@@ -258,14 +258,55 @@ zero-trust architectures. We will discuss these developments in a later chapter
258258~~~~~~~~~~~~~~~~~~~~~~~~~~~~
259259
260260This principle states that the amount of mechanism that is common to
261- more than one user should be minimized. In operating systems, this
262- would imply that a piece of mechanism should not be baked into the
263- kernel if it could be provided in some other way, e.g., as a
264- library. This principle, applied in the context of network security,
265- shows up in the end-to-end argument: we avoid putting functions such
266- as encryption into the network when the user is likely to need
267- end-to-end encryption anyway.
261+ more than one user should be minimized. The principle was originally
262+ articulated by Gerald Popek in 1974, where in the context of operating
263+ system design, he argued in favor of minimizing the number of
264+ mechanisms put in the OS kernel. A failure (or security breach) of
265+ such a shared mechanism would impact all users, and so it is better to
266+ provide it in some other way, such as a library running the user's
267+ address space. The failure of such a mechanism then negatively impacts
268+ only that user, and not all users.
269+
270+ The counter argument is that any mechanism that requires privileged
271+ access—e.g., accessing an I/O device or modifying a shared data
272+ structure—must be implemented in a common layer (i.e., the kernel),
273+ but even then, care should be taken to decompose the mechanism so as
274+ to minimize the sub-pieces that are common. Library OS designed during
275+ the 1990s took this argument to its logical conclusion, reducing the
276+ "kernel" to its bare minimum, with most functionality one typically
277+ expects from an OS running as a library co-located with the
278+ application.\ [# ]_
279+
280+ .. [# ] While strictly adhering to the principle of least common
281+ mechanism, Library OSes are not widely adopted in practice,
282+ illustrating that security is only one of many system requirements
283+ taken into consideration.
284+
285+ admonition :: Further Reading
268286
287+ G. Popek. `A Principle of Kernel Design
288+ <https://dl.acm.org/doi/pdf/10.1145/1500175.1500361> `__. Security
289+ Kernel Panel at the AFIPS '74 National Computer Security Conference
290+ and Exposition. May 1974.
291+
292+ D. Engler, F. Kaashoek, and J. O'Toole Jr. `Exokernel: an Operating
293+ System Architecture for Application-level Resource Management
294+ <https://dl.acm.org/doi/pdf/10.1145/224057.224076> `__. SIGOPS
295+ Symposium on Operating System Principles. December 1995.
296+
297+ J. Saltzer, D. Reed, and D. Clark. `End-to-End Arguments in System
298+ Design <https://dl.acm.org/doi/abs/10.1145/357401.357402> `__. ACM
299+ Transactions on Computer Systems. November 1984.
300+
301+ In an OS setting, the principle of least common mechanism is related to
302+ the principle of least privilege since the common platform (kernel)
303+ runs with greater privilege. This is because minimizing the number of
304+ mechanisms that require elevated kernel privilege also minimizes the
305+ privilege required across all mechanisms that make up a system. In a
306+ network setting, the principle is related to the
307+ end-to-end-argument. That is, it is best to avoid putting functions
308+ such as encryption into the network when the user is likely to need
309+ end-to-end encryption anyway.
269310
2703112.3.6 Design for Iteration
271312~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -320,8 +361,44 @@ secure. A determined attacker will, in all likelihood, try to erase their tracks
320361so logging for audit purposes cannot just be an afterthought; it has
321362to be part of the design of a secure system.
322363
364+ 2.4 Best Practices
365+ ---------------------
366+
367+ Design principles help guide how a system is architected to be secure,
368+ but an architecture has to be implemented by an engineering team and
369+ run on a day-to-day basis by an operations team. Mistakes in the
370+ implementation or operational practices render the best intentions
371+ impotent. To this end, software companies typically establish a set of
372+ best practices for the the entire software lifecycle, from design to
373+ coding, deployment, and operation.
374+
375+ These practices start by establishing the security metrics that the
376+ end result is to be judged by, along with the processes used to review
377+ designs and test compliance. On the development side, emphasis is
378+ placed on using cryptography standards and the best available
379+ protocols, platforms, and languages. It is **not ** an engineer's job
380+ to reinvent the security mechanisms described in this book, but
381+ rather, to know what mechanisms are available and how to use
382+ them. Once a system is deployed and operational, the emphasis is on
383+ proactively monitoring the system for anomalous behavior and
384+ establishing an incident response plan to deal with suspected attacks.
385+ Continuously collecting data about a running system is commonplace,
386+ and using AI/ML to respond to detect (and potentially respond to)
387+ attacks is becoming increasingly common.
388+
389+ The details of these procedures is beyond the scope of this book,
390+ except as we note, that they depend on engineers and operators being
391+ well-informed about available security mechanisms. For an example of
392+ industry practices, we recommend Microsoft's Security Development
393+ Lifecycle (SDL) practices.
394+
395+ .. admonition :: Further Reading
396+
397+ `Microsoft Security Development Lifecycle (SDL)
398+ <https://www.microsoft.com/en-us/securityengineering/sdl> `__.
399+
323400
324- 2.4 Summary
401+ 2.5 Summary
325402-----------
326403
327404Just as we can never be quite sure that we have covered all possible
0 commit comments