Saltzer and Schroeder 8 Design Principles
Fail-Safe Defaults
Definition: Base decisions on permissions rather than exclusions
Example: Firewall protecting a small business
Complete Mediation
Definition: Every access to every object must be checked for authority
Informally: We don't want any back doors into the system
Implications:
* Need a foolproof method for origin authentication
* Caching should be viewed skeptically (cf. DNS poisoning)
Least Privilege
Definition: Every program and every user of the system should operate using the least set of privileges necessary.
* Often violated! (Windows users with administrator accounts, Unix servers running as root)
Psychological Acceptability
Definition: It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly
Implications: People who don't know how it works won't use it, or will use it improperly
Example: Digitally-signed email (spoofed email could be prevented this way)
Economy of Mechanism
Definition: Keep the design as simple and as small as possible.
Importance:
* Errors resulting in unwanted access probably won't be found during normal operation of a system
* To check for these errors, line-by-line verification is important
* This type of check is likely to fail with overly-complicated systems
Least Common Mechanism
Definition: Minimize the amount of mechanism common to more than one user and depended on by all users
Most common interpretation: Minimize shared channels
Other examples: Memory protection, base/bounds memory, virtual memory, virtual machines, VPN
Why? Confidentiality/integrity protection, information flow, side channels
Open Design
Definition: The design of a system should not be secret. Security should not be dependent on the ignorance of attackers.
* Instead, use public algorithms with secret parameters (Kerckhoffs's principle, Shannon's maxim)
Separation of Privilege
Definition: Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key
Example: Need two keys to launch a missile
* The most common example of this principle is separation of duty. For example, employees who create payment authorizations cannot issue checks