Abstract
The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.
Index Terms
- Protection and the control of information sharing in Multics