Group: security


A system needs to protect itself from unexpected or malicious input. Software errors aside, checking all input protects the whole system. The idea is to separate the system from its input by certifying input data types, object consistency, and permission rights. Critical operations may be seen as sub-systems with their own input. In any case, unexpected input must be explicitly handled, even if this means an abort.

Malicious input is difficult to defend against. For instance, users may use statistical methods to determine a system's implementation. One solution is a special-purpose machine which can only be used as intended, but development, maintenance, and debugging require full access to the system's internals. Any hooks provided can also be used by the malicious user. Such access can be restricted if tied to hardware signatures. Then the user must own the master terminal before gaining full system access. (cbb 5/80)

Software errors are an often overlooked aspect of system security. Most security systems must assume that the underlying software is error-free. Two important requirements are limited domains and thorough consistency checking. Limited domains prevent an error from affecting the entire system, and consistency checking confirms the correctness of the software. (cbb 12/92)

Group members

Topic: authentication
Topic: backup processor
Topic: cryptographic hash function
Topic: cryptographic protocols
Topic: database security
Topic: digital signature
Topic: distributed system security
Topic: encryption
Topic: key distribution
Topic: limitations of system security
Topic: operating system security
Topic: password protection
Topic: power fail recovery
Topic: public key encryption
Topic: preventing accidental errors
Topic: security by access functions
Topic: security by access rights
Topic: security by audit trail
Topic: security by capabilities
Topic: security by information flow
Topic: security by roles
Topic: security by seal
Topic: security by secure domains
Topic: security of remotely executed code
Topic: security by trust
Topic: security issues with electronic mail
Topic: security leaks and weaknesses
Subtopic: secure system

Quote: a totally secure system requires full, unclassified, understanding by everyone; otherwise significant points of potential weakness may be overlooked [baraP8_1964b]
Quote: security is a negative kind of requirement; prevent all unauthorized use of information; anticipate every possible threat [saltJH9_1975]
Quote: a narrow concentration on protection mechanisms, especially those logically impossible to defeat, may lead to false confidence [saltJH9_1975]
Quote: Java security should be usable, simple, adequate, and adaptable; security should be general and systematic [gongL11_2011]
Quote: Java code should execute as intended without undesirable side effects; accept only Java code, test for intended behavior, prevent bad, unintended behavior [gongL11_2011]
Quote: good security encompasses prevention, detection, and reaction; e.g., a vault with alarms and the threat of arrest [schnB_2000]
Quote: computers should be as secure as real-world systems, and people believe it; real-world systems are not very secure [lampBW6_2004]
Quote: real-world security balances value, locks, and punishment; e.g., use locks to prevent casual intrusion [lampBW6_2004]
Quote: perfect security is expensive and inconvenient; e.g., safe deposit box [lampBW6_2004]
Quote: security is needed for secrecy, integrity of resources, availability, and accountability [lampBW6_2004]
Quote: producing valid systems is a domain dependent activity [blumBI8_1985]
Quote: simplify user security as my documents, shared documents, and public documents in separate directories; vendors and administrators handle everything else [lampBW6_2004]
Quote: security concerns user authentication, service authentication, key management, and encryption of communication [coxR8_2002]
Quote: 1974 security study of Multics is relevant today; like Unix [kargPA12_2002]
Quote: Multics has better security than most systems today; security was a primary goal; no buffer overflows; minimized complexity [kargPA12_2002]

Subtopic: external verifier

Quote: the external verifier for red-green partitions has a red light, a green light, and a button; the user explicitly switches from red-to-green or green-to-red; not the machine itself [gligV3_2010]

Subtopic: usable security

Quote: usable security for commodity computers; high security for sensitive transactions, feasible recourse for security breaches, a simple and uniform security policy [gligV3_2010]

Subtopic: secure message

Quote: an electronic message to purchase stock implies no one else will read the message; no one will modify the message; the message is authentic and timely; an acknowledgement means that the transaction occurred [yahaR5_1993]

Subtopic: guarded partitions

Quote: secure, direct access divides information into mutually exclusive partitions with guarded doors; the guard must identify authorized users and their access rights [saltJH9_1975]
Quote: an authority check is usually implemented by having the guard demand a match between something he knows and something the prospective user possesses [saltJH9_1975]
Quote: must protect the guard's authorization information and the association between a user and the unforgeable label or tickets associated with his virtual processors [saltJH9_1975]

Subtopic: security and change

Quote: the dynamics of use cuts across all security levels; how does one establish and change the specification of who may access what; programs may change authorization dynamically; severe complications [saltJH9_1975]
Quote: for dynamic authorization of sharing within a computer, there must be some previous communication from the recipient to the sender, external to the system; compare the recipient's principal to the external authorization [saltJH9_1975]

Subtopic: security is not secrecy

Quote: true security is not the same as unthinking secrecy; in a free society, effective secrecy in peacetime is almost impossible [baraP8_1964b]

Subtopic: enforced interactions

Quote: divide a system into simple, fully debugged, units; enforce a unit's interactions with a small number of other units; do not depend on good will and a full understanding of the rules [lampBW_1971]

Subtopic: security policy

Quote: provenance tracking should guarantee completeness, integrity, availability, confidentiality, and efficiency [hasaR12_2009]
Quote: compare security policies of independent implementations of an API; security checks occur before security-sensitive events such as native method calls and API returns [srivV6_2011]
Quote: security-policy differencing has no intrinsic false positives: implementations of the same API must enforce the same policy [srivV6_2011]
Quote: frame navigation policy for secure communication within web browsers; fragment identifier messaging and postMessage [bartA6_2009]
Quote: security is about policy and isolation; no adequate user model that minimizes hassle while remaining true [lampB11_2009]
Quote: a security user needs to know who can do what to which things [lampB11_2009]
Quote: a security administrator needs a declarative policy such as groups and roles [lampB11_2009]
Quote: first, define the threat model and risks; second, create a security policy; third, design the countermeasures that enforce the policy [schnB_2000]
Quote: a secure OS needs mandatory security, controlled by a policy administrator, that enforces who has access to data and its encryption [schnB_2000]
Quote: prefer policy over tunable settings for security and resource allocation; express in terms of goals; allows audit, avoids user error [kampPH7_2004]
Quote: a shared system must be easy to monitor; policy implications must be clear and testable [kampPH7_2004]
Quote: provide primitives for easily expressing security policy in broad terms [kampPH7_2004]

Subtopic: design principles

Quote: security design principles: keep the design simple, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, psychological acceptability [saltJH9_1975]
Quote: security must be easy to use and understand; users should routinely and automatically apply the protection mechanisms correctly; errors occur with a radically different specification language [saltJH9_1975]

Subtopic: automatic security

Quote: access rights require a great deal of flexibility; otherwise they are too cumbersome to use [lampBW_1971]
Quote: it must become a pleasure to write programs that safeguard themselves against the inroads of others, or at the very least it must be automatic, like the use of a high level language [lampBW_1971]

Subtopic: assurance

Quote: assurance and authenticated operation are important security goals; assurance is correct behavior despite attacks [englP7_2003]
Quote: the goal of security is assurance that our systems possess only the properties that we want; assurance that systems work properly [schnB_2000]
Quote: constantly question security; question your assumptions; question your decisions; trust no one, especially yourself [schnB_2000]
Quote: use formalization to assure security, exclude tacit pre-assumptions, clarify notations, and resolve universal structures [zemaH3_1966]

Subtopic: attack resilience

Quote: failure-oblivious computing automatically detects invalid memory accesses and substitutes faked values; invulnerable to security attacks due to memory; user detects acceptable results [rinaM6_2004]
Quote: fast, space-efficient, scalable string searching algorithm for concurrent scanning with a large number of signatures; resilient to attacks; 2 Gbits/sec [petrF11_2009]

Subtopic: information flow

Quote: HiStar prevents information flow of tainted files to untainted components, including the network; implements passwords, Unix IDs, process memory protection, and user-level security; GNU software runs unmodified [zeldN11_2011]
Quote: information flow by security label attached to kernel objects; when a thread's label changes, invalidate the label of its memory maps [zeldN11_2011]
Quote: in HiStar, kernel objects hold all state that is accessible to user processes [zeldN11_2011]
Quote: a HiStar integrity category is the opposite of a secrecy category; data can flow from A to B only if A's label includes all of the integrity categories in B's label [zeldN11_2011]

Subtopic: multiparty protocol

Quote: secure, multiparty protocols in Bitcoin by constructing timed commitments; e.g., a secure multiparty lottery; no matter how the dishonest players behave, the honest parties are not cheated [andrM4_2016]

Subtopic: sharing by list or ticket

Quote: protection mechanisms that permit sharing are either list-oriented (e.g., access-control list) or ticket-oriented (e.g., capability) [saltJH9_1975]

Subtopic: containers

Quote: resource containers for fine-grained resource management in monolithic kernels; e.g., high-performance Web server; negligible overhead compared to HTTP transactions [bangG2_1999]

Subtopic: shared files

Quote: shared files need to be safe from unknown users, accidents, maliciousness, unauthorized users, and software and hardware failures [daleRC11_1965]
Quote: shared files need to be safe from overzealous application of other safeguards [daleRC11_1965]

Subtopic: owned secrets

Quote: each thread T owns a set of categories; owned categories are ignored for operations on behalf of T; may extract secret data from the system [zeldN11_2011]

Subtopic: security by dispersal

Quote: rapidly disperse information into multiple pieces or locations; reconstruct from any n pieces, but not from m-1 pieces; like an error correcting code [rabiMO4_1989]

Subtopic: security as challenge-response

Quote: CAPTCHA, like most security measures, creates a delayed challenge-response between humans; the bad guys have as much time as they need to fashion a response [moulB2_2008]

Subtopic: weakest link

Quote: some security principles do not apply to computer systems; work factor does not apply to indirect attacks; compromise recording is too late and easily circumvented [saltJH9_1975]
Quote: secure the weakest link in the attack tree; look at the entire vulnerability landscape [schnB_2000]

Subtopic: human error

Quote: complexity increases the probability of human error in design, code, and operations; subtle bugs hide in complex, concurrent, fault-tolerant systems [newcC4_2015]
Quote: accidents are almost always the result of incorrect estimates of the likelihood of one or more things [newcC4_2015]

Subtopic: automated testing

Quote: SAGE security tester for binary code; what you fuzz is what you ship [godeP3_2012]

Subtopic: detection

Quote: detection and punishment are the primary instruments of security [lampBW6_2004]
Quote: tampering with a mechanical voting machine is visible after the fact; but a software attack can leave the machine exactly the same [nislE1_2007]
Quote: modern society does not prevent crime; it detects crime after the fact [schnB_2000]
Quote: detect intruders in close to real time, while they are still engaged in the attack [schnB_2000]
Quote: understand the attack and what it means; detect, localize, identify, assess [schnB_2000]

Subtopic: white hat infiltration

Quote: measured the conversion rate for email spam; infiltrated the Storm botnet; 1e-5 to 1e-7 conversion rate [kaniC9_2009]

Subtopic: security model

Quote: Bell and LaPadula security model prevents unauthorized observation and modification; implement as a finite state machine; lattice of access classes [amesSR7_1983]
Quote: security is relative; a security proof requires a model of the system and a model of the attacker [mitcJC1_2001]

Subtopic: threat model

Quote: an attack tree is an AND/OR threat model; OR nodes are alternative attacks, AND nodes are steps to implement the attack [schnB_2000]
Quote: evaluate a system's vulnerabilities by propagating leaf nodes to the attack tree's root; e.g., PGP [schnB_2000]

Subtopic: security kernel or reference monitor

Quote: a security kernel can protect against subversion; subject to third party inspection and verification; a small, complete, and non-bypassable component [andeEA6_2004]
Quote: security kernel for the protection of shared information; requires a protection policy and security theorem; either discretionary or nondiscretionary [amesSR7_1983]
Quote: a security kernel is managed by trusted subjects; e.g., an interface to control the access policy for untrusted subjects [amesSR7_1983]
Quote: a reference monitor must validate the security policy for every reference to information; it must be tamper-proof and verifiable; requires hardware segmentation and protection rings; security kernel [scheRR11_2016]
Quote: factotum is a simple security architecture based on a small trusted code base; easy to verify, easy to understand, and easy to use; implemented as a file server [coxR8_2002]
Quote: the factotum handles security and authentication protocols; enables encryption of all communication channels; secstore stores keys [coxR8_2002]
Quote: factotum security protocols are state machines with a generic interface; message reads and writes are separate, non-blocking RPCs [coxR8_2002]
Quote: system boot requires a security coprocessor to store cryptographic keys for sealed storage and attestation; verifies the kernel's digest and starts in a well-defined state [englP7_2003]
Quote: construct user devices with a secure clock and a secure supervising program; can not change; runs periodically [rabiMO10_2005]
Quote: the nexus is a security-critical system manager with an isolated address space, secure agents, authenticated operations, and secure user input and output [englP7_2003]

Subtopic: trust management, security system

Quote: survey of trust management systems and their policy/rights language; framework for authorization in distributed systems [chapPC8_2008]
Quote: users require a trusted path to the security manager; e.g., ctrl-alt-del [yeeKP12_2002]
Quote: classify all programs as trusted or untrusted; by signature or explicit trust [lampBW6_2004]
Quote: use trust-management systems for direct authorization of security-critical actions; combines policy with credentials [blazM_1999]
Quote: trust-management systems support delegation and policy specification, refinement, and hierarchies [blazM_1999]
Quote: PolicyMaker trust-management--blackboard system of source s_i approves request r_i via an authorization program [blazM_1999]
Quote: KeyNote trust-management--depth-first search to satisfy a policy assertion made of conditions and licensees key expressions; no inter-assertion communication [blazM_1999]
Quote: SD3 trust management computes answer and verified proof together; only certified evaluator in trusted computing base; e.g., a secure name service [jimT5_2000]
Quote: SD3 extends datalog by associating names with authenticated public keys, e.g., T(x,y):-K$E(x,y) holds if E(x,y) and relation E under keyholder of K [jimT5_2000]
Quote: SD3 names may be tied to an IP address; e.g., (K@A)$E(x,y) is relation E at A under public key K; remote evaluator returns E(x,y) as a certificate signed by its private key [jimT5_2000]
Quote: Grid Security Infrastructure is a widely used security infrastructure with single sign-on and site/local security policies [butlR12_2000]
Quote: GSI entities can delete rights with a proxy; chains of proxy certificates are rooted at the same user certificate [butlR12_2000]

Subtopic: security as a formal system

Quote: without a formal semantics or a formal type system, can not reason about Java or the security properties of its libraries [deanD5_1996]
Quote: use spi calculus for typechecking security protocols using shared-key cryptography [abadM9_1999]
Quote: EROS has formal verification of security properties and very little performance loss [shapJS1_2002]
Quote: fix security warnings or add annotations; run Splint until done [evanD1_2002]
Quote: secure DNS resolver in 10 lines of code; easier to understand than BIND's security policy [jimT5_2000]
Quote: A says S means that principal A supports the statement S; A speaks for B (A=>B) means that if A makes a statement, so does B [wobbE2_1994]
Quote: 'A as R' means that A is a principal in role R with reduced rights; A=>(A as R) [wobbE2_1994]
Quote: B|A means B quoting A, i.e., (B says A) says S [wobbE2_1994]
Quote: 'B for A' means B acts for A; this includes B|A (B quoting A) [wobbE2_1994]

Subtopic: secure server

Quote: comprehensive protection of the heap with minimal assumptions and low overhead; separates heap data and meta-data; layout obfuscation, random padding between objects, random recycling [kharM10_2006]

Subtopic: security server

Quote: the Plan 9 factotum handles the user's keys and security interactions; no cryptographic code in applications; like the SSH agent [coxR8_2002]
Quote: after factotum is marked 'private', no secret must escape; process memory is inaccessible and never swapped to disk [coxR8_2002]
Quote: can attack Plan 9's factotum by rebooting the server with a debugging kernel [coxR8_2002]
Quote: on boot, the secstore encrypted data file server initializes the factotum security agent; uses PAK key exchange; no backup; enables single-sign-on authentication with strong keys [coxR8_2002]

Subtopic: production security

Quote: how to harden digital designs against security attacks during production; focus on digital backdoors, triggered by time or input data [sethS9_2015]

Subtopic: trusted platform

Quote: extend the trust that users have in a trusted platform to commodity devices; e.g., verify security hardware of commodity device; how to extend trust to remote computers [parnB6_2012]

Subtopic: secure language

Quote: programs must withstand rigorous analysis; a robust program written in an insecure language is like a house built upon sand [milnR_1997]
Quote: a programming language is secure if it does not lead to machine or implementation effects that are inexplicable in terms of the language [hoarCA_1974]
Quote: a language is secure if it detects most cases where its concepts break down and produce meaningless results [brinP4_1999]
Quote: correct if correct input leads to correct output; secure if arbitrary inputs do not have undesired consequences [mitcJC1_2001]
Quote: Cyclone is a safe dialect of C; avoids buffer overflows, format string attacks, and memory management errors; static analysis plus run-time checks and annotations [jimT6_2002]

Subtopic: bootup

Quote: on bootup, HiStar restores the entire system, including threads, from the most recent on-disk snapshot; no trusted boot script [zeldN11_2011]

Subtopic: secure storage

Quote: survey of confidential data storage and deletion methods [diesSM11_2010]

Subtopic: encapsulate state

Quote: prefer object-orientation implementation for shared systems; encapsulates state in a class; avoids globals [kampPH7_2004]
Quote: prefer component-oriented designs for shared systems; increased flexibility, can easily disable a subsystem [kampPH7_2004]

Subtopic: user perspective

Quote: security is a lot easier if you assume trusted and intelligent users; for the most part, insiders are your allies [schnB_2000]
Quote: security depends on the user perspective, whatever the user wants; e.g., deleting files is often OK [yeeKP12_2002]
Quote: security and usability should be complementary; both want computers to correctly do what users want [yeeKP12_2002]
Quote: efficiency and safety of real world actions are often difficult to discern; must be learned; tools can help [yeeKP12_2002]
Quote: path of least resistance--default settings are secure, avoid accidents, make security easy [yeeKP12_2002]
Quote: a system is secure for a user if it only does what the user believes it can do [yeeKP12_2002]
Quote: define security boundaries that matter to the user, with different security policies [yeeKP12_2002]
Quote: users should explicitly authorize all unexpected behavior; things can't become unsafe by themselves [yeeKP12_2002]

Subtopic: visible security

Quote: a user should know that things are safe by knowing how each actor is limited; visible authorities [yeeKP12_2002]
Quote: view the actor-ability state in terms of granting actions [yeeKP12_2002]
Quote: users should know their abilities within a security system; e.g., granting an authority that can not be revoked [yeeKP12_2002]
Quote: users must securely identify objects and actions; if not, an untrusted program can spoof a trusted one [yeeKP12_2002]
Quote: need expressive language for setting security policy and understanding the consequences of security-related decisions [yeeKP12_2002]
Quote: require an interactive dialog before unlocking personal accounts; protects against host-resident attacks [coxR8_2002]

Subtopic: data security

Quote: to ensure security, a reference monitor must be tamper proof, invoked on every data reference, and small enough to be proven correct [kargPA6_1974]
Quote: security rings and memory segmentation might be provably secure; e.g., Multics, a descriptor-based system [kargPA6_1974]

Subtopic: content security

Quote: the Superfingerprint server delivers content identification (e.g. an execution trace), content hashes, and signature verification pairs; verifies authorship [rabiMO10_2005]
Quote: if the Shield system identifies content, it verifies that current usage matches the usage policy allowed by a tag; no duplicate tags [rabiMO10_2005]

Subtopic: implicit authorization

Quote: selecting a file grants a program authority to open the file for reading [yeeKP12_2002]

Subtopic: revoke authorization

Quote: revoke authorities to keep the actor-ability state manageable [yeeKP12_2002]

Subtopic: usage rules

Quote: bug detectors for thread correctness, performance issue, security violation, usage bug, dropped exception, null pointer, open stream, unchecked return, unconditional wait [hoveD12_2004]
Quote: ESP checks very large C/C++ programs with a finite state machine of syntactic code patterns; most branches are irrelevant; e.g., security properties over a million lines with 25 false errors [laruJR5_2004]
Quote: safety check of untrusted machine code by typestate analysis; allows manipulation of host data structures; checks array bounds, address alignment, initialization, null pointers, stack manipulation [xuZ6_2000]
Quote: use PQL for runtime security protection; dynamically detect and correct SQL injection, cross-site scripting, and path traversal attacks [martM10_2005]

Subtopic: security key

Quote: a key is a secret and the context for using the secret; e.g., the protocol, user, and other parameters [coxR8_2002]
Quote: Plan 9 uses plain text keys which may be read by users; centrally stored and managed [coxR8_2002]

Subtopic: secure channel

Quote: a secure OS needs a trusted path to trusted software that cannot be impersonated; is a login screen valid? [schnB_2000]
Quote: A channel is secure if every message comes from the same process [wobbE2_1994]
Quote: if Q is a key, 'Q says P=>Q' if Q signs P=>Q; requires a secure channel or a local key [lampBW6_2004]

Subtopic: chain of trust

Quote: in a certificate, the '-|' (turnstile marker) following the subject controls whether another authorization may follow the current one; combinations of implications are only allowed if the markers match [elieJE5_1998]
Quote: extend the trust that users have in a trusted platform to commodity devices; e.g., verify security hardware of commodity device; how to extend trust to remote computers [parnB6_2012]
Quote: a chain of trust by links of the form "Principal P speaks for principal Q about statements in set T"; e.g., key K_Tom speaks for Tom@Gov about everything [lampBW6_2004]
Quote: a proof of authority consists of verifiable statements; logic of authentication; e.g., Bob speaks for Alice regarding the statements in set T [howeJ_2000]
Quote: a verifier, guard, or auditor establishes a link in the chain of trust [lampBW6_2004]
Quote: 'principal says delegation' is evidence for trust; why trust the principal?, who says?, why is the principal willing? [lampBW6_2004]
Quote: A says S means that principal A supports the statement S; A speaks for B (A=>B) means that if A makes a statement, so does B [wobbE2_1994]
Quote: with hierarchical naming, it is an axiom that a parent speaks for the children; the child delegates authority to the parent [lampBW6_2004]
Quote: every key is the root of a name space; by signing Q==>K/N, Q speaks for K/N [lampBW6_2004]
Quote: can establish manually that K_intel==>Intel; allows K_intel to say K_Alice==>Alice@Intel [lampBW6_2004]
Quote: believe K_Alice==> by trusting that K_com==>com; e.g., as signed by Verisign [lampBW6_2004]
Quote: a secure hash of a program image is a principal that can not make statements about trust; must be loaded by a trusted host [lampBW6_2004]
Quote: a capability is a signed delegation for a complete chain of trust; e.g., an open file descriptor; efficient; more complicated setup and revocation [lampBW6_2004]
Quote: a chain of trust is a proof of an access control decision; store in a tamper-resistant log for auditing and accountability [lampBW6_2004]

Subtopic: least privilege

Quote: least privilege; every program and every user of the system should operate using the least set of privileges necessary to complete the job; same as the military's need-to-know [saltJH9_1975]

Subtopic: separation of duty

Quote: separation of duty is a conjunction of principals who make the same statement separately; helps prevent insider fraud [lampBW6_2004]
Quote: a seal provides separation of privilege; it protects the internal fields of an object; another capability protects access to the object; a program may hold the seal while a user holds the capability [saltJH9_1975]

Subtopic: security by defense in depth

Quote: improved security through defense in depth; e.g., door locks, window alarms, and motion sensors [schnB_2000]
Quote: for good security, watch the watchers; e.g., banks and casinos [schnB_2000]

Subtopic: security by choke point

Quote: a choke point forces users into a narrow channel for easier monitoring and control; e.g., turnstiles, checkout lanes, doors, firewalls, routers, fraud detectors [schnB_2000]

Subtopic: security by compartments, namespace

Quote: compartmentalize security; limit damage from a successful attack; e.g., door keys, user accounts, encrypted files [schnB_2000]
Quote: hierarchical and protected namespaces permit trust to be assigned with low cost separation between namespace subsets [kampPH7_2004]
Quote: the jail model substitutes namespace limits for security labels; semi-permeable partitioning of files, processes, and network; no super-user privileges; simple and efficient [kampPH7_2004]
Quote: an attacker's activities are constrained by the jail and fully visible to the administrator; the jail administrator can inspect anything in the jail [kampPH7_2004]
Quote: namespace limits prevent access to objects that cannot be named; simple implementation and user-comprehensible behavior [kampPH7_2004]
Quote: each principal has a root directory of retained objects [dennJB3_1966]

Subtopic: fail securely, fail-safe

Quote: systems should fail securely, i.e., fail-safe; if a firewall crashes, it should not let in any packets [schnB_2000]

Subtopic: respond to attacks

Quote: respond to attacks, otherwise detection is a waste [schnB_2000]
Quote: be vigilant; for detection and response to be effective, it must work always; be prepared for an attack [schnB_2000]
Quote: recover quickly from attacks; preventative countermeasures fail all the time; field upgrades [schnB_2000]

Subtopic: untrusted programs and domains

Quote: creating an object has two steps -- locate the code description, define it into a live object; the first should be open and extensible, the second, tightly controlled [gongL11_2011]
Quote: sandbox untrusted programs in a completely separate world with separate folders, history, Web cache, etc. [lampBW6_2004]
Quote: only communication with untrusted domains by explicit copy or network file share [lampBW6_2004]
Quote: a restricted token is a disjunction of principals who must receive access together; e.g., a flaky program can only touch objects that explicitly grant access to the program and another principal [lampBW6_2004]

Subtopic: security as authorization

Quote: the gold standard for security consists of authenticating principals, authorizing access, and auditing the guard's decisions [lampBW6_2004]
Quote: limit damage via the principle of least authority; at the process or object level [karpAH12_2003]
Quote: limit damage instead of preventing security attacks [karpAH12_2003]
Quote: is the key that signed this request authorized to take this action? [blazM_1999]
Quote: explicitly designate the source of any authority [shapJS1_2002]
Quote: type checking ensures well-defined operations on data; security checking ensures authorization to execute operations [brinP_1973]
Quote: CapaFS uses capability file names for ubiquitous access and delegation; separates user identification from authorization [regaJT8_2001]

Subtopic: security as identity, principal

Quote: detect counterfeits with microscopic dielets embedded in electronic component packaging; dielets are near-field RFID chips [ralsP8_2016]
Quote: the principal is the agent of accountability inside a computer system; even though responsibility for any specific action of a processor is shared among the user, the programmer, and system maintainer [saltJH9_1975]
Quote: the domain of a principal is all objects which the principal has been authorized to use [saltJH9_1975]
Quote: for dynamic authorization of sharing within a computer, there must be some previous communication from the recipient to the sender, external to the system; compare the recipient's principal to the external authorization [saltJH9_1975]
Quote: an identity-based cryptosystem uses a trusted key generation computer to generate a public key/private key pair; the public key is the user's network identity for encryption and digital signature [shamA_1984]
Quote: a principal is an individual or group who is charged for system resources [dennJB3_1966]

Subtopic: guaranteed newness, fresh

Quote: a bit-pattern is fresh if any use must be recent; an encrypted nonce may appear fresh, but the key may be old and possibly compromised [abadM1_1996]
Quote: a counter may be a nonce if it is protected against replay; an encrypted counter can guarantee newness [abadM1_1996]

Subtopic: security and encryption

Quote: encryption is not synonymous with security; its improper use can lead to errors [abadM1_1996]

Subtopic: security policy

Quote: apply security policies to groups of machines; e.g., private access to home folder, shared access to workgroup folders, vendor-approved releases, signed programs [lampBW6_2004]
Quote: report all exceptions to a security policy; report all changes to a previous set of exceptions [lampBW6_2004]
Quote: specify a security policy in terms of sensitive store locations; i.e., locations or files which an applet must not modify [leroX1_1998]
Quote: simple types are too coarse for a security policy; e.g., a string can be a message, a file name, or a cryptographic key [leroX1_1998]
Quote: does this set of credentials prove that a request complies with the local security policy? [blazM_1999]
Quote: a local security policy usually delegates authorization to trusted credential issuers [blazM_1999]
Quote: a secure program accesses resources as defined by an audited security policy, including execution time [hartPH12_2001]

Subtopic: user input, attacker-exposed code

Quote: for safety, attacker-exposed code must exhaustively vet input; but guarding against all possibilities is complex and difficult; even a single equality conditional can derail random fuzz testing [cadaC10_2006]

Subtopic: security setup

Quote: security setup contributes nothing to useful output; only noticed if audit or attack [lampBW6_2004]
Quote: security setup consists of folder structure, access control lists, group memberships, passwords, installed software, trusted machines [lampBW6_2004]

Subtopic: secrecy

Quote: authenticity concerns data sources and timeliness while secrecy concerns data destinations [abadM9_1999]
Quote: a defender has knowledge of the terrain; keep it obscure; leverage unpredictability in security systems [schnB_2000]

Subtopic: automated security

Quote: Unix programmer's workbench protected data automatically; reduced housekeeping chores [doloTA7_1978]

Subtopic: history

Quote: a hardware descriptor register isolates virtual processors from each other; base and bound values; developed in the late 50s for time sharing, reliable multiprogramming, and naming scope rules [saltJH9_1975]
Quote: Java 1.0's sandbox, while simple, led to complicated design, fragile code, and numerous security bugs [gongL11_2011]
Quote: multi-programming needs meta-instructions for parallel processing, naming, and protection [dennJB3_1966]
Quote: duplicating private data at a fork came from Witsenhausen [dennJB3_1966]

Related

Group: distributed systems
Group: operating system
Group: program proving
Group: testing
Group: type checking
Topic: automated testing
Topic: debugging by usage rules
Topic: distributed algorithms
Topic: dynamic analysis for program validation
Topic: error checking in robot programming
Topic: error safe systems
Topic: flavor analysis and typestates for supplementary type checking
Topic: implementation of hypertext databases
Topic: message protocols
Topic: mobile code
Topic: programming without errors
Topic: random number generation
Topic: reliability of distributed systems
Topic: replicated data
Topic: roles
Topic: safety critical systems
Topic: static analysis for program validation
Topic: trust
Topic: type checking by trademark
Topic: type-safe and secure languages
Topic: using hypertext for cooperative work

Subtopics

attack resilience
automated security
automated testing
automatic security
chain of trust
content security
data security
design principles
encapsulate state
enforced interactions
external verifier
fail securely, fail-safe
guaranteed newness, fresh
guarded partitions
human error
implicit authorization
information flow
least privilege
multiparty protocol
owned secrets
production security
respond to attacks
revoke authorization
secure channel
secure language
secure message
secure server
secure storage
secure system
security and change
security and encryption
security as a formal system
security as authorization
security as challenge-response
security as identity, principal
security by choke point
security by compartments, namespace
security by defense in depth
security by dispersal
security is not secrecy
security kernel or reference monitor
security key
security model
security policy
security server
security setup
separation of duty
shared files
sharing by list or ticket
threat model
trust management, security system
trusted platform
untrusted programs and domains
usable security
usage rules
user input, attacker-exposed code
user perspective
visible security
weakest link
white hat infiltration

Updated barberCB 6/05
Copyright © 2002-2023 by C.B. Barber
Thesa, Avev, and thid-... are trademarks of C.B. Barber