being secured. By "often enough" we don't mean always but enough so that crime doesn't pay. In other words, the expected gain from committing a crime must be negative. Value is an important aspect of this characterization, because generally we do not protect things of little value.

A constraint we place on any security mechanism is that it add a minimum amount of interference to daily life. For example, locks must not be difficult or annoying to use. If they are, it's likely that people will find ways to circumvent the annoyance and thus nullify the security protections the locks offer. It should also be noted that only with rare exceptions is a security breach of some sort the end of the world.

Risk management allows recovery from a security problem and decreases the need for complex and annoying locks. For example, rather than installing a complicated locking system for automobiles we buy auto insurance to help deal with costs that arise in the event of damage or theft.

Externalities also have a role to play. Briefly, an externality occurs when somebody or some agency does something in which the cost implications for the doer are not the same as (usually significantly less than) the cost implications for society. For example, think of companies that pollute the environment. The cost of cleaning pollution is usually great, and until recently there was no corporate penalty for not fixing a pollution problem. In short, an externality exists when it is cheaper to do the wrong thing. This has obvious large implications for security--an insecure subsystem may enable a system-wide attack of great consequence.

There are a number of things to observe. First, note that all locks are not the same. They typically have different keys as well as different strengths. The strength of the lock tends to be chosen according to the value of what is being protected. The environment also influences the type and strength of the locks being used. For example, apartments in Ithaca likely have fewer and weaker locks than apartments in Manhattan. Second, people pay for security they believe they need. Security is not monolithic and there is not one mechanism for everyone. Security is scaled with respect to both the value of the thing being secured and the threat against it. People's security "needs" are usually based on the perception of what's going on around them. If your neighbors are being broken into, then it's likely that you'll buy more security equipment than if not. Third, the police are central to the picture. The system still works even if locks are completely removed. Locks are only a deterrent; however, it is essential that there be enforcement and punishment strategies in place.

There will undoubtedly be some security breaches no matter how good the locks are. Thus, it is critical that bad guys be found. Locks reduce temptation as well as reducing the police workload. Finally, security, as we have portrayed it, is holistic. It is only as good as its weakest link. Attackers will look for the weakest link, and thus it is generally best to expend effort in determining where the weaknesses are and shoring them up. Given limited resources, the best approach is to make all elements equally strong, thus eliminating weakest links.

Applications to Computer Security

We now move from an abstract discussion of security in our day-to-day lives to the world of computer security. How can the above discussion be applied in this new context? With regard to computer security, the story is told in terms of three terms:

Vulnerability: A weakness that can be exploited to cause damage.
Attack: A method of exploiting a vulnerability.
Threat: A motivated, capable adversary that mounts attacks.

Bugs in a software system are vulnerabilities. Since we are not really good at building large systems, it seems clear that any large software system will have many vulnerabilities. While a first strategy for addressing a security problem might be to find and fix each vulnerability, in fact, this is likely to be too costly to be practical. Rather, it is better to first identify threats, and then work on eliminating only those vulnerabilities that those threats would exploit.

As an example, consider the problem of intercepting cellular phone transmissions. This possibility is clearly a result of a design vulnerability--a consequence of the way cellular phone signals are encoded and transmitted. A threat that exploits this vulnerability would be the small number of people who want to do this and have the knowledge and equipment to intercept transmissions. When cell phones were first introduced, the equipment was hard to come by and few people had the knowledge to mount an attack. Thus, the threat was small. Currently, just about anyone can buy the equipment; the threat is huge. The vulnerability has remained the same, but the nature of the threat has changed. Currently, there is a large amount of cellular-phone fraud.

Range of Threats

What is the range of threats that network information systems face? The Defense Science Board has issued a report that includes their view of current threats to the national infrastructures. Their list, in order of increasing severity, is as follows:

Incomplete,
