Saltzer and Schroeder 8 Design Principles


Fail-Safe Defaults

Definition: Base decisions on permissions rather than exclusions
Example: Firewall protecting a small business

Complete Mediation

Definition: Every access to every object must be checked for authority
Informally: We don't want any back doors into the system
Implications:
* Need a foolproof method for origin authentication
* Caching should be viewed skeptically (cf. DNS poisoning)

Least Privilege

Definition: Every program and every user of the system should operate using the least set of privileges necessary.
* Often violated! (Windows users with administrator accounts, Unix servers running as root)

Psychological Acceptability

Definition: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
Implications: People who don't know how it works won't use it, or use it improperly
Example: Digitally-signed email; a spoofed email could be prevented this way

Economy of Mechanism

Definition: Keep the design as simple and as small as possible.
Importance:
* Errors resulting in unwanted access probably won't be found during normal operation of a system
* To check for these errors, line-by-line verification is important
* This type of check is likely to fail with overly-complicated systems

Least Common Mechanism

Definition: Minimize the amount of mechanism common to more than one user and depended on by all users
Most common interpretation: Minimize shared channels
Other examples: Memory protection, base/bounds memory, virtual memory, virtual machines, VPN
Why? Confidentiality/integrity protection, information flow, side channels

Open Design

Definition: The design of a system should not be secret. Security should not be dependent on the ignorance of attackers.
* Instead, use public algorithms with secret parameters (Kerckhoffs's principle, Shannon's maxim)

Separation of Privilege

Definition: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key
Example: Need two keys to launch a missile
* The most common example of this principle is separation of duty. For example, employees who create payment authorizations cannot issue checks
