•Exploitable bugs
•Bad configuration
–TCB: Everything that security depends on
•Hardware, software, and configuration
–Does formal policy say what I mean?
•Can I understand it? Can I manage it?
•Why least privilege doesn’t work
–Too complicated, can’t manage it
•The unavoidable price of reliability is simplicity —Hoare