Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems
<!-- hierarchy:nav -->
Path: OIP › Thinker Reference › Thinkers › Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems
Shelf: Thinkers · Traversal: self-explaining · hierarchical · voxel-ready
Machine root: OIP tree · Registry
Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems
§SELF — thinker-saltzer-schroeder
What this page is: A summary of the eight security design principles defined by Saltzer and Schroeder in their 1974 paper. What it explains: How to design a computer system so that it protects information by default, and why eight specific principles make the difference between a secure system and an insecure one. Why read it: To understand the rules that every secure system follows, and to see how a single paper written in 1974 still defines security architecture today.
What Saltzer and Schroeder Is
Jerome Saltzer (born 1939) is a computer scientist at MIT. Michael Schroeder is a computer scientist at Xerox PARC and later at DEC Systems Research Center. In 1974 they published "The Protection of Information in Computer Systems" in the Proceedings of the IEEE. This paper is the most cited publication in the field of computer security. It lists eight design principles for building systems that protect information from unauthorized access.
Why It Matters
Every security breach that makes the news happens because one or more of these eight principles was violated. When a system defaults to allowing access, that is a violation of fail-safe defaults. When a system checks permission once and never again, that is a violation of complete mediation. When a system's security depends on keeping its source code secret, that is a violation of open design. Saltzer and Schroeder did not invent these principles out of nothing — they extracted them from studying which systems failed and which systems survived. Their paper is a checklist. Violate it at your own risk.
The Key Idea
Security is not a feature you add to a system after you build it. Security is a property of how the system is designed. Saltzer and Schroeder distilled this into eight principles:
- Economy of mechanism. The security mechanism should be as simple and small as possible. A small mechanism has fewer bugs, is easier to verify, and is easier to understand. Complexity is the enemy of security.
- Fail-safe defaults. The default state of the system should be "no access." Access should be granted only by explicit permission. If the permission check fails or is missing, the result should be denial, not access.
- Complete mediation. Every access to every resource must be checked for authorization. Not just the first access. Every access. If a program checks permission on Monday and never checks again, an attacker who gains access on Tuesday wins.
- Open design. The security of the system should not depend on the secrecy of its design or implementation. The design should be public. The keys should be secret, not the mechanism. This is the opposite of "security through obscurity."
- Separation of privilege. Access to a sensitive resource should require more than one condition. For example, a bank vault should require two keys held by different people. A single compromised credential should not be enough.
- Least privilege. Every program and every user should operate using the minimum permissions needed to complete their task. No more. If a program is compromised while holding excess permissions, the attacker gets those excess permissions too.
- Least common mechanism. Minimize the amount of mechanism shared by different users. Shared mechanisms are single points of failure. If one user's action can affect a shared resource, that shared resource becomes a channel for attack.
- Psychological acceptability. Security mechanisms must be usable. If a security mechanism is too hard to use, people will bypass it. A perfect security system that nobody uses is an insecure system.
What They Got Right
- They identified that security is a design problem, not an implementation problem. You cannot bolt security onto a badly designed system.
- They proved that simplicity beats complexity. Economy of mechanism is the first principle for a reason.
- They defined fail-safe defaults, which means the system is secure when it fails. This inverts the usual engineering assumption that a failure should produce a harmless output. In security, a failure should produce a denial.
- They separated the secret (the key) from the mechanism (the design). Open design means the security community can audit the system. A secret mechanism cannot be audited.
- They recognized that human behavior matters. Psychological acceptability acknowledges that security is a human problem as much as a technical one.
What They Got Wrong or Left Unfinished
- The paper predates distributed systems, the internet, and cloud computing. The principles apply to distributed systems, but Saltzer and Schroeder did not address the specific problems of authentication across networks, key distribution, or Byzantine failures.
- They did not address capabilities or object-capability security. Their model assumes an access control matrix or ACL model. Capability-based systems implement these principles differently — for example, least privilege in a capability system means holding only the capabilities you need, not having a broad identity with restricted permissions.
- They did not provide a method for measuring or verifying whether a system follows the principles. The principles are guidelines, not formal specifications.
How It Connects to Other Ideas
- OIP (Open Invocation Protocol). OIP implements all eight principles: (1) Economy: one dispatch door endpoint. (2) Fail-safe: default is no access; tokens grant explicitly. (3) Complete mediation: every invocation checks the token. (4) Open design: the OIP specification is public. (5) Separation: the owner gate requires both a valid token AND owner approval. (6) Least privilege: tokens are scoped to specific objects. (7) Least common: tenant isolation prevents shared mechanisms between users. (8) Psychological: Tap & Go requires one copy action.
- Butler Lampson's "Protection." Lampson (1971) provided the theoretical model of access control matrices and protection domains. Saltzer and Schroeder (1974) extracted the design principles that make those models work in practice. The two papers are complementary: Lampson described the what; Saltzer and Schroeder described the how.
- Capability-based security. Capability systems implement least privilege by construction — a process can only use the capabilities it holds. Saltzer and Schroeder's principles are independent of any specific mechanism, but capability-based security is one of the cleanest implementations of them.
Sources
- Saltzer, J. H. and Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE, Vol. 63, No. 9, pp. 1278–1308, September 1974.
---
Up the tree
- OIP root — protocol root, zero-context entry
- Thinker Reference hub — full hierarchy map
- Thinkers shelf — siblings on this shelf
- Voxel graph article — how pages link as voxels
- Self-describing protocol
Related on this shelf
- Alan Kay — The Big Idea Is Messaging
- Alfred North Whitehead — Process and Reality
- J.L. Austin and John Searle — Speech Acts
- Barbara Liskov — Abstract Data Types and Distributed Consensus
- Bram Cohen — BitTorrent and Content-Addressed Protocol Design
- Butler Lampson — Protection and Access Control
- Carl Hewitt — The Actor Model
- Charles Sanders Peirce — Signs, Abduction, and Pragmatism
Machine surfaces
- Public page:
https://miscsubjects.com/a/thinker-saltzer-schroeder - JSON article:
https://miscsubjects.com/api/articles/thinker-saltzer-schroeder - OIP ask:
https://miscsubjects.com/api/dispatch?ask=Jerome%20Saltzer%20and%20Michael%20Schroeder%20%E2%80%94%20The%20Protection%20of%20Information%20in%20Computer%20Systems
Ask this article · 2 suggested prompts
Text the build (+14245134626) or WhatsApp — slug|question creates a question node. Paste evidence with ingest slug|q:NODE_ID|your paste.