Information Security
Mamoona Jabbar
Security Principles
• Security refers to protecting your information from any
unauthorized access or any kind of loss.
• To make any system, requirement gathering is important.
• Security is a system requirement just like performance,
capability, cost, etc. Therefore, it may be necessary to trade off
certain security requirements to gain others.
• These requirements are directly proportional to each other.
Security Principles
• A trade-off is a situational decision that involves diminishing or
losing one quality, quantity or property of a set or design in
return for gains in other aspects.
• A trade-off is where one thing increases and another must
decrease.
Protection Mechanism
Design principles for protection Mechanisms
• Least privilege
• Economy of mechanism
• Complete mediation
• Open design
• Separation of privilege
• Least common mechanism
• Psychological acceptability
• Fail-safe defaults
Saltzer and Schroeder 1975
Least Privilege
• The Principle of Least Privilege states that a subject should be
given only those privileges needed for it to complete its task.
• “Need to know”: if the subject does not need access to an object
to perform its task, it should not have the right to access that
object.
• Should only have the rights necessary to complete your task.
• Default should be lack of access.
• If access is needed temporarily, then it should be rescinded right
after use.
Least Privilege
Example: The UNIX operating system does not apply access
controls to the user root. That user can terminate any process and
read, write, or delete any file. Thus, users who create back-ups can
also delete files. The administrator account on Windows has the
same powers.
Economy of Mechanism
The principle of economy of mechanism states that security
mechanisms should be as simple as possible. If a design and
implementation are simple, fewer possibilities exist for errors. The
checking and testing process is less complex, because fewer
components and cases need to be tested.
Economy of Mechanism
• Sufficiently small and simple as to be verified and implemented,
e.g., a security kernel
• Simpler means less can go wrong, and when errors occur, they are
easier to understand and fix
• Complex mechanisms may not be correctly:
• Understood
• Modeled
• Configured
• Implemented
• Used
• Keep it as simple as possible
• KISS Principle
Class Task
KISS Principle
Keep it Simple and Straightforward
Economy of Mechanism
The ident protocol sends the user name associated with a process
that has a TCP connection to a remote host. A mechanism on host A
that grants access based on the result of an ident protocol request
makes the assumption that the originating host is trustworthy. If
host B decides to attack host A, it can connect and then send any
identity it chooses in response to the ident request. This is an
example of a mechanism making an incorrect assumption about the
environment (specifically, that host B can be trusted).
Complete Mediation
The principle of complete mediation requires that all accesses to
objects be checked to ensure they are allowed.
Whenever a subject attempts to read an object, the operating system
should mediate the action. First, it determines if the subject can
read the object. If so, it provides the resources for the read to occur.
If the subject tries to read the object again, the system should again
check that the subject can still read the object. Most systems would
not make the second check. They would cache the results of the
first check, and base the second access upon the cached results.
Complete Mediation
• Every access to every object must be checked
• Must be efficient
• In addition to normal runtime, must be done at:
• Initialization
• Shutdown
• Restart
Complete Mediation
Example
When a UNIX process tries to read a file, the operating system
determines if the process is allowed to read the file. If so, the
process receives a file descriptor encoding the allowed access.
Whenever the process wants to read the file, it presents the file
descriptor to the kernel. The kernel then allows the access. If the
owner of the file disallows the process permission to read the file
after the file descriptor is issued, the kernel still allows access. This
scheme violates the principle of complete mediation, because the
second access is not checked. The cached value is used, resulting in
the denial of access being ineffective.
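The file-descriptor example above, reproduced as an added Python demonstration (not part of the slides): the permission check happens once at open(), so revoking the owner's read permission afterwards does not stop reads through the descriptor already held, while a fresh open() is mediated again and refused.

```python
import os
import stat
import tempfile

# Added example: show that a UNIX file descriptor caches the access
# decision made at open() time. The file name and contents are constructed.

def revoke_after_open(data: bytes = b"secret payroll data\n") -> dict:
    """Open a file, revoke read permission, then try both access paths.

    Returns flags describing what the kernel allowed:
      fd_read_ok    - read through the already-open descriptor succeeded
      reopen_denied - a fresh open() after the chmod was refused
      is_root       - caller bypasses mode bits (root does), so the
                      refusal cannot be observed in that case
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "payroll.txt")
        with open(path, "wb") as f:
            f.write(data)

        # First access: the kernel checks permission here and hands out an fd.
        fd = os.open(path, os.O_RDONLY)
        try:
            # The owner now revokes every permission bit on the file.
            os.chmod(path, 0)

            # Second access via the cached fd: no re-check, the read succeeds.
            fd_read_ok = os.read(fd, len(data)) == data

            # A new open() goes through mediation again and is denied.
            try:
                fd2 = os.open(path, os.O_RDONLY)
                os.close(fd2)
                reopen_denied = False
            except PermissionError:
                reopen_denied = True
        finally:
            os.close(fd)
            os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # allow cleanup

    geteuid = getattr(os, "geteuid", None)
    is_root = geteuid is not None and geteuid() == 0
    return {"fd_read_ok": fd_read_ok, "reopen_denied": reopen_denied,
            "is_root": is_root}


if __name__ == "__main__":
    print(revoke_after_open())
```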
Open design
The principle of open design states that the security of a
mechanism should not depend on the secrecy of its design or
implementation.
Designers and implementers of a program must not depend on
secrecy of the details of their design and implementation to ensure
security.
• “Security through obscurity” is a bad idea
• Should be open for scrutiny by the community
• Better to have a friend/colleague find an error than a foe
Open Design
Example:
The Content Scrambling System (CSS) is a cryptographic
algorithm that protects DVD movie disks from unauthorized
copying. The DVD disk has an authentication key, a disk key,
and a title key. The title key is enciphered with the disk key.
Diebold Voting Machines
Separation of privilege
• The principle of separation of privilege states that a system
should not grant permission based upon a single condition.
• Access to objects should depend on more than one condition
being satisfied
• Separation of duty
• Two person rule
Separation of privilege
This principle is equivalent to the separation of duty principle.
Company checks for over $75,000 must be signed by two officers
of the company. If either does not sign, the check is not valid. The
two conditions are the signatures of both officers.
Similarly, systems and programs granting access to resources
should do so when more than one condition is met. This provides a
fine grained control over the resource, and additional assurance that
the access is authorized.
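The two-officer rule for checks over $75,000, written as an approval policy (an added Python example, not from the slides). The officer identifiers and the list of "signatures" are constructed stand-ins for a real signing mechanism; the point is that no single condition suffices above the threshold, and one officer signing twice does not count as two.

```python
from dataclasses import dataclass, field

# Added example: separation of privilege as a two-person rule.
TWO_SIGNATURE_THRESHOLD = 75_000  # dollars, threshold from the slide


@dataclass
class Check:
    payee: str
    amount: int
    signatures: list = field(default_factory=list)  # officer ids who signed


def is_valid(check: Check, officers: set) -> bool:
    """Return True only when every required condition is met.

    - Every signature must come from a recognised officer.
    - Over the threshold, two *distinct* officers must have signed.
    - At or below the threshold, one officer's signature is enough.
    - No signatures at all is never valid (fail-safe).
    """
    signers = set(check.signatures)          # collapses duplicate signings
    if not signers or not signers <= officers:
        return False                          # unknown signer voids the check
    if check.amount > TWO_SIGNATURE_THRESHOLD:
        return len(signers) >= 2              # two independent conditions
    return True


if __name__ == "__main__":
    officers = {"cfo", "ceo", "treasurer"}    # constructed sample data
    print(is_valid(Check("Vendor B", 100_000, ["cfo"]), officers))         # False
    print(is_valid(Check("Vendor B", 100_000, ["cfo", "ceo"]), officers))  # True
```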
Least Common Mechanism
• The principle of least common mechanism states that
mechanisms used to access resources should not be shared.
• Sharing resources provides a channel along which information
can be transmitted, and so such sharing should be minimized.
• Minimize the amount of mechanism common to more than one
user and depended on by all users
• Every shared mechanism is a potential information path
Least Common Mechanism
Example:
A web site provides electronic commerce services for a major
company. Attackers want to deprive the company of the revenue
they obtain from that web site. They flood the site with messages,
and tie up the electronic commerce services. Legitimate customers
are unable to access the web site and, as a result, take their business
elsewhere.
Psychological Acceptability
The principle of psychological acceptability states that security
mechanisms should not make the resource more difficult to access
than if the security mechanisms were not present.
• Configuring and executing a program should be as easy and as
intuitive as possible, and any output should be clear, direct, and
useful.
• User interface must be easy to use, so that users routinely and
automatically apply the mechanisms correctly. Otherwise, they
will be bypassed
• Security mechanisms should not add to difficulty of accessing
resource
Psychological Acceptability
Example:
When a user supplies the wrong password during login, the system
should reject the attempt with a message stating that the login
failed. If it were to say that the password was incorrect, the user
would know that the account name was legitimate. If the “user”
were really an unauthorized attacker, she now knows an account for
which she can try to guess a password.
Fail-Safe Defaults
The Principle of Fail-Safe Defaults states that, unless a subject is
given explicit access to an object, it should be denied access to that
object.
This principle requires that the default access to an object is none.
Even if the program fails, the system is still safe.
• The default is lack of access
• Need to argue why a user should have access. Do not argue
why a user should not have access
• If action fails, system as secure as when action began
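An added Python illustration (not from the slides) of fail-safe defaults against its fail-open counterpart: access is granted only by an explicit ACL entry, and a missing object or a malformed policy entry denies rather than allows. The ACL, subjects and object names are constructed sample data.

```python
# Added example: fail-safe default versus fail-open access checks.
# Constructed ACL: object -> {subject: set of permitted actions}.
# The "*" subject is an explicit grant to everyone, not an implicit one.
ACL = {
    "/payroll.db": {"alice": {"read"}, "hr-service": {"read", "write"}},
    "/public/faq": {"*": {"read"}},
    "/broken":     None,   # malformed entry to exercise the error path
}


def lookup_permissions(acl: dict, obj: str, subject: str) -> set:
    """Collect explicit grants; raises on unknown object or bad entry."""
    entry = acl[obj]                       # KeyError if object is unknown
    return entry.get(subject, set()) | entry.get("*", set())


def authorize_fail_open(acl, subject, action, obj) -> bool:
    """Anti-pattern: an evaluation failure grants access."""
    try:
        return action in lookup_permissions(acl, obj, subject)
    except Exception:
        return True                        # BUG: failure => allowed


def authorize(acl, subject, action, obj) -> bool:
    """Fail-safe: only an explicit entry grants; any failure denies.

    The caller must argue why access should exist (an ACL entry);
    nothing has to argue why it should not.
    """
    try:
        permitted = lookup_permissions(acl, obj, subject)
    except Exception:
        return False                       # system as secure as before
    return action in permitted


if __name__ == "__main__":
    for checker in (authorize_fail_open, authorize):
        print(checker.__name__, checker(ACL, "bob", "read", "/broken"))
```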
REFERENCE
https://www.us-cert.gov/bsi/articles/knowledge/principles/psychological-acceptability#:~:text=The%20principle%20of%20psychological%20acceptability,clear%2C%20direct%2C%20and%20useful.

Security Principles and Protection Mechanism