jump to navigation

Protection of Information in Computer Systems Analysis September 12, 2013

Posted by karlkaluzny in Security.

The tutorial paper titled “The Protection of Information in Computer Systems” by Jerome H. Saltzer and Michael D. Schroeder discusses the subject of protecting computer systems from unauthorized access.  The tutorial is divided into three sections.  Section I describes security functions and design principles and gives high-level descriptions of protection mechanisms.  Section II describes in detail modern (as of the 1970’s) protection mechanisms.  Section III reviews related research projects. [1] It is my opinion that despite the fact that the paper dates back to the 1970’s, the information presented in Section I is still applicable today.  In the following paragraphs, I will briefly present the information which I think is especially applicable.  I will also provide an example from my own experience where I used a protection mechanism as described in Section I as part of a school project.

Certainly a difference in computer usage today as compared to the date of this tutorial paper’s composition is that usage has increased.  There are more computers and more people are using and sharing them.  I think that this makes the information presented in the tutorial paper still applicable today.  In the first section of the paper, it is stated that “The key concern in this paper is multiple use.”[1] The protection mechanisms described in the paper are intended to address situations of multiple use and thus are applicable to today’s environment.

Section I also presents generic principles which should be employed when designing and implementing a protection mechanism.  For example, the tutorial paper presents eight design principles which should be followed when using a protection mechanism.  The eight principles along with a short description of each are presented below.  The descriptions are taken from [1].  Each of these design practices are useful and apply today.

  1. Economy of mechanism – Keep the design as simple and as small as possible.
  2. Fail-safe defaults – Base access decisions on permission rather than exclusion.
  3. Complete mediation – Every access to every object must be checked for authority.
  4. Open design – the design should not be a secret.
  5. Separation of privilege – Where feasible, a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.
  6. Least privilege – Every program and every user of the system should operate using the least set of privileges necessary to complete the job.
  7. Least common mechanism – Minimize the amount of mechanism common to more than one user and depended on by all users.
  8. Psychological acceptability – It is essential that the human interface be designed for ease of use so that users routinely and automatically apply the protection mechanisms correctly.

Additionally in Section I, models of protection mechanisms are described.  For example, a multiuser system is described in which each user is completely isolated from the others.  The basic idea behind this method was to use the concept of virtual processors.  This means that a single processor with a linearly addressed memory system is used to simulate multiple virtual processors.  Each of the processors is oblivious to the existence of the others.  This is carried out through the use of a descriptor register.  Each virtual processor has a descriptor register which contains two components (a base value and a bound value) which dictate where in memory that particular processor has access.  The descriptor registers are protected from being modified by using what is called a privileged state bit.  In theory only a supervisor program will operate in privileged mode (the privileged state bit equal to ON) and thus can modify the descriptor register.

I gained experience using a similar architecture during an undergrad course that I took at Grand Valley State University.  For the course, titled Microcontroller Applications, it was required of the students to complete a course project.  The course project was to code a multi-threaded, preemptive, interrupt driven operating system for a Texas Instruments ARM cortex processor.  In order to create the multi-threaded environment, we used the principle of the descriptor register and the privileged state bit.  The descriptor register was used to set up separate memory access for each thread.  The privileged state bit was used to only allow the supervisor to make system changes.

I think this is a good example of how the information presented in the tutorial paper still applies today.  Has anyone also gained experience using the protection mechanisms as described in the paper as I have?


[1] Saltzer, Jerome H. and Schroeder, Michael D. The Protection of Information in Computer Systems



No comments yet — be the first.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: