CS262A Reading Summary 27

The Protection of Information in Computer Systems

J. H. Saltzer and M. D. Schroeder
Summary by Feng Zhou
11/5/2002

3 things in the paper:
  1. The key concept of the paper is multiple use. Because a system is supposed to be used by multiple people, information and resources have to be properly shared and/or isolated among different users. The authors list 3 potential security problems: 1. Unauthorized information release; 2. Unauthorized information modification; 3. Unauthorized denial of use.
  2. Several useful principles for designing a secure system are discussed. Among them are: Keep it as simple and small as possible; Fail-safe defaults, which means the default should be no access; Complete mediation, which means every access must be checked; Open design, which means no "security through obscurity"; Separation of privilege, which means requiring physically separated parties to participate in the authorization process; Least privilege, which means granting only the privilege that is needed; Psychological acceptability, which means the user interface should be designed to minimize human error.
  3. Then techniques for implementing a secure sharing system are discussed. Descriptors and judicious use of a privileged state bit can be used to implement isolated virtual machines on top of a single physical machine. To authenticate users there are several choices: passwords, unforgeable objects, or both. A scheme to prevent eavesdropping on authentication information is discussed. Basically it encrypts the authentication data with a key specific to a certain user, which is known to both the machine and the communication system. This effectively authenticates both the user and the machine.
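As an added illustration of the shared-key scheme in point 3 (this is not code from the paper or from this summary): a challenge-response exchange in which the user's terminal and the machine each prove knowledge of the user-specific key, so each side authenticates the other. The class names, message layout and the use of HMAC-SHA256 as the keyed function are assumptions; the paper's own message format is not reproduced.

```python
import hashlib
import hmac
import secrets
def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()

class Terminal:
    """The user's side; holds only that user's shared key."""
    def __init__(self, user: str, key: bytes):
        self.user, self.key = user, key
        self.nonce_t = None

    def respond(self, nonce_m: bytes):
        # Fresh nonce from the terminal, so the machine must also prove itself.
        self.nonce_t = secrets.token_bytes(16)
        proof = mac(self.key, b"terminal", self.user.encode(), nonce_m, self.nonce_t)
        return self.nonce_t, proof

    def verify_machine(self, nonce_m: bytes, machine_proof: bytes) -> bool:
        expected = mac(self.key, b"machine", self.user.encode(), self.nonce_t, nonce_m)
        return hmac.compare_digest(expected, machine_proof)

class Machine:
    """The computer; holds the key of every registered user."""
    def __init__(self, keys: dict):
        self.keys = keys

    def verify_user(self, user, nonce_m, nonce_t, proof):
        key = self.keys.get(user)
        # Unknown user or wrong proof: fail closed, reveal nothing.
        if key is None or not hmac.compare_digest(
                mac(key, b"terminal", user.encode(), nonce_m, nonce_t), proof):
            return None
        return mac(key, b"machine", user.encode(), nonce_t, nonce_m)

def authenticate(terminal: Terminal, machine: Machine) -> bool:
    """Run the exchange; True only if both sides proved knowledge of the key."""
    nonce_m = secrets.token_bytes(16)                  # machine's challenge
    nonce_t, proof = terminal.respond(nonce_m)         # terminal's answer
    machine_proof = machine.verify_user(terminal.user, nonce_m, nonce_t, proof)
    if machine_proof is None:
        return False
    return terminal.verify_machine(nonce_m, machine_proof)

ALICE_KEY = secrets.token_bytes(32)   # constructed sample key for one user
MACHINE = Machine({"alice": ALICE_KEY})
```

Only a party holding the per-user key can produce either proof, which is the sense in which the scheme authenticates both ends; how that key reaches the terminal in the first place is exactly the distribution problem noted in the flaw below.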
1 flaw:

One problem with the authentication scheme is that the single shared key must never be leaked. How to transmit the key initially can be a problem. Thus the authentication process could be improved by using a public key encryption scheme.