From: Steve Arnold (stevearn_at_microsoft.com)
Date: Wed Jan 07 2004 - 16:29:14 PST
This paper gives an in-depth description of the logical implementation
of the protection system in Multics. They begin by laying out their
design principles: 1) Base on permission rather than exclusion, 2) check
permissions for every access, 3) don't depend on the design being
secret, 4) principle of least privilege, and 5) usability.
The first section described is the storage system. This is much like the
protection scheme in UNIX today. It is based on the principle of a
principal being responsible for its own security, being able to set
read, write, and execute permissions on segments and streams. It has the
ability to set permission based on a hierarchy of identifiers, groups,
and compartments. It does not have a hierarchy of directories.
The next section explains authentication, how you determine who is
operating the machine. This takes an 8-character password with one-way
encryption. There are no rules on how the password must be formed (other
than 8 characters). It includes advanced logging to try to detect
break-in attempts.
The third area of protection is in primary memory, where everything is
tied to virtual memory. It is possible for different users to have
different permissions on the same shared memory. This is because of the
way that the VM is stored with descriptors. It utilizes hardware to
enforce this protection scheme.
The author then goes on to describe candidly several weaknesses of the
system (as identified by them). This includes weak IO communication
links, poor operator interface, weak passwords, and storage residues.
As with the UNIX paper, it was interesting to see how much of these
early ideas have withstood the test of time. The author was
straightforward in pointing out what he thought were weaknesses of the
system. One of the biggest trade-offs he makes is allowing each user
to have full control over his or her own space (although he gives
suggestions on how to better handle this). It is interesting to see that
people were thinking of security like this at an early stage. (One poor
foresight, though, was the justification for simple passwords,
explaining that it would take too long to break in, not accounting for
much faster computers that we have today.)
Overall, I enjoyed the paper. There were a couple of terms that went
undefined, but overall it was easy to read.
This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 16:31:18 PST
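The storage-system protection the post summarizes (a principal setting read, write and execute permission on a segment, matched against identifiers, groups and compartments, with the paper's first two design principles of permission-rather-than-exclusion and checking every access) can be made concrete with a small access-control-list model. The code below is an added example and is not from the mailing-list post or from the Multics paper; the dotted `identifier.group.compartment` form of a principal, the `*` wildcard, the "most specific entry wins" ordering, the class names and the sample segments and principals are all constructed for illustration.

```python
"""
Added example (not from the mailing-list post or the Multics paper): a
simplified model of an access-control-list check on a segment. Principal
form, wildcard rule, ordering rule and all sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

ANY = "*"                    # wildcard for one component of a principal
MODES = frozenset("rwe")     # read, write, execute on a segment


@dataclass(frozen=True)
class Principal:
    identifier: str
    group: str
    compartment: str

    def components(self):
        return (self.identifier, self.group, self.compartment)


@dataclass(frozen=True)
class AclEntry:
    pattern: str          # e.g. "smith.finance.*" (constructed form)
    modes: frozenset      # subset of MODES; empty set is an explicit deny

    def __post_init__(self):
        if len(self.pattern.split(".")) != 3:
            raise ValueError(f"pattern needs three components: {self.pattern!r}")
        if not self.modes <= MODES:
            raise ValueError(f"unknown mode in {sorted(self.modes)}")

    def matches(self, p: Principal) -> bool:
        return all(pat == ANY or pat == actual
                   for pat, actual in zip(self.pattern.split("."), p.components()))

    def specificity(self) -> int:
        # more literal (non-wildcard) components = more specific entry
        return sum(part != ANY for part in self.pattern.split("."))


class Segment:
    def __init__(self, name: str, acl: Iterable[AclEntry]):
        self.name = name
        # most specific entry wins, so order once at setup
        self.acl: List[AclEntry] = sorted(acl, key=AclEntry.specificity, reverse=True)
        self.audit: List[str] = []

    def check(self, p: Principal, mode: str) -> bool:
        """Every access goes through here; no matching entry means deny."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        decision = False                      # permission, not exclusion
        for entry in self.acl:
            if entry.matches(p):
                decision = mode in entry.modes
                break
        if not decision:                      # record denials for the operator
            self.audit.append(f"DENY {mode} on {self.name} to {'.'.join(p.components())}")
        return decision


def demo() -> Dict[str, object]:
    # Constructed sample: one segment with a three-entry ACL, one with none.
    payroll = Segment("payroll", [
        AclEntry("*.*.*", frozenset()),               # everyone else: explicit deny
        AclEntry("*.finance.*", frozenset("r")),      # the finance group may read
        AclEntry("smith.finance.*", frozenset("rw")), # one principal may also write
    ])
    scratch = Segment("scratch", [])                  # no ACL at all

    smith = Principal("smith", "finance", "a")
    jones = Principal("jones", "finance", "a")
    lee = Principal("lee", "eng", "a")

    return {
        "smith_w": payroll.check(smith, "w"),        # True: most specific entry grants w
        "jones_r": payroll.check(jones, "r"),        # True: group entry grants r
        "jones_w": payroll.check(jones, "w"),        # False: group entry lacks w
        "lee_r": payroll.check(lee, "r"),            # False: explicit null entry
        "lee_e_scratch": scratch.check(lee, "e"),    # False: no entry, default deny
        "denials": len(payroll.audit) + len(scratch.audit),  # 3
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the model is the fail-closed shape of `check`: a principal that matches no entry, or matches an entry with an empty mode set, gets nothing, and each denial is recorded, which is the same stance the post describes for the Multics authentication logging.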