designing secure systems vyas sekar carnegie mellon university
TRANSCRIPT
![Page 1: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/1.jpg)
Designing Secure Systems
Vyas SekarCarnegie Mellon University
![Page 2: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/2.jpg)
Introduction
![Page 3: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/3.jpg)
3
In the beginning ..
Life was simple
Limited function
Single user
![Page 4: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/4.jpg)
4
General Purpose Computers
General Purpose
Computer
Resource1(Alice)
Resource3(Shared)
Resource2(Bob)
![Page 5: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/5.jpg)
5
Protection Mechanism
Control Transfer of InformationAmong Users of the Utility
![Page 6: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/6.jpg)
6
![Page 7: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/7.jpg)
7
Goals of this lecture• Know Lampson’s “gold” standard
– Authentication– Authorization– Audit
• Know types of authorization mechanisms
• Understand concept of TCB
• Internalize design principles for secure systems
![Page 8: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/8.jpg)
AAA definitions
Useful read:Security in the Real WorldButler Lampson
![Page 9: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/9.jpg)
9
General Purpose Computers
General Purpose
Computer
Resource1(Alice)
Resource3(Shared)
Resource2(Bob)
![Page 10: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/10.jpg)
10
Obvious questions
• How do I know that it is in fact Alice?
• Can Alice access Bob’s file? Can she access the shared file?
• Did Alice try to delete Bob’s file?
![Page 11: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/11.jpg)
11
Obvious questions• How do I know that it is in fact Alice? Authentication
• Can Alice access Bob’s file? Can she access the shared file?
Authorization
• Did Alice try to delete Bob’s file? Audit
![Page 12: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/12.jpg)
12
PrincipalReferenceMonitor
Object
RequestedOperation
ApprovedOperation
Source Guard Resource
Authentication Authorization
AuditAbstract Access Control Model
![Page 13: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/13.jpg)
13
Principals for Authentication
• “Who did that” or “Who is getting access”
• Typically user
• Can also be groups, machines, or programs
![Page 14: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/14.jpg)
14
Mechanisms for Authentication
• Passwords
• Secure hardware; e.g., hardware dongle
• Two-(multi-) factor mechanisms
![Page 15: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/15.jpg)
15
Authorization
Who is trusted to perform “what” operations on this object
Key question: How do we specify the policy?(More later)
![Page 16: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/16.jpg)
16
Audit• Evidence for decisions being made
• Useful for forensics
• Useful as a diagnostic tool
• Audit-trail can help track attacks
• Extremely important!
![Page 17: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/17.jpg)
Principles of Access Control
![Page 18: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/18.jpg)
18
Protection State
• State of system: current values for all resources of the system
• Protection State: subset of state that deals with protection
All Possible Protection States P
Authorized States Q
![Page 19: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/19.jpg)
19
• Security Policy: Characterizes states in Q• Access control matrix: Precise
representation of Q• Security Mechanism: Prevents system from
entering P-Q
All Possible Protection States P
Authorized States Q
![Page 20: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/20.jpg)
20
Subjects, Objects, Rights• Objects (o): Set of protected entities relevant to system
– Files– Directories– Memory– Processes
• Subjects (s): set of active objects– So – Running processes, users, …
• Rights (r):– Read– Write– Append– Own– …
![Page 21: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/21.jpg)
21
Examples
UNIX• Subjects: Running
processes• Objects: Files,
directories, processes,…
• Rights:– read– write– execute
AFS• Subjects: Kerberos Principles• Objects: Files, directories,
processes, …• Rights
– Lookup – List contents of directory– Insert – Add new files to directory– Delete – Remove Files– Administer – Change access
controls– Read– Write– Lock - Programs that need to flock
![Page 22: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/22.jpg)
22
Basic Idea: Lampson’s Access MatrixSubjects are row headings, objects are column
headings. Entry M[s,o] determines rights for subject s when accessing object o.
objects (entities)
subj
ects
s1
s2
…
sn
o1 … om • Subjects S = { s1,…,sn }
• Objects O = { o1,…,om }
• Rights R = { r1,…,rk }
• Entries A[si, oj] R
• A[si, oj] = { rx, …, ry } means subject si has rights rx, …, ry over object oj* From: Computer Security, Art & Science
![Page 23: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/23.jpg)
23
Example 1: File System Level
f g p q
p rwo r rwxo w
q a ro r rwxo
• Processes p,q• Files f,g• Rights r,w,x,a,o
* From: Computer Security, Art & Science
![Page 24: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/24.jpg)
24
Types of Access Control• Discretionary Access Control (DAC):
User can set an access control mechanism to allow or deny access to an object.– It’s at the users discretion what to allow.– Example: UNIX
• Mandatory Access Control (MAC): System mechanism controls access to an object and an individual user cannot alter that access.– What is allowed is mandated by the system (or system administrator).– Example: Law allows a court to access driving records without owners
consent. It’s mandated.
![Page 25: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/25.jpg)
25
Access Control Mechanisms
• ACM’s great in theory. Can be very precise. But are huge
• Two Implementation strategies:– Access Control Lists– Capabilities
![Page 26: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/26.jpg)
26
Access Control Lists
f g David Andre
David rwo r rwxo w
Andre a ro r rwxo
• Columns in ACM’s
• f: {(David, rwo), (Andre, a)}• g: {(David, r), (Andre, ro)}
• More formally: An ACL is a set of pairs (s, r): s S, r \subseteq R
![Page 27: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/27.jpg)
27
Default Permissions• Normal: if not named, no rights over file
– Principle of Fail-Safe Defaults
• Not-Normal: If not explicitly denied, has rights
• If many subjects, may use groups or wildcards in ACL
![Page 28: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/28.jpg)
28
Abbreviations & UNIX• ACLs can be long … so combine users
– UNIX: 3 classes of users: owner, group, rest– rwx rwx rwx– Ownership assigned based on creating process
• Some systems: if directory has setgid permission, file group owned by group of directory (SunOS, Solaris)
• Limitations– Suppose Anne wants:
• all rights for herself.• Beth to have read access• Caroline to have write access• Della to have read and write• Elizabeth to execute
– 5 desired arrangements, so three triples insufficient
![Page 29: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/29.jpg)
29
ACLs + Abbreviations• Augment abbreviated lists with ACLs
– Intent is to shorten ACL
• ACLs override abbreviations– Exact method varies
• Example: IBM AIX– Base permissions are abbreviations, extended permissions are ACLs
with user, group– ACL entries can add rights, but on deny, access is denied
* From: Computer Security, Art & Science
![Page 30: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/30.jpg)
30
Thoughts on the ACL’s
1. Which subjects can modify an ACL?2. If there is a privileged user, what if any
ACL’s apply to that user?3. Does the ACL support groups or wildcards?4. How are contradictory access control
permissions handled?5. If a default setting is allowed, does it apply
only when subject is not explicitly mentioned?
![Page 31: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/31.jpg)
31
Capabilities• Rows of access control matrix
• David: {(f,rwo), (g,r)}• Andre: {(f,a), (g,ro)}• Formally: A capability list c is a set of pairs
{(o,r) : o O , r \subseteq R}
f g David Andre
David rwo r rwxo w
Andre a ro r rwxo
![Page 32: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/32.jpg)
32
Semantics
• Like a bus ticket– Mere possession indicates rights that subject has over
object– Object identified by capability (as part of the token)
• Name may be a reference, location, or something else
• Must prevent process from altering capabilities– Otherwise subject could change rights encoded in
capability or object to which they refer
* From: Computer Security, Art & Science
![Page 33: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/33.jpg)
33
Example
• UNIX open() call returns a file descriptor. The file descriptor is a capability– Even if file is deleted and a new file with the
same name is created, your capability works.
![Page 34: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/34.jpg)
34
Capability Implementation1. Tags:
– Capabilities stored in memory words with associated tag bit that can only be modified in kernel model
2. Protected Memory:– Capabilities stored in kernel memory and can only be
accessed indirectly.
3. Cryptography– Capabilities are encrypted and cannot be modified
w/o detection by user process– Can be stored in user space
![Page 35: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/35.jpg)
35
Capability Revocation
• Scan all C-lists, remove relevant capabilities– Far too expensive!
• Use indirection– Each object has entry in a global object table– Names in capabilities name the entry, not the object
• To revoke, zap the entry in the table• Can have multiple entries for a single object to allow control of different
sets of rights and/or groups of users for each object
![Page 36: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/36.jpg)
36
ACLs vs. Capabilities• Both theoretically equivalent.• Consider these questions
1. Given a subject, what objects can it access, and how?• Capabilities better
2. Given an object, what subjects can access it, and how?• ACLs better
• Tracking which subjects can access an object more common, thus ACL’s more popular because they are more efficient.
• Other choices possible, e.g., revocation on per-subject basis easier with Capabilities.
![Page 37: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/37.jpg)
Notion of Trusted Computing Base
![Page 38: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/38.jpg)
38
Why should I trust this?
What does it mean for the access control mechanism to work correctly?
PrincipalReferenceMonitor
Object
RequestedOperation
ApprovedOperation
Source Guard Resource
Authentication Authorization
Audit
![Page 39: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/39.jpg)
39
Need a “trusted” component
• We rely upon to operate correctly
• Necessary for the whole system to be secure
• Corollary: If this misbehaves all bets re: security goals are off!
![Page 40: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/40.jpg)
40
Example of TCB
User ServerSSH
??
![Page 41: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/41.jpg)
41
Example of TCB
User ServerSSH
SSHDOSCPU
MAILWEB
![Page 42: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/42.jpg)
42
What is in the TCB here?
What does it mean for the access control mechanism to work correctly?
PrincipalReferenceMonitor
Object
RequestedOperation
ApprovedOperation
Source Guard Resource
Authentication Authorization
Audit
![Page 43: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/43.jpg)
43
Ideal TCB Design
• Cannot be bypassed– E.g., finding a route that firewall doesn’t check
• Tamper resistant– E.g., messing with the SSHD or OS executables
• Verifiable– Implies you want TCB to be as small as possible
![Page 44: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/44.jpg)
44
Why do we need a TCB?• Securing every piece of a system is hard!
• TCB is a pragmatic compromise– Separate system into trusted and untrusted
• Can focus security efforts on the trusted piece– Reason about security more rigorously
• Caveat: Determining TCB is easier said than done
![Page 45: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/45.jpg)
Design Principles
Useful read:The Protection of Information in Computer SystemsJerome Saltzer and Michael Schroeder
![Page 46: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/46.jpg)
46
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 47: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/47.jpg)
47
Keep it Simple, Stupid (KISS)
• Rule of thumb:1-5 defects per 1K lines of code
• Windows XP = 40 MLOC– All in TCB
• Smaller, simpler TCB is easier to reason about
![Page 48: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/48.jpg)
48
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 49: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/49.jpg)
49
Fail safe Defaults
PrincipalReferenceMonitor
Object
RequestedOperation
ApprovedOperation
Source Guard Resource
Authentication Authorization
Audit
![Page 50: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/50.jpg)
50
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 51: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/51.jpg)
51
Complete Mediation
• Every access to every object is checked by the reference monitor
• Easier said than done!
• TOCTTOU problems
![Page 52: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/52.jpg)
52
Mediation: TOCTTOU Vulnerabilities
Time-Of-Check-To-Time-Of-Use
int openfile(char *path){struct stat s;if (stat(path,&s) < 0))
return -1;if (!S_ISREG(s.st_mode)){
error(“only regular files allowed”);return -1;
return open(path,O_RDONLY)}
Change path
![Page 53: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/53.jpg)
53
Mediation: TOCTTOU Vulnerabilities
Time-Of-Check-To-Time-Of-Use
Void withdraw(int w){b = getbalance();if (b<w)
error(“not enough $$”);b = b-w;send(w)
}
Buy
![Page 54: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/54.jpg)
54
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 55: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/55.jpg)
55
Separation of Privileges
Launch Missile
Launch Missile
![Page 56: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/56.jpg)
56
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 57: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/57.jpg)
57
Least Privilege
General Purpose
Computer
File1(Alice)
File3(Shared)
File2(Bob)
Read File1
![Page 58: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/58.jpg)
58
The Key Principles• Economy of mechanism a.k.a KISS• Fail-safe defaults• Complete mediation• Separation of privilege• Least privilege• Factor in users/acceptance/psychology• Work factor/economics• Detect if you cant prevent• Don’t rely on security by obscurity
![Page 59: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/59.jpg)
59
Lecture summary• Know Lampson’s “gold” standard
– Authentication– Authorization– Audit
• Know types of authorization mechanisms– Mandatory vs discretionary, Capabilities vs ACL
• Understand concept of TCB
• Internalize design principles for secure systems
![Page 60: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/60.jpg)
60
Questions?
![Page 61: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/61.jpg)
END
![Page 62: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/62.jpg)
62
Thought
![Page 63: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/63.jpg)
63
Style Guide
• Fonts: We use microsoft fonts because they have the fewest reposition/scaling issues when going between mac and windows.– Cambria for body– Calibri for headline– Consolas for our monospace font (e.g., code)
![Page 64: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/64.jpg)
64
Boxes are center(arrange, align, center in )
This box would drive David nuts
![Page 65: Designing Secure Systems Vyas Sekar Carnegie Mellon University](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bfc81a28abf838ca82cd/html5/thumbnails/65.jpg)
65
Use the theme colors
• THIS IS NOT A THEME COLOR AND WILL NOT LOOK RIGHT WHEN YOU COPY/PASTE INTO ANOTHER THEME
• Theme colors are under the color drop-down on the top
Don’t use a non-theme color!It’s like wearing brown shoes and a black belt. You might not care, but everyone else notices.