e170.exsimson.net/ref/2004/csci_e-170/handouts/l14.pdf• disclosure control is hard to get right....

Lecture 14: Aligning Usability and Security

Simson L. Garfinkel

CSCI E-170

http://e170.ex.com

c©2004 Simson L. Garfinkel

http://e170.ex.com

Administrivia

December 21 Today — Last full lecture.December 28 No class — Eat Turkey.January 4 Lecture 15 — Open for presentations.January 11 Lecture 16 — Open for presentations. Final projects due.

Administrivia

December 21 Today — Last full lecture.December 28 No class — Eat Turkey.January 4 Lecture 15 — Open for presentations.January 11 Lecture 16 — Open for presentations. Final projects due.

ps: I figured out how to do slides with LATEX!

c©2004 Simson L. Garfinkel 1

Projects?

How are things going?

Plans for presentations?

Anybody want to go on January 4th?


January 4th?

Extra topics?


CSCI E-170: Computer Security, Privacy, and Usability

“Security” has been viewed at odds with Privacy and Usability.



CSCI E-170 argues that they must go together.



CSCI E-170 argues that they must go together. CSCI E-170 presents a frameworkfor understanding these properties.


Bluetooth

Quick follow-up to how Bluetooth is running on the Mac.


L1 — Introduction to Security, Privacy and Usability

The role of policy:

• Security requires a policy that defines what is to be secured.

• Privacy requires a policy of how information is to be treated.


WIMP is more usable than the command-line.

Visiblity and direct manipulation are the breakthrough concepts that made WIMPmore usable than the command-line.


Usability: What is it?

• satisfaction Interfaces we enjoy using

• efficiency Interfaces we are fast at using

• learnability Interfaces that we can use without asking for help

• accuracy Interfaces we can use without making errors.

• memorability Interfaces we can use after a long time.


Usability: How do we do it?

• Observe existing work practices

• Be consistent

• Employ iterative design

• Expose necessary information, not junk data

• Avoid confirmations, use undo instead.

• Design for responsiveness


Why is this so hard?

Whitten & Tygar: It is Inherently difficult to create interfaces for computersecurity applications.

Lots of reasons:

• The Secondary Goal Property

• The Hidden Failure Property

• The Abstraction Property1

• The Barn Door Property

• The Weakest Link Property1Security rules are easily understood by programmers but “alien and unintuitive” to everybody else.


This really feels like “blame the user.”


Why not make it invisible?

Whitten: Because you can’t!

If the user of the application depends on a security protection being enabled, andthe possibility exists of it being disabled, then the user action must be completelydisallowed —

Why not make it invisible?

Whitten: Because you can’t!

If the user of the application depends on a security protection being enabled, andthe possibility exists of it being disabled, then the user action must be completelydisallowed —

— or the lack of the protection must be made visible to the user and tools forremedying the problem should be made available.


Alternative Theory


Universe of software developers

expertise in usability

expertise in security

usable securityoverlap area


Perhaps Usability and Security are seen as antagonistic because:

• Our Definition of “Security” precludes creating systems that are usable.


Clark-Wilson Security Model

“A comparison of commercial and military computer security models,” IEEESymposium on Security and Privacy, 1987.



• Each datum in the system is a constrained data item (CDI) or an unconstraineddata item (UDI).




• CDI must be protected.





• Transformation procedures (TPs) change CDIs with well-formed transactions.





• Transformation procedures (TPs) change CDIs with well-formed transactions.

• Integrity verification procedures (IVPs) ensure that CDIs work as advertised.c©2004 Simson L. Garfinkel 16

➔ Clark-Wilson is a model in which integrity is more important than disclosurecontrol.


What’s wrong with disclosure control?

• Disclosure control is hard to get right.

• Screw-ups can’t be reversed (“Barn Door.”)

• No clue how far data leaks.

It may be that Usability and Disclosure Control are difficult, but Usability andother security is easier.


Other factors complicating HCI-SEC


• “Security is like a chain”



• “Humans are the weakest link”




• Emphasis on bug fixing, rather than correct design. (Similar to NTSB reports.)





• Emphasis on cryptography.






• Researcher disinterest.







• Difficulty of performing user tests.







• Difficulty of performing user tests.

• Authentication is an attractive rathole. (Passwords, PKI, biometrics)


Psychological basis

• People exaggerate minor risks

• Unknown risks are perceived to be more risky than known.

• Involuntary risks are perceived as more risky than voluntary risks.


Computer Security at Crossroads

We must do better!

• Systems are now always-on

• Very powerful systems are connected.

• Viruses can do a lot of damage


AOL 2004 Survey

• Experts sent to 329 homes.

• 20% were currently infected by a virus.

• 63% said that they had been infected in the past.

• 80% had spyware or adware.

. . .

AOL 2004 Survey





. . . Yet 70% believed they were safe from viruses and other online threats.

AOL 2004 Survey






Why? 85% had some kind of anti-virus. . .

AOL 2004 Survey






Why? 85% had some kind of anti-virus. . .

Yet 67% of those machines were not up-to-date. “AOL survey finds rampantc©2004 Simson L. Garfinkel 22

online threats, clueless users,”

Computerworld, October 23, 2004. http://www.computerworld.com/securitytopics/security/story/0,10801,96918,00.html


http://www.computerworld.com/securitytopics/security/story/0,10801,96918,00.html

http://www.computerworld.com/securitytopics/security/story/0,10801,96918,00.html

Ideas for aligning security and usability

• A workable threat model.

• Improved Visiblity

• Decreased Functionality

• Admonitions — security co-pilots.


A workable threat model

• Decreased emphasis on disclosure control — a hard sell in this era of identitytheft.

• Attackers that are active, but who do not control the infrastructure.

➔ Digital signatures, not message encryption.


Improved Visiblity

• The Forensics work we did was really about visiblity.

• Outlook address book failures — also about visiblity.

• Other examples. . . ?


Decreased Functionality

• Don’t allow programs unrestricted access to files — Yee’s access by designation.


Admonitions — Security Co-Pilots


Yee’s No-Surprise condition

“Definition: Security software is usable if the people who are expected to use it:”

Yee’s No-Surprise condition

“Definition: Security software is usable if the people who are expected to use it:”

If:

actors A = {A0, A1, . . . , An}perceived abilities P = {P0, P1, . . . , Pn}

real abilities P = {R0, R1, . . . , Rn}

Then the no-surprise condition requires that:

P0 ⊆ R0 andc©2004 Simson L. Garfinkel 29

Pi ⊇ Ri for i > 0


Yee’s Guidelines for secure interaction design

General Principles:

• Path of least resistance — the most natural way to do a task should also be thesafest.


General Principles:


• Appropriate boundaries — The interface should draw distinctions amongobjects and actions along boundaries that matter to the user.


General Principles:



Maintaining the actor-ability state:


General Principles:




• Explicit Authorization — A user’s authority should only be granted to anotheractor through an explicit user action understood to imply granting.

• Visibility — The interface should let the user easily review any active authorityrelationships that could affect security decisions.


• Recoverability - The interface should let the user easily revoke authority thatthe user has granted, whenever revocation is possible



• Expected ability — The interface should not give the user the impression ofhaving authority that the user does not actually have.




Communicating with the user:





• Trusted path — the user’s communication channel to any entity thatmanipulates authority on the user’s behalf must be unspoofable and free ofcorruption.






• Identifiability — The interface should ensure that identical objects or actionsappear identical and that distinct objects or actions appear different

• Expressiveness — The interface should provide enough expressive power to letusers easily express security policies that fit their goals.

• Expressiveness — The interface should provide enough expressive power to letusers easily express security policies that fit their goals.

• Clarity — The effect of any authority-manipulating user action should beclearly apparent to the user before the action takes effect.


“Safe Staging.

Whitten — what does it mean?

Can we find examples of Safe Staging?

“Software with training wheels” — why not just use this idea?


“Metaphor Tailoring”


HCI-SEC Enhancing Techniques


• Explicit Install



• Consistent Vocabulary




• Distinguish Taint





• User Audit





• User Audit

• No Kit





• User Audit

• No Kit

• RUn vs. Open





• User Audit

• No Kit

• RUn vs. Open

• Self-Signed Certs / Continuity of Identity

• More Secure vs. Less Secure — Distinguish between similar operations that aremore secure and less-secure


• Access Analysis — Provide facility for reporting specific access rights andcapabilities of a user or group



• Disable new features by default.




• Match Expectations — Match security expectations created in the user’s mindwith the security actually delivered by the tool.




• Match Expectations — Match security expectations created in the user’s mindwith the security actually delivered by the tool.

• Leverage authentication


Thompson — Reflections on Trusting Trust

You’ve got to trust something. . .


e170.exsimson.net/ref/2004/csci_e-170/handouts/l14.pdf• disclosure control is hard to get right....

Documents