From: Gail Rahn (gail_at_screaminggeek.com)
Date: Wed Jan 07 2004 - 16:29:15 PST
The Saltzer paper extends the progression of operating system complexity and
feature density in our historical readings by depicting MULTICS, a prototype
operating system that implements protection and information-sharing
mechanisms. Where in THE we saw no file protection, and in UNIX we saw a
file system and basic access control using six bits of permissions, in
MULTICS we discover initial cuts at access control lists, user
authentication, file and directory permissions, and user-based permissions
(in users and superusers).
In the Saltzer paper we see the beginnings of the security obsession. When
can a file be accessed?
The authors were able to do significant analysis on
the practical, everyday operation of MULTICS because it was an actual
computing system in daily use at MIT. No doubt, this usage and testing
displayed many of the design limitations encountered and described by the
authors.
While the design of MULTICS is by no means a complete secure-access system,
there are ingenious features that are probably offshoots of daily usage of
the system and of the consideration of user requests for advanced
functionality. I especially liked the privilege-trap idea: if a user is
authenticated for a particular resource, a procedure can be specified that
could enforce further privileges, like time-of-day use restrictions. An
interesting point of flexibility for an early system.
I am reading the Saltzer paper while wrapping up my own secure system design
(for something much smaller than an OS), and it's heartening to see some
foundational principles in early action: the principle of least privilege,
avoidance of design obfuscation, and no privilege caching.
However, the limitation of 8-character passwords and the known
vulnerability of re-using usernames to work around security limitations are
huge and undermine the basic functionality of the secure system. An
interesting distinction between a "securable" and a "secure" operating
system.
A fault in the Saltzer paper is the setting of physical storage limits as a
unit of access control. I'm not sure what happens when someone attempts to
create or secure a file larger than the segment size. Are the ACLs copied?
And then subject to independent change?
-- Gail.
grahn_at_cs.washington.edu
-------------
Gail Rahn
gail_at_screaminggeek.com
206.719.5563
Screaming Geek Software
www.screaminggeek.com
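The ACL-with-gate-procedure idea discussed in the post above (a principal
matches an ACL entry, and a per-entry procedure such as a time-of-day check
is then consulted before access is granted) as an added worked example. This
is not code from the original post and not Multics code; the names
(Principal, AclEntry, Segment, check_access, office_hours_only), the
first-matching-entry rule, and the sample segment are all assumptions made
for illustration. Note that the decision is recomputed on every call, so
nothing is cached from an earlier grant.

```python
"""
Added example, not from the original post or from Multics: a minimal
access-control-list model where each entry may carry a "gate" procedure
consulted after the principal matches. All names here are illustrative.
"""
from dataclasses import dataclass, field
from datetime import time
from typing import Callable, Optional

# Access modes. A request should ask only for the mode it needs
# (least privilege); nothing here grants more than was asked for.
READ, WRITE, EXECUTE = "r", "w", "x"


@dataclass
class Principal:
    user: str
    project: str


@dataclass
class AclEntry:
    user: str                 # "*" matches any user
    project: str              # "*" matches any project
    modes: frozenset          # modes this entry grants
    # Optional gate: called with the request context on every check.
    # Returning False denies even though user/project and mode matched.
    gate: Optional[Callable[[dict], bool]] = None


@dataclass
class Segment:
    name: str
    acl: list = field(default_factory=list)


def _matches(entry: AclEntry, principal: Principal) -> bool:
    return (entry.user in ("*", principal.user)
            and entry.project in ("*", principal.project))


def check_access(segment: Segment, principal: Principal, mode: str, ctx: dict) -> bool:
    """Return True if the FIRST matching ACL entry grants `mode` and its
    gate (if any) accepts the current context.

    Assumed rule: the first matching entry decides; later entries are not
    consulted, so an entry whose gate refuses does not fall through to a
    broader entry. No decision is cached between calls.
    """
    for entry in segment.acl:
        if not _matches(entry, principal):
            continue
        if mode not in entry.modes:
            return False
        if entry.gate is not None and not entry.gate(ctx):
            return False
        return True
    return False  # no entry matched: default deny


def office_hours_only(ctx: dict) -> bool:
    """Illustrative gate: allow only between 09:00 and 17:00."""
    now = ctx["now"]
    return time(9, 0) <= now < time(17, 0)


# Constructed sample segment (not from the paper): clerks on the finance
# project may read/write during office hours, anyone else on finance may
# read, and an explicit empty entry denies everybody else.
payroll = Segment("payroll", acl=[
    AclEntry("clerk", "finance", frozenset({READ, WRITE}), gate=office_hours_only),
    AclEntry("*", "finance", frozenset({READ})),
    AclEntry("*", "*", frozenset()),
])


def demo() -> dict:
    clerk = Principal("clerk", "finance")
    auditor = Principal("auditor", "finance")
    outsider = Principal("bob", "sales")
    day = {"now": time(10, 30)}
    night = {"now": time(23, 0)}
    return {
        "clerk_write_day": check_access(payroll, clerk, WRITE, day),
        "clerk_write_night": check_access(payroll, clerk, WRITE, night),
        "clerk_read_night": check_access(payroll, clerk, READ, night),
        "auditor_read": check_access(payroll, auditor, READ, day),
        "auditor_write": check_access(payroll, auditor, WRITE, day),
        "outsider_read": check_access(payroll, outsider, READ, day),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The clerk_read_night case is the one worth noticing: the clerk's own entry
matches first and its gate refuses, so the broader read-only entry for the
finance project is never reached. That is a consequence of the assumed
first-match rule, and it is why entry order in such a list is itself a
security decision.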
This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 16:29:24 PST