From: Jeff Duzak (jduzak_at_exchange.microsoft.com)
Date: Wed Jan 07 2004 - 17:05:21 PST
In this paper, Saltzer discusses the mechanisms used in Multics to implement information protection (aka
security). In addition, Saltzer describes five principles adhered to during the development of Multics, and
discusses known weaknesses of the system.
The five principles of protection that Saltzer describes are very familiar. They are the same as the security
principles that have, in the past two or three years, begun to be inculcated by management into Microsoft
developers. It is surprising and also disturbing to find out that these principles were already enumerated in
1974, and yet they have only been emphasized at Microsoft over the past two or three years.
It is also interesting that Saltzer recognized that security involves more than simply implementing security
features within an operating system. The paper recognizes that security features must be easy to use and
understand, otherwise the user will not use them correctly and therefore security will be breached. This is
another idea that seems to be only recently recognized at Microsoft. For example, the idea of having secure
settings turned on by default seems to be a fairly recent one at MS.
However, Saltzer does seem to gloss over the consideration of performance. He mentions that a security system
such as the one he describes would integrate nicely with a highly structured naming system. However, this doesn't answer the question of how much performance would be impacted by these security features. Saltzer frequently makes references to government and military security requirements, which makes it seem that the security mechanisms he describes are designed for a system in which security is of much higher importance than performance. It is open to argument what balance of security and performance is required for most consumer software. For example, the counter-intelligence techniques that he describes in his description of the weaknesses of the Multics system would be overkill in most consumer applications.
The fact that Saltzer describes existing weaknesses in the Multics system is a sign that he adheres to the
security principles that he enumerates. That is, he does not pretend that obscuring the weaknesses of the system makes the system more secure.