
Page 1: e170.exsimson.net/ref/2004/csci_e-170/handouts/L14.pdf• Disclosure control is hard to get right. • Screw-ups can’t be reversed (“Barn Door.”) • No clue how far data leaks

Lecture 14: Aligning Usability and Security

Simson L. Garfinkel

CSCI E-170

http://e170.ex.com

©2004 Simson L. Garfinkel

Administrivia

December 21 Today — Last full lecture.
December 28 No class — Eat Turkey.
January 4 Lecture 15 — Open for presentations.
January 11 Lecture 16 — Open for presentations. Final projects due.

ps: I figured out how to do slides with LaTeX!

Projects?

How are things going?

Plans for presentations?

Anybody want to go on January 4th?

January 4th?

Extra topics?

CSCI E-170: Computer Security, Privacy, and Usability

“Security” has been viewed at odds with Privacy and Usability.

CSCI E-170 argues that they must go together.

CSCI E-170 presents a framework for understanding these properties.


Bluetooth

Quick follow-up to how Bluetooth is running on the Mac.


L1 — Introduction to Security, Privacy and Usability

The role of policy:

• Security requires a policy that defines what is to be secured.

• Privacy requires a policy of how information is to be treated.


WIMP is more usable than the command-line.

Visibility and direct manipulation are the breakthrough concepts that made WIMP (windows, icons, menus, pointer) more usable than the command-line.


Usability: What is it?

• satisfaction Interfaces we enjoy using

• efficiency Interfaces we are fast at using

• learnability Interfaces that we can use without asking for help

• accuracy Interfaces we can use without making errors.

• memorability Interfaces we can use after a long time.


Usability: How do we do it?

• Observe existing work practices

• Be consistent

• Employ iterative design

• Expose necessary information, not junk data

• Avoid confirmations, use undo instead.

• Design for responsiveness


Why is this so hard?

Whitten & Tygar: it is inherently difficult to create interfaces for computer security applications.

Lots of reasons:

• The Secondary Goal Property

• The Hidden Failure Property

• The Abstraction Property [1]

• The Barn Door Property

• The Weakest Link Property

[1] Security rules are easily understood by programmers but “alien and unintuitive” to everybody else.

This really feels like “blame the user.”

Why not make it invisible?

Whitten: Because you can’t!

If the user of the application depends on a security protection being enabled, and the possibility exists of it being disabled, then the user action must be completely disallowed —

— or the lack of the protection must be made visible to the user and tools for remedying the problem should be made available.


Alternative Theory


[Venn diagram: the universe of software developers, with one circle for expertise in usability and one circle for expertise in security; usable security is the overlap area.]

Perhaps Usability and Security are seen as antagonistic because:

• Our Definition of “Security” precludes creating systems that are usable.

Clark-Wilson Security Model

Clark and Wilson, “A Comparison of Commercial and Military Computer Security Policies,” IEEE Symposium on Security and Privacy, 1987.

• Each datum in the system is a constrained data item (CDI) or an unconstrained data item (UDI).

• CDIs must be protected: they may be modified only by certified transformation procedures.

• Transformation procedures (TPs) change CDIs with well-formed transactions, taking the CDIs from one valid state to another.

• Integrity verification procedures (IVPs) check that the CDIs are in a valid state.

➔ Clark-Wilson is a model in which integrity is more important than disclosure control.
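As an added illustration of the model (example code written for this page, not from the lecture or from Clark and Wilson's paper): a toy ledger whose balances are the CDIs, whose only writers are certified TPs bound to users by access triples, and whose IVP runs after every TP so that a TP which would break the invariant is discarded rather than committed. The bank roles, the request format fed in as a UDI, and the rule numbers in the comments are assumptions made for the example.

```python
import copy
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when a TP would leave the CDIs in a state the IVP rejects."""


@dataclass
class Ledger:
    """The constrained data items (CDIs) of a toy bank.

    Invariant enforced by the IVP: no balance is negative and the balances
    sum to total_issued. The log is itself a CDI (Clark-Wilson rule C4)."""
    balances: dict = field(default_factory=dict)
    total_issued: int = 0
    log: list = field(default_factory=list)


class ClarkWilsonKernel:
    """Mediates every change to the CDIs.

    * Only TPs certified here can touch the ledger (rule E1).
    * A user may run a TP only if an access triple (user, TP) exists (E2);
      which CDIs a TP touches is fixed by the TP's own code.
    * The IVP runs after every TP; if it fails the TP is discarded (C1, C2).
    """

    def __init__(self, ledger):
        self.ledger = ledger
        self._tps = {}          # name -> certified TP function
        self._triples = set()   # (user, tp_name)

    def certify_tp(self, name, fn):
        self._tps[name] = fn

    def grant(self, user, tp_name):
        if tp_name not in self._tps:
            raise KeyError(f"cannot grant uncertified TP {tp_name!r}")
        self._triples.add((user, tp_name))

    def ivp(self, ledger=None):
        lg = self.ledger if ledger is None else ledger
        return (all(b >= 0 for b in lg.balances.values())
                and sum(lg.balances.values()) == lg.total_issued)

    def run(self, user, tp_name, *args):
        if (user, tp_name) not in self._triples:
            raise PermissionError(f"no access triple for ({user}, {tp_name})")
        # The TP works on a copy, so a TP that raises or breaks the invariant
        # never leaves the live CDIs half-modified.
        candidate = copy.deepcopy(self.ledger)
        self._tps[tp_name](candidate, *args)
        candidate.log.append((user, tp_name, args))
        if not self.ivp(candidate):
            raise IntegrityError(f"{tp_name}{args} rejected by IVP; CDIs unchanged")
        self.ledger = candidate
        return dict(candidate.balances)


# Certified TPs: the only code that is allowed to write the ledger.

def tp_issue(ledger, account, amount):
    """Create money: a balance and total_issued move together."""
    ledger.balances[account] = ledger.balances.get(account, 0) + amount
    ledger.total_issued += amount


def tp_transfer(ledger, src, dst, amount):
    """Move money; the sum is preserved, and an overdraft is caught by the IVP."""
    ledger.balances[src] = ledger.balances.get(src, 0) - amount
    ledger.balances[dst] = ledger.balances.get(dst, 0) + amount


def tp_submit_request(ledger, request):
    """Take a UDI (a raw request line from outside the system) and either
    turn it into a well-formed transfer or reject it outright (rule C5)."""
    parts = request.strip().split(":")
    if (len(parts) != 4 or parts[0] != "transfer"
            or not parts[3].isdigit() or int(parts[3]) <= 0):
        raise ValueError(f"malformed request rejected: {request!r}")
    tp_transfer(ledger, parts[1], parts[2], int(parts[3]))


def rejected(kernel, user, tp_name, *args):
    """Run a TP and report the class of rejection, or None if it went through."""
    try:
        kernel.run(user, tp_name, *args)
    except (PermissionError, IntegrityError, ValueError) as e:
        return type(e).__name__
    return None


def build_demo_kernel():
    """Constructed sample with separated duties (rule C3): the treasurer may
    create money but not move it, the teller the reverse, and the gateway may
    only feed outside requests through the validating TP."""
    k = ClarkWilsonKernel(Ledger())
    k.certify_tp("issue", tp_issue)
    k.certify_tp("transfer", tp_transfer)
    k.certify_tp("submit", tp_submit_request)
    k.grant("treasurer", "issue")
    k.grant("teller", "transfer")
    k.grant("gateway", "submit")
    return k


if __name__ == "__main__":
    k = build_demo_kernel()
    k.run("treasurer", "issue", "alice", 100)
    k.run("teller", "transfer", "alice", "bob", 30)
    print(k.run("gateway", "submit", "transfer:bob:alice:10"))      # {'alice': 80, 'bob': 20}
    print(rejected(k, "teller", "issue", "teller", 1000))            # PermissionError
    print(rejected(k, "teller", "transfer", "bob", "alice", 500))    # IntegrityError
    print(rejected(k, "gateway", "submit", "transfer:bob:alice:-5"))  # ValueError
    print(k.ledger.balances, k.ivp())                                # unchanged, True
```

The point to notice is where disclosure control is absent: nothing in the kernel stops anyone from reading the ledger. What it guarantees is that every state the ledger is ever in passed the IVP, that every change is attributable to a (user, TP) pair in the log, and that raw input never reaches a CDI without passing through a validating TP.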


What’s wrong with disclosure control?

• Disclosure control is hard to get right.

• Screw-ups can’t be reversed (“Barn Door”).

• No clue how far data leaks.

It may be that usability and disclosure control are difficult to reconcile, but usability and the other security properties (such as integrity, as in Clark-Wilson) are easier.

Other factors complicating HCI-SEC

• “Security is like a chain”

• “Humans are the weakest link”

• Emphasis on bug fixing, rather than correct design. (Similar to NTSB reports.)

• Emphasis on cryptography.

• Researcher disinterest.

• Difficulty of performing user tests.

• Authentication is an attractive rathole. (Passwords, PKI, biometrics)

Psychological basis

• People exaggerate minor risks

• Unknown risks are perceived to be more risky than known.

• Involuntary risks are perceived as more risky than voluntary risks.


Computer Security at Crossroads

We must do better!

• Systems are now always-on

• Very powerful systems are connected.

• Viruses can do a lot of damage


AOL 2004 Survey

• Experts sent to 329 homes.

• 20% were currently infected by a virus.

• 63% said that they had been infected in the past.

• 80% had spyware or adware.

. . . Yet 70% believed they were safe from viruses and other online threats.

Why? 85% had some kind of anti-virus. . .

Yet 67% of those machines were not up-to-date.

“AOL survey finds rampant online threats, clueless users,” Computerworld, October 23, 2004. http://www.computerworld.com/securitytopics/security/story/0,10801,96918,00.html

Ideas for aligning security and usability

• A workable threat model.

• Improved Visibility

• Decreased Functionality

• Admonitions — security co-pilots.


A workable threat model

• Decreased emphasis on disclosure control — a hard sell in this era of identity theft.

• Attackers that are active, but who do not control the infrastructure.

➔ Digital signatures, not message encryption.


Improved Visibility

• The forensics work we did was really about visibility.

• Outlook address book failures — also about visibility.

• Other examples. . . ?


Decreased Functionality

• Don’t allow programs unrestricted access to files — Yee’s access by designation.


Admonitions — Security Co-Pilots


Yee’s No-Surprise condition

“Definition: Security software is usable if the people who are expected to use it:”

If:

actors A = {A0, A1, . . . , An} (A0 is the user)
perceived abilities P = {P0, P1, . . . , Pn}
real abilities R = {R0, R1, . . . , Rn}

Then the no-surprise condition requires that:

P0 ⊆ R0 and
Pi ⊇ Ri for i > 0

That is, the user must really be able to do everything the user believes they can do, and no other actor may be able to do anything the user does not believe it can do.

Yee’s Guidelines for secure interaction design

General Principles:

• Path of least resistance — the most natural way to do a task should also be the safest.

• Appropriate boundaries — The interface should draw distinctions among objects and actions along boundaries that matter to the user.

Maintaining the actor-ability state:

• Explicit Authorization — A user’s authority should only be granted to another actor through an explicit user action understood to imply granting.

• Visibility — The interface should let the user easily review any active authority relationships that could affect security decisions.

• Recoverability — The interface should let the user easily revoke authority that the user has granted, whenever revocation is possible.

• Expected ability — The interface should not give the user the impression of having authority that the user does not actually have.

Communicating with the user:

• Trusted path — the user’s communication channel to any entity that manipulates authority on the user’s behalf must be unspoofable and free of corruption.

• Identifiability — The interface should ensure that identical objects or actions appear identical and that distinct objects or actions appear different.

• Expressiveness — The interface should provide enough expressive power to let users easily express security policies that fit their goals.

• Clarity — The effect of any authority-manipulating user action should be clearly apparent to the user before the action takes effect.
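Yee’s access by designation (the “Decreased Functionality” slide), the no-surprise condition and the guidelines just listed fit together in one mechanism, shown here as an added example (code written for this page, not taken from the lecture or from Yee’s paper): a “powerbox” that holds the user’s authority, hands an application a capability only for the file the user picked in a dialog, lists and revokes grants, and checks the two inclusions of the no-surprise condition over its own actor-ability state. The file paths, actor names and the in-memory filesystem are constructed for the example; grant_silently is included only to show what a surprise looks like.

```python
from dataclasses import dataclass

USER = "user"  # actor A0 in Yee's notation


@dataclass(frozen=True)
class Cap:
    """A capability: one right on one object, held by one actor. Holding the
    object is worthless unless the powerbox's grant table still backs it."""
    holder: str
    path: str
    right: str  # "read" or "write"


class Powerbox:
    """The one component that holds the user's whole authority (R0) and gives
    other actors narrow capabilities only when the user designates an object.

    grants[a]   = real abilities R_a of actor a
    shown[a]    = abilities the UI lists for a, i.e. what the user perceives, P_a
    shown[USER] = paths the UI tells the user are available, P0
    """

    def __init__(self, files):
        self.files = dict(files)                # constructed in-memory filesystem
        self.grants = {}                        # actor -> {(path, right)}
        self.shown = {USER: set(self.files)}    # the UI lists exactly the user's files

    # Explicit authorization: the user's pick in a file dialog *is* the grant.
    def designate(self, actor, chosen_path, right="read"):
        if chosen_path not in self.files:
            raise PermissionError(f"user cannot delegate {chosen_path}: not theirs")
        self.grants.setdefault(actor, set()).add((chosen_path, right))
        self.shown.setdefault(actor, set()).add((chosen_path, right))
        return Cap(actor, chosen_path, right)

    # The anti-pattern: ambient authority handed out with no trace in the UI.
    def grant_silently(self, actor, path, right):
        self.grants.setdefault(actor, set()).add((path, right))

    # Visibility and recoverability.
    def list_grants(self):
        return {a: sorted(g) for a, g in self.grants.items() if g}

    def revoke(self, actor, path, right):
        self.grants.get(actor, set()).discard((path, right))
        self.shown.get(actor, set()).discard((path, right))

    # The only way an actor touches a file: the grant table is consulted on
    # every use, so a revoked or forged Cap object buys nothing.
    def read(self, cap):
        if (cap.path, "read") not in self.grants.get(cap.holder, set()):
            raise PermissionError(f"{cap.holder} may not read {cap.path}")
        return self.files[cap.path]

    def write(self, cap, data):
        if (cap.path, "write") not in self.grants.get(cap.holder, set()):
            raise PermissionError(f"{cap.holder} may not write {cap.path}")
        self.files[cap.path] = data

    # Yee's no-surprise condition: P0 ⊆ R0, and P_i ⊇ R_i for every other actor.
    def surprises(self):
        bad = []
        for path in self.shown[USER] - set(self.files):          # user thinks they can, but cannot
            bad.append((USER, path, "shown-but-unavailable"))
        for actor, real in self.grants.items():
            for path, right in real - self.shown.get(actor, set()):  # actor can, user does not know
                bad.append((actor, path, right))
        return sorted(bad)


def denied(fn, *args):
    """True if the operation is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    """Constructed scenario: a word processor gets exactly the file the user picked."""
    pb = Powerbox({
        "/home/u/report.txt": b"quarterly numbers",
        "/home/u/.ssh/id_rsa": b"constructed stand-in for a private key",
    })
    results = {}
    cap = pb.designate("wordproc", "/home/u/report.txt")      # user chose it in the dialog
    results["opened"] = pb.read(cap)
    # The app cannot mint its own capability to something the user never designated.
    results["key_leaked"] = not denied(pb.read, Cap("wordproc", "/home/u/.ssh/id_rsa", "read"))
    results["surprises_before"] = pb.surprises()               # everything the app can do is on screen
    pb.grant_silently("updater", "/home/u/.ssh/id_rsa", "read")  # the anti-pattern
    pb.shown[USER].add("/mnt/share/budget.xls")                  # UI advertises a file that is not there
    results["surprises_after"] = pb.surprises()
    pb.revoke("wordproc", "/home/u/report.txt", "read")
    results["revoked_read_denied"] = denied(pb.read, cap)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Two design choices carry the guidelines: the grant and the UI entry are written in the same call, so the perceived and real ability sets cannot drift apart unless someone bypasses designate(); and read()/write() consult the grant table on every use rather than trusting the Cap object, which is what makes revocation actually take effect.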

“Safe Staging”

Whitten — what does it mean?

Can we find examples of Safe Staging?

“Software with training wheels” — why not just use this idea?

“Metaphor Tailoring”

HCI-SEC Enhancing Techniques

• Explicit Install

• Consistent Vocabulary

• Distinguish Taint

• User Audit

• No Kit

• Run vs. Open

• Self-Signed Certs / Continuity of Identity

• More Secure vs. Less Secure — Distinguish between similar operations that are more secure and less secure.

• Access Analysis — Provide a facility for reporting the specific access rights and capabilities of a user or group.

• Disable new features by default.

• Match Expectations — Match the security expectations created in the user’s mind with the security actually delivered by the tool.

• Leverage authentication
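The “Self-Signed Certs / Continuity of Identity” item is the one on this list that is most often implemented carelessly, so here is an added example of it (written for this page, not taken from the lecture): a store that records a host’s certificate fingerprint on first contact, reports later connections as continuous or changed, refuses to overwrite the stored fingerprint without an explicit user confirmation, and uses one fixed wording per case so the dangerous message never reads like the routine one. The certificate bytes and the host name are constructed stand-ins.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, shown as colon-separated hex pairs."""
    h = hashlib.sha256(cert_der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


@dataclass
class Verdict:
    status: str              # "first-seen", "continuous" or "changed"
    stored: Optional[str]    # fingerprint remembered from earlier sessions, if any
    presented: str           # fingerprint of the certificate offered now


class ContinuityStore:
    """Remembers, per host, the fingerprint of the (self-signed) certificate it
    first presented. There is no CA: trust is established on first use, and the
    job of the software is to make a later change visible and to make accepting
    it an explicit user action rather than a silent default."""

    def __init__(self, known=None):
        self.known = dict(known or {})   # host -> fingerprint

    def check(self, host: str, cert_der: bytes) -> Verdict:
        fp = fingerprint(cert_der)
        stored = self.known.get(host)
        if stored is None:
            self.known[host] = fp            # first contact: remember it
            return Verdict("first-seen", None, fp)
        if stored == fp:
            return Verdict("continuous", stored, fp)
        return Verdict("changed", stored, fp)  # deliberately not overwritten here

    def accept_change(self, host: str, cert_der: bytes, user_confirmed: bool):
        """Recoverability: the user, not the code path, decides to trust the new key."""
        if not user_confirmed:
            raise PermissionError(f"refusing to replace the stored fingerprint for {host}")
        self.known[host] = fingerprint(cert_der)

    def dump(self) -> str:
        return json.dumps(self.known, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "ContinuityStore":
        return cls(json.loads(text))


def message_for(host: str, v: Verdict) -> str:
    """Consistent vocabulary for the three cases, so the rare dangerous one
    does not read like the common harmless one."""
    if v.status == "first-seen":
        return f"First connection to {host}. Its certificate fingerprint is {v.presented}."
    if v.status == "continuous":
        return f"{host} presented the same certificate as before."
    return (f"WARNING: {host} presented a DIFFERENT certificate than the one seen before.\n"
            f"  before: {v.stored}\n  now:    {v.presented}\n"
            "Connect only if you expected this change, and confirm it explicitly.")


# Constructed stand-ins for two DER-encoded self-signed certificates.
CERT_A = b"constructed self-signed certificate for mail.example, key A"
CERT_B = b"constructed self-signed certificate for mail.example, key B"


def demo():
    store = ContinuityStore()
    first = store.check("mail.example", CERT_A)
    again = store.check("mail.example", CERT_A)
    changed = store.check("mail.example", CERT_B)
    still_a = store.known["mail.example"] == fingerprint(CERT_A)   # the warning did not rewrite trust
    store.accept_change("mail.example", CERT_B, user_confirmed=True)
    reloaded = ContinuityStore.load(store.dump())                   # survives a restart
    after = reloaded.check("mail.example", CERT_B)
    return [first.status, again.status, changed.status, still_a, after.status]


if __name__ == "__main__":
    s = ContinuityStore()
    for cert in (CERT_A, CERT_A, CERT_B):
        print(message_for("mail.example", s.check("mail.example", cert)))
    print(demo())   # ['first-seen', 'continuous', 'changed', True, 'continuous']
```

This is the “more secure vs. less secure” distinction made concrete: a continuous identity and a changed one are different operations for the user, and the store keeps them different by never turning a “changed” verdict into a stored fingerprint on its own.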


Thompson — Reflections on Trusting Trust

You’ve got to trust something. . .
