The secure design principles of Saltzer and Schroeder
Plagiarized from https://sites.psu.edu/thedeepweb/2015/09/17/captain-crunch-and-his-toy-whistle/
Vulnerability vs. exploit
Vulnerability: A condition where there is a reachable state in which a security property is violated.
Exploit: The sequence of steps the attacker carries out to reach that state.
Process?
[Diagram: Kernel above Process 1, Process 2 and Process 3, above Hardware. Caption: processes are separated by virtual memory and access system resources via system calls.]
Local exploit
[Diagram: same Kernel / Process 1, 2, 3 / Hardware layout, captioned "Privilege escalation".]
Remote exploit across a network
[Diagram: same Kernel / Process 1, 2, 3 / Hardware layout, captioned "Remote shell".]
[Diagram: same Kernel / Process 1, 2, 3 / Hardware layout, uncaptioned.]
What is a vulnerability?
● Management information stored in-band with regular information?
● Programming the weird machine?
● A failure to properly sanitize inputs?
Remember: Information only has meaning in that it is subject to interpretation.
(Also, information is inherently physical.)
(Also, the only laws on the Internet are assembly and RFCs.)
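The first bullet above (management information carried in-band with the data it describes) and the "subject to interpretation" reminder are easiest to see with two parsers for the same payload. The following is an added example, not code from the slides: a constructed toy record format whose field separators travel in-band, beside a length-prefixed variant where the separators (the management information) live out of band. The record contents, the format names and every function here are assumptions made for the illustration.

```python
"""Added example (not from the slides): the same bytes mean different things
depending on which parser interprets them.  A record format that keeps its
management information (field boundaries) in-band with user data can be
confused by data that merely looks like a boundary; a length-prefixed format
keeps the management information out of band, so data bytes are never
interpreted as structure."""


def encode_inband(fields):
    # Constructed toy format: fields separated by ';', key and value by '='.
    # The separators are management information carried in-band with the data.
    return ";".join(f"{k}={v}" for k, v in fields.items())


def decode_inband(data):
    # Splits on the separators wherever they occur, including inside a value.
    result = {}
    for item in data.split(";"):
        if not item:
            continue
        key, _, value = item.partition("=")
        result[key] = value
    return result


def encode_outofband(fields):
    # Length-prefixed: "<len>:<key><len>:<value>" per field.  The lengths are
    # the management information and sit outside the bytes they describe.
    return "".join(f"{len(k)}:{k}{len(v)}:{v}" for k, v in fields.items())


def decode_outofband(data):
    # Reads each item by its declared length; the bytes inside an item are
    # never inspected for structure, so ';' or '=' in a value is just data.
    result = {}
    pos = 0

    def read_item():
        nonlocal pos
        colon = data.index(":", pos)            # ValueError if no length prefix
        length = int(data[pos:colon])           # ValueError if not a number
        start, end = colon + 1, colon + 1 + length
        if end > len(data):
            raise ValueError("truncated record")
        pos = end
        return data[start:end]

    while pos < len(data):
        key = read_item()
        value = read_item()
        result[key] = value
    return result


def decode_or_none(data):
    # Fail-safe wrapper: a malformed or truncated record yields no fields at
    # all rather than a partial, possibly misleading, result.
    try:
        return decode_outofband(data)
    except ValueError:
        return None


# Constructed input: a free-text value that happens to contain the in-band
# separators.  The writer meant one "comment" field with an odd value.
RECORD = {"user": "alice", "comment": "hi;role=admin"}


def roundtrip_inband():
    # The in-band parser invents a third field, "role", that nobody wrote.
    return decode_inband(encode_inband(RECORD))


def roundtrip_outofband():
    # The out-of-band parser returns exactly the two fields that were encoded.
    return decode_outofband(encode_outofband(RECORD))


if __name__ == "__main__":
    print("in-band     :", roundtrip_inband())
    print("out-of-band :", roundtrip_outofband())
    print("truncated   :", decode_or_none("4:user5:ali"))
```

Neither parser is "wrong" in isolation; the vulnerability is the mismatch between what the writer of the record meant and what the reader's parser interprets, which is exactly why the in-band design is the one to avoid.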
Saltzer and Schroeder's secure design principles
● Originally published in 1973
● Amazingly prescient
● There's a cool Star Wars version online, but not everyone has seen Star Wars…
Economy of mechanism
● "Keep the design as simple and small as possible"
Fail-safe defaults
● "Base access decisions on permission rather than exclusion"
Complete mediation
● "Every access to every object must be checked for authority"
Open design
● “The design should not be secret.”
Separation of privilege
● "a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key"
Least privilege
● "Every program and every user of the system should operate using the least set of privileges necessary to complete the job"
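Fail-safe defaults, complete mediation, separation of privilege and least privilege all show up in a single reference monitor, so here is one added example (not from the slides, and not any real system's API) that applies the four principles together. The ReferenceMonitor class, the Principal type, the policy table, the object names and the two-approver rule are all constructed for the illustration.

```python
"""Added example (not from the slides): a small reference monitor that applies
four Saltzer and Schroeder principles.  Every name here is a constructed
illustration, not a real system's API."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    # Least privilege: the rights this particular process or session actually
    # holds, which may be a strict subset of what policy would allow its owner.
    rights: frozenset = frozenset()


class ReferenceMonitor:
    def __init__(self, policy, two_key_actions=()):
        # policy: {(principal_name, object_name): {permitted actions}}
        # Copied so revocations do not leak into the caller's table.
        self._policy = {key: set(acts) for key, acts in policy.items()}
        # Separation of privilege: these actions need two distinct approvers.
        self._two_key = set(two_key_actions)
        self.log = []

    def check(self, principal, obj, action, approvers=()):
        # Complete mediation: every request is evaluated against current
        # policy; no earlier "allow" is cached, so a revocation takes effect
        # on the very next call.
        # Fail-safe defaults: the only way to get True is an explicit grant
        # in the policy AND in the principal's own rights; anything unlisted
        # falls through to deny.
        granted = self._policy.get((principal.name, obj), set())
        effective = granted & principal.rights        # least privilege ceiling
        allowed = action in effective
        if allowed and action in self._two_key:
            # Two keys: at least two distinct approvers, neither the requester.
            distinct = {a.name for a in approvers} - {principal.name}
            allowed = len(distinct) >= 2
        self.log.append((principal.name, obj, action, allowed))
        return allowed

    def revoke(self, principal_name, obj, action):
        self._policy.get((principal_name, obj), set()).discard(action)


# Constructed policy table for the demonstration.
POLICY = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("ops", "backup"): {"restore"},
}


def demo():
    monitor = ReferenceMonitor(POLICY, two_key_actions={"restore"})
    alice = Principal("alice", frozenset({"read", "write"}))
    # Least privilege: the reporting job only needs read, so it runs as a
    # principal holding only "read" even though policy would allow write.
    alice_report = Principal("alice", frozenset({"read"}))
    bob = Principal("bob", frozenset({"read"}))
    carol = Principal("carol", frozenset({"read"}))   # not in the policy
    ops = Principal("ops", frozenset({"restore"}))
    results = {
        "alice_write": monitor.check(alice, "payroll.db", "write"),
        "alice_report_write": monitor.check(alice_report, "payroll.db", "write"),
        "bob_write": monitor.check(bob, "payroll.db", "write"),
        "carol_read": monitor.check(carol, "payroll.db", "read"),
        "restore_one_key": monitor.check(ops, "backup", "restore", approvers=[alice]),
        "restore_two_keys": monitor.check(ops, "backup", "restore", approvers=[alice, bob]),
    }
    monitor.revoke("alice", "payroll.db", "write")
    results["alice_write_after_revoke"] = monitor.check(alice, "payroll.db", "write")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:26} -> {'allow' if outcome else 'deny'}")
```

The design choice worth noticing is that `check` never consults anything but the current policy and the caller's current rights: there is no "already authorised" flag on the principal, which is what makes revocation reliable and keeps the default answer "deny" whenever the policy is silent.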
Least common mechanism
● "Minimize the amount of mechanism common to more than one user and depended on by all users"
Plagiarized from http://i.imgur.com/uWIXA.png
Psychological acceptability
● "It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly"
Resources
● http://www.cs.virginia.edu/~evans/cs551/saltzer/
● http://emergentchaos.com/the-security-principles-of-saltzer-and-schroeder
● Matt Bishop's Computer Security: Art and Practice
● http://langsec.org/
● Gray Hat Hacking, 4th Edition by Harper et al.
● phrack.org
Examples (this is my cheat sheet)
● LSASS, DACLs
● WebCT
● AS-400
● Voting machines
● Tor directory servers
● IIS in kernel
● Linking and loading
● Safety numbers