From: Manish Mittal (manishm_at_microsoft.com)
Date: Fri Jan 09 2004 - 16:22:22 PST
This paper from Jerome Saltzer describes the design principles and the
various mechanisms used for the protection and control of information in
the Multics system. The key mechanisms described include access control
lists, hierarchical control of access specification, authentication of
users and memory protection. The paper ends with a discussion of certain
known weaknesses in the current system.
I found the five design principles for protection of information really
interesting. Even in today's systems, these principles are not followed
properly. Most of the current systems cannot run under least
privilege. Also, we tend to keep the design secret from attackers and
fear that once it is known, the system would be hacked in no time.
Protection mechanisms should not be coupled with protection of keys.
These principles are the basic premises for security. It is really
surprising to see emphasis on these same principles for present systems.
The paper then describes the primary memory protection. The Multics
virtual memory is segmented to permit sharing of objects in the virtual
memory and to simplify address space management for the programmer.
Addressing of segments is done using descriptors. Protection
information in Multics is associated with these descriptors rather than
with the data itself. I found the concept of the segment table, dynamic
linking and descriptors quite interesting.
The 'Authentication of users' in Multics is very interesting. Some of
the features such as proxy login, timeouts and one-way encryption remind
me of the Kerberos/digest protocols. Password protection techniques are also
very noteworthy. Several logging and penetration detection techniques
described in this paper are very similar to what we use in our
authentication system today. Logging incorrect login attempts, locking
out accounts after 10 retries, introducing delays to frustrate hackers,
time/location of previous login attempts shown during the next login and
monthly login reports are some of the features that are still very much
prevalent.
The author then describes several weaknesses of the system as perceived
by him. These include weak I/O communication links, poor operator
interface, weak passwords, the supervisor interface and storage residues.
Overall, this paper is a very interesting read. The author has described
principles and mechanisms with good explanation and examples. The Multics
system is designed from a security standpoint. Current systems tend to
give precedence to usability and performance over security. Multics is an
extreme example of an attempt at sharing while maintaining modular
flexibility. It ends up being too complicated, but it is an important
example to study.
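The login controls the post lists (logging of incorrect attempts, lockout after 10 retries, growing delays, showing the previous login's time and location, and a monthly login report) are easy to model in a few dozen lines. The following is an added example written for this archive page, not code from Saltzer's paper or from Multics; the password store uses PBKDF2 as a stand-in for Multics' one-way encryption, the doubling delay schedule and the in-memory audit log are assumptions, and all account names, passwords and terminal locations are constructed sample values.

```python
"""Toy model of Multics-style login controls: one-way password storage, failed-attempt
logging, lockout after MAX_FAILURES, escalating delay, previous-login display and a
monthly report. Added example; policies and data below are assumptions, not Multics'."""
import hashlib
import hmac
import os
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 10          # lockout threshold mentioned in the post
BASE_DELAY_SECONDS = 1.0   # assumed policy: delay doubles with each consecutive failure


def hash_password(password, salt=b""):
    """One-way transform: only the salt and digest are stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, name, password):
        self.name = name
        self.salt, self.digest = hash_password(password)
        self.failures = 0          # consecutive failed attempts since last success
        self.locked = False
        self.last_login = None     # (timestamp, location) of the previous successful login


class AuthService:
    def __init__(self):
        self.accounts = {}
        self.audit_log = []        # constructed in-memory log; a real system appends to durable storage

    def register(self, name, password):
        self.accounts[name] = Account(name, password)

    def login(self, name, password, location, now):
        acct = self.accounts.get(name)
        if acct is not None and acct.locked:
            self._log(now, name, location, "LOCKED")
            return {"ok": False, "reason": "locked", "delay": 0.0}
        # Same response for unknown user and wrong password, so the reply does not reveal
        # which accounts exist.
        if acct is None:
            self._log(now, name, location, "FAIL")
            return {"ok": False, "reason": "invalid credentials", "delay": BASE_DELAY_SECONDS}
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            self._log(now, name, location, "FAIL")
            delay = BASE_DELAY_SECONDS * 2 ** (acct.failures - 1)   # 1, 2, 4, ... seconds
            if acct.failures >= MAX_FAILURES:
                acct.locked = True
                self._log(now, name, location, "LOCKOUT")
            return {"ok": False, "reason": "invalid credentials", "delay": delay}
        previous = acct.last_login  # shown to the user so they can spot an unfamiliar login
        acct.failures = 0
        acct.last_login = (now, location)
        self._log(now, name, location, "OK")
        return {"ok": True, "previous_login": previous, "delay": 0.0}

    def _log(self, when, user, location, event):
        self.audit_log.append({"when": when, "user": user, "location": location, "event": event})

    def monthly_report(self, year, month):
        """Per-user counts of each event type for one calendar month."""
        counts = defaultdict(lambda: defaultdict(int))
        for entry in self.audit_log:
            if entry["when"].year == year and entry["when"].month == month:
                counts[entry["user"]][entry["event"]] += 1
        return {user: dict(events) for user, events in counts.items()}


def run_scenario():
    """Constructed scenario: two good logins, ten failures, then an attempt on the locked account."""
    svc = AuthService()
    svc.register("alice", "correct horse")
    t0 = datetime(2004, 1, 9, 16, 0)
    first = svc.login("alice", "correct horse", "tty1", t0)
    second = svc.login("alice", "correct horse", "tty4", t0 + timedelta(minutes=5))
    failures = [svc.login("alice", "guess%d" % i, "dialup-7", t0 + timedelta(minutes=10 + i))
                for i in range(MAX_FAILURES)]
    after_lock = svc.login("alice", "correct horse", "tty1", t0 + timedelta(hours=1))
    return svc, first, second, failures, after_lock


if __name__ == "__main__":
    svc, first, second, failures, after_lock = run_scenario()
    print("previous login shown at second logon:", second["previous_login"])
    print("delay after 10th failure:", failures[-1]["delay"], "s; locked:", after_lock["reason"])
    print("January 2004 report:", svc.monthly_report(2004, 1))
```

The escalating delay is returned rather than slept so the policy can be unit-tested; a real service would enforce it before replying, and would also record the report somewhere the account owner reviews, which is the point of the monthly login summary the post mentions.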
This archive was generated by hypermail 2.1.6 : Fri Jan 09 2004 - 16:22:29 PST