@@ -215,7 +215,89 @@ such old ideas as network firewalls and virtual private networks,
215215along with more modern approaches such as microsegmentation and
216216zero-trust architectures. We will discuss these developments in a later chapter.
217217
218-
218+ 2.2.5 Least Common Mechanism
219+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
220+
221+ This principle states that the amount of mechanism that is common to
222+ more than one user should be minimized. In operating systems, this
223+ would imply that a piece of mechanism should not be baked into the
224+ kernel if it could be provided in some other way, e.g., as a
225+ library. This principle, applied in the context of network security,
226+ shows up in the end-to-end argument: we avoid putting functions such
227+ as encryption into the network when the user is likely to need
228+ end-to-end encryption anyway.
229+
230+
231+ 2.2.6 Design for Iteration
232+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
233+
234+ Given what we have said about the difficulty of knowing that a system
235+ is secure, a useful design principle is to accept that we will need to
236+ iterate, and design for it. A good example of this is in the choice of
237+ particular cryptographic algorithms for integrity protection or
238+ encryption. These algorithms are often found to be insufficiently
239+ strong after some number of years, perhaps due to a weakness in the
240+ underlying mathematics, or breakthroughs in algorithms, or just the
241+ steady improvement in computing power that happens over time. Thus,
242+ any protocol that is developed that depends on such an algorithm
243+ should be designed such that a change of algorithm is an expected
244+ behavior. We see this in protocols such as Transport Layer Security
245+ (TLS) which includes a set of procedures by which two participants
246+ negotiate the cryptographic algorithms to be used.
247+
248+ Recent developments in quantum computing have raised the issue that
249+ many existing forms of cryptographic algorithm may need to be
250+ replaced. While the timeframe in which such a change will be needed
251+ remains a subject of debate, the safe choice is to accept that
252+ cryptographic algorithms will periodically need to be replaced.
253+
254+ 2.2.7 Audit Trails
255+ ~~~~~~~~~~~~~~~~~~
256+
257+ Part of dealing with the impossibility of covering all possible
258+ security threats is to accept that sometimes we need to analyze what
259+ has gone wrong. This leads to the idea that security needs to be
260+ auditable. For example, it will be easier to conduct a post-mortem of
261+ a breach involving compromised login credentials if every login
262+ attempt is logged, along with information such as whether the login
263+ came over a VPN, what IP address was used, and so on. Similarly it is
264+ very hard to prevent insider attacks, but suitable logging might both
265+ make it easier to detect such attacks quickly and to deter those who
266+ might undertake them.
267+
268+ In a different vein, consider the design of secure protocols. The
269+ specification for TLS (transport layer security) describes a large
270+ number of error conditions that may trigger alerts, and recommends the
271+ logging of all such alerts. Such logging would help in understanding
272+ if the protocol was subject to an attack that involved incorrect or
273+ unexpected messages. Given the complexity of negotiations that go on
274+ in security protocols (to establish cryptographic algorithms and
275+ parameters, for example) it is wise to assume that these may have
276+ subtle bugs, and a good set of audit tools will enable any such bugs
277+ to be detected and then remedied.
278+
279+ Of course, the audit mechanisms themselves must be designed to be
280+ secure. A determined attacker will, in all likelihood, try to erase their tracks,
281+ so logging for audit purposes cannot just be an afterthought; it has
282+ to be part of the design of a secure system.
283+
284+
285+
286+
287+ 2.3 Summary
288+ -----------
289+
290+
291+ Just as we can never be quite sure that we have covered all possible
292+ vectors of attack against a system, there is no hard limit to the set of
293+ principles that can be applied to developing secure systems. The
294+ principles covered above include several that were drawn from the
295+ influential paper by Saltzer and Schroeder from 1975. That is the same
296+ Saltzer whose book (with Kaashoek) we referred to in Chapter 1. The
297+ fact that many of the principles from the 1975 paper reappear in the
298+ 2009 is probably a sign that Saltzer had some confidence that these
299+ principles have stood the test of time. We recommend reading the
300+ entire paper.
219301
220302.. admonition :: Further Reading
221303
@@ -226,18 +308,7 @@ zero-trust architectures. We will discuss these developments in a later chapter
226308
227309
228310
229- .. working list of ideas
230-
231-
232- Be Explicit
233-
234- Design for Iteration
235-
236- Audit
237-
238-
239311
240- economy of mechanism
241312
242313
243314
0 commit comments