Hi,
So, I was just looking over George Lebl's desktop security paper for
GUADEC[1] and I realised that when talking about desktop security we
make a lot of assumptions about what we mean by security.
Given that designing secure applications/systems is all about trade-offs
between the risks to the application and the cost of the possible
countermeasures, you need some sort of basic framework for making those
trade-offs.
Here's the kind of thing I'm thinking of:
  * What can go wrong/what are we trying to prevent/risks?
      * Loss of data
      * Disclosure of private data/loss of privacy
      * Denial of service
      * Interruption of work/reduced productivity
      * ...
  * What may cause the above to come about/threats?
      * Escalation of privileges to an attacker
      * Execution of arbitrary commands specified by an attacker
      * Ability for an attacker to force the program into
        monopolising system resources (cpu, memory, file
        descriptors, ports, hard disk space)
      * Ability for an attacker to cause a program to abort in
        an unrecoverable way
      * Ability for an attacker to snoop a user's actions
      * ...
  * What are our assumptions?
      * The attacker cannot have root access (i.e. any
        countermeasures to this threat would be futile)
      * Our user is not technical and does not need to
        understand the threats to the system (although they do
        implicitly understand the risks)
      * (Deployment environment assumptions)
      * ...
  * What are our goals?
      * Provide a system whereby the user can easily and safely
        get their work done
      * Ensure the privacy and integrity of a user's data
      * ...
Any thoughts? Useful or not? Feel free to expand[2] the "..." bits.
Cheers,
Mark.
[1] - See http://2004.guadec.org/schedule/profiles.html
[2] - Red Hat people edit the SecureDesktopQuestions wiki page, everyone
else just reply to the list (yes, that sucks and, yes, we'd really
like to have an external wiki)