Editor: 飞翔的荷兰人 | 2017-10-07 |
6 April 2011, Lampson: 9

Access Control: The Gold Standard

- Authenticate principals: who made a request?
  - Mainly people, but also channels, servers, programs (encryption implements channels, so a key is a principal)
- Authorize access: who is trusted with a resource?
  - Group principals or resources, to simplify management
  - Can define by a property, e.g. "type-safe" or "safe for scripting"
- Audit: who did what when?

Lock = Authenticate + Authorize
Deter = Authenticate + Audit

[Figure: a request flows from the Agent / Principal (source) through the Guard / Reference monitor to the Object / Resource (sink); the guard performs Authentication and Authorization, consults the Policy, and writes an Audit log. Labels: 1. Isolation boundary, 2. Access control, 3. Policy.]
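As an added example (not from Lampson's slides), a small guard in Python that puts the three pieces together: a channel key acts as the principal for authentication, groups stand in for individual principals in the policy, and every decision lands in an audit log. Lock mode is Authenticate + Authorize, deter mode is Authenticate + Audit. The key names, principals and resources are constructed for the demo.

```python
"""Reference monitor (guard) in the shape of Lampson's gold standard:
authenticate, authorize, audit.  Added example, not Lampson's code.
All keys, principals and resources below are constructed for the demo."""
import hashlib
import hmac
import time

# Authentication: a channel key is itself a principal.  The guard maps a
# verified key (never a name asserted inside the request) to who it speaks for.
CHANNEL_KEYS = {b"demo-key-alice": "alice", b"demo-key-srv": "backup-server"}
# Grouping principals simplifies management: the policy names groups.
GROUPS = {"admins": {"alice"}, "services": {"backup-server"}}
# Authorization policy: resource -> {operation: allowed principals or groups}.
ACL = {"payroll.db": {"read": {"admins"}, "write": {"admins"}},
       "logs/": {"read": {"admins", "services"}, "write": {"services"}}}
AUDIT_LOG = []  # who did what when; the basis for deterrence, not locking

def sign(key, request):
    """What the sender's channel does: a MAC over the request (constructed helper)."""
    return hmac.new(key, request.encode(), hashlib.sha256).hexdigest()

def authenticate(request, tag):
    """Return the principal whose key produced `tag` over `request`, else None."""
    for key, principal in CHANNEL_KEYS.items():
        if hmac.compare_digest(sign(key, request), tag):  # constant-time compare
            return principal
    return None

def authorize(principal, resource, op):
    """True if the principal, directly or via a group, may perform op on resource."""
    allowed = ACL.get(resource, {}).get(op, set())
    return principal in allowed or any(principal in GROUPS.get(g, ()) for g in allowed)

def guard(request, tag, mode="lock"):
    """mode='lock': Authenticate + Authorize.  mode='deter': Authenticate + Audit,
    i.e. any authenticated principal gets through, but the log attributes the act."""
    principal = authenticate(request, tag)
    op, resource = request.split(" ", 1)
    if principal is None:
        decision = "deny:unauthenticated"
    elif mode == "lock" and not authorize(principal, resource, op):
        decision = "deny:unauthorized"
    else:
        decision = "allow"
    AUDIT_LOG.append((time.time(), principal, op, resource, decision))
    return decision
```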
Accountability

- Real-world security is about deterrence, not locks
- On the net, can't find bad guys, so can't deter them
- Fix? End nodes enforce accountability
  - Refuse messages that aren't accountable enough
  - or strongly isolate those messages
- Senders are accountable if you can punish them
  - With dollars, ostracism, firing, jail, ...
- All trust is local
- Need an ecosystem for
  - Senders becoming accountable
  - Receivers demanding accountability
  - Third-party intermediaries
Accountability vs. Access Control

- "In principle" there is no difference, but
  - Accountability is about punishment, not access
  - Hence audit is critical
  - But coarse-grained control is OK; fix errors later
Freedom with Accountability?

- Partition the world into two parts:
  - Green: more safe / accountable
  - Red: less safe / unaccountable
- Red / green has two aspects, mostly orthogonal
  - User experience
  - Isolation mechanism
- Green world needs professional management
Red | Green

[Figure: two columns. Red side: "My Red Computer", less valuable assets, N attacks/year on less valuable assets, less trustworthy and less accountable entities. Green side: "My Green Computer", more valuable assets, m attacks/year on more valuable assets, more trustworthy and more accountable entities. N >> m. Entities: programs, network hosts, administrators.]
Isolation Hosts and Channels

- Host runs Execution Environments (EEs) and channels between EEs
- Host itself is ........