The Protection of Information in Computer Systems
Jerome H. Saltzer and Michael D. Schroeder - 1975
-------------------------------------------------

Background: There is a wide range of considerations in engineering complete security of information. Thus, it is often helpful to place security violations in categories: unauthorized information release, unauthorized information modification, and unauthorized denial of use.

Summary: This paper focuses on the protection (controlling access to stored information) and authentication aspects of securing computer information and provides design principles for protection and authentication mechanisms.

Caveat: By focusing on these two aspects, this paper takes a narrow view of information security, which is dangerous because it may lead to false confidence in the system as a whole.

Levels of protection: unprotected, all-or-nothing (i.e., completely isolate users), controlled sharing (i.e., explicitly control access to each data item), user-programmed sharing controls (i.e., allow access control to be controlled by arbitrary programs), and putting strings on information (i.e., maintain control after information has been released).

Principles for protection:
1. Economy of mechanism: Simple and small designs make it easier to check for implementation errors.
2. Fail-safe defaults: The default situation is lack of access.
3. Complete mediation: Control access to every object.
4. Open design: Security by obscurity does not work.
5. Separation of privilege: When possible, require two keys.
6. Least privilege: Operate using the least set of privileges necessary to complete a task.
7. Least common mechanism: Minimize shared mechanisms (especially shared variables) because they represent a potential information path between users.
8. Psychological acceptability: Make the UI easy to use so that users apply the protection mechanism correctly.
9. Work factor: Compare the cost of circumventing the mechanism with the resources of a potential attacker (difficult with computers).
10. Compromise recording: Add mechanisms that guarantee or aid discovery of compromises (tracks are easy to cover with computers).

Authentication mechanism: passwords (something you know), physical tokens (something you have), and bio-identification (something you are). Some issues involving these mechanisms include easy-to-guess passwords, eavesdropping, and Trojan horse attacks.

Authorization in shared data:
- List-oriented (access control lists): Users are authorized by having their names placed on a list for an object. This mechanism requires an associative lookup for each access and is thus not used in applications where traffic is high.
- Ticket-oriented (capabilities): Users are authorized by giving them a ticket for the object. This mechanism has the challenges of controlling ticket forgery and passing tickets to other users.
- Note: Often both mechanisms are used; a list-oriented system is used at the human interface and a ticket-oriented system is used in the underlying system. In this arrangement, a list-oriented guard hands out temporary tickets which the lower-level (ticket-oriented) guards will honor.

Review: Most of the good stuff is in the first section. The rest is hard to understand, boring, and outdated.
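The following is an added toy model, not code from the paper or from the note above, of the two-guard arrangement described under "Authorization in shared data": a list-oriented guard consults an ACL and hands out temporary tickets, and a ticket-oriented guard honors them without any ACL lookup. It is also written to exhibit two of the principles listed above, fail-safe defaults (no ACL entry means no access) and complete mediation (every operation goes through the guard). Everything in it is constructed: the object and principal names, the ACL contents, the HMAC key, the ticket format and the expiry policy are the example's own assumptions, not anything the paper specifies.

```python
"""Added example: ACL guard issuing HMAC-protected temporary tickets that a
lower-level capability guard checks.  All names, keys and policies below are
constructed for illustration."""
import hashlib
import hmac
import json
import time

# Constructed ACL: object -> principal -> set of rights.  Anything not listed
# is denied (fail-safe default); there is no "allow everyone" entry to forget.
ACL = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "notes.txt": {"carol": {"read"}},
}

# Key held only by the guards.  A ticket's MAC cannot be produced without it,
# which is how this model addresses the ticket-forgery problem the note raises.
GUARD_KEY = b"constructed-guard-key-not-a-real-secret"
TICKET_LIFETIME = 60  # seconds a temporary ticket stays valid (our policy)


def _sign(payload: bytes) -> str:
    return hmac.new(GUARD_KEY, payload, hashlib.sha256).hexdigest()


def issue_ticket(principal, obj, right, now=None):
    """List-oriented guard at the human interface: one associative lookup in
    the ACL, then a short-lived ticket for exactly one (object, right) pair.
    Returns None when the ACL does not grant the right."""
    rights = ACL.get(obj, {}).get(principal, set())
    if right not in rights:
        return None  # fail-safe: absence of an entry is a denial
    now = time.time() if now is None else now
    # The ticket carries no principal, so (as the note warns) whoever holds it
    # can use it; binding it to a principal would be a further design choice.
    body = {"obj": obj, "right": right, "exp": now + TICKET_LIFETIME}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": _sign(payload)}


def check_ticket(ticket, obj, right, now=None):
    """Ticket-oriented guard in the underlying system: no ACL at all, just a
    constant-time MAC comparison and a check of object, right and expiry."""
    if ticket is None:
        return False
    payload = json.dumps(ticket["body"], sort_keys=True).encode()
    if not hmac.compare_digest(ticket["mac"], _sign(payload)):
        return False  # forged or tampered ticket
    body = ticket["body"]
    now = time.time() if now is None else now
    return body["obj"] == obj and body["right"] == right and body["exp"] > now


def access(ticket, obj, right, now=None):
    """Single choke point for every operation on an object (complete mediation)."""
    return "granted" if check_ticket(ticket, obj, right, now) else "denied"


def demo(now=1000):
    """Runs the scenarios a reviewer would want to see and returns the outcomes."""
    alice_read = issue_ticket("alice", "payroll.db", "read", now)
    bob_write = issue_ticket("bob", "payroll.db", "write", now)   # not in ACL
    dave_read = issue_ticket("dave", "notes.txt", "read", now)    # unknown user
    # A holder editing the ticket body without the guard key breaks the MAC.
    tampered = {"body": dict(alice_read["body"], right="write"),
                "mac": alice_read["mac"]}
    return {
        "alice reads payroll": access(alice_read, "payroll.db", "read", now),
        "alice ticket used for write": access(alice_read, "payroll.db", "write", now),
        "alice ticket used on other object": access(alice_read, "notes.txt", "read", now),
        "bob writes payroll": access(bob_write, "payroll.db", "write", now),
        "dave reads notes": access(dave_read, "notes.txt", "read", now),
        "tampered ticket": access(tampered, "payroll.db", "write", now),
        "expired ticket": access(alice_read, "payroll.db", "read", now + TICKET_LIFETIME + 1),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Note the cost split the paper's argument depends on: the associative ACL lookup happens once, at issue time, while the high-traffic path (`check_ticket`) does only a MAC comparison and three field checks. The expiry field is what makes the tickets "temporary"; without it, a leaked ticket would remain valid until the key is rotated.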