Edward Qiu

Computer Science Student

MIT 6.858 Computer Systems Security Fall 2014 - Lecture 1: Threat Models Notes

What is Security?

How do we accomplish a goal assuming there is opposition trying to prevent us from accomplishing it?

A system is secure when you can accomplish the goal set regardless of what the opposition throws at you.

The power of this definition of security comes when we try to make a system secure. The definition gives us an easy way to formulate well-defined requirements for our system.

  1. What is our goal?
  2. Who is our adversary?
  3. What are some things the adversary can do to prevent us from reaching our goal?

Components of security

  1. Policy - the goal/abilities of your system
    Example: integrity - only the course staff can upload/edit grades
  2. Threat Model - set of assumptions about our attacker
    This is usually the tough part about security. It is impossible to have no assumptions, and it is necessary to make assumptions in order to make progress.
    Ideally the threat model should be as conservative as possible (a large set of only necessary assumptions: it covers many cases, and none of the assumptions is so unlikely or basic that planning to counter it slows down building the system).
  3. Mechanism - software/hardware/system solution that ensures the policy is followed as long as the attacker fits our threat model.

With an accurate threat model and a mechanism that works as intended/designed, we achieve our goal/policy.

Why is security difficult?

Security is a negative goal
We have to make sure our policy is followed, but our adversary has infinite ways of attacking. In other words, it is easier to build functionality than it is to make it secure. There are more things to consider when making something secure than there are when building something.
Your system is only as strong as its weakest link.
Question: Is security all-or-nothing? Is it detrimental to think about security that way?

Testing systems

Every system has a breaking point; pushing the edge cases allows us to find the breaking points.

Design dangers

  • Violation of your own policy: Example: Allowing users to reset passwords with recovery questions - now there are two ways to log in:
    1. with password
    2. with answers to recovery questions
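
The recovery-question example above, worked as a small design audit (an added example, not from the lecture or the original notes). The entry-point names and the `ENTRY_POINTS` model are assumptions constructed for illustration; the code lists every minimal set of secrets that reaches a session and flags the ones that bypass the password.

```python
from itertools import combinations

# Constructed model of the account system from the notes: each entry point
# lists the secrets it requires and what it hands back to the caller.
ENTRY_POINTS = {
    "login":          ({"password"}, "session"),
    "reset_password": ({"recovery_answers"}, "password"),
}
SECRETS = ["password", "recovery_answers"]


def reachable(known, entry_points=ENTRY_POINTS):
    """Everything obtainable from `known` by chaining entry points (fixpoint)."""
    have = set(known)
    changed = True
    while changed:
        changed = False
        for needs, gives in entry_points.values():
            if needs <= have and gives not in have:
                have.add(gives)
                changed = True
    return have


def ways_in(goal="session", entry_points=ENTRY_POINTS, secrets=SECRETS):
    """Minimal sets of starting secrets that are enough to reach `goal`."""
    minimal = []
    for size in range(len(secrets) + 1):
        for combo in combinations(secrets, size):
            start = set(combo)
            if any(m <= start for m in minimal):
                continue  # a smaller set already works
            if goal in reachable(start, entry_points):
                minimal.append(start)
    return minimal


def policy_violations(required="password", **kw):
    """Ways in that do not need the secret the policy says is required."""
    return [w for w in ways_in(**kw) if required not in w]


if __name__ == "__main__":
    print("ways to log in:", ways_in())
    print("bypass the password:", policy_violations())
```

Each new entry point added to the model is re-checked against the same policy, which is the "weakest link" point in code form.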


Security is a negative goal -> Security is all about the details

Security is about being proactive and not reactive

Security is a game about preemption with accurate assumptions (being proactive) to keep an attacker out.


Lecture Video
Official Lecture Notes
