From: Greg Green (ggreen_at_cs.washington.edu)
Date: Wed Jan 07 2004 - 15:06:05 PST
This paper covered the design of the protection mechanisms in Multics
circa 1974. The root design principle was that everything that needed
to be protected resided on mass storage, and therefore almost all of
the protection mechanisms were predicated on the access to mass
storage. A unit on storage was called a segment, and had an access
control list attached to it. The access control was split into 3
partitions, user, group and compartment. A compartment was a type of
named group. The access control allowed read, write, execute, and some
combinations of the those (not all allowed combinations). The default
permission was no access. When a new segment was created in a
directory, a default acl associated with that directory was attached
to the segment.
Authentication was done with a login and password system. Extensions
could be made to the system so that one-time passwords,
challenge/response systems, or other methods could be used as
well. This is similar to the PAM system used on modern
UNIXES. Passwords were stored with one-way hashes.
Memory was also protected using a scheme that took the acl from the
memory segment on disk, mapped it to some bits in hardware. Therefore
every reference to a virtual memory page was checked against these
bits. This was also done in kernel mode (they called it the
supervisor).
It ended with a summary of the current weaknesses of the system and
how they could be improved.
I found the design principles for security interesting. They were base
protection on permission instead of exclusion. In other words fail
with no access instead of full access. Secondly, check every access to
an object for authority. Third, do not look for security by
obscurity. THe code should be open and widely reviewed and the
security is from possession of keys or passwords. Finally, the
principle of least privilige. Use the most limited level of authority
needed to accomplish the task needed. All of these principles are
still relevant and widely ignored.
Another interesting thing was how complicated an access control
system is. I have never dealt with one myself and can see that it
would be quite a chore to administer.
The analysis of weaknesses seemed quite exhaustive. I see these
weaknesses exploited in modern operating systems even now. It doesn't
appear that we have made much progress in protection mechanisms.
--Greg Green
This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 15:07:59 PST