Open Design and Least Privilege Principles

Security Principles

• The KISS principle: Keep it simple, stupid, to reduce the attack surface and increase trust in security mechanisms.

Micro-kernel OS

• A micro-kernel OS has a small attack surface, as the kernel only contains critical functionality.
• All "extra" functionality runs in separate processes or kernel modules.
• Examples: GNU Hurd, seL4 (formally verified).

Fail-Safe Defaults

• A system should have a conservative protection scheme by default (secure "out-of-the-box").
• Users should "opt-in" to less-secure configurations.
• Examples: default username and password settings.

Complete Mediation

• Every access to every object must be checked for authorization.
• Incomplete mediation implies a path exists to bypass a security mechanism.
• Example: Windows checks credentials when accessing a computer, but not when accessing through the printer setup process.

Open Design

• The security of a mechanism should not depend on the secrecy of its design or implementation.
• A system should be secure even if the adversary knows everything about its design and implementation.
• Contrast with "security through obscurity".

Least Privilege

• Subjects should possess the bare minimum authority needed to operate successfully.
• Closely related to separation of privilege.
• Examples: Linux users are not given root or sudo permissions by default, unlike Windows 98.

Least Common Mechanism

• Minimize the amount of mechanism common to more than one user.
• Shared resources represent a potential information path between users and can be abused to leak information.

Psychological Acceptability

• A security mechanism should not make the resource more complicated to access compared to the non-secure case.
• Recognizes the human element in computer security: humans prefer convenience.

Security Approaches

• Four basic approaches to system security: Avoidance, Detection, Prevention, and Recovery + Forensics.