From: shearerje_at_comcast.net
Date: Sat Jan 10 2004 - 17:57:54 PST
“Protection and the Control of Information Sharing in Multics” (Saltzer, 1974) provides a wonderfully detailed look at the origins of many of the protection schemes that have found their way into later systems such as UNIX, VMS, and NT, including its implementation of read/write/execute privileges and access control hierarchy. But it also includes some surprisingly powerful capabilities that I am unaware of in the later systems. For example, it uses hardware-implemented segment security enforcement (or at least is capable of using one – the paper is somewhat non-committal on this point).
The design principles section could easily be a checklist for the design of any shared system, not just general purpose computers. The key points Saltzer addressed that have plagued projects that I have personally worked on include (1) Security must be designed into the core of the system from the beginning, not added on to the outside after the system is finished, (2) Security should not depend on the ignorance of the attacker, (3) It must be easier for users to do things the way you want them to than to go around the intended security.
I found the extensive discussion of protection via password to be less satisfactory, however. In particular, it asserts “Associated with each process is an unforgeable character string identifier”, but I found nothing “unforgeable” about the password scheme. To be truly unforgeable, the authentication must be irrevocably tied to the data as, for example, an RSA signature is built from an encrypted hash of the data. Passwords, no matter how carefully guarded, simply do not achieve this, and I feel that Saltzer put way too much trust in them. Temporal authentication could still be a weakness, for example through absentee job requests. I have no answers, but I thought it was not adequately addressed. I was also disappointed that certain access mode combinations were prohibited “because there is no widely useful interpretation”. It is difficult to predict what someone in the future may find useful.
I found the abstraction of “objects” cataloged by the storage system to be interesting and would like to know more about how the team settled on the final list of object types. I also thought it interesting that read/write/execute privileges are attributes of the access and not of the object. Yes, I know UNIX also works this way, but I thought the paper conveyed the significance of this very well. The rules of precedence, on the other hand, were a revelation to me. Precedence often sneaks in as a side effect, and it is very interesting that Saltzer et al. addressed its many traps early and explicitly. I was also impressed that the full life cycle of data and user access was addressed, including the non-reuse of login names and the recognition of storage residues.
I was perhaps most enlightened by the parts of the discussion where Saltzer compared what they did do with ideas they rejected. Some of the rejected ideas are illuminating in how subtly bad they were. The “trap extension” discussion comes to mind.
Overall, the paper is an excellent presentation of concepts to make system security a friend of the user rather than a hindrance.
James E. Shearer
This archive was generated by hypermail 2.1.6 : Sat Jan 10 2004 - 17:58:02 PST