Source: e170.exsimson.net/ref/2004/csci_e-170/handouts/L14.pdf
Lecture 14: Aligning Usability and Security
Simson L. Garfinkel
CSCI E-170
http://e170.ex.com
© 2004 Simson L. Garfinkel
Administrivia
December 21: Today — Last full lecture.
December 28: No class — Eat Turkey.
January 4: Lecture 15 — Open for presentations.
January 11: Lecture 16 — Open for presentations. Final projects due.
ps: I figured out how to do slides with LaTeX!
Projects?
How are things going?
Plans for presentations?
Anybody want to go on January 4th?
January 4th?
Extra topics?
CSCI E-170: Computer Security, Privacy, and Usability
“Security” has been viewed at odds with Privacy and Usability.
CSCI E-170 argues that they must go together.
CSCI E-170 presents a framework for understanding these properties.
Bluetooth
Quick follow-up to how Bluetooth is running on the Mac.
L1 — Introduction to Security, Privacy and Usability
The role of policy:
• Security requires a policy that defines what is to be secured.
• Privacy requires a policy of how information is to be treated.
WIMP is more usable than the command-line.
Visibility and direct manipulation are the breakthrough concepts that made WIMP more usable than the command-line.
Usability: What is it?
• satisfaction: Interfaces we enjoy using.
• efficiency: Interfaces we are fast at using.
• learnability: Interfaces that we can use without asking for help.
• accuracy: Interfaces we can use without making errors.
• memorability: Interfaces we can use after a long time.
Usability: How do we do it?
• Observe existing work practices
• Be consistent
• Employ iterative design
• Expose necessary information, not junk data
• Avoid confirmations, use undo instead.
• Design for responsiveness
Why is this so hard?
Whitten & Tygar: It is inherently difficult to create interfaces for computer security applications.
Lots of reasons:
• The Secondary Goal Property
• The Hidden Failure Property
• The Abstraction Property [1]
• The Barn Door Property
• The Weakest Link Property
[1] Security rules are easily understood by programmers but “alien and unintuitive” to everybody else.
This really feels like “blame the user.”
Why not make it invisible?
Whitten: Because you can’t!
If the user of the application depends on a security protection being enabled, and the possibility exists of it being disabled, then the user action must be completely disallowed —
— or the lack of the protection must be made visible to the user and tools for remedying the problem should be made available.
Alternative Theory
[Venn diagram: the universe of software developers, with one circle for those with expertise in usability and one for those with expertise in security; usable security is the overlap area.]
Perhaps Usability and Security are seen as antagonistic because:
• Our Definition of “Security” precludes creating systems that are usable.
Clark-Wilson Security Model
“A comparison of commercial and military computer security models,” IEEE Symposium on Security and Privacy, 1987.
• Each datum in the system is a constrained data item (CDI) or an unconstrained data item (UDI).
• CDIs must be protected.
• Transformation procedures (TPs) change CDIs with well-formed transactions.
• Integrity verification procedures (IVPs) ensure that CDIs work as advertised.
➔ Clark-Wilson is a model in which integrity is more important than disclosure control.
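To make the CDI/UDI/TP/IVP vocabulary concrete, here is an added example (it is not from the lecture or from Clark and Wilson's paper) of a toy bank ledger run under those rules. The ledger is the CDI, strings arriving from outside are UDIs, `tp_transfer` and `tp_deposit_udi` are the only code allowed to change the CDI, the money-conservation invariant is the IVP, and a (user, TP) relation decides who may run what. The account names, amounts and the deliberately buggy TP are constructed for the demonstration.

```python
# Clark-Wilson integrity model in miniature (added example, not from the lecture).
from dataclasses import dataclass
from typing import Callable


class AccessDenied(Exception):
    """The (user, TP) pair is not in the access relation."""


class IntegrityError(Exception):
    """The IVP found the CDI in an inconsistent state."""


@dataclass
class Ledger:
    """Constrained data items: balances plus the total the IVP expects."""
    balances: dict
    expected_total: int


def ivp_money_conserved(ledger: Ledger) -> bool:
    """IVP: the invariant every well-formed transaction must preserve."""
    return (all(v >= 0 for v in ledger.balances.values())
            and sum(ledger.balances.values()) == ledger.expected_total)


# Transformation procedures: the only code that may touch the CDI.
def tp_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    if amount <= 0 or ledger.balances[src] < amount:
        raise ValueError("ill-formed transfer")
    ledger.balances[src] -= amount
    ledger.balances[dst] += amount


def tp_deposit_udi(ledger: Ledger, account: str, raw_amount: str) -> int:
    """Turns a UDI (untrusted text from outside) into a CDI change.
    Validation happens here, before the CDI is modified."""
    if not raw_amount.isdigit():
        raise ValueError("UDI rejected: not a non-negative integer")
    amount = int(raw_amount)
    ledger.balances[account] = ledger.balances.get(account, 0) + amount
    ledger.expected_total += amount
    return amount


def tp_buggy_transfer(ledger: Ledger, src: str, dst: str, amount: int) -> None:
    """A certified TP with a bug: it debits but never credits (constructed)."""
    ledger.balances[src] -= amount


class ClarkWilsonSystem:
    def __init__(self, ledger: Ledger, ivp: Callable[[Ledger], bool]):
        self.ledger = ledger
        self.ivp = ivp
        self.certified_tps: dict = {}        # TP name -> function
        self.access_triples: set = set()     # (user, TP name) pairs
        self.audit_log: list = []            # append-only trail of TP runs

    def certify(self, name: str, tp: Callable) -> None:
        self.certified_tps[name] = tp

    def authorize(self, user: str, tp_name: str) -> None:
        self.access_triples.add((user, tp_name))

    def run(self, user: str, tp_name: str, *args):
        """Runs a TP as a transaction: IVP before, IVP after, roll back on failure."""
        if tp_name not in self.certified_tps or (user, tp_name) not in self.access_triples:
            raise AccessDenied(f"{user} may not run {tp_name}")
        if not self.ivp(self.ledger):
            raise IntegrityError("CDI already inconsistent; refusing to run TP")
        before = (dict(self.ledger.balances), self.ledger.expected_total)
        try:
            result = self.certified_tps[tp_name](self.ledger, *args)
            if not self.ivp(self.ledger):
                raise IntegrityError(f"{tp_name} left the CDI inconsistent")
        except Exception:
            self.ledger.balances, self.ledger.expected_total = before   # roll back
            raise
        self.audit_log.append((user, tp_name, args))
        return result


def demo() -> dict:
    """Constructed scenario; returns the observable outcomes."""
    cw = ClarkWilsonSystem(Ledger({"alice": 100, "bob": 50}, 150), ivp_money_conserved)
    cw.certify("transfer", tp_transfer)
    cw.certify("deposit", tp_deposit_udi)
    cw.certify("buggy_transfer", tp_buggy_transfer)
    cw.authorize("teller", "transfer")
    cw.authorize("teller", "buggy_transfer")
    cw.authorize("clerk", "deposit")        # separation of duty: the clerk cannot transfer
    out = {}
    cw.run("teller", "transfer", "alice", "bob", 30)
    out["after_transfer"] = dict(cw.ledger.balances)
    cw.run("clerk", "deposit", "carol", "25")
    out["after_deposit"] = dict(cw.ledger.balances)
    try:
        cw.run("clerk", "transfer", "alice", "bob", 1)
    except AccessDenied:
        out["clerk_transfer"] = "denied"
    try:
        cw.run("clerk", "deposit", "carol", "25; DROP")
    except ValueError:
        out["bad_udi"] = "rejected"
    try:
        cw.run("teller", "buggy_transfer", "alice", "bob", 10)
    except IntegrityError:
        out["buggy_tp"] = "rolled back"
    out["final"] = dict(cw.ledger.balances)
    out["ivp_holds"] = ivp_money_conserved(cw.ledger)
    out["audit_entries"] = len(cw.audit_log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to notice is that the IVP catches the buggy TP after the fact and the transaction is rolled back, while the clerk's attempt to run a TP outside the access relation and the malformed UDI are both refused before the CDI is touched; nothing in the example needs to hide data, which is why Clark-Wilson is an integrity model rather than a disclosure-control one.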
What’s wrong with disclosure control?
• Disclosure control is hard to get right.
• Screw-ups can’t be reversed (“Barn Door.”)
• No clue how far data leaks.
It may be that Usability and Disclosure Control are difficult, but Usability and other security is easier.
Other factors complicating HCI-SEC
• “Security is like a chain”
• “Humans are the weakest link”
• Emphasis on bug fixing, rather than correct design. (Similar to NTSB reports.)
• Emphasis on cryptography.
• Researcher disinterest.
• Difficulty of performing user tests.
• Authentication is an attractive rathole. (Passwords, PKI, biometrics)
Psychological basis
• People exaggerate minor risks
• Unknown risks are perceived to be more risky than known.
• Involuntary risks are perceived as more risky than voluntary risks.
Computer Security at Crossroads
We must do better!
• Systems are now always-on
• Very powerful systems are connected.
• Viruses can do a lot of damage
AOL 2004 Survey
• Experts sent to 329 homes.
• 20% were currently infected by a virus.
• 63% said that they had been infected in the past.
• 80% had spyware or adware.
. . . Yet 70% believed they were safe from viruses and other online threats.
Why? 85% had some kind of anti-virus. . .
Yet 67% of those machines were not up-to-date.
“AOL survey finds rampant online threats, clueless users,” Computerworld, October 23, 2004. http://www.computerworld.com/securitytopics/security/story/0,10801,96918,00.html
Ideas for aligning security and usability
• A workable threat model.
• Improved Visibility
• Decreased Functionality
• Admonitions — security co-pilots.
A workable threat model
• Decreased emphasis on disclosure control — a hard sell in this era of identity theft.
• Attackers that are active, but who do not control the infrastructure.
➔ Digital signatures, not message encryption.
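The two ideas above fit together in one receiver: under an active attacker who can alter or strip what is in transit but does not control the infrastructure, integrity protection is what matters, and by Whitten's rule a message whose protection is missing must either be refused or be shown with the gap made visible and a remedy offered. The following is an added example, not code from the lecture. Because the Python standard library has no public-key signature primitive, `hmac` (a shared-key MAC) stands in for a digital signature; the classification and presentation logic would be identical with a real signature. The key, message bodies and status strings are constructed for the demonstration.

```python
# Integrity-first receiver with Whitten's visible-failure rule (added example).
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    VERIFIED = "verified"
    TAMPERED = "tampered"
    UNSIGNED = "unsigned"


def sign(key: bytes, body: str) -> dict:
    """Sender side: attach an integrity tag.  The body stays readable;
    confidentiality is not the goal in this threat model."""
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify(key: bytes, msg: dict) -> Verdict:
    """Receiver side: classify the message, never silently accept it."""
    sig = msg.get("sig")
    if sig is None:
        return Verdict.UNSIGNED
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    # constant-time comparison so the check itself leaks nothing about the tag
    return Verdict.VERIFIED if hmac.compare_digest(expected, sig) else Verdict.TAMPERED


def present(key: bytes, msg: dict, policy: str = "visible") -> dict:
    """Whitten's rule.  policy="disallow": treating an unverified message as
    trusted is refused outright.  policy="visible": the message is shown, but
    the absent protection is flagged and a remedy is offered."""
    verdict = verify(key, msg)
    if verdict is Verdict.VERIFIED:
        return {"show": True, "status": "Sender verified", "remedy": None}
    if verdict is Verdict.TAMPERED:
        # an altered message is never displayed as if it were protected
        return {"show": False, "status": "Altered in transit; discarded",
                "remedy": "Ask the sender to resend"}
    if policy == "disallow":
        return {"show": False, "status": "Unsigned message refused",
                "remedy": "Ask the sender to sign their mail"}
    return {"show": True, "status": "NOT VERIFIED: anyone could have written this",
            "remedy": "Ask the sender to sign their mail"}


def demo() -> dict:
    """Constructed traffic: one genuine message and two in-transit modifications."""
    key = b"constructed-demo-key-not-a-real-secret"
    genuine = sign(key, "Wire $500 to account 1234")
    altered = dict(genuine, body="Wire $5000 to account 9999")   # body changed, tag kept
    stripped = {"body": genuine["body"]}                          # tag removed entirely
    return {
        "genuine": present(key, genuine),
        "altered": present(key, altered),
        "stripped_visible": present(key, stripped),
        "stripped_disallow": present(key, stripped, policy="disallow"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The stripped case is the one Whitten's rule is really about: a receiver that simply shows unsigned mail with no indication is exhibiting the Hidden Failure Property, since the user depends on a protection that has quietly vanished.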
Improved Visibility
• The Forensics work we did was really about visibility.
• Outlook address book failures — also about visibility.
• Other examples. . . ?
Decreased Functionality
• Don’t allow programs unrestricted access to files — Yee’s access by designation.
Admonitions — Security Co-Pilots
Yee’s No-Surprise condition
“Definition: Security software is usable if the people who are expected to use it:”
If:
actors $A = \{A_0, A_1, \ldots, A_n\}$
perceived abilities $P = \{P_0, P_1, \ldots, P_n\}$
real abilities $R = \{R_0, R_1, \ldots, R_n\}$
Then the no-surprise condition requires that:
$P_0 \subseteq R_0$ and $P_i \supseteq R_i$ for $i > 0$
Yee’s Guidelines for secure interaction design
General Principles:
• Path of least resistance — the most natural way to do a task should also be the safest.
• Appropriate boundaries — The interface should draw distinctions among objects and actions along boundaries that matter to the user.
Maintaining the actor-ability state:
• Explicit Authorization — A user’s authority should only be granted to another actor through an explicit user action understood to imply granting.
• Visibility — The interface should let the user easily review any active authorityrelationships that could affect security decisions.
• Recoverability - The interface should let the user easily revoke authority thatthe user has granted, whenever revocation is possible
• Expected ability — The interface should not give the user the impression ofhaving authority that the user does not actually have.
Communicating with the user:
• Trusted path — the user’s communication channel to any entity thatmanipulates authority on the user’s behalf must be unspoofable and free ofcorruption.
• Identifiability — The interface should ensure that identical objects or actionsappear identical and that distinct objects or actions appear different
c©2004 Simson L. Garfinkel 32
• Expressiveness — The interface should provide enough expressive power to let users easily express security policies that fit their goals.
• Clarity — The effect of any authority-manipulating user action should be clearly apparent to the user before the action takes effect.
“Safe Staging”
Whitten — what does it mean?
Can we find examples of Safe Staging?
“Software with training wheels” — why not just use this idea?
“Metaphor Tailoring”
HCI-SEC Enhancing Techniques
• Explicit Install
• Consistent Vocabulary
• Distinguish Taint
• User Audit
• No Kit
• Run vs. Open
• Self-Signed Certs / Continuity of Identity
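The “Self-Signed Certs / Continuity of Identity” item is the one in this list that reduces most directly to a mechanism: remember the key a host presented the first time and tell the user whether later contacts present the same key, instead of showing an “unknown issuer” warning that the user cannot act on. The block below is an added illustration written for this page, not code from the lecture or from any product; `IdentityStore`, its result strings and the two `CERT_*` byte strings are constructed for the example (real code would hand in the DER bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`).

```python
"""Continuity-of-identity check for self-signed certificates (added example).

Hypothetical code, not from the lecture: it records the fingerprint of a
self-signed certificate the first time a host is contacted and reports
whether later contacts present the same key, so the interface can show
"same key as last time" rather than a generic "untrusted issuer" warning.
"""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as a hex string."""
    return hashlib.sha256(cert_der).hexdigest()


class IdentityStore:
    """Persistent host -> fingerprint map, in the spirit of SSH's known_hosts."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.known: Dict[str, str] = {}
        if path is not None and path.exists():
            self.known = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.known))

    def check(self, host: str, cert_der: bytes) -> str:
        """Classify the certificate presented for `host`.

        Returns one of:
          "first-contact" - no record yet; the fingerprint is now remembered
          "continuous"    - same key as every previous contact
          "changed"       - a different key than the one seen before; the
                            stored fingerprint is NOT replaced, the user must
                            decide explicitly (Clarity, Recoverability)
        """
        fp = fingerprint(cert_der)
        previous = self.known.get(host)
        if previous is None:
            self.known[host] = fp
            self._save()
            return "first-contact"
        if previous == fp:
            return "continuous"
        return "changed"

    def accept_change(self, host: str, cert_der: bytes) -> None:
        """Explicitly replace the remembered identity after the user approves."""
        self.known[host] = fingerprint(cert_der)
        self._save()

    def forget(self, host: str) -> None:
        """Revoke trust in a remembered identity (Recoverability)."""
        self.known.pop(host, None)
        self._save()


# Constructed sample "certificates" (hypothetical): only the fingerprint
# matters to the store, so any distinct byte strings illustrate the flow.
CERT_A = b"constructed-self-signed-cert-for-mail.example"
CERT_B = b"constructed-different-cert-for-mail.example"


def demo() -> List[str]:
    """Walk one host through first contact, a repeat, a key change and an accepted change."""
    store = IdentityStore()  # in-memory only; pass a Path to persist across runs
    results = [
        store.check("mail.example", CERT_A),  # first-contact
        store.check("mail.example", CERT_A),  # continuous
        store.check("mail.example", CERT_B),  # changed: not silently replaced
    ]
    store.accept_change("mail.example", CERT_B)
    results.append(store.check("mail.example", CERT_B))  # continuous again
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `check` never overwrites a remembered key on its own: a changed key is reported and left for the user to accept or reject, which keeps the effect of the decision apparent before it takes effect.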
• More Secure vs. Less Secure — Distinguish between similar operations that are more secure and less secure.
• Access Analysis — Provide a facility for reporting the specific access rights and capabilities of a user or group.
• Disable new features by default.
• Match Expectations — Match the security expectations created in the user’s mind with the security actually delivered by the tool.
• Leverage authentication
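The “Access Analysis” item here and the Visibility and Recoverability principles earlier on the page describe the same small piece of machinery from different sides: a record of who was granted what, which the user can list, revoke from, and query for the effective rights of one user or group. The block below is an added example written for this page, not code from the lecture; the `AuthorityLedger` class, the `group:<name>` principal convention and the sample users, groups and files are all constructed for the illustration.

```python
"""Authority ledger with visibility, revocation and access analysis (added example).

Hypothetical code, not from the lecture. It models the grants a user has made
(which principal may do what on which object), lets the user list the active
grants on an object (Visibility), revoke one (Recoverability), and produces an
access-analysis report of the effective rights of a user or group, including
rights inherited through group membership.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Grant:
    principal: str   # a user name, or "group:<name>" for a group
    obj: str         # the resource the grant applies to
    right: str       # e.g. "read", "write", "share"


@dataclass
class AuthorityLedger:
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group -> members
    grants: Set[Grant] = field(default_factory=set)

    def add_member(self, group: str, user: str) -> None:
        self.groups.setdefault(group, set()).add(user)

    def grant(self, principal: str, obj: str, right: str) -> Grant:
        g = Grant(principal, obj, right)
        self.grants.add(g)
        return g

    def revoke(self, principal: str, obj: str, right: str) -> bool:
        """Recoverability: remove exactly one grant. True if it existed."""
        g = Grant(principal, obj, right)
        if g in self.grants:
            self.grants.remove(g)
            return True
        return False

    def active_grants(self, obj: str) -> List[Grant]:
        """Visibility: every live authority relationship on one object."""
        return sorted((g for g in self.grants if g.obj == obj),
                      key=lambda g: (g.principal, g.right))

    def principals_for(self, user: str) -> Set[str]:
        """The user plus every group the user belongs to."""
        names = {user}
        names.update(f"group:{grp}" for grp, members in self.groups.items()
                     if user in members)
        return names

    def effective_rights(self, user: str) -> Dict[str, Set[str]]:
        """Access analysis: obj -> rights the user holds, directly or via groups."""
        names = self.principals_for(user)
        report: Dict[str, Set[str]] = {}
        for g in self.grants:
            if g.principal in names:
                report.setdefault(g.obj, set()).add(g.right)
        return report

    def group_rights(self, group: str) -> Dict[str, Set[str]]:
        """Access analysis for a group as a whole (its direct grants only)."""
        name = f"group:{group}"
        report: Dict[str, Set[str]] = {}
        for g in self.grants:
            if g.principal == name:
                report.setdefault(g.obj, set()).add(g.right)
        return report


def build_sample() -> AuthorityLedger:
    """Constructed scenario: bob gets write on a report; the 'staff' group gets read."""
    led = AuthorityLedger()
    led.add_member("staff", "bob")
    led.add_member("staff", "carol")
    led.grant("bob", "report.pdf", "write")
    led.grant("group:staff", "report.pdf", "read")
    led.grant("group:staff", "budget.xlsx", "read")
    return led


if __name__ == "__main__":
    led = build_sample()
    for g in led.active_grants("report.pdf"):        # what the user can review
        print(f"{g.principal:12} may {g.right} {g.obj}")
    print("bob:", led.effective_rights("bob"))        # direct + inherited
    led.revoke("group:staff", "report.pdf", "read")   # one revocation, one effect
    print("carol after revoke:", led.effective_rights("carol"))
```

Two points the report makes visible that the raw grant list does not: bob's `read` on `report.pdf` arrives only through the group, and revoking the group grant removes it from carol and bob alike, which is exactly the kind of side effect the Clarity principle says the user should see before acting.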
Thompson — Reflections on Trusting Trust
You’ve got to trust something...