## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `article_bundle` — **LLM article bundle**
Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.
- **article slug:** `thinker-saltzer-schroeder`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Reference block for Grok/GPT/Gemini. Section §SELF explains the system.
- **read:** https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/bundle?format=markdown

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **topology** — Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER. · https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/topology
- **voxels** — Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance. · https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/voxels
- **ask** — Answer only from topology; creates question_node with gaps and ingest_hint. · https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/prompts
- **ingest** — Parse pasted evidence → source ledger + claims + evidence_ingest node.
- **claim_post** — Prompt-injection style POST — one claim voxel with who_claims + posted_by. · https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/voxels
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*

---

# miscsubjects article bundle

> Reference bundle for Grok, GPT, Gemini, or a human reader. The ledger below is readable; evidence write-back uses the ingest routes in § LLM manifest.

## Article
- **slug:** `thinker-saltzer-schroeder`
- **title:** Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems
- **url:** https://miscsubjects.com/a/thinker-saltzer-schroeder
- **register:** standard
- **updated:** 2026-07-15T04:20:46.587Z
- **tags:** oip, kimi-import, self-explaining, voxel, thinkers, thinker-saltzer-schroeder

## Body

<!-- hierarchy:nav -->
> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Thinkers](https://miscsubjects.com/a/oip-thinkers) › **Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems**
>
> **Shelf:** Thinkers · **Traversal:** self-explaining · hierarchical · voxel-ready
> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)

# Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems

## §SELF — thinker-saltzer-schroeder

**What this page is:** A summary of the eight security design principles defined by Saltzer and Schroeder in their 1974 paper.
**What it explains:** How to design a computer system so that it protects information by default, and why eight specific principles make the difference between a secure system and an insecure one.
**Why read it:** To understand the rules that every secure system follows, and to see how a single paper written in 1974 still defines security architecture today.

### What Saltzer and Schroeder Is

Jerome Saltzer (born 1939) is a computer scientist at MIT. Michael Schroeder is a computer scientist at Xerox PARC and later at DEC Systems Research Center. In 1974 they published "The Protection of Information in Computer Systems" in the *Proceedings of the IEEE*. This paper is the most cited publication in the field of computer security. It lists eight design principles for building systems that protect information from unauthorized access.

### Why It Matters

Every security breach that makes the news happens because one or more of these eight principles was violated. When a system defaults to allowing access, that is a violation of fail-safe defaults. When a system checks permission once and never again, that is a violation of complete mediation. When a system's security depends on keeping its source code secret, that is a violation of open design. Saltzer and Schroeder did not invent these principles out of nothing — they extracted them from studying which systems failed and which systems survived. Their paper is a checklist. Violate it at your own risk.

### The Key Idea

Security is not a feature you add to a system after you build it. Security is a property of how the system is designed. Saltzer and Schroeder distilled this into eight principles:

1. **Economy of mechanism.** The security mechanism should be as simple and small as possible. A small mechanism has fewer bugs, is easier to verify, and is easier to understand. Complexity is the enemy of security.
2. **Fail-safe defaults.** The default state of the system should be "no access." Access should be granted only by explicit permission. If the permission check fails or is missing, the result should be denial, not access.
3. **Complete mediation.** Every access to every resource must be checked for authorization. Not just the first access. Every access. If a program checks permission on Monday and never checks again, an attacker who gains access on Tuesday wins.
4. **Open design.** The security of the system should not depend on the secrecy of its design or implementation. The design should be public. The keys should be secret, not the mechanism. This is the opposite of "security through obscurity."
5. **Separation of privilege.** Access to a sensitive resource should require more than one condition. For example, a bank vault should require two keys held by different people. A single compromised credential should not be enough.
6. **Least privilege.** Every program and every user should operate using the minimum permissions needed to complete their task. No more. If a program is compromised while holding excess permissions, the attacker gets those excess permissions too.
7. **Least common mechanism.** Minimize the amount of mechanism shared by different users. Shared mechanisms are single points of failure. If one user's action can affect a shared resource, that shared resource becomes a channel for attack.
8. **Psychological acceptability.** Security mechanisms must be usable. If a security mechanism is too hard to use, people will bypass it. A perfect security system that nobody uses is an insecure system.

### What They Got Right

- They identified that security is a design problem, not an implementation problem. You cannot bolt security onto a badly designed system.
- They proved that simplicity beats complexity. Economy of mechanism is the first principle for a reason.
- They defined fail-safe defaults, which means the system is secure when it fails. This inverts the usual engineering assumption that a failure should produce a harmless output. In security, a failure should produce a denial.
- They separated the secret (the key) from the mechanism (the design). Open design means the security community can audit the system. A secret mechanism cannot be audited.
- They recognized that human behavior matters. Psychological acceptability acknowledges that security is a human problem as much as a technical one.

### What They Got Wrong or Left Unfinished

- The paper predates distributed systems, the internet, and cloud computing. The principles apply to distributed systems, but Saltzer and Schroeder did not address the specific problems of authentication across networks, key distribution, or Byzantine failures.
- They did not address capabilities or object-capability security. Their model assumes an access control matrix or ACL model. Capability-based systems implement these principles differently — for example, least privilege in a capability system means holding only the capabilities you need, not having a broad identity with restricted permissions.
- They did not provide a method for measuring or verifying whether a system follows the principles. The principles are guidelines, not formal specifications.

### How It Connects to Other Ideas

- **OIP (Open Invocation Protocol).** OIP implements all eight principles: (1) Economy: one dispatch door endpoint. (2) Fail-safe: default is no access; tokens grant explicitly. (3) Complete mediation: every invocation checks the token. (4) Open design: the OIP specification is public. (5) Separation: the owner gate requires both a valid token AND owner approval. (6) Least privilege: tokens are scoped to specific objects. (7) Least common: tenant isolation prevents shared mechanisms between users. (8) Psychological: Tap & Go requires one copy action.
- **Butler Lampson's "Protection."** Lampson (1971) provided the theoretical model of access control matrices and protection domains. Saltzer and Schroeder (1974) extracted the design principles that make those models work in practice. The two papers are complementary: Lampson described the what; Saltzer and Schroeder described the how.
- **Capability-based security.** Capability systems implement least privilege by construction — a process can only use the capabilities it holds. Saltzer and Schroeder's principles are independent of any specific mechanism, but capability-based security is one of the cleanest implementations of them.

### Sources

- Saltzer, J. H. and Schroeder, M. D. "The Protection of Information in Computer Systems." *Proceedings of the IEEE*, Vol. 63, No. 9, pp. 1278–1308, September 1974.

---

## Up the tree

- [OIP root](https://miscsubjects.com/a/oip) — protocol root, zero-context entry
- [Thinker Reference hub](https://miscsubjects.com/a/oip-thinker-reference) — full hierarchy map
- [Thinkers shelf](https://miscsubjects.com/a/oip-thinkers) — siblings on this shelf
- [Voxel graph article](https://miscsubjects.com/a/what-is-voxel-graph) — how pages link as voxels
- [Self-describing protocol](https://miscsubjects.com/a/what-is-self-describing-protocol)

## Related on this shelf

- [Alan Kay — The Big Idea Is Messaging](https://miscsubjects.com/a/thinker-alan-kay)
- [Alfred North Whitehead — Process and Reality](https://miscsubjects.com/a/thinker-alfred-north-whitehead)
- [J.L. Austin and John Searle — Speech Acts](https://miscsubjects.com/a/thinker-austin-searle)
- [Barbara Liskov — Abstract Data Types and Distributed Consensus](https://miscsubjects.com/a/thinker-barbara-liskov)
- [Bram Cohen — BitTorrent and Content-Addressed Protocol Design](https://miscsubjects.com/a/thinker-bram-cohen)
- [Butler Lampson — Protection and Access Control](https://miscsubjects.com/a/thinker-butler-lampson)
- [Carl Hewitt — The Actor Model](https://miscsubjects.com/a/thinker-carl-hewitt)
- [Charles Sanders Peirce — Signs, Abduction, and Pragmatism](https://miscsubjects.com/a/thinker-charles-peirce)

## Machine surfaces

- Public page: `https://miscsubjects.com/a/thinker-saltzer-schroeder`
- JSON article: `https://miscsubjects.com/api/articles/thinker-saltzer-schroeder`
- OIP ask: `https://miscsubjects.com/api/dispatch?ask=Jerome%20Saltzer%20and%20Michael%20Schroeder%20%E2%80%94%20The%20Protection%20of%20Information%20in%20Computer%20Systems`


## Claims (0)


## Voxel graph (0 atoms · 0 edges)
- full graph: https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/voxels

## Article constitution

- full: https://miscsubjects.com/api/articles/constitution

## Source ledger (0)
- chain valid: yes · head: `genesis`

## Provenance (1 model passes)
- chain valid: yes · head: `f51632ab71d703c1`

- write · kimi-agent-import · 2026-07-15T04:20 · hash `f51632ab71d7`

## Question graph
- questions: 0 · evidence ingests: 0

## LLM manifest — how to communicate with this ledger

- system map: https://miscsubjects.com/api/articles/system-map?format=markdown
- topology (ranked): https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/topology
- ingest: POST https://miscsubjects.com/api/protocol/ingest
- claim: POST https://miscsubjects.com/api/protocol/claim

### Quick actions for this article
- **Read live:** https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/topology
- **Ask (API):** POST https://miscsubjects.com/api/protocol/ask `{"slug":"thinker-saltzer-schroeder","question":"..."}`
- **Ingest your findings:** POST https://miscsubjects.com/api/protocol/ingest or text `ingest thinker-saltzer-schroeder|your evidence`
- **Post one claim:** POST https://miscsubjects.com/api/protocol/claim or text `claim thinker-saltzer-schroeder|tier|assertion`
- **iMessage ask:** `thinker-saltzer-schroeder|your question`
- **System map:** https://miscsubjects.com/api/articles/system-map?format=markdown


---

## §SELF — miscsubjects portable reference

**Principle:** Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.

**This widget:** `system_map` — **System map**
Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **article slug:** `thinker-saltzer-schroeder`
- **contains:** body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest
- **how to use:** Root index of every miscsubjects article-ledger feature. Start here if you have zero context.
- **read:** https://miscsubjects.com/api/articles/system-map

### Logical proof (verify each step)
1. Articles are voxel graphs of tiered claims, not prose blobs. → https://miscsubjects.com/api/articles/constitution
2. Claims link to hash-chained sources via source_ids. → https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/sources
3. Ask reads topology; ingest/claim append to ledger. → https://miscsubjects.com/api/protocol
4. Models queue growth: populate → collaborate → repair → reflex. → https://miscsubjects.com/api/protocol/grow
5. Graph proves its own shape (reflex) and $/claim (yield). → https://miscsubjects.com/graph.html?layer=reflex
6. Full feature index + _explain on every API response. → https://miscsubjects.com/api/articles/system-map

### Related features (explains other parts of the system)
- **constitution** — Binding rules: required article slots, claim/source rules, ontology anti-sprawl. · https://miscsubjects.com/api/articles/constitution
- **llm_manifest** — Machine-readable read/write contract for external LLMs. · https://miscsubjects.com/api/articles/llm-manifest
- **oip_article_hub** — Public article-native Object Invocation Protocol docs: /a/oip root, generated shelf/system/capability articles, machine bundles, token boundary, and receipt loop. · https://miscsubjects.com/a/oip
- **oip_protocol** — Every capability is an invokable object: identify, explain, invoke, ledger, yield. · https://miscsubjects.com/a/oip
- **bundle** — Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution. · https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/bundle?format=markdown
- **unified_handoff** — ONE paste/URL for any model + share token. Same self-explaining pattern as article bundle, but whole build. · https://miscsubjects.com/api/handoff?format=markdown

### Full index
- JSON: https://miscsubjects.com/api/articles/system-map
- Markdown: https://miscsubjects.com/api/articles/system-map?format=markdown

*Not medical advice. Tier-honest. Cite claim/source ids.*