Alright, time to discuss another classic computer security paper!
Today, it’s The Protection of Information in Computer Systems by Jerome H. Saltzer and Michael D. Schroeder. Written in 1975, this document outlines some fundamental security concepts. I suggest focusing on Section 1, Basic Principles of Information Protection. The 8 design principles start at Section 1.3.
As is apparent, these principles do not represent absolute rules–they serve best as warnings.
Economy of mechanism: Simple is best. Sometimes you have to go through code line by line.
Fail-safe defaults: Whitelist. It’s better to keep everyone out by default.
Complete mediation: Check that every access to every object is authorized.
Open design: Design shouldn’t be secret. You shouldn’t rely on your attacker’s ignorance. Also, more reviewers can examine your system for security.
Separation of privilege: Two keys to unlock is safer than one. They can prevent a single point of failure.
Least privilege: Every user and program should operate with the least amount of privileges to complete a job. An example is the military concept of “need-to-know.”
Lease common mechanism: Limit sharing resources that everyone is dependent on.
Psychological acceptability: An easy-to-use interface means routine and automatic applications of security mechanisms. Also, when a user’s mental model matches their options, they can avoid mistakes.
Two extras:
Work factor: “Compare the cost of circumventing a mechanism with the resources of a potential attacker.” This concept parallels threat modeling.
Compromise recording: Keep logs. They note this is not always the way to go since evidence of damage “can be undone by a clever attacker.”