From: Nathan Dire (ndire_at_cs.washington.edu)
Date: Wed Jan 07 2004 - 15:09:43 PST
Saltzer's paper "Protection and the Control of Information Sharing in Multics"
describes an impressive security structure for a multi-user system. The
paper includes everything from the design principles to a discussion of the
weaknesses in the system.
The five design principles outlined by the author appear to have been chosen
wisely as they all remain quite relevant today. It seems even modern systems
struggle to adhere to those principles; the secrecy of design, for example, is
a major criticism of current electronic voting systems. The functional
objectives he names, "decentralization of the setting of protection
specifications" and the ability to create a custom "protection environment", seem
to have remained an important part of security systems; I see them reflected
strongly in enterprise directory services products, such as Microsoft's Active
Directory.
In addition, there's much to admire in the implementation of the system. The
system uses Access Control Lists, which seem quite similar to their modern
counterparts, which are now part of the POSIX standard. The system even
anticipates mechanical brute-force attacks by introducing a delay after 10
failed logins "to frustrate systematic penetration attempts." With regards to
the primary memory protection, the measures taken to "protect against
accidental overuse of supervisor privileges" suggest an approach to the
supervisor that I had not anticipated.
I'm not an expert on security by any means, so I find it very difficult to
find many faults with the system that's presented in this paper. Two of the
weaknesses which the author lists stand out in my mind. The first is that
there is no restriction on user passwords to make them difficult to crack.
Even the system-generated passwords seem relatively weak.
The second weakness I would draw attention to is the usability. While the
"initial access control list" in directories removes the burden of specifying
an ACL for each new object, I think some form of inheritance would make it
significantly easier to maintain a larger directory structure. In addition,
users are forced to specify a single project and compartment to use for the
duration of a session, in addition to their personal name, for creation of the
user's "principal identifier."
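As an added illustration of the reviewer's point about initial ACLs versus inheritance (example code written for this page, not from the paper or the review), the following models a directory whose initial ACL is copied onto new segments, Multics-style, beside a hypothetical inheritance model; the ACL entry format, the three-part "Person.Project.tag" matching and the scenario data are simplified, constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    acl: list = field(default_factory=list)          # object's own entries: (pattern, modes)
    initial_acl: list = field(default_factory=list)  # directory's default for new objects

def principal_matches(pattern: str, principal: str) -> bool:
    """Match a 'Person.Project.tag' identifier; '*' in the pattern matches any component."""
    p, a = pattern.split("."), principal.split(".")
    return len(p) == len(a) and all(x == "*" or x == y for x, y in zip(p, a))

def create_in(directory: Node, name: str, copy_initial: bool) -> Node:
    """Create a segment. Multics-style: copy the initial ACL once (copy_initial=True).
    Hypothetical inheritance model: leave the own ACL empty and rely on ancestors."""
    return Node(name, parent=directory, acl=list(directory.initial_acl) if copy_initial else [])

def lookup(entries, principal: str) -> Optional[str]:
    """First matching entry wins, as in an ordered ACL."""
    for pattern, modes in entries:
        if principal_matches(pattern, principal):
            return modes
    return None

def effective_modes(node: Node, principal: str) -> str:
    """Own ACL first; only if it has no matching entry, consult each ancestor's
    initial ACL, nearest first. A copied object always resolves from its own copy."""
    found = lookup(node.acl, principal)
    d = node.parent
    while found is None and d is not None:
        found = lookup(d.initial_acl, principal)
        d = d.parent
    return found or ""

def revocation_scenario() -> dict:
    """Constructed scenario: a project directory grants 'rw' to every project member,
    one segment is created under each model, then the default is tightened to 'r'.
    The copied object keeps the stale 'rw'; the inherited one follows the change."""
    proj = Node("Project", initial_acl=[("*.Proj.*", "rw")])
    copied = create_in(proj, "notes_copied", copy_initial=True)
    inherited = create_in(proj, "notes_inherited", copy_initial=False)
    me, other = "Jones.Proj.a", "Jones.Other.a"
    before = (effective_modes(copied, me), effective_modes(inherited, me))
    proj.initial_acl = [("*.Proj.*", "r")]  # administrator tightens the directory default
    after = (effective_modes(copied, me), effective_modes(inherited, me),
             effective_modes(inherited, other))
    return {"before": before, "after": after}
```

Run `revocation_scenario()` to see the maintenance gap the reviewer describes: every segment created before the default changed must be revisited individually under copy semantics, while the inheritance model picks up the new default at once.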
This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 15:09:44 PST