Principles: Threat Models, Trusted Computing Bases, and Design Principles
Topics and Goals
- Threat modeling and case study
- Goal: Develop (formal and informal) threat models for modern systems.
- Trusted Computing Bases (TCBs)
- Goal: Understand the definition of a TCB
- Goal: Identify the TCB for a novel system
- Design principles for secure systems
- Goal: Justify fundamental security principles
- Goal: Apply them to the analysis of novel situations
Threat Models
- What is the defining characteristic of security?
- What is a security mindset?
- What does a threat model include?
- Assets
- System’s goals
- What are typical system goals?
- Adversary definition
- How do we define an adversary model?
- Why don’t we include the adversary’s strategy?
- How can we compare adversaries?
- How do we define an adversary model?
-
How can we categorize defenses?
- E-Voting case study
Trusted Computing Bases (TCB)
- What is the TCB?
- What’s the difference between something that is Trusted vs Trustworthy?
- Why do we need a TCB?
- What are the qualities of an ideal TCB?
General Design Principles
- Summary:
- Economy of mechanism a.k.a KISS
- Fail-safe defaults
- Don’t rely on security by obscurity
- Complete mediation
- Least privilege
- Separation of duty
- Defense in depth
- Factor in users/acceptance/psychology
- Work factor/economics
- Why is each one important?
- Give a positive and negative example of each