Secureum Book
  • 🛡️Secureum Bootcamp
    • 🛡️Secureum Bootcamp
    • 🙌Participate
    • 📜History
  • 📚LEARN
    • Introduction
      • 🔷1. Ethereum Basics
        • 1.1 Ethereum: Concept, Infrastructure & Purpose
        • 1.2 Properties of the Ethereum Infrastructure
        • 1.3 Ethereum vs. Bitcoin
        • 1.4 Ethereum Core Components
        • 1.5 Gas Metering: Solving the Halting Problem
        • 1.6 web2 vs. web3: The Paradigm Shift
        • 1.7 Decentralization
        • 1.8 Cryptography, Digital Signature & Keys
        • 1.9 Ethereum State & Account Types
        • 1.10 Transactions: Properties & Components
        • 1.11 Contract Creation
        • 1.12 Transactions, Messages & Blockchain
        • 1.13 EVM (Ethereum Virtual Machine) in Depth
        • 1.14 Transaction Reverts & Data
        • 1.15 Block Explorer
        • 1.16 Mainnet & Testnets
        • 1.17 ERCs & EIPs
        • 1.18 Legal Aspects in web3: Pseudonymity & DAOs
        • 1.19 Security in web3
        • 1.20 web2 Timescales vs. web3 Timescales
        • 1.21 Test-in-Prod. SSLDC vs. Audits
        • Summary: 101 Keypoints
      • 🌀2. Solidity
        • 2.1 Solidity: Influence, Features & Layout
        • 2.2 SPDX & Pragmas
        • 2.3 Imports
        • 2.4 Comments & NatSpec
        • 2.5 Smart Contracts
        • 2.6 State Variables: Definition, Visibility & Mutability
        • 2.7 Data Location
        • 2.8 Functions
        • 2.9 Events
        • 2.10 Solidity Typing
        • 2.11 Solidity Variables
        • 2.12 Address Type
        • 2.13 Conversions
        • 2.14 Keywords & Shorthand Operators
        • 2.15 Solidity Units
        • 2.16 Block & Transaction Properties
        • 2.17 ABI Encoding & Decoding
        • 2.18 Error Handling
        • 2.19 Mathematical & Cryptographic Functions
        • 2.20 Control Structures
        • 2.21 Style & Conventions
        • 2.22 Inheritance
        • 2.23 EVM Storage
        • 2.24 EVM Memory
        • 2.25 Inline Assembly
        • 2.26 Solidity Version Changes
        • 2.27 Security Checks
        • 2.28 OpenZeppelin Libraries
        • 2.29 DAppSys Libraries
        • 2.30 Important Protocols
        • Summary: 201 Keypoints
      • 🔏3. Security Pitfalls & Best Practices
        • 3.1 Solidity Versions
        • 3.2 Access Control
        • 3.3 Modifiers
        • 3.4 Constructor
        • 3.5 Delegatecall
        • 3.6 Reentrancy
        • 3.7 Private Data
        • 3.8 PRNG & Time
        • 3.9 Math & Logic
        • 3.10 Transaction Order Dependence
        • 3.11 ecrecover
        • 3.12 Unexpected Returns
        • 3.13 Ether Accounting
        • 3.14 Transaction Checks
        • 3.15 Delete Mappings
        • 3.16 State Modification
        • 3.17 Shadowing & Pre-declaration
        • 3.18 Gas & Costs
        • 3.19 Events
        • 3.20 Unary Expressions
        • 3.21 Addresses
        • 3.22 Assertions
        • 3.23 Keywords
        • 3.24 Visibility
        • 3.25 Inheritance
        • 3.26 Reference Parameters
        • 3.27 Arbitrary Jumps
        • 3.28 Hash Collisions & Byte Level Issues
        • 3.29 Unicode RTLO
        • 3.30 Variables
        • 3.31 Pointers
        • 3.32 Out-of-range Enum
        • 3.33 Dead Code & Redundant Statements
        • 3.34 Compiler Bugs
        • 3.35 Proxy Pitfalls
        • 3.36 Token Pitfalls
        • 3.37 Special Token Pitfalls
        • 3.38 Guarded Launch Pitfalls
        • 3.39 System Pitfalls
        • 3.40 Access Control Pitfalls
        • 3.41 Testing, Unused & Redundand Code
        • 3.42 Handling Ether
        • 3.43 Application Logic Pitfalls
        • 3.44 Saltzer & Schroeder's Design Principles
        • Summary: 201 Keypoints
      • 🗜️4. Audit Techniques & Tools
        • 4.1 Audit
        • 4.2 Analysis Techniques
        • 4.3 Specification, Documentation & Testing
        • 4.4 False Positives & Negatives
        • 4.5 Security Tools
        • 4.6 Audit Process
        • Summary: 101 Keypoints
      • ☝️5. Audit Findings
        • 5.1 Criticals
        • 5.2 Highs
        • 5.3 Mediums
        • 5.4 Lows
        • 5.5 Informationals
        • Summary: 201 Keypoints
  • 🌱CARE
    • CARE
      • CARE Reports
  • 🚩CTFs
    • A-MAZE-X CTFs
      • Secureum A-MAZE-X
      • Secureum A-MAZE-X Stanford
      • Secureum A-MAZE-X Maison de la Chimie Paris
Powered by GitBook
On this page
  • Principle 1
  • Principle 2
  • Principle 3
  • Principle 4
  • Principle 5
  • Principle 6
  • Principle 7
  • Principle 8
  • Principle 9
  • Principle 10
  1. LEARN
  2. Introduction
  3. 3. Security Pitfalls & Best Practices

3.44 Saltzer & Schroeder's Design Principles

We will now discuss the 10 principles from Saltzer and Schroeder's secure design principles, which were proposed by them in 1975 and have been widely cited and used in various aspects of information security ever since.

Principle 1

The first one is that of least privilege which states that every program and every user of the system should operate using the least set of privileges necessary to complete the job which means that we should ensure that various system actors have the least amount of privilege granted as required by their roles to execute their specific tasks. Because granting excess privilege that what is absolutely required is prone to misuse or abuse when trusted actors misbehave or their access is hijacked by malicious entities privileges. Therefore should be need-based.

Principle 2

The second principle is about separation of privileges which states that where feasible a protection mechanism that requires two keys to unlock it is more robust and flexible than one that allows access to the presenter of only a single key.

This means that we should ensure critical privileges are separated across multiple actors, so that, there are no single points of failure or abuse. A good example of this is the use of a multisigs address versus an EOA for privileged actors such as contract Owner, admin or governance who control key contract functionalities such as pause and pause shutdown, emergency fund, drain, upgradability of contracts, allow, deny lists and critical parameters.

The multisig address should be composed of entities that are different and mutually distrusting or verifying because such a privilege separation prevents single points of failure.

Principle 3

The third principle is that of least common mechanism. Which states that we should minimize the amount of mechanism common to more than one user and depended on by all users.

This means that we should ensure that only the least number of security critical modules or paths as required, are shared amongst the different actors of code, so that impact from any vulnerability or compromise and shared components is limited and contained to the smallest possible subset.

In other words common points or parts of failure are minimized, there are pros and cons of this approach that need to be made in depending on the context.

Principle 4

The fourth principle is that of fail-safe defaults which states that we need to base access decisions on permission rather than exclusion, so we need to ensure that variables or permissions are initialized to fail-safe default values which deny access by default, but can later be made more inclusive or permissive, if and when necessary.

Instead of opening up the system to everyone by default which may include untrusted actors. We have discussed this in the context of guarded launch for assets actors and actions. Such fail-safe initial defaults could apply to function visibility critical parameter, initializations and permissions of assets actors and actions, there are again pros and cons of this approach that need to be considered as it applies to open or closed systems given the emphasis of web3 on aspects of openness permissionless participation and composability among other things.

Principle 5

The fifth principle is that of complete mediation which states that every access to every object must be checked for authority. Which means that we should ensure that any required access control is enforced along all access paths to the object or function being protected. Examples are missing modifiers, permissive visibility or missing authorization flows. Complete mediation, therefore requires access control enforcement on every asset after action along all paths and at all times.

Principle 6

The sixth principle is that of economy of mechanism, which says keep the design as simple and small as possible. Which in this context can be applied to ensure that contracts and functions are not overly complex or large, so as to reduce readability maintainability or even auditability. This embodies the keep it simple and stupid or KISS Principle in some ways because complexity typically leads to insecurity and hence should be kept as low as possible.

Principle 7

The seventh principle is that of open design which states that the design should not be secret. This is especially relevant to the web3 space as we have discussed earlier because smart contracts are expected to be open-sourced, verified and accessible to everyone for permissionless participation and composability. Security by obscurity of code or underlying algorithms is not an option. Security should be derived from the strength of the design and implementation under the assumption that Byzantine attackers will study their details and try to exploit them in arbitrary ways.

Principle 8

The eighth principle is that of psychological acceptability which states that it is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Which in our context means that we need to ensure that security aspects of smart contract interfaces and system designs flows are human friendly and in queue them, so that we can program them or use them with ease and with minimal risk. This is a significant challenge in the web3 space today where, there is a lot of early and experimental software undergoing rapid changes, but something to be kept in mind from a security perspective as things evolve and systems get more mass adoption.

Principle 9

The ninth principle is work factor, which recommends to compare the cost of circumventing the mechanism with the resources of a potential attacker. Which is very relevant and perhaps at an extreme in the case of smart contracts in web3 because given the magnitude of value managed by smart contracts it is safe to assume that Byzantine attackers will risk the greatest amounts of the resources possible across intellectual social and financial capital to support such systems. And given the general state of current smart contracts the cost of circumventing is not very high, relative to hardened software or systems in the Web2 space for various reasons that we have discussed earlier.

The rewards from exploiting them are in tens or even hundreds of millions of dollars in some cases, so the risk versus reward is extremely skewed here. Therefore the mitigation mechanisms must appropriately factor in the highest levels of threat and risk.

Principle 10

The final tenth principle is about compromise recording which states that mechanisms that reliably record that a compromise of information has occurred can be used in place of more elaborate mechanisms that completely prevent loss.

One way to interpret this is to say that achieving improving bug-free code is theoretically and practically impossible for real world smart contracts. Therefore one should strive for the best in performing all security due diligence and reduce the attack surface as much as possible. While in the same time, anticipate residual risk to exist in the deployed system. Anticipate that there will be potential incidents that exploit them and therefore have an instant response plan ready for that.

For doing that we can ensure that smart contracts and their accompanying operational infrastructure can be monitored and analyzed at all times for minimizing loss from any compromise due to vulnerabilities and exploits. As a concrete example critical operations in contracts should emit events to facilitate off-chain monitoring at runtime, where the available monitoring tools are used on smart contracts of interest to analyze not only such events, but also transactions interacting with them their Side-effects and potential security impacts.

Previous3.43 Application Logic PitfallsNextSummary: 201 Keypoints

Last updated 1 year ago

📚
🔏