{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_topology","feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","contains":"claims, sources, anecdotes, question_graph slice","slug":"thinker-saltzer-schroeder","urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/topology"},"how_to_use":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"graph_topology","name":"Cross-article graph","what":"Merged claims/sources across condition+stack slugs for one question.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/graph-topology?question=..."}},{"id":"question_graph","name":"Question graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output).","urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/question-graph","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/voxels","write":"https://miscsubjects.com/api/protocol/claim"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","why":"Every feature is auditable collective intelligence","how":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/thinker-saltzer-schroeder/topology"},"imessage":null,"router":null,"related":[{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"graph_topology","what":"Merged claims/sources across condition+stack slugs for one question."},{"id":"question_graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output)."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."}],"not_medical_advice":true},"slug":"thinker-saltzer-schroeder","title":"Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems","register":"standard","tags":["oip","kimi-import","self-explaining","voxel","thinkers","thinker-saltzer-schroeder"],"updated_at":"2026-07-15T04:20:46.587Z","body_excerpt":"<!-- hierarchy:nav -->\n> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Thinkers](https://miscsubjects.com/a/oip-thinkers) › **Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems**\n>\n> **Shelf:** Thinkers · **Traversal:** self-explaining · hierarchical · voxel-ready\n> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)\n\n# Jerome Saltzer and Michael Schroeder — The Protection of Information in Computer Systems\n\n## §SELF — thinker-saltzer-schroeder\n\n**What this page is:** A summary of the eight security design principles defined by Saltzer and Schroeder in their 1974 paper.\n**What it explains:** How to design a computer system so that it protects information by default, and why eight specific principles make the difference between a secure system and an insecure one.\n**Why read it:** To understand the rules that every secure system follows, and to see how a single paper written in 1974 still defines security architecture today.\n\n### What Saltzer and Schroeder Is\n\nJerome Saltzer (born 1939) is a computer scientist at MIT. Michael Schroeder is a computer scientist at Xerox PARC and later at DEC Systems Research Center. In 1974 they published \"The Protection of Information in Computer Systems\" in the *Proceedings of the IEEE*. This paper is the most cited publication in the field of computer security. It lists eight design principles for building systems that protect information from unauthorized access.\n\n### Why It Matters\n\nEvery security breach that makes the news happens because one or more of these eight principles was violated. When a system defaults to allowing access, that is a violation of fail-safe defaults. When a system checks permission once and never again, that is a violation of complete mediation. When a system's security depends on keeping its source code secret, that is a violation of open design. Saltzer and Schroeder did not invent these principles out of nothing — they extracted them from studying which systems failed and which systems survived. Their paper is a checklist. Violate it at your own risk.\n\n### The Key Idea\n\nSecurity is not a feature you add to a system after you build it. Security is a property of how the system is designed. Saltzer and Schroeder distilled this into eight principles:\n\n1. **Economy of mechanism.** The security mechanism should be as simple and small as possible. A small mechanism has fewer bugs, is easier to verify, and is easier to understand. Complexity is the enemy of security.\n2. **Fail-safe defaults.** The default state of the system should be \"no access.\" Access should be granted only by explicit permission. If the permission check fails or is missing, the result should be denial, not access.\n3. **Complete mediation.** Every access to every resource must be checked for authorization. Not just the first access. Every access. If a program checks permission on Monday and never checks again, an attacker who gains access on Tuesday wins.\n4. **Open design.** The security of the system should not depend on the secrecy of its design or implementation. The design should be public. The keys should be secret, not the mechanism. This is the opposite of \"security through obscurity.\"\n5. **Separation of privilege.** Access to a sensitive resource should require more than one condition. For example, a bank vault should require two keys held by different people. A single compromised credential should not be enough.\n6. **Least privilege.** Every program and every user should operate using the minimum permissions needed to complete their task. No more. If a program is compromised while holding excess permissions, the attacker gets those excess permissions too.\n7. **Least common mechanism.** Minimize the amount of mechanism shared by different users. Shared mechanisms are single points o","ranking":"safety-first (interaction_risk/limitations), then quote-gated effective_weight","claims":[],"sources":[],"anecdotal_sources":[],"scientific_sources":[],"user_reports":[],"related_articles":[],"question_graph":{"slug":"thinker-saltzer-schroeder","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"honesty":{"active_claims":0,"retracted_claims":0,"cut_claims":0,"challenges":0,"scrub_events":0,"note":"Retracted/cut claims stay on ledger but are excluded from ask unless ?include_inactive=1"},"counts":{"claims":0,"claims_total":0,"sources":0,"anecdotal":0,"scientific":0,"user_reports":0,"questions":0,"evidence_ingests":0}}