Saltzer and Schroeder Principles
The Protection of Information in Computer Systems. Saltzer and Schroeder, Communications of the ACM 17, 7 (July 1974).
This paper is a masterpiece.
In practice, producing a system at any level of functionality ... that actually does prevent all ... unauthorized acts has proved to be extremely difficult. ... Even in systems designed and implemented with security as an important objective, design and implementation flaws provide paths that circumvent the intended access constraints. Design and construction techniques that systematically exclude flaws are the topic of much research activity, but no complete method applicable to the construction of large general-purpose systems exists yet....
In the absence of such methodical techniques, experience has provided some useful principles that can guide the design and contribute to an implementation without security flaws. Here are eight examples of design principles that apply particularly to protection mechanisms.
I encourage everyone to read Section I-A-3: Design principles.
Design principle 'C' is the core of access control today:
Complete mediation: Every access to every object must be checked for authority.
Design principle 'F' is an essential tool for understanding many topics in cybersecurity:
Least privilege: Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
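As an added illustration of the complete mediation principle (example code, not from the paper or from the course): a toy reference monitor that re-checks authority on every access, beside a variant that caches its first decision and therefore keeps granting access after the right has been revoked. All names (MediatedStore, CachingStore, "alice", "notes.txt") are invented.

```python
# Added example (not from the paper; all names constructed): a toy reference
# monitor. Access rights live in a plain set of (subject, object, right)
# triples, which stands in for the system's current policy.

class MediatedStore:
    """Complete mediation: every read and write re-checks the policy."""
    def __init__(self, grants):
        self.grants = grants      # shared, mutable policy
        self.objects = {}

    def check(self, subject, obj, right):
        if (subject, obj, right) not in self.grants:
            raise PermissionError(f"{subject} may not {right} {obj}")

    def write(self, subject, obj, data):
        self.check(subject, obj, "write")
        self.objects[obj] = data

    def read(self, subject, obj):
        self.check(subject, obj, "read")
        return self.objects[obj]


class CachingStore(MediatedStore):
    """Breaks complete mediation: the first decision is remembered, so a
    revocation made after that decision is never noticed."""
    def __init__(self, grants):
        super().__init__(grants)
        self.cache = {}

    def check(self, subject, obj, right):
        key = (subject, obj, right)
        if key not in self.cache:
            self.cache[key] = key in self.grants   # stale from now on
        if not self.cache[key]:
            raise PermissionError(f"{subject} may not {right} {obj}")


def revocation_enforced(store_cls):
    """Grant, use, revoke, use again; True if the post-revocation read fails."""
    grants = {("alice", "notes.txt", "read"), ("alice", "notes.txt", "write")}
    store = store_cls(grants)
    store.write("alice", "notes.txt", "constructed sample content")
    store.read("alice", "notes.txt")             # permitted while granted
    grants.discard(("alice", "notes.txt", "read"))
    try:
        store.read("alice", "notes.txt")         # must now be refused
    except PermissionError:
        return True
    return False
```

Only the store that consults the policy on every access refuses the read after revocation; the caching variant answers from its stale decision.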
50 years later
A superstar team of security and privacy experts published in January 2024 an extremely insightful paper analyzing (and strongly criticizing) a technology that many police and intelligence agencies around the world advocate for combating crime.
They built many of their criticisms precisely on the fact that the proposed technology conflicts with several of the design principles of Saltzer and Schroeder (first subsection of "CSS cannot be deployed safely").
Bugs in our pockets: the risks of client-side scanning. Journal of Cybersecurity, January 2024.
Several other topics covered in our course are mentioned in their analysis. It is also a wonderful read for anyone interested in privacy.