QuoteRef: lampBW6_2004

topics > all references > ThesaHelp: references i-l

security leaks and weaknesses
security by audit trail
security by access rights
security by secure domains
hierarchical naming
one-way hash function
public key encryption
file input/output
security by capabilities


Lampson, B.W., "Computer security in the real world", Computer, June 2004, pp. 37-46. Google

37 ;;Quote: computers should be as secure as real-world systems, and people believe it; real-world systems are not very secure
38 ;;Quote: real-world security balances value, locks, and punishment; e.g., use locks to prevent casual intrusion
38 ;;Quote: perfect security is expensive and inconvenient; e.g., safe deposit box
38 ;;Quote: security setup constributes nothing to useful output; only noticed if audit or attack
38+;;Quote: security setup consists of folder structure, access control lists, group memberships, passwords, installed software, trusted machines
39 ;;Quote: security is needed for secrecy, integrity of resources, availability, and accountability
40 ;;Quote: use information-flow control for secrecy under bad programs; guards decide if information can flow to a principal
40 ;;Quote: the gold standard for security consists of authenticating principals, authorizing access, and auditing the guard's decisions
41 ;;Quote: simplify user security as my documents, shared documents, and public documents in separate directories; vendors and administrators handle everything else
41 ;;Quote: classify all programs as trusted or untrusted; by signature or explicit trust
41+;;Quote: sandbox untrusted programs in a completely separate world with separate folders, history, Web cache, etc.
41+;;Quote: only communication with untrusted domains by explicit copy or network file share
41 ;;Quote: apply security policies to groups of machines; e.g., private access to home folder, shared access to workgroup folders, vendor-approved releases, signed programs
41+;;Quote: report all exceptions to a security policy; report all changes to a previous set of exceptions
42 ;;Quote: a chain of trust by links of the form "Principal P speaks for principal Q about statements in set T"; e.g., key K_Tom speaks for Tom@Gov about everything
43 ;;Quote: a verifier, guard, or auditor establishes a link in the chain of trust
43+;;Quote: 'principal says delegation' is evidence for trust; why trust the principal?, who says?, why is the principal willing?
43+;;Quote: if Q is a key, 'Q says P=>Q' if Q signs P=>Q; requires a secure channel or a local key
43 ;;Quote: with hierarchical naming, it is an axiom that a parent speaks for the children; the child delegates authority to the parent
43 ;;Quote: every key is the root of a name space; by signing Q==>K/N, Q speaks for K/N
43 ;;Quote: can establish manually that K_intel==>Intel; allows K_intel to say K_Alice==>Alice@Intel
43+;;Quote: believe K_Alice==> by trusting that K_com==>com; e.g., as signed by Verisign
44 ;;Quote: a secure hash of a program image is a principal that can not make statements about trust; must be loaded by a trusted host
44 ;;Quote: a public-key certificate is a secure answer to a predetermined query; may broadcast via an untrusted systems; generate on a tightly secured system
45 ;;Quote: a capability is a signed delegation for a complete chain of trust; e.g., an open file descriptor; efficient; more complicated setup and revocation
45 ;;Quote: separation of duty is a conjunction of principals who make the same statement separately; helps prevent insider fraud
45 ;;Quote: a restricted token is a disjunction of principals who must receive access together; e.g., a flaky program can only touch objects that explicitly grant access to the program and another principal
45 ;;Quote: a chain of trust is a proof of an access control decision; store in a tamper-resistant log for auditing and accountability
45+;;Quote: detection and punishment are the primary instruments of security

Related Topics up

Group: security   (23 topics, 874 quotes)
Topic: security leaks and weaknesses (67 items)
Topic: authentication (93 items)
Topic: security by audit trail (18 items)
Topic: security by access rights (38 items)
Topic: security by secure domains (45 items)
Topic: hierarchical naming (28 items)
Topic: one-way hash function (24 items)
Topic: public key encryption (30 items)
Topic: file input/output (21 items)
Topic: security by capabilities (65 items)

Collected barberCB 6/04
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.