From: Sellakumaran Kanagarathnam (sellak_at_windows.microsoft.com)
Date: Wed Jan 07 2004 - 16:15:54 PST
The author describes the design principles and functional objectives of
the Multics system, the various mechanisms used for the protection and
control of information (access control lists, hierarchical control of
access specifications, authentication system, memory protection,
supervisor-user protection) and discusses the various weaknesses of the
system as perceived by him at that time.
It is very interesting to note that the very first design principle talks
about lack of access by default. Decades down the line, we are talking
about following/enforcing this in newer OS. The principle of least
privilege is also along the same lines. The objectives of provisions of
decentralization of control and extensibility of default system options
(protection scheme here) are important considerations that are applicable
to any system even today.
The access control list gives provision to grant access to groups of
users, which is very valuable. It is good to note that the same user can
be part of different groups/roles/projects.
But providing such a list for each object that we create could be a
time-consuming process, and it is good to note that there is a default initial
control list. It would be interesting to note how this default initial
control list is handled in the newer versions of Multics as it makes
more sense, at least to me, to consider this list to be a common
appendix from the storage point of view.
Access control list entries permitting backup and bulk I/O by default
seemed to contradict design principle 1. In the procedure for the
bulk input of cards, I guess the concerned user alone is granted
permission to move.
The scheme that required all user names, once registered, to be permanent
was a little bit strange.
The extra mechanisms involved around user authentication, like forcing
interactive login, proxy login, turning off the printer while entering
the password, auto logout, all the logging techniques, and anonymous login, all
seem to highlight the careful thought given to increase security and
flexibility. However, it would be interesting to find out if the
utility to create the password so that it is easy to remember and to
minimize the need for written copies of password was useful at all.
It is interesting to note the three fields in the descriptor extension
and how they are used for protection.
The author lists the weaknesses, and one of the major weaknesses, the
complex user interface, will be impacting the user experience.
The author concludes that the system was designed to be basic and
extensible, and that is evident in many a feature in the system.
It is interesting to note how much attention was given to security and
attacks in this design 30 years back, and still now we are dealing with
so many vulnerabilities in the new servers.