Papers
Topics
Authors
Recent
Search
2000 character limit reached

COMMAND: Certifiable Open Measurable Mandates

Published 9 Mar 2022 in cs.CR | (2203.05015v1)

Abstract: Security mandates today are often in the form of checklists and are generally inflexible and slow to adapt to changing threats. This paper introduces an alternate approach called open mandates, which mandate that vendors must dedicate some amount of resources (e.g. system speed, energy, design cost, etc.) towards security but unlike checklist security does not prescribe specific controls that must be implemented. The goal of open mandates is to provide flexibility to vendors in implementing security controls that they see fit while requiring all vendors to commit to a certain level of security. In this paper, we first demonstrate the usefulness of open security mandates: for instance, we show that mandating 10% of resources towards security reduces defenders losses by 8% and forestalls attackers by 10%. We then show how open mandates can be implemented in practice. Specifically, we solve the problem of identifying a system's overhead due to security, a key problem towards making such an open mandate enforceable in practice. As examples we demonstrate our open mandate system -- COMMAND -- for two contemporary software hardening techniques and show that our methodology can predict security overheads to a very high degree of accuracy (<1% mean and median error) with low resource requirements. We also present experiments that quantify, in terms of dollars, how much end users value the performance lost to security, which help determine the costs of such a program. Taken together -- the usefulness of mandates, their enforceability, and their quantifiable costs -- make the case for an alternate resource-based mandate.

Summary

No one has generated a summary of this paper yet.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Continue Learning

We haven't generated follow-up questions for this paper yet.

Collections

Sign up for free to add this paper to one or more collections.