Protection and the Control of Information Sharing in Multics

From: Greg Green (ggreen_at_cs.washington.edu)
Date: Wed Jan 07 2004 - 15:06:05 PST

  • Next message: Nathan Dire: "Multics Review"

    This paper covered the design of the protection mechanisms in Multics
    circa 1974. The root design principle was that everything that needed
    to be protected resided on mass storage, and therefore almost all of
    the protection mechanisms were predicated on the access to mass
    storage. A unit on storage was called a segment, and had an access
    control list attached to it. The access control was split into 3
    partitions: user, group and compartment. A compartment was a type of
    named group. The access control allowed read, write, execute, and some
    combinations of those (not all combinations were allowed). The default
    permission was no access. When a new segment was created in a
    directory, a default ACL associated with that directory was attached
    to the segment.

    Authentication was done with a login and password system. Extensions
    could be made to the system so that one-time passwords,
    challenge/response systems, or other methods could be used as
    well. This is similar to the PAM system used on modern
    UNIXes. Passwords were stored with one-way hashes.

    Memory was also protected using a scheme that took the ACL from the
    memory segment on disk and mapped it to some bits in hardware, so that
    every reference to a virtual memory page was checked against these
    bits. This was also done in kernel mode (they called it the
    supervisor).

    It ended with a summary of the current weaknesses of the system and
    how they could be improved.

    I found the design principles for security interesting. They were: base
    protection on permission instead of exclusion, in other words fail
    with no access instead of full access. Secondly, check every access to
    an object for authority. Third, do not look for security by
    obscurity. The code should be open and widely reviewed and the
    security comes from possession of keys or passwords. Finally, the
    principle of least privilege: use the most limited level of authority
    needed to accomplish the task. All of these principles are
    still relevant and widely ignored.

    Another interesting thing was how complicated an access control
    system is. I have never dealt with one myself and can see that it
    would be quite a chore to administer.

    The analysis of weaknesses seemed quite exhaustive. I see these
    weaknesses exploited in modern operating systems even now. It doesn't
    appear that we have made much progress in protection mechanisms.

    --Greg Green
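
The following is an added example, not code from the review above and not from Multics itself: a small Python model of the segment ACL scheme the review describes (three-part principal, read/write/execute modes with only some combinations legal, default no access, a new segment inheriting its directory's default ACL, and the on-disk mode mapped to hardware bits checked on every reference). Everything beyond what the review states is an assumption for illustration: the `*` wildcard, first-matching-entry semantics, the particular whitelist in `LEGAL_MODES`, the bit values in `BIT_FOR`, and the sample principals and ACL in the `__main__` block, which are constructed.

```python
# Added example (not from the post or from Multics): toy model of a
# Multics-style segment ACL and its mapping to per-reference hardware bits.
from dataclasses import dataclass, field
from typing import Dict, List

# ASSUMPTION: the page only says not every r/w/e combination is allowed;
# this whitelist is illustrative. "" is the null entry that grants nothing.
LEGAL_MODES = {"", "r", "rw", "re", "rew"}

# ASSUMPTION: bit values the segment mode is mapped to while it is mapped
# into a process's virtual memory.
READ, WRITE, EXEC = 1, 2, 4
BIT_FOR = {"r": READ, "w": WRITE, "e": EXEC}


def legal_mode(mode: str) -> bool:
    return mode in LEGAL_MODES


@dataclass(frozen=True)
class Principal:
    """A process identity: the three partitions the review names."""
    user: str
    group: str
    compartment: str


@dataclass(frozen=True)
class AclEntry:
    user: str          # ASSUMPTION: "*" is a wildcard for "any"
    group: str
    compartment: str
    mode: str          # must be in LEGAL_MODES

    def __post_init__(self) -> None:
        if not legal_mode(self.mode):
            raise ValueError(f"illegal mode combination {self.mode!r}")

    def matches(self, p: Principal) -> bool:
        pairs = ((self.user, p.user), (self.group, p.group),
                 (self.compartment, p.compartment))
        return all(pat == "*" or pat == val for pat, val in pairs)


@dataclass
class Segment:
    acl: List[AclEntry]


@dataclass
class Directory:
    initial_acl: List[AclEntry]                 # copied onto new segments
    segments: Dict[str, Segment] = field(default_factory=dict)


def create_segment(d: Directory, name: str) -> Segment:
    """A new segment starts with the directory's default ACL. It is a copy,
    so later edits to the directory default do not alter existing segments."""
    seg = Segment(acl=list(d.initial_acl))
    d.segments[name] = seg
    return seg


def effective_mode(acl: List[AclEntry], p: Principal) -> str:
    """ASSUMPTION: first matching entry wins, so a specific null entry placed
    before a broad wildcard entry denies that one principal."""
    for entry in acl:
        if entry.matches(p):
            return entry.mode
    return ""          # permission, not exclusion: no match means no access


def check_access(seg: Segment, p: Principal, want: str) -> bool:
    """Run on every request; `want` is the set of operations needed, e.g. "rw"."""
    if not want or any(c not in "rwe" for c in want):
        raise ValueError("want must be a non-empty subset of 'rwe'")
    mode = effective_mode(seg.acl, p)
    return all(c in mode for c in want)


def descriptor_bits(mode: str) -> int:
    """Map the on-disk mode to the bits that guard the mapped segment."""
    return sum(BIT_FOR[c] for c in mode)


def memory_reference(bits: int, op: str) -> bool:
    """Per-reference hardware check: one bit per operation, no exceptions
    for the supervisor."""
    return bool(bits & BIT_FOR[op])


if __name__ == "__main__":
    # Constructed sample data, not taken from the paper or the review.
    home = Directory(initial_acl=[
        AclEntry("alice", "SysAdmin", "*", "rew"),
        AclEntry("bob", "SysAdmin", "*", ""),       # explicit null entry
        AclEntry("*", "SysAdmin", "*", "r"),
    ])
    notes = create_segment(home, "notes")
    print(check_access(notes, Principal("alice", "SysAdmin", "a"), "rw"))  # True
    print(check_access(notes, Principal("bob", "SysAdmin", "a"), "r"))     # False
    print(check_access(notes, Principal("carol", "Students", "a"), "r"))   # False
    print(memory_reference(descriptor_bits("re"), "w"))                    # False
```

The ordering of entries matters under the assumed first-match rule: moving bob's null entry below the wildcard entry would silently grant him read access, which is the kind of administration pitfall the review alludes to.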



    This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 15:07:59 PST