From: James Welle (jwelle_at_Exchange.Microsoft.com)
Date: Wed Jan 07 2004 - 08:26:52 PST
This paper describes in detail the security mechanisms of
Multics. A lot of the ideas regarding security presented in this paper
are still prevalent in computing today.

Multics was a very sophisticated operating system in terms of
security. Many of today's mainstream operating systems do not have
security as strong as that found in Multics. In fact, the second level
of Multics security is implemented mostly in hardware, something that
Microsoft and others are only investigating today for desktop computer
systems.

The design principles presented initially in this paper are
still applicable today, and yet Microsoft hasn't really followed these
principles. Permission is denied by default, the security mechanisms are
very open and available for review, and all processes run with least
privilege. These are all standards that Microsoft is starting to adhere
to today, given all the security problems of late.

The first level of security of Multics is centered on access
control lists. These lists permit or deny access to segments. A segment
is just a unit of storage. Access can be denied or granted to a user,
project, or compartment in the system. Different modes of access (read,
write, execute) are also supported by the system. The second level of
security is centered on descriptors, which live in memory. Every process
has a set of descriptors that contain the locations of segments in
storage and also whether or not the process has access to that segment.
The descriptor also has the ability to protect subsystems which are
accessible through the segment. These are called "gates" and can be
enforced in hardware. The paper finishes with a list of weaknesses of
the system. All of the reasons for taking security shortcuts (time
constraints, performance, and lack of understanding) are still big
problems today.

I found the idea of "traps" very appealing. Today, some systems
allow a parent to control the hours of the day his/her child can access
the Internet or some other resource, which is one of the presented uses
of traps. Being able to determine arbitrary access constraints seems
like a very powerful security feature.

User authentication in Multics was also advanced. Threat
monitoring logs remind me of current firewall software. The discussion
of the security weaknesses in Multics shows how much the authors have
thought about security in the system. Security is clearly one of the top
priorities in the Multics system.
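The two-level scheme the review summarizes (per-segment access control lists as the first level, per-process descriptors and gates as the second) can be sketched as a small model. The following is an added example, not code from the review, the paper or Multics itself: the Person.Project.Compartment naming of principals, the first-matching-entry rule, the explicit null entry and the idea of a gate as a set of permitted entry offsets are modelling assumptions, and every segment, principal and ACL below is constructed for illustration.

```python
"""Toy model of a two-level Multics-style protection scheme.

Level 1: each segment carries an access control list (ACL). An entry is
matched against a principal written as Person.Project.Compartment, the
first matching entry decides, and no match means no access (denied by
default).
Level 2: each process carries a descriptor table giving the location of a
segment and the modes the ACL granted. Every reference is checked against
the descriptor, never the ACL, and a protected subsystem can be entered
only at declared gate offsets.

The naming format, first-match rule and gate offsets are assumptions of
this model; all data below is constructed for illustration.
"""
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = "r", "w", "e"


def _component_matches(pattern: str, value: str) -> bool:
    # "*" in an ACL entry stands for any person, project or compartment.
    return pattern == "*" or pattern == value


def acl_modes(acl, principal):
    """Return the modes granted by the first matching ACL entry (empty if none)."""
    parts = principal.split(".")
    if len(parts) != 3:
        raise ValueError("principal must be Person.Project.Compartment")
    for pattern, modes in acl:
        pieces = pattern.split(".")
        if len(pieces) == 3 and all(map(_component_matches, pieces, parts)):
            return frozenset(modes)
    return frozenset()  # no entry applies: permission denied by default


@dataclass
class Segment:
    name: str
    location: int
    acl: list                              # [(pattern, modes), ...] in precedence order
    gate_entries: frozenset = frozenset()  # non-empty marks a protected subsystem


@dataclass
class Descriptor:
    location: int
    modes: frozenset
    gate_entries: frozenset


@dataclass
class Process:
    principal: str
    descriptors: dict = field(default_factory=dict)

    def attach(self, segment):
        """Build the descriptor once; later checks consult only the descriptor."""
        d = Descriptor(segment.location,
                       acl_modes(segment.acl, self.principal),
                       segment.gate_entries)
        self.descriptors[segment.name] = d
        return d

    def access(self, segment_name, mode):
        d = self.descriptors.get(segment_name)
        if d is None:
            return False  # no descriptor: the segment is not addressable at all
        return mode in d.modes

    def call(self, segment_name, offset):
        """Transfer control into a segment; gated segments accept only gate offsets."""
        d = self.descriptors.get(segment_name)
        if d is None or EXECUTE not in d.modes:
            return False
        if d.gate_entries and offset not in d.gate_entries:
            return False  # attempt to jump past the gate into the subsystem interior
        return True


# Constructed sample data (hypothetical segments and principals).
PAYROLL = Segment("payroll_data", 0x100, acl=[
    ("Smith.Payroll.*", {READ, WRITE}),
    ("*.Payroll.*", {READ}),
    ("*.*.*", set()),  # explicit null entry; redundant, since unmatched principals are denied anyway
])
PAYROLL_API = Segment("payroll_api", 0x200, acl=[("*.*.*", {EXECUTE})],
                      gate_entries=frozenset({0, 8}))


def demo():
    smith = Process("Smith.Payroll.a")
    jones = Process("Jones.Research.a")
    for seg in (PAYROLL, PAYROLL_API):
        smith.attach(seg)
        jones.attach(seg)
    return {
        "smith_write": smith.access("payroll_data", WRITE),   # True: first entry grants rw
        "jones_read": jones.access("payroll_data", READ),     # False: null entry matches
        "jones_gate": jones.call("payroll_api", 8),           # True: entering at a gate
        "jones_interior": jones.call("payroll_api", 12),      # False: not a gate offset
        "unknown": jones.access("nonexistent", READ),         # False: no descriptor
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'allowed' if allowed else 'denied'}")
```

The point of separating `attach` from `access` and `call` is the one the review makes about Multics: the ACL is consulted once, when the descriptor is built, and every subsequent reference is decided by the descriptor, which is why that second level can be pushed into hardware. The gate check shows why execute permission alone is not enough for a protected subsystem: entering at an arbitrary offset would bypass whatever the subsystem does at its entry points.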