Friday Star Wars and the Principle of Complete Mediation
This week in Friday Star Wars Security Blogging, we examine the principle of Complete Mediation:
Complete mediation:
Every access to every object must be checked for authority. This principle, when systematically applied, is the primary underpinning of the protection system. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated.
(From “The Protection of Information in Computer Systems,” by Saltzer and Schroeder.) The key bit here is that every object is protected, not an amalgamation. So, for example, if you were to have a tractor beam controller pedestal in an out of the way air shaft, you might have a door in front of it, with some access control mechanisms. Maybe even a guard. I guess the guard budget got eaten up with the huge glowing blue lightning indicator. Maybe next time, they should have a status light on the bridge. But I digress.
The tractor beam controls were insufficiently mediated. There should have been guards, doors, and a response system. Such protections would have been a “primary underpinning of the protection system.”
But that was easy. Too easy, if you ask me. In start contrast to last week’s post, “Friday Star Wars: Principle of Fail-safe Defaults,” which, as certain ungrateful readers (yes, you, Mr. assistant to…) certain ungrateful readers did have the termacity to point out that we have high standards here, and so we offer up a second example of insufficient mediation.
After they get back to the ship, there’s nothing else to do. They simply fly away. The bay is open and the Falcon can fly out. Where’s the access control? (This is another example of why firewalls need to be bi-directional.) Is it an automated safety that anything can just fly out of a docking bay? Seems a poor safety to me.
Once again, a poor security decision, the lack of complete mediation, aids those rebel scum in getting away. Now, maybe someone decided to let them go, but still, they should have had to press one more button.
Termacity? Is that a newly discovered form of insect living space, an abbreviation of Termite City?
Perhaps you meant “temerity.”
You guys can run circles around me in computerese, but I only use big words if I”m sure they are the right big words.
Being sure and being right are two different things.
In this, I follow our fearless leader, and use big words about which I’m confident.