From: Brian Milnes (brianmilnes_at_qwest.net)
Date: Wed Jan 14 2004 - 09:42:52 PST
Protection and the control of information sharing in MULTICS - Jerome Saltzer
The author discusses the protection mechanism in MULTICS circa
1973. The five principles of protection are: permission rather than
exclusion, check every time, no security through obscurity, run with least
privilege and ease of use. They also decentralized authority and allowed
the user to construct their own protection domains.
The core way they build this is with access control lists that can protect
segments, directories and removable media descriptors. The access control
lists have patterns, which I wish Unix had, and the standard combinations of
read, write and execute.
Memory protection is implemented using a descriptor which has a pointer into
a segment, r/w/e bits, entry point control and something called protected
system control. Each process gets a private address space. Designated entry
points are called gates and access is controlled by hardware, which must be
slow. A rings-of-protection system is created by using the entry point
control bits to build a 0-7 layer protection system. The supervisor uses
these descriptors so it can be built with the same compilers, and if it
accidentally transfers out to a user procedure, it gets the user's
protection.
The paper is difficult to understand; some of this is its age, but much more
of it is the clarity of the writing. Although the ideas presented are
fundamental, MULTICS was reputed to be very slow. Some of this might be the
hardware, but much of it was likely their complicated access control lists
and memory protection.
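The two mechanisms the post names, pattern-based ACLs and descriptor-based ring protection with gates, are easier to reason about as code. The following is an added illustrative model written for this archive page; it is not code from the post, from Saltzer's paper, or from MULTICS itself. The wildcard pattern syntax over "person.project" principal names, the descriptor fields, and the single "outermost ring allowed" number per segment are simplifying assumptions, not the real MULTICS encoding. It does follow the rules the post states: permission rather than exclusion (no matching ACL entry means no access), a check on every reference, inward transfers only through designated gates, and a transfer outward leaving the caller with the target's weaker protection.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed model (assumption, not the MULTICS format): an ACL is an ordered
# list of entries; each entry is a shell-style pattern over "person.project"
# principal names plus a subset of the r/w/e modes. First match wins.


@dataclass(frozen=True)
class AclEntry:
    pattern: str   # e.g. "*.Faculty" matches any person in project Faculty (assumed syntax)
    modes: str     # subset of "rwe"


def acl_modes(acl, principal):
    """Return the set of modes granted to `principal` by the first matching entry.

    A principal with no matching entry gets the empty set: permission rather
    than exclusion, so nothing is granted by default.
    """
    for entry in acl:
        if fnmatchcase(principal, entry.pattern):
            return set(entry.modes)
    return set()


# Constructed model of a segment descriptor (assumption): the segment it points
# at, its r/w/e bits, the outermost (highest-numbered, least privileged) ring
# allowed to touch it directly, and the entry points designated as gates.
# Ring 0 is the most privileged; ring 7 the least, as in the 0-7 layering.


@dataclass(frozen=True)
class Descriptor:
    segment: str
    modes: str
    ring: int
    gates: frozenset = frozenset()


def check_access(desc, ring, mode):
    """Hardware-style check made on every reference, never cached.

    The mode bit must be set and the requesting process must run in a ring no
    less privileged than the segment's ring.
    """
    return mode in desc.modes and ring <= desc.ring


def transfer(desc, ring, entry):
    """Model a control transfer from a process in `ring` to `entry` in `desc`.

    Returns the ring the process runs in afterwards, or None if refused.
    Inward calls (to a more privileged segment) are allowed only through a
    designated gate. Same-ring or outward transfers always succeed when the
    segment is executable, but the process then runs with the target's
    protection: a supervisor that accidentally jumps into a user procedure
    is demoted to the user's ring.
    """
    if "e" not in desc.modes:
        return None
    if desc.ring < ring:
        return desc.ring if entry in desc.gates else None
    return desc.ring


# Constructed sample data (assumption) used for the demonstration below.
SAMPLE_ACL = [
    AclEntry("Saltzer.*", "rwe"),   # one person, any project
    AclEntry("*.Faculty", "r"),     # anyone in the Faculty project
]
SUPERVISOR = Descriptor("supervisor", "re", ring=0, gates=frozenset({"sys_call"}))
USER_PROC = Descriptor("user_proc", "re", ring=4)
USER_DATA = Descriptor("user_data", "rw", ring=4)

if __name__ == "__main__":
    print(sorted(acl_modes(SAMPLE_ACL, "Saltzer.Faculty")))   # ['e', 'r', 'w']
    print(sorted(acl_modes(SAMPLE_ACL, "Milnes.Faculty")))    # ['r']
    print(acl_modes(SAMPLE_ACL, "Milnes.Students"))           # set()
    print(check_access(SUPERVISOR, 4, "r"))                   # False: user ring cannot read ring-0 segment
    print(transfer(SUPERVISOR, 4, "sys_call"))                # 0: inward call through a gate
    print(transfer(SUPERVISOR, 4, "internal_routine"))        # None: not a gate
    print(transfer(USER_PROC, 0, "main"))                     # 4: supervisor demoted to user's ring
```

The point worth noticing is the asymmetry in `transfer`: entering a more privileged ring requires naming a gate, while leaving one is unconditional and costs the caller its privilege, which is exactly the property the post credits for letting the supervisor be built with ordinary compilers.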
This archive was generated by hypermail 2.1.6 : Wed Jan 14 2004 - 09:43:02 PST