From: Praveen Rao (psrao_at_windows.microsoft.com)
Date: Wed Jan 07 2004 - 17:27:54 PST
This paper discusses the information access security model in Multics. This is a topic that is ever more relevant.
First it states the design principles:
1) Base the protection mechanism on permissions rather than exclusion
2) Check every access to every object for current authority
3) Do not rely on design secrets for security
4) Follow the principle of least privilege
5) Have a reasonable human interface to encourage usage of security system in the right way
These principles have been strengthened over time and it is refreshing to see them used so long ago.
The paper then describes the access control lists and their format. It argues about design choices following the principles described above. One thing that isn't clear to me, though, is why the system can't sort the access list in a predictable manner instead of relying on the user to do that.
The paper discusses the hierarchical control of access specifications and argues why such a design is chosen vis-à-vis some alternatives that come to mind. I am still not clear on why access control list modification can't be one of the accesses. This IMO will provide greater flexibility.
The paper then discusses authentication of users and how passwords are used and protected. It wasn't clear to me how passwords are not transferred in the clear in a remote access scenario (e.g. through a phone line). The weakness of communication links was described as one of the known weaknesses of the system.
The paper then discusses primary memory protection and makes a case for extending the same access control mechanism to primary memory protection. This uniformity IMO is a salient feature of the system.
The paper summarizes the weaknesses of the system citing that it is an evolving system and such improvements can be made over time.
This archive was generated by hypermail 2.1.6 : Wed Jan 07 2004 - 17:28:02 PST
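As an added illustration (example code written for this archive page, not part of the original post or of the Multics paper), the toy below models the ACL design the review summarizes: permission rather than exclusion (principle 1), a fresh check of the current ACL on every access (principle 2), and hierarchical control, where changing a segment's ACL is governed by "modify" on the parent directory rather than by a mode on the segment itself. Principal names, the `user.project` wildcard matching, the directory modes `sma` and the sample objects are simplifying assumptions for the example.

```python
# Added example (not from the original post or the Multics paper): a toy model of
# Multics-style ACL checking. Assumptions: principals are "user.project" strings,
# "*" in either field matches anything, segments carry r/e/w modes, directories
# carry s/m/a modes, and the root directory's ACL cannot be changed.
from dataclasses import dataclass, field

@dataclass
class Obj:
    name: str
    parent: "Obj | None" = None               # None for the root directory
    acl: list = field(default_factory=list)   # ordered (pattern, modes) entries

def _matches(pattern: str, principal: str) -> bool:
    """Entry 'Smith.*' matches 'Smith.Admin'; '*.*' matches every principal."""
    pat_user, pat_proj = pattern.split(".")
    user, proj = principal.split(".")
    return pat_user in ("*", user) and pat_proj in ("*", proj)

def modes_for(obj: Obj, principal: str) -> str:
    """Principle 1 (permission, not exclusion): no matching entry means no rights.
    The first matching entry wins, which is why list order matters."""
    for pattern, modes in obj.acl:
        if _matches(pattern, principal):
            return modes
    return ""

def check_access(obj: Obj, principal: str, mode: str) -> bool:
    """Principle 2 (check every access): consult the current ACL each time;
    nothing is cached, so a revocation takes effect on the very next access."""
    return mode in modes_for(obj, principal)

def set_acl(obj: Obj, principal: str, new_acl: list) -> bool:
    """Hierarchical control: the right to change an object's ACL is not a mode on
    the object but 'm' (modify) on its containing directory (toy assumption)."""
    if obj.parent is None or not check_access(obj.parent, principal, "m"):
        return False
    obj.acl = list(new_acl)
    return True

def demo() -> dict:
    root = Obj("root")
    proj = Obj("project_dir", root, [("Jones.Admin", "sma")])
    seg = Obj("payroll", proj, [("Smith.Payroll", "rw"), ("*.Payroll", "r")])
    out = {}
    out["smith_write"] = check_access(seg, "Smith.Payroll", "w")      # True
    out["clerk_write"] = check_access(seg, "Clerk.Payroll", "w")      # False, read only
    out["outsider_read"] = check_access(seg, "Eve.Research", "r")     # False, not listed
    # Smith may write the segment but may not edit its ACL: that needs 'm' on project_dir.
    out["smith_set_acl"] = set_acl(seg, "Smith.Payroll", [("Smith.Payroll", "rw")])
    # Jones holds 'm' on the directory and revokes Smith's write access.
    out["jones_set_acl"] = set_acl(seg, "Jones.Admin", [("*.Payroll", "r")])
    out["smith_write_after"] = check_access(seg, "Smith.Payroll", "w")  # False now
    return out
```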