Design Principles and Guidelines for Security

Abstract: This report provides a distillation, synthesis and organization of key principles for the construction of secure computing systems, and supports the analysis with examples where needed for clarity. Our conclusions reflect a broad range of previous related work, including the landmark study by Saltzer and Schroeder and several subsequent reports. We found that some of the early design principles required re-examination due to, for example, advances in performance and extensibility as well as the effects of various new technologies. We focus on a concise articulation of the principles as they apply to the development of the most elemental components of a basic security system. The results are organized into several major categories: structure, logic and function, system lifecycle, and lessons learned.

[1] Daniel F. Sterne et al. On the buzzword 'security policy'. Proceedings, 1991 IEEE Computer Society Symposium on Research in Security and Privacy, 1991.

[2] Gary Stoneburner et al. SP 800-30: Risk Management Guide for Information Technology Systems. 2002.

[3] David Elliott Bell et al. Looking back at the Bell-La Padula model. 21st Annual Computer Security Applications Conference (ACSAC'05), 2005.

[4] William A. Arbaugh et al. A secure and reliable bootstrap architecture. Proceedings, 1997 IEEE Symposium on Security and Privacy, 1997.

[5] Philip Alan Myers. Subversion: the neglected aspect of computer security. 1980.

[6] D. L. Parnas et al. On the criteria to be used in decomposing systems into modules. Software Pioneers, 1972.

[7] Wei-Ming Hu et al. Lattice scheduling and covert channels. Proceedings, 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992.

[8] Daryl McCullough et al. A Hookup Theorem for Multilevel Security. IEEE Trans. Software Eng., 1990.

[9] Jerome H. Saltzer et al. End-to-end arguments in system design. TOCS, 1984.

[10] B. Lampson et al. Protection 1. 2022.

[11] Mary Shaw et al. Global variable considered harmful. SIGP, 1973.

[12] Butler W. Lampson et al. A note on the confinement problem. CACM, 1973.

[13] James P. Anderson et al. Computer Security Technology Planning Study. 1972.

[14] Cynthia E. Irvine. A multilevel file system for high assurance. Proceedings, 1995 IEEE Symposium on Security and Privacy, 1995.

[15] K. G. Walter et al. Primitive Models for Computer Security. 1974.

[16] C. E. Irvine et al. The Trusted Computing Exemplar project. Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, 2004.

[17] Edsger W. Dijkstra et al. The structure of the "THE"-multiprogramming system. CACM, 1968.

[18] Paolo Falcarin et al. 1 Developing secure software and systems. 2004.

[19] J. K. Millen et al. The cascading problem for interconnected networks. Proceedings, Fourth Aerospace Computer Security Applications, 1988.

[20] Carleen Maitland et al. Trust in cyberspace. 2000.

[21] Nancy G. Leveson et al. Safeware: System Safety and Computers. 1995.

[22] G. Stoneburner et al. Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology. 2002.

[23] M. F. et al. Bibliography. Experimental Gerontology, 1985.

[24] Jerome H. Saltzer et al. The protection of information in computer systems. Proc. IEEE, 1975.

[25] Carl E. Landwehr et al. Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing, 2004.

[26] Charles P. Pfleeger et al. Security in computing. 1988.

[27] Morrie Gasser et al. Building a Secure Computer System. 1988.

[28] M. Conrad. The geometry of evolution. Bio Systems, 1990.

[29] Peter G. Neumann et al. Principled assuredly trustworthy composable architectures. 2003.

[30] Dorothy E. Denning et al. Element-level classification with A1 assurance. Comput. Secur., 1988.

[31] D. Elliott Bell et al. Secure Computer System: Unified Exposition and Multics Interpretation. 1976.

[32] M. A. Padlipsky et al. Limitations of End-to-End Encryption in Secure Computer Networks. 1978.

[33] Peter Neumann et al. Safeware: System Safety and Computers. SOEN, 1995.

[34] Jerome H. Saltzer et al. The Multics kernel design project. SOSP '77, 1977.

[35] Philippe A. Janson. Using type-extension to organize virtual-memory mechanisms. OPSR, 1981.