37 ;;Quote: computers should be as secure as real-world systems, and people believe it; real-world systems are not very secure
|
38 ;;Quote: real-world security balances value, locks, and punishment; e.g., use locks to prevent casual intrusion
|
38 ;;Quote: perfect security is expensive and inconvenient; e.g., safe deposit box
|
38 ;;Quote: security setup constributes nothing to useful output; only noticed if audit or attack
|
38+;;Quote: security setup consists of folder structure, access control lists, group memberships, passwords, installed software, trusted machines
|
39 ;;Quote: security is needed for secrecy, integrity of resources, availability, and accountability
|
40 ;;Quote: use information-flow control for secrecy under bad programs; guards decide if information can flow to a principal
|
40 ;;Quote: the gold standard for security consists of authenticating principals, authorizing access, and auditing the guard's decisions
|
41 ;;Quote: simplify user security as my documents, shared documents, and public documents in separate directories; vendors and administrators handle everything else
|
41 ;;Quote: classify all programs as trusted or untrusted; by signature or explicit trust
|
41+;;Quote: sandbox untrusted programs in a completely separate world with separate folders, history, Web cache, etc.
|
41+;;Quote: only communication with untrusted domains by explicit copy or network file share
|
41 ;;Quote: apply security policies to groups of machines; e.g., private access to home folder, shared access to workgroup folders, vendor-approved releases, signed programs
|
41+;;Quote: report all exceptions to a security policy; report all changes to a previous set of exceptions
|
42 ;;Quote: a chain of trust by links of the form "Principal P speaks for principal Q about statements in set T"; e.g., key K_Tom speaks for Tom@Gov about everything
|
43 ;;Quote: a verifier, guard, or auditor establishes a link in the chain of trust
|
43+;;Quote: 'principal says delegation' is evidence for trust; why trust the principal?, who says?, why is the principal willing?
|
43+;;Quote: if Q is a key, 'Q says P=>Q' if Q signs P=>Q; requires a secure channel or a local key
|
43 ;;Quote: with hierarchical naming, it is an axiom that a parent speaks for the children; the child delegates authority to the parent
|
43 ;;Quote: every key is the root of a name space; by signing Q==>K/N, Q speaks for K/N
|
43 ;;Quote: can establish manually that K_intel==>Intel; allows K_intel to say K_Alice==>Alice@Intel
|
43+;;Quote: believe K_Alice==>Alice@intel.com by trusting that K_com==>com; e.g., as signed by Verisign
|
44 ;;Quote: a secure hash of a program image is a principal that can not make statements about trust; must be loaded by a trusted host
|
44 ;;Quote: a public-key certificate is a secure answer to a predetermined query; may broadcast via an untrusted systems; generate on a tightly secured system
|
45 ;;Quote: a capability is a signed delegation for a complete chain of trust; e.g., an open file descriptor; efficient; more complicated setup and revocation
|
45 ;;Quote: separation of duty is a conjunction of principals who make the same statement separately; helps prevent insider fraud
|
45 ;;Quote: a restricted token is a disjunction of principals who must receive access together; e.g., a flaky program can only touch objects that explicitly grant access to the program and another principal
|
45 ;;Quote: a chain of trust is a proof of an access control decision; store in a tamper-resistant log for auditing and accountability
|
45+;;Quote: detection and punishment are the primary instruments of security
|