Design Principles for Security Mechanisms
Falstaff: If I had a thousand sons, the first human principle I would teach them should be, to forswear thin potations and to addict themselves to sack.
The Second Part of King Henry the Fourth, IV, iii, 133136.
Specific design principles underlie the design and implementation of mechanisms for supporting security policies. These principles build on the ideas of simplicity and restriction. This chapter discusses those basic ideas and eight design principles.
Saltzer and Schroeder  describe eight principles for the design and implementation of security mechanisms. The principles draw on the ideas of simplicity and restriction.
Simplicity makes designs and mechanisms easy to understand. More importantly, less can go wrong with simple designs. Minimizing the interaction of system components minimizes the number of sanity checks on data being transmitted from one component to another.
The program sendmail reads configuration data from a binary file. System administrators generated the binary file by "freezing," or compiling, a text version of the configuration file. This created three interfaces: the mechanism used to edit the text file, the mechanism used to freeze the file, and the mechanism sendmail used to read the frozen file. The second interface required manual intervention and was often overlooked. To minimize this problem, sendmail checked that the frozen file was newer than the text file. If not, it warned the user to update the frozen configuration file.
The security problem lies in the assumptions that sendmail made. For example, the compiler would check that a particular option had an integer value. However, sendmail would not recheck; it assumed that the compiler had done the checking. Errors in the compiler checks, or sendmail's assumptions being inconsistent with those of the compiler, could produce security problems. If the compiler allowed the default UID to be a user name (say, daemon with a UID of 1), but sendmail assumed that it was an integer UID, then sendmail would scan the string "daemon" as though it were an integer. Most input routines would recognize that this string is not an integer and would default the return value to 0. Thus, sendmail would deliver mail with the root UID rather than with the desired daemon UID.
Simplicity also reduces the potential for inconsistencies within a policy or set of policies.
A college rule requires any teaching assistant who becomes aware of cheating to report it. A different rule ensures the privacy of student files. A TA contacts a student, pointing out that some files for a program were not submitted. The student tells the TA that the files are in the student's directory, and asks the TA to get the files. The TA does so, and while looking for the files notices two sets, one with names beginning with "x" and the other set not. Unsure of which set to use, the TA takes the first set. The comments show that they were written by a second student. The TA gets the second set, and the comments show that they were written by the first student. On comparing the two sets, the TA notes that they are identical except for the names in the comments. Although concerned about a possible countercharge for violation of privacy, the TA reports the student for cheating. As expected, the student charges the TA with violating his privacy by reading the first set of files. The rules conflict. Which charge or charges should be sustained?
Restriction minimizes the power of an entity. The entity can access only information it needs.
Government officials are denied access to information for which they have no need (the "need to know" policy). They cannot communicate that which they do not know.
Entities can communicate with other entities only when necessary, and in as few (and narrow) ways as possible.
All communications with prisoners are monitored. Prisoners can communicate with people on a list (given to the prison warden) through personal visits or mail, both of which are monitored to prevent the prisoners from receiving contraband such as files for cutting through prison bars or weapons to help them break out. The only exception to the monitoring policy is when prisoners meet with their attorneys. Such communications are privileged and so cannot be monitored.
"Communication" is used in its widest possible sense, including that of imparting information by not communicating.
Bernstein and Woodward, the reporters who broke the Watergate scandal, describe an attempt to receive information from a source without the source directly answering the question. They suggested a scheme in which the source would hang up if the information was inaccurate and remain on the line if the information was accurate. The source remained on the line, confirming the information .