The Protection of Information in Computer Systems

Reference: Jerome H. Saltzer, Michael D. Schroeder (1975). Proceedings of the IEEE, 63(9):1278-1308. Source file: saltzer-schroeder-1975.pdf. URL

Summary

The foundational tutorial on information protection in computer systems, concentrating on the architectural structures (hardware and software) necessary to support protection. Organised as three sections: (I) basic principles, functions and elementary protection/authentication mechanisms; (II) descriptor-based protection architectures and the relation between capability systems and access-control-list systems; (III) state of the art and research projects.

The paper is most remembered for its eight design principles (economy of mechanism, fail-safe defaults, complete mediation, open design, separation of privilege, least privilege, least common mechanism, psychological acceptability). It gives precise definitions for principal, capability (“an unforgeable ticket”), access control list, domain, protected subsystem, confinement, and distinguishes discretionary from nondiscretionary controls. Saltzer and Schroeder frame the tension between capability-oriented (ticket-oriented) and list-oriented systems that still shapes modern access control.

Key Ideas

Three categories of violation: unauthorized information release, unauthorized modification, unauthorized denial of use
Eight design principles for protection mechanisms (least privilege, fail-safe defaults, complete mediation, etc.)
Functional taxonomy: unprotected / all-or-nothing / controlled sharing / user-programmed sharing
Capability (“ticket-oriented”) vs. access-control-list (“list-oriented”) as dual descriptor structures
Protected subsystems as encapsulated domains with controlled entry points
Authentication vs. authorization distinction; the notion of principal as the unit of accountability
Confinement problem: preventing a borrowed program from leaking the data it accesses

Connections

Conceptual Contribution

Claim: Protection is not a bag of techniques but an architectural discipline; a small set of design principles (especially least privilege, fail-safe defaults, complete mediation, economy of mechanism) together with the capability/ACL descriptor abstraction is sufficient to organise the design space of secure systems.
Mechanism: Descriptor-based protection: every access to a protected object passes through a descriptor (capability or ACL entry) managed by a reference monitor. Protected subsystems encapsulate data with domain-specific procedures callable only at designated entry points. Principals are authenticated once; authorization is then mediated per access.
Concepts introduced/used: Principle of Least Authority (least privilege), Capability Security, Object Capability Security, Ambient Authority (as an antipattern), Confused Deputy (implicit in the delegation discussion), access control list, protected subsystem, confinement, complete mediation, fail-safe defaults, separation of privilege, economy of mechanism, psychological acceptability.
Stance: engineering / systems — normative architectural guidance grounded in Multics experience.
Relates to: Provides the vocabulary used by Object Capability Security and Capability Security work (Dennis & Van Horn, Hydra, KeyKOS, EROS, Capsicum). Its least-privilege principle underlies Principle of Least Authority, and its critique of pervasive authority is the ancestor of Ambient Authority and Confused Deputy analyses. The architectural posture prefigures End-to-End Arguments in System Design (Saltzer again) and is philosophically aligned with LangSec’s call for narrow, verifiable interfaces. Fundamental to Distributed Security.

Tags

#security #capabilities #access-control #design-principles #systems

Summary

Saltzer, Reed, and Clark articulate a design principle for layered distributed systems that had long been used but rarely stated explicitly: functions requiring knowledge and action at the endpoints of a communication — such as reliable delivery, integrity checking, encryption, duplicate suppression — cannot be fully and correctly implemented at lower layers. Lower-layer implementations are at best performance optimizations; the end-to-end argument says they cannot substitute for the end-level check.

The canonical example is careful file transfer between two hosts. Even if the communication network offers reliable delivery, threats remain — disk errors at either host, memory corruption during buffering, software bugs in the file-transfer program itself. No amount of reliability layered into the network can defend against these; only an end-to-end checksum computed from the file on disk at host A and verified against the file on disk at host B closes the loop. The paper then iterates the argument through encryption (only the endpoints know the plaintext), duplicate suppression (only the application knows what “duplicate” means at the transaction level), delivery acknowledgements, and crash recovery.

The principle is a design heuristic, not an absolute rule: performance sometimes justifies redundant lower-layer mechanisms (e.g., per-hop error correction in a very noisy link). But it inverts the naïve “make the network as reliable as possible” instinct, provides the intellectual backbone for the Internet’s dumb-network / smart-edges architecture, and underwrites TCP’s placement in the hosts rather than the routers. Its influence extends to REST’s principled avoidance of server-side session state, to security architectures that refuse to trust intermediaries, and to the “fate-sharing” style of protocol design.

Key Ideas

End-to-end argument: a function that must be correct at endpoints cannot be completely implemented below the endpoints.

Lower layers as optimization: partial lower-level help is only a performance enhancement, never a correctness substitute.

Careful file transfer: the worked example — only an end-to-end checksum protects against all failure modes.

Dumb core, smart edges: Internet architecture as the principle’s canonical application.

Encryption placement: true confidentiality requires endpoint encryption; network-level encryption is not enough.

Acknowledgements: application-meaningful acks (e.g., “request served”) require endpoint involvement.

Cost-benefit nuance: redundancy below is justified when error rate or cost of retry makes it worthwhile.

Connections

Principled Design Of The Modern Web Architecture — Fielding’s REST thesis formalizes many end-to-end commitments.

REST

LangSec — input parsing at the application boundary is itself an end-to-end verification.

Actor Model — supervisor-style recovery relies on end-to-end state ownership.

Impossibility of Distributed Consensus with One Faulty Process — endpoints cannot delegate liveness to lower layers either.

The Protection of Information in Computer Systems

Summary

Key Ideas

Connections

Conceptual Contribution

Tags

Backlinks