CS 513 - System Security
Lecture 3

Lecturer: Professor Fred B. Schneider
Notes by: Vicky Weissman
Lecture Date: 2/3/00

Today's Topics

Policy Vs. Mechanism

A policy is a specification. It's what you want.
A mechanism is an implementation. It's how you get what you want.
A mechanism should be designed to support various policies.

Principle of Least Privilege

The Principle of Least Privilege dictates that each task, process, or user (generically referred to as a subject or a principal) is granted exactly those rights needed to perform its job. In spy movies, following the Principle of Least Privilege is equivalent to operating on a need-to-know basis.

To create a system that follows the Principle of Least Privilege, you must determine what the subjects are, what set of privileges should be given to each subject, and how/when should the set change. Often, a set of privileges will change based on the corresponding subject's previous actions (such as file accesses) or on the context (such as which machine is being used.)

Every real-world system violates the Principle of Least Privilege, since regulating every bit and every instruction is not reasonable. Real systems, however, do practice the Principle of Least Privilege at a higher level. For example, if complete mediation is done, then every access to every object is checked.

In accordance with the Principle of Least Privilege, failsafe defaults require explicit permission before an access is granted. This method detects permission errors automatically, since denial of legitimate access will cause complaints.

Separation of Privilege facilitates the Principle of Least Privilege by requiring each privilege to have a distinct key/means of access.

Ways to Build Secure Systems


Definitions: Goals:

Designing cryptosystems is difficult to get right. There are only handful of good cryptographers in the world.