Principles: Threat Models, Trusted Computing Bases, and Design Principles

Topics and Goals

  • Threat modeling and case study
    • Goal: Develop (formal and informal) threat models for modern systems.
  • Trusted Computing Bases (TCBs)
    • Goal: Understand the definition of a TCB
    • Goal: Identify the TCB for a novel system
  • Design principles for secure systems
    • Goal: Justify fundamental security principles
    • Goal: Apply them to the analysis of novel situations

Threat Models

  • What is the defining characteristic of security?
  • What is a security mindset?
  • What does a threat model include?
    • Assets
    • System’s goals
      • What are typical system goals?
    • Adversary definition
      • How do we define an adversary model?
        • Why don’t we include the adversary’s strategy?
      • How can we compare adversaries?
  • How can we categorize defenses?
  • E-Voting case study

Trusted Computing Bases (TCBs)

  • What is the TCB?
  • What’s the difference between something that is trusted vs. something that is trustworthy?
  • Why do we need a TCB?
  • What are the qualities of an ideal TCB?

General Design Principles

  • Summary:
    • Economy of mechanism, a.k.a. KISS
    • Fail-safe defaults
    • Don’t rely on security by obscurity
    • Complete mediation
    • Least privilege
    • Separation of privilege
    • Defense in depth
    • Factor in users/acceptance/psychology
    • Work factor/economics
  • Why is each one important?
  • Give a positive and negative example of each