Saltzer's and Schroeder's Design Principles

Principle of Economy of Mechanism

The protection mechanism should have a simple and small design.

Principle of Fail-safe Defaults

The protection mechanism should deny access by default, and grant access only when explicit permission exists.

Principle of Complete Mediation

The protection mechanism should check every access to every object.

Principle of Open Design

The protection mechanism should not depend on attackers being ignorant of its design to succeed. It may however be based on the attacker's ignorance of specific information such as passwords or cipher keys.

Principle of Separation of Privilege

The protection mechanism should grant access based on more than one piece of information.

Principle of Least Privilege

The protection mechanism should force every process to operate with the minimum privileges needed to perform its task.

Principle of Least Common Mechanism

The protection mechanism should be shared as little as possible among users.

Principle of Psychological Acceptability

The protection mechanism should be easy to use (at least as easy as not using it).

Matt Bishop Office: 3059 Engineering Unit II Phone: +1 (530) 752-8060 Fax: +1 (530) 752-4767 Email: bishop@cs.ucdavis.edu

Copyright Matt Bishop, 2000. All federal and state copyrights reserved for all original material presented in this course through any medium, including lecture or print.