From: Reid Wilkes (reidwilkes_at_verizon.net)
Date: Sun Jan 11 2004 - 23:10:28 PST
The basic outline of this paper seems to be… profound insights into computer
system security lead into about 14 pages of rather mundane implementation
details followed by an insightful description of the weaknesses of the
system described. The paper begins and almost immediately dives into a list
of five design principles for secure system design. As with all of the
papers read so far in this class, I am left wondering whether the ideas
presented were completely novel at the time or were already established
thoughts. This particular set of principles left a powerful impression on me
when I realized how absolutely pertinent – and in many ways unfulfilled –
they remain today. For instance, one of the principles is that the security
of a system comes from the use of security mechanisms which extend outside
of the system (such as a password or in today’s world an encryption key)
rather than the system being secured from the inside (which requires that
the inner workings of the system be a secret). This point takes on
particular relevance in today’s debate over open-source versus commercial
closed-source software. Another quite profound idea (and one which the
Multics system did not succeed in) is that for a security system to be
effective it must be easily usable. In my experience the biggest security
issue with major OSes today is not the security mechanisms themselves but
rather the difficulty the average user has in doing the correct things to
keep their systems secure.

The paper then describes in great detail the actual implementation of the
security mechanisms in Multics. These security systems are essentially the
familiar concept of Access Control Lists (ACLs) on resources – in this case
the primary resource considered was the “segment”, which appeared to be the
basic unit of storage on the system. Many of the ideas subsequently described
sound relatively similar to modern systems (particularly my experience is
with Windows). The Multics system has a concept of groups in which a user can
belong and resource access can be arbitrated at the group level rather than
individual users. However, this mechanism is substantially more primitive
(only allowing one group membership at a time for a user) than we see in
more modern systems. The paper also describes the low-level mechanisms
implemented to provide for the implementation of the security checks
performed at every segment access (which is essentially every memory
access!).

I was quite impressed as the reading progressed through the long
descriptions of implementation details at the hawkish approach the authors
took in looking for any and every possible place where security could be
compromised. Not only was the approach they took extremely detailed, but it
was also highly comprehensive, including even discussions of physical
security measures surrounding the actual hardware. It was eye-opening to me
to realize that the practice of systems security was this mature this long
ago. I think I had assumed that computer security was really an advent of
the last 15 years or so (especially fed by the boom of networked systems).
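The per-segment ACL check and the one-group-at-a-time limitation discussed in the post, as an added example that is not from the post or from the Multics paper. The entry syntax (`user:`/`group:` keys), the mode letters, the precedence rule (a user entry overrides group entries, otherwise default deny) and the sample segments are constructed assumptions, not Multics' real ACL format.

```python
from typing import Dict, FrozenSet, Set

MODES = {"r", "w", "x"}

# One ACL per segment: entry name ("user:alice" or "group:ops") -> granted modes.
# Entry syntax and modes are constructed for this example, not Multics' own.
ACL = Dict[str, Set[str]]


def check_access(acl: ACL, user: str, groups: FrozenSet[str], mode: str) -> bool:
    """Decide whether `user`, currently holding `groups`, may use `mode` on a segment.

    Precedence (an assumption of this model): an explicit user entry is final,
    even if empty; otherwise any held group whose entry grants the mode suffices;
    with no matching entry at all the answer is deny (default deny).
    """
    if mode not in MODES:
        raise ValueError(f"unknown access mode {mode!r}")
    user_entry = acl.get(f"user:{user}")
    if user_entry is not None:
        return mode in user_entry
    return any(mode in acl.get(f"group:{g}", set()) for g in groups)


def readable_segments(segments: Dict[str, ACL], user: str,
                      groups: FrozenSet[str]) -> Set[str]:
    """Names of the segments `user` can read while holding `groups`."""
    return {name for name, acl in segments.items()
            if check_access(acl, user, groups, "r")}


# Constructed sample: two project segments and one segment shared across groups.
SEGMENTS: Dict[str, ACL] = {
    "ops_log":  {"group:ops": {"r", "w"}},
    "dev_tree": {"group:dev": {"r", "w", "x"}},
    "shared":   {"group:ops": {"r"}, "group:dev": {"r"}, "user:mallory": set()},
}

if __name__ == "__main__":
    # Single group membership as the post describes: alice holds only "ops",
    # so dev_tree is out of reach until she switches group.
    print(sorted(readable_segments(SEGMENTS, "alice", frozenset({"ops"}))))
    # Multi-group membership as in more modern systems: both project segments.
    print(sorted(readable_segments(SEGMENTS, "alice", frozenset({"ops", "dev"}))))
    # An explicit empty user entry overrides the group grant (default deny wins).
    print(check_access(SEGMENTS["shared"], "mallory", frozenset({"dev"}), "r"))
```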
This archive was generated by hypermail 2.1.6 : Sun Jan 11 2004 - 23:10:29 PST