Back in the day, Emergent Chaos used to use examples from Star Wars to illustrate some of Saltzer and Schroeder's design principles. The Departed is a kind of present-day Boston Irish mafia version of Scorsese's Goodfellas, and there are some analogs to security design principles, especially if you look at things from the perspective of Frank Costello (loosely based on Whitey Bulger and played by Jack Nicholson), who has numerous secrets to protect.
.........
CAUTION:
SPOILERS
BELOW
.........
The main reason why The Departed is an interesting case study for computer security is that Frank Costello's crime gang is embedded with police informants and the police squad is riddled with informants for Costello. This contrasts sharply with the normal breakdown, where it is simply good guys versus bad guys in two monolithic groups. In computer security, architects typically break down the system into groups like internal, external, and DMZ, which seem to logically divide the infrastructure. But then apps, data, identities, and users are layered across those boundaries, so the resulting world looks more like The Departed than the black-and-white groups displayed in Visio.
Saltzer and Schroeder's Design Principles
a) Economy of mechanism: Keep the design as simple and small as possible.
Well, Costello fails on this one, in that his criminal enterprise is pretty complicated, with many stakeholders including the FBI, the Chinese government, and run-of-the-mill bookies. D.
b) Fail-safe defaults: Base access decisions on permission rather than exclusion.
Costello does a decent job on this principle. For example, no one in the larger group knew he would escape from the warehouse in a boat ("they didn't figure we had a navy"), so even though there were rats in his operation, they could in this case inform on the locale (and even send cell signals out), but not on the escape route. B.
c) Complete mediation: Every access to every object must be checked for authority.
Costello's operation lacked a reference monitor. Costello functioned as a reference monitor, but since he was protecting himself this does not count. D.
d) Open design: The design should not be secret.
All of Costello's plans and relationships were secret. F.
e) Separation of privilege: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
Costello used different crews for different jobs, including, when he suspected a rat, inventing a "new crew" that he revealed only to certain people to see who would inform on him. A.
f) Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
Costello does a number of things well in this regard. His knowledge of the underworld is used selectively to reveal criminals to the FBI when those criminals' downfall benefits Costello. So he is not an informant who blabs everything, but rather one who tells the FBI things that help him and uses the FBI as a wing in his criminal enterprise. A.
g) Least common mechanism: Minimize the amount of mechanism common to more than one user and depended on by all users [28].
Apparently, this is just as difficult in crime as it is in computing. The biggest problem to solve remains sharing, and by extension distribution. As Costello tells French, there is no one he can rely on except for French. This is so much the case that Costello ends up trusting the informant (Billy Costigan) because he has nowhere else to turn. F.
h) Psychological acceptability: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Pass.
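Several of the principles above (fail-safe defaults, complete mediation, separation of privilege, least privilege) are easiest to see side by side in a tiny reference monitor. The following Python sketch is an added example, not code from the original post; the subjects and objects ("boss", "lieutenant", "escape_route") are constructed names chosen to echo the film, and the grant table and two-key rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ReferenceMonitor:
    """Single choke point for every access decision (complete mediation).

    Constructed example: an in-memory grant table. Anything not explicitly
    granted is denied (fail-safe default). Objects listed in two_key_objects
    additionally need a second, independently authorised approver
    (separation of privilege). The logic is open; only the grants are secret.
    """
    grants: dict = field(default_factory=dict)       # (subject, obj) -> {actions}
    two_key_objects: set = field(default_factory=set)
    audit: list = field(default_factory=list)         # every decision, allowed or denied

    def grant(self, subject, obj, action):
        # least privilege: rights are handed out per subject and per action only
        self.grants.setdefault((subject, obj), set()).add(action)

    def _holds(self, subject, obj, action):
        return action in self.grants.get((subject, obj), set())

    def check(self, subject, obj, action, approvers=()):
        allowed = self._holds(subject, obj, action)
        if allowed and obj in self.two_key_objects:
            # the second key must be held by a different subject with the same right
            allowed = any(a != subject and self._holds(a, obj, action) for a in approvers)
        self.audit.append((subject, obj, action, allowed))
        return allowed


class Vault:
    """Toy object store; there is no path to the data that bypasses the monitor."""

    def __init__(self, monitor):
        self._monitor = monitor
        self._store = {}

    def write(self, subject, name, value, approvers=()):
        if not self._monitor.check(subject, name, "write", approvers):
            raise PermissionError(f"{subject} may not write {name}")
        self._store[name] = value

    def read(self, subject, name, approvers=()):
        if not self._monitor.check(subject, name, "read", approvers):
            raise PermissionError(f"{subject} may not read {name}")
        return self._store[name]


def demo():
    """Constructed scenario; returns the outcome of each access attempt."""
    rm = ReferenceMonitor(two_key_objects={"escape_route"})
    vault = Vault(rm)
    rm.grant("boss", "escape_route", "write")
    rm.grant("boss", "escape_route", "read")
    rm.grant("lieutenant", "escape_route", "write")
    rm.grant("lieutenant", "escape_route", "read")
    rm.grant("boss", "meeting_place", "write")
    rm.grant("crew", "meeting_place", "read")

    vault.write("boss", "meeting_place", "warehouse")
    vault.write("boss", "escape_route", "by boat", approvers=("lieutenant",))

    results = {"crew_meeting": vault.read("crew", "meeting_place")}
    try:                                  # no grant at all: default deny
        vault.read("crew", "escape_route")
        results["crew_escape_denied"] = False
    except PermissionError:
        results["crew_escape_denied"] = True
    try:                                  # holder of one key, no second key
        vault.read("boss", "escape_route")
        results["boss_alone_denied"] = False
    except PermissionError:
        results["boss_alone_denied"] = True
    results["boss_with_second_key"] = vault.read("boss", "escape_route", approvers=("lieutenant",))
    results["decisions"] = len(rm.audit)
    results["denials"] = sum(1 for entry in rm.audit if not entry[3])
    return results


if __name__ == "__main__":
    print(demo())
```

Every decision, including denials, lands in the audit list, which is the piece a defender actually reads: the monitor records who asked for what and whether a second key was present, so an informant probing for the escape route shows up as a denied entry rather than silently succeeding.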
Great post. As I was watching this movie on Tuesday night I was wondering what your take on it would be.
Posted by: chris | October 13, 2006 at 08:53 AM