Principle 5: Compartmentalization

Break the system up into as many isolated units as possible
- Simplicity
- Containing attacker in case of failure

Example: submarines are built with many chambers, each separately sealed
Example: prison.

Counterexample: Famous violations of this principle exist
  standard UNIX privilege model
  - A program with root privilege can do everything (including erase logs)
  A few operating systems, such as Trusted Solaris, do compartmentalize.
  Tradeoff with manageability.
Counterexample: OS that crashes if an application crashes.

CSE825 13
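The slide's UNIX counterexample (a root program can erase the logs) can be made concrete with an added example that is not part of the lecture material. It is a small Python model of the design choice: in the monolithic layout a worker component holds the same full-authority log object the system does, so a compromised worker can wipe the audit trail; in the compartmentalized layout the worker is handed only an append-only handle, so the same compromised code can add entries but cannot erase them. The class names (AuditLog, AppendOnlyLog), the worker function and the log lines are all constructed for this illustration.

```python
"""Model of compartmentalizing log authority (added example, not course code).

Two layouts of the same system are compared:
  run_monolithic        -> the worker gets the full-authority AuditLog
  run_compartmentalized -> the worker gets an AppendOnlyLog wrapper
In both, the worker is "compromised" and tries to cover its tracks.
"""


class AuditLog:
    """Full-authority log store: the kind of object a root process holds."""

    def __init__(self):
        self._entries = []

    def append(self, line):
        self._entries.append(line)

    def erase(self):
        # The dangerous authority: wiping the evidence of what happened.
        self._entries.clear()

    def entries(self):
        return list(self._entries)


class AppendOnlyLog:
    """Narrow capability handed to an isolated unit: it can add, never erase."""

    def __init__(self, log):
        # Keep only the bound append method, not the whole AuditLog object.
        self._append = log.append

    def append(self, line):
        self._append(line)


def malicious_worker(log_handle):
    """A compromised component that does its job, then tries to erase the log.

    Returns "erased" if the handle it was given carried erase authority,
    otherwise "denied".  Constructed attacker behaviour for the model.
    """
    log_handle.append("worker: processed request")
    erase = getattr(log_handle, "erase", None)
    if erase is not None:
        erase()
        return "erased"
    return "denied"


def run_monolithic():
    """Every component shares the one privileged object (UNIX-root style)."""
    log = AuditLog()
    log.append("system: boot")
    outcome = malicious_worker(log)
    return outcome, log.entries()


def run_compartmentalized():
    """The worker is sealed off: it only ever sees an append-only handle."""
    log = AuditLog()
    log.append("system: boot")
    outcome = malicious_worker(AppendOnlyLog(log))
    return outcome, log.entries()


if __name__ == "__main__":
    print("monolithic:        ", run_monolithic())
    print("compartmentalized: ", run_compartmentalized())
```

The model shows the authority split, not its enforcement: Python does not prevent a determined caller from digging the underlying AuditLog back out of a bound method, so in a real system the wrapper boundary has to be backed by something the OS or hardware enforces (a separate process running as an unprivileged user, an append-only file descriptor handed across a pipe, a separate VM or sandbox). That enforcement cost is the manageability tradeoff the slide mentions.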