Adding the responsibility for security enforcement to the already overloaded (as it performs multiple jobs and it a complex software) operating system substantially increases the difficulty of designing an operating system. Further good software engineering principles enumerate that it is better to design the security in at the beginning. A modern-day operating system supports both sharing and separating user domains.
Trusted System Design Elements: An operating system controls the interaction between subjects and objects hence security must be considered in every aspect of its design.

  1. It must include definitions how every object is to be protected and which subjects have access to it. There must be a clear mapping from the security requirements (objects vs subjects) to guide developers. System should be periodically checked during design to check the degree of security that it was supposed to enforce and what has been designed correctly.
  2. As the security appears in every part of an operating system hence its design and cannot be left vague until the rest of the system is working and tested. It is would be very difficult and costly to retrofit security features to the operating system later on.  

Several design principles are quite particular to security and essential for building a solid,
trusted operating system. These principles have been articulated well by Saltzer and Schroeder:

  1. Least privilegeEach user and each program should operate by using the fewest privileges possible. In this way, the damage from an inadvertent or malicious attack is minimized.
  2. Economy of mechanism: The design of the protection system should be small, simple, and straightforward. Such a protection system can be carefully analyzed, exhaustively, tested, perhaps verified, and relied on.
  3. Open design:The protection mechanism must not depend on the ignorance of potential attackers, the mechanism should be public, depending on secrecy of relatively few key items, such as a password table. An open design is also available for extensive public scrutiny, thereby providing independent confirmation of the design security.
  4. Complete mediation:Every access attempt must be checked. Both direct access attempts (requests) and attempts to circumvent the access checking mechanism should be considered, and the mechanism should be positioned so that it cannot be circumvented.
  5. Permission based:The default condition should be denial of access. A conservative designer identifies the items that should be accessible, rather than those that should not.
  6. Separation of privilege:Ideally, access to objects should depend on more than one condition, such as user authentication plus a cryptographic key. In this way, someone who defeats one protection system will not have complete access.
  7. Least common mechanism:Shared objects provide potential channels for information flow. Systems employing physical or logical separation reduce the risk from sharing.
  8. Ease of use:If a protection mechanism is easy to use, it is unlikely to be avoided.

Although these design principles were suggested several decades ago, they are as accurate now as they were when originally written. The principles have been used repeatedly and successfully in the design and implementation of numerous trusted systems. More importantly, when security problems have been found in operating systems in the past, they almost always derive from failure to abide by one or more of these principles.