From: Prasanna Kumar Jayapal (prasak_at_winse.microsoft.com)
Date: Sun Jan 11 2004 - 18:51:35 PST
This Multics paper by Saltzer very nicely describes the design of the
security mechanisms in a multi-user operating system. I felt the paper
to be well structured and fascinating to read through. It starts with
the design principles, then goes on to explain the concepts of storage
systems, access control lists, protection mechanisms, etc., and finally
ends with a discussion of the weaknesses in the system.
The paper opens by listing the five design principles that drove the
Multics project, which gives a very good insight. The first four
principles, namely (1) Lack of access is default; (2) Every access is
checked; (3) Design is not secret; (4) The principle of least privilege;
are very impressive and are nicely taken care of in the Multics design,
although the last one, (5) Ease of use, I felt was not given so much
emphasis and the system has ended up being a little complex.
A few points that I felt were interesting and noteworthy in this paper
are:
1. The "decentralization of the setting of protection specifications",
which indicates that users and supervisors can set permissions in their
respective protected subsystems in a similar way.
2. The three part Principal Identifier consisting of user, projects and
compartments which sounded very similar to user, groups and roles to me.
3. The design of the access control lists was not only for the segments,
but was generic enough to extend to other objects like the message
queues, directories, etc.
4. The discussion of the "traps", where the author discusses the
benefits of this extension and later explains why it was not implemented
with a good justification.
5. The talk about the authentication mechanisms such as the proxy login,
anonymous user, password protection and encryption, etc. indicates that
most of the scenarios were considered in the design.
6. The "gates" which are the designated entry points to the protected
subsystems and the "rings of protection" were exciting to read.
The weaknesses section was nicely described even though some of them
were outside the scope of the operating system design. I would have
really liked to see some comparison numbers on the performance with and
without the security system. However, I tend to agree with the author
that the protection system was so deeply integrated into the system that
it could not be turned off for a performance experiment.
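The review above touches on three ideas that fit together in one small piece of code: the default-deny principle ("lack of access is default"), the three-part principal identifier (user, project, compartment), and an access control list mechanism generic enough to apply to segments, directories and message queues alike. The following is an added illustration written for this archive page; it is not Multics code and not from Saltzer's paper. It assumes that each ACL entry is a pattern in which any component may be the wildcard "*", that entries are searched in order with the first match deciding, and that the mode letters (r/e/w for segments, s/m/a for directories) are illustrative only.

```python
"""Default-deny ACL check with three-part principal identifiers.

Constructed illustration, not Multics source.  A principal is
user.project.compartment; an ACL entry is (pattern, modes) where each
pattern component is a literal or "*".  Assumption: entries are searched
in order and the first matching entry decides; no match means no access.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Principal:
    user: str
    project: str
    compartment: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        parts = text.split(".")
        if len(parts) != 3:
            raise ValueError("expected user.project.compartment, got %r" % text)
        return cls(*parts)


# One ACL entry: ("user.project.compartment" pattern, string of mode letters).
# An empty mode string is an explicit "no access" entry.
AclEntry = Tuple[str, str]


def matches(pattern: str, principal: Principal) -> bool:
    """True if every pattern component is "*" or equals the principal's."""
    parts = pattern.split(".")
    if len(parts) != 3:
        raise ValueError("bad ACL pattern %r" % pattern)
    actual = (principal.user, principal.project, principal.compartment)
    return all(p == "*" or p == a for p, a in zip(parts, actual))


def check_access(acl: List[AclEntry], principal: Principal, mode: str) -> bool:
    """Every access is checked; the first matching entry decides.

    If nothing matches, the answer is False: lack of access is the default.
    """
    for pattern, modes in acl:
        if matches(pattern, principal):
            return mode in modes
    return False


# Constructed sample ACLs.  The same check_access() serves every object
# type; only the set of meaningful mode letters differs.
SEGMENT_ACL: List[AclEntry] = [
    ("Jones.*.*", ""),          # explicit deny, placed first so it wins
    ("Smith.Proj1.*", "rew"),   # owner: read, execute, write
    ("*.Proj1.*", "re"),        # rest of the project: read and execute
    ("*.*.*", "r"),             # everyone else: read only
]

DIRECTORY_ACL: List[AclEntry] = [
    ("Smith.Proj1.*", "sma"),   # status, modify, append (illustrative letters)
    ("*.Proj1.*", "s"),         # project members may only list it
]

QUEUE_ACL: List[AclEntry] = [
    ("*.Proj1.*", "a"),         # any project member may append a message
    ("Smith.Proj1.*", "ar"),    # never reached: shadowed by the entry above
]


def demo() -> Dict[str, bool]:
    """Run a handful of constructed access decisions and return them."""
    smith = Principal.parse("Smith.Proj1.a")
    jones = Principal.parse("Jones.Proj1.a")
    lee = Principal.parse("Lee.Proj1.b")
    green = Principal.parse("Green.Proj2.a")
    return {
        "smith_writes_segment": check_access(SEGMENT_ACL, smith, "w"),
        "jones_reads_segment": check_access(SEGMENT_ACL, jones, "r"),
        "lee_executes_segment": check_access(SEGMENT_ACL, lee, "e"),
        "lee_writes_segment": check_access(SEGMENT_ACL, lee, "w"),
        "green_reads_segment": check_access(SEGMENT_ACL, green, "r"),
        "green_executes_segment": check_access(SEGMENT_ACL, green, "e"),
        "lee_lists_directory": check_access(DIRECTORY_ACL, lee, "s"),
        "lee_modifies_directory": check_access(DIRECTORY_ACL, lee, "m"),
        "green_lists_directory": check_access(DIRECTORY_ACL, green, "s"),
        "smith_reads_queue": check_access(QUEUE_ACL, smith, "r"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-26s %s" % (name, "allowed" if allowed else "denied"))
```

Two things worth noticing when running it: Green, who is on another project and matches no directory entry at all, is denied without any explicit deny entry having to exist; and the queue's more specific entry for Smith is shadowed because a broader entry precedes it, which is why an ordered, first-match ACL should list specific entries before wildcard ones.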