安全系统的用户界面设计

UserInteractionDesignforSecureSystemsKa-PingYee@zesty.caAbstract.Thesecurityofanycomputersystemthatisconguredorop-eratedbyhumanbeingscriticallydependsontheinformationconveyedbytheuserinterface,thedecisionsoftheusers,andtheinterpretationoftheiractions.Thispaperestablishessomestartingpointsforreasoningaboutsecurityfromauser-centredpointofview:itproposestomodelsystemsintermsofactorsandactions,andintroducestheconceptofthesubjectiveactor-abilitystate.Tenkeyprinciplesforsecureinteractiondesignareidentied;casestudiesillustrateandjustifytheprinciples,describingreal-worldproblemsandpossiblesolutions.Itishopedthatthisworkwillhelpguidethedesignandevaluationofsecuresystems.1IntroductionSecurityproblemsareoftenattributedtosoftwareerrorssuchasbueroverruns,raceconditions,orweakcryptosystems.Thishasfocusedagreatdealofattentiononassuringthecorrectnessofsoftwareimplementations.However,thecorrectuseofsoftwareisjustasimportantasthecorrectnessofthesoftwareitself.Forexample,thereisnothinginherentlyincorrectaboutaprogramthatdeletesles.Butwhensuchaprogramhappenstodeletelesagainstourwishes,weperceiveasecurityviolation.Inadierentsituation,theinabilitytocommandtheprogramtodeletelescouldalsobeaserioussecurityproblem.Itfollowsthatthesecuritypropertiesofanysystemcanonlybemeaningfullydiscussedinthecontextofthesystem'sexpectedbehaviour.GarnkelandSpaordgivethedenition:\Acomputerissecureifyoucandependonitanditssoftwaretobehaveasyouexpect[7].Noticethatthisdenitionisnecessarilydependentonthemeaningof\you,whichusuallyreferstotheuser.Itisimpossibletoevendescribesecuritywithoutaddressingtheuserperspective.Amongthemostspectacularofrecentsecurityproblemsaree-mailattach-mentviruses.Manyofthesearegoodreal-lifeexamplesofsecurityviolationsintheabsenceofsoftwareerrors:atnopointintheirpropagationdoesanyapplicationorsystemsoftwarebehavedierentlythanitsprogrammerswouldexpect.Thee-mailclientcorrectlydisplaysthemessageandcorrectlydecodestheattachment;thesystemcorrectlyexecutesthevirusprogramwhentheuseropenstheattachment.Rather,theproblemexistsbecausethefunctionallycorrectbehaviourisinconsistentwithwhattheuserwouldwant.Thispaperaimstomaketwomaincontributions:rst,itpresentsamodeltoguidethinkingaboutthistypeofissue;andsecond,itgivesspecicrecom-mendationsintheformofteninteractiondesignprinciplesforsecuresystems.Manydesignershabituallyassumethatimprovingsecuritynecessarilyde-gradesusability,andviceversa;thedecisionofwhethertofavouroneortheotheristypicallyseenasaregrettablecompromise.Forexample,acommonlysuggestedsecurityxistohavethecomputeraskforuserconrmation,yetwearealsooftenwarnedagainstannoyingtheuserbyaskingtoofrequently[14].Intheend,thesejudgementcallsareoftenmadearbitrarilybecausethereseemstobenogoodanswer.Acoherentmodelforsecureuserinteractioncanclarifythedesignprocessandhelpdesignersmakethesedecisionsconsistently.Itaketheapparentlyradicalpositionthatsecurityandusabilityarenotfundamentallyatoddswitheachother.Infact,itshouldbecomeclearuponreflectionthattheoppositemakesmoresense:asystemthatismoresecureismorecontrollable,morereliable,andhencemoreusable;amoreusablesystemreducesconfusionandisthusmorelikelytobesecure.Ingeneral,securityadvocatesandusabilityadvocatesbothwantthecomputertocorrectlydowhattheuserwants{nomoreandnoless1.Theresultspresentedherecomefromdiscussingdesignchallengesanduserexperiencesatlengthwithdesignersandusersofsoftwareintendedtobesecure.Aftermuchdebateandseveraliterationsofrenement,wehavetriedtodistillthemostproductivelinesofreasoningdowntoaconcisesetofdesignprinciplesthatcoversmanyoftheimportantandcommonfailuremodes.2RelatedWorkThereseemtoberelativelyfewdevelopmenteortsincomputersecurity[10][12][25]thathaveseriouslyemphasizeduserinteractionissues.TheAdageproject[25],auser-centredauthorizationservice,isprobablythelargestsucheorttodate.Therehavebeenseveralimportantusabilitystudiesofsecurityapplications[1][13][16][24],allofwhichhaveshownthedevastatingimpactthatignoringusabilityissuescanhaveontheeectivenessofsecuritymeasures.Tomyknowledge,thispaperistherstattempttoproposeastructuredframeworkfordesignthinkingandtosuggestwidelyapplicableguidelinesforsecureinteractiondesignasopposedtostudyingasingleapplicationormechanism.Simultaneouslyaddressingalltenofthedesignprinciplespresentedhereisadmittedlyasignicantdesignchallenge.Lesttheyseemtooidealistictobesatisablebyarealsystem,itisworthmentioningthatthereisanindependentlydevelopedworkingprototypeofasecuredesktopenvironment[3]thatlargelysucceedsinsatisfyingmostoftheprinciples.1Oftenadilemmastemsfromconflictsbetweenwhatdierentpeoplewant.Forexample,somedigitalrightsmanagementeortscurrentlyunderwaywouldmakemediacontenthardertouse.Theyaredescribedassecurityimprovements,buttheresultingconflictisnotoneofsecurityversususability:itisactuallyaconflictbetweenthedesiresofusersandcontentdistributors.Balancingsuchconflictsisindeedanimportantproblem,butitisoutsideofthescopeofthispaper.Althoughwewillnotaddressthedesignofsystemsthatservetwomasters,understandinghowtoserveon