Review of Multics

From: Honghai Liu (liu789_at_hotmail.com)
Date: Wed Jan 07 2004 - 16:28:59 PST

  • Next message: Gail Rahn: "Review of Saltzar's MULTICS paper (previous post was cut off)"

    Reviewer: Honghai Liu

    This is an interesting paper about the security issues in a resource-sharing computer environment. Even though some of these issues are not well addressed, the author presented excellent guidelines and implemented effective mechanisms.

    The five design principles were significant. "Permission rather than exclusion" and "least privilege" are obviously effective in minimizing the security holes in the system. "Checking for current authority" is an important but difficult one - for example, once a file or a socket is opened, it is hard to deny access to it when its ACL has been changed afterwards. Then "the design is not a secret" ensures that the design of the system does not depend on the ignorance of potential attackers. And finally, the last principle, user-friendly simple interfaces, suggests that any complicated mechanism which leads to a complex policy to be followed by the user is doomed to fail.

    The Access Control List was one of the most effective and widely used protection mechanisms. Imagine a Unix file: it is an object whose access is controlled by owner, group and others with the rights read, write and execute. The initial access control list gives a default, implicit and predefined permission to an object when it is created. This surely makes the life of a project administrator much easier, and it has been widely used in Unix, Windows and other systems.

    The feature of hierarchical control of access is intriguing and appealing. It can easily be matched to a hierarchical organization. However, in my opinion, in reality it may not be the case, because overlapping of functionalities and reporting structures is not uncommon. For example, a user can normally be involved in multiple projects, so his position in the hierarchy is difficult to identify. To make things worse, he may not organize his objects or files by project under his own hierarchy.

    Authentication in Multics is mainly based on passwords; most of the mechanisms are widely used. Memory protection is regarded as a second level of protection behind the ACL.

    The article would be more comprehensive if it had talked about other security issues, such as viruses and security on distributed systems.
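The review's point about "checking for current authority" (an open handle surviving a later ACL change) and about initial ACLs, as an added Python example of mine that is not code from the original post or from the Multics paper; the monitor, the principals and the sample policy are constructed for illustration.

```python
# Toy reference monitor: an initial ACL is applied to every new object,
# and a handle either caches its open-time decision or re-checks the
# current ACL on every use. Names and policy here are constructed.

class Monitor:
    def __init__(self, initial_acl, check_current_authority):
        self.initial_acl = {p: set(r) for p, r in initial_acl.items()}
        self.acls = {}                      # object -> {principal: rights}
        self.check_current_authority = check_current_authority

    def create(self, name, owner):
        # New objects inherit the initial ACL; the owner also gets read/write.
        acl = {p: set(r) for p, r in self.initial_acl.items()}
        acl.setdefault(owner, set()).update({"read", "write"})
        self.acls[name] = acl

    def set_acl(self, name, principal, rights):
        self.acls[name][principal] = set(rights)

    def authorized(self, principal, name, right):
        return right in self.acls.get(name, {}).get(principal, set())

    def open(self, principal, name, right):
        # Authority is always checked at open time. The returned handle
        # re-checks the current ACL on every use only if the monitor is
        # configured for it; otherwise the open-time decision is cached.
        if not self.authorized(principal, name, right):
            raise PermissionError(f"{principal} may not {right} {name}")
        def use():
            if self.check_current_authority and \
                    not self.authorized(principal, name, right):
                raise PermissionError("authority revoked since open")
            return f"{principal} performs {right} on {name}"
        return use

def revocation_outcome(check_current_authority):
    """Return (access works before revocation, access works after)."""
    m = Monitor({"project_staff": ["read"]}, check_current_authority)
    m.create("report.txt", owner="alice")
    use = m.open("project_staff", "report.txt", "read")
    before = use() is not None
    m.set_acl("report.txt", "project_staff", [])   # revoke staff access
    try:
        use()
        after = True
    except PermissionError:
        after = False
    return before, after
```

With `check_current_authority=False` the revoked principal keeps reading through the already-open handle, which is exactly the difficulty the review describes; with `True` the next use is refused.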



    This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 16:29:02 PST