Principles: Threat Models, Trusted Computing Bases, and the “Gold” Standard

Topics and Goals

  • Threat modeling and case study
    • Goal: Develop (formal and informal) threat models for modern systems.
  • Trusted Computing Bases (TCBs)
    • Goal: Understand the definition of a TCB
    • Goal: Identify the TCB for a novel system
  • Lampson’s “gold” standard techniques
    • Authentication, Authorization, Audit
    • Goal: Identify mechanisms for achieving each
    • Goal: Distinguish between authentication & authorization

Threat Models

  • What is the defining characteristic of security?
  • What is a security mindset?
  • What does a threat model include?
    • Assets
    • System’s goals
      • What are typical system goals?
    • Adversary definition
      • How do we define an adversary model?
        • Why don’t we include the adversary’s strategy?
      • How can we compare adversaries?
  • How can we categorize defenses?

  • E-Voting case study

Trusted Computing Bases (TCB)

  • What is the TCB?
  • What’s the difference between something that is Trusted vs Trustworthy?
  • Why do we need a TCB?
  • What are the qualities of an ideal TCB?

“Gold” Standard

  • Three core principles for reasoning about secure systems:
    • Authentication: Who is it?
    • Authorization: What can they do?
    • Audit: What happened?
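
The three principles are easiest to tell apart in code. The following reference monitor is an added example, not material from the lecture: authentication (UserStore.authenticate) establishes who the caller is, authorization (ReferenceMonitor.access) decides whether that principal holds a right on an object, and audit (audit_log) records every decision, including denials. The users, passwords, object names and ACL entries are constructed sample data.

```python
"""Minimal reference monitor separating authentication, authorization and audit.

Added illustration (not part of the lecture outline). All names, users,
passwords, objects and ACL entries below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen store does not yield passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class UserStore:
    """Authentication: answers 'who is it?' by checking a credential."""
    _records: dict = field(default_factory=dict)

    def add_user(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[name] = (salt, _hash_password(password, salt))

    def authenticate(self, name: str, password: str):
        """Return the verified principal name, or None on failure."""
        record = self._records.get(name)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            _hash_password(password, bytes(16))
            return None
        salt, stored = record
        if hmac.compare_digest(_hash_password(password, salt), stored):
            return name
        return None


class ReferenceMonitor:
    """Authorization decides 'what can they do?'; audit records 'what happened?'.

    Every access request goes through here (the reference monitor is part of
    the TCB), and every decision, allowed or denied, is written to the log.
    """

    def __init__(self, users: UserStore, acl: dict):
        self.users = users
        # acl maps (principal, object) -> set of rights, e.g. {"read", "write"}.
        self.acl = acl
        self.audit_log: list = []

    def _audit(self, **event) -> None:
        self.audit_log.append(event)

    def login(self, name: str, password: str):
        principal = self.users.authenticate(name, password)
        self._audit(event="login", claimed=name,
                    result="success" if principal else "failure")
        return principal

    def access(self, principal, obj: str, right: str) -> bool:
        # Authorization is a separate decision from authentication: a
        # correctly identified principal can still lack the requested right.
        if principal is None:
            self._audit(event="access", principal=None, object=obj,
                        right=right, result="denied-unauthenticated")
            return False
        allowed = right in self.acl.get((principal, obj), frozenset())
        self._audit(event="access", principal=principal, object=obj,
                    right=right, result="allowed" if allowed else "denied")
        return allowed


def demo() -> ReferenceMonitor:
    """Run a constructed scenario and return the monitor with its audit log."""
    users = UserStore()
    users.add_user("alice", "correct horse")
    users.add_user("bob", "battery staple")
    acl = {
        ("alice", "payroll.db"): {"read", "write"},
        ("bob", "payroll.db"): {"read"},
    }
    rm = ReferenceMonitor(users, acl)

    rm.access(rm.login("alice", "wrong password"), "payroll.db", "read")  # not authenticated
    alice = rm.login("alice", "correct horse")
    rm.access(alice, "payroll.db", "write")      # authenticated and authorized
    bob = rm.login("bob", "battery staple")
    rm.access(bob, "payroll.db", "write")        # authenticated, but not authorized
    return rm


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Running it prints six audit entries: a failed login, an access denied for lack of authentication, a successful login and allowed write for alice, and a successful login followed by a denied write for bob. The last pair is the point of the lecture's distinction: bob is authenticated (the system knows who he is) yet unauthorized (the ACL grants him only read).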