Protection and the control of information sharing in multics

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Protection and the control of information sharing in multics

Full text

Pdf (1.75 MB)

Source

Communications of the ACM archive
Volume 17 , Issue 7 (July 1974) table of contents

Pages: 388 - 402

Year of Publication: 1974

ISSN:0001-0782

Author

Jerome H. Saltzer

Massachusetts Institute of Technology, Cambridge

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 164, Downloads (12 Months): 400, Citation Count: 58

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/361011.361067 What is a DOI?

ABSTRACT

The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	William B. Ackerman , William W. Plummer, An implementation of a multiprocessing computer system, Proceedings of the first ACM symposium on Operating System Principles, p.5.1-5.10, January 1967 [doi>10.1145/800001.811666]
	2	Baran, P. Security, secrecy, and tamper-free considerations. In On Distributed Communications 9, Rand Corp. Techn. Rep. RM-3765-PR.
	3	Beardsley, C.W. ls your computer insecure? IEEE Spectrum 9, 1 (Jan. 1972), 67-78.
	4	A. Bensoussan , C. T. Clingen , R. C. Daley, The Multics virtual memory: concepts and design, Communications of the ACM, v.15 n.5, p.308-318, May 1972 [doi>10.1145/355602.361306]
	5	Branstad, D.K. Privacy and protection in operating systems. Computer 6, (1973), 43-47.
	6	The Compatible Time-Sharhtg System: A Programmer's Guide. M.I.T. Press, 1966.
	7	Corbato, F.J., Saltzer, J.H., and Clingen, C.T. Multics: the first seven years. Proc. AFIPS 1972 SJCC, Vol. 40, AFIPS Press, Montvale, N.J., pp. 571-583.
	8	Daley, R.C., and Neumann, P.G. A general-purpose file system for secondary storage. Proc. AFIPS 1965 FJCC, vol. 27, AFIPS Press, Montvale, N.J., pp. 213-229.
	9	The Descriptor--A Definition of the B5000 blJbrmation Processhtg System. Burroughs Corporation, Bus. Mach. Gr., Sales Tech. Serv., Syst. Doc., Detroit, Mich., 1961.
	10	Evans, D.C., and LeClerc, J.Y. Address mapping and the control of access in an interactive computer, Proc. A FIPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 23-30.
	11	R. S. Fabry, The case for capability based computers (Extended Abstract), Proceedings of the fourth ACM symposium on Operating system principles, p.120, January 1973
	12	Glaser, E.L. A brief description of privacy measures in the Multics operating system, Proc. AFIPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 303-304.
	13	Robert M. Graham, Protection in an information processing utility, Communications of the ACM, v.11 n.5, p.365-369, May 1968 [doi>10.1145/363095.363146]
	14	Hoffman, L.J. The formulary model for access control and privacy in computer systems. Rep. 117, Stanford Linear Accelerator Center, Stanford, Calif., 1970.
	15	Holland, S.A., and Purcell, C.J. The CDC Star-100 A large scale network oriented computer system. IEEE lnternat. Comput. Soc. Conf., Sept. 1971, pp. 55-56.
	16	Hollingworth, Dennis. Enhancing computer system security. Rand Paper P-5064, Rand Corp., Aug. 1973.
	17	Hsiao, D.K., A File System for a Problem Solving Facility, Ph.D. Diss., Dep. of Elec. Eng., U. of Pennsylvania, Philadelphia, Penn., 1968.
	18	Lampson, B.W. An overview of the CAL time-sharing system Comput. Center, U. of California, Berkeley, Sept. 1969.
	19	Lampson, B.W. Protection. Proc. 5th Princeton Conf. on Inform. Sci. and Syst., Mar. 1971, pp. 437-443.
	20	Molho, L.M. Hardware aspects of secure computing, Proc. AFIPS 1970 SJCC, Vol. 36, AFIPS Press, Montvale, N.J., pp. 135-141.
	21	Elliott I. Organick, The Multics System: An Examination of Its Structure, The MIT Press, 1972
	22	Needham, R.M. Protection systems and protection implementations, Proc. AFIPS 1972 FJCC, Vol. 41, AFIPS Press, Montvale, N.J., pp. 572-578.
	23	OS/MVTwith Resource Security, General Information and Planning Manual, IBM Appl. Prog. Man., File no. GH20-1058-0, IBM Corp., Dec. 1971.
	24	Peters, B. Security considerations in a multi-programmed computer system. Proc. AFPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 283-286.
	25	Dennis M. Ritchie , Ken Thompson, The UNIX time-sharing system, Proceedings of the fourth ACM symposium on Operating system principles, p.27, January 1973
	26	Rotenberg, L. Making computers keep secrets. Ph.D. Th., M.I.T., Dept. of Elec. Eng., Sept. 1973. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-116.)
	27	M. D. Schroeder, COOPERATION OF MUTUALLY SUSPICIOUS SUBSYSTEMS IN A COMPUTER UTILITY, Massachusetts Institute of Technology, Cambridge, MA, 1972
	28	Michael D. Schroeder , Jerome H. Saltzer, A hardware architecture for implementing protection rings, Communications of the ACM, v.15 n.3, p.157-170, March 1972 [doi>10.1145/361268.361275]
	29	J. L. Smith , W. A. Notz , P. R. Osseck, An experimental application of cryptography to a remotely accessed data system, Proceedings of the ACM annual conference, August 01-01, 1972, Boston, Massachusetts, United States [doi>10.1145/800193.569930]
	30	System 370 Principles of Operation, IBM Sys. Ref. Lib. File no. GA22-7000-3, IBM Corp., 1973.
	31	Third party ID aided program theft. Computer World V, 14 (Apr. 7, 1971).
	32	Ware, W., et al. Security controls for computer systems. Rand Corp. Tech. Rep. R-609, 1970. (Classified Confidential.)
	33	Weissman, C. Security controls in the ADEPT-50 time-sharing system. Proc. AFIPS 1969 FJCC, Vol. 35, AFIPS Press, Montvale, N.J., pp. 119-133.
	34	M. V. Wilkes, Time Sharing Computer Systems, Elsevier Science Inc., New York, NY, 1975
	35	Wulf, W.A., et al. HYDRA: The kernel of a multiprocessor operating system. Comput. Sci. Dep. Rep., Carnegie-Mellon U., June 1973.

CITED BY 58

	Joel Richardson , Peter Schwarz , Luis-Felipe Cabrera, CACL: efficient fine-grained protection for objects, ACM SIGPLAN Notices, v.27 n.10, p.263-275, Oct. 1992
	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976
	Michael D. Schroeder, Engineering a security kernel for Multics, ACM SIGOPS Operating Systems Review, v.9 n.5, p.25-32, November 1975
	Tomás Lang , Eduardo B. Fernández , Rita C. Summers, A system architecture for compile-time actions in databases, Proceedings of the 1977 annual conference, p.11-15, January 1977
	Prasun Dewan , Honghai Shen, Controlling access in multiuser interfaces, ACM Transactions on Computer-Human Interaction (TOCHI), v.5 n.1, p.34-62, March 1998
	Robert H. Bonczek , James I. Cash , Andrew B. Whinston, A transformational grammar-based query processor for access control in a planning system, ACM Transactions on Database Systems (TODS), v.2 n.4, p.326-338, Dec. 1977
	Ravinderpal S. Sandhu, The NTree: a two dimension partial order for protection groups, ACM Transactions on Computer Systems (TOCS), v.6 n.2, p.197-222, May 1988
	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, On protection in operating systems, ACM SIGOPS Operating Systems Review, v.9 n.5, p.14-24, November 1975
	Gregory R. Andrews, Partitions and principles for secure operating systems, Proceedings of the 1975 annual conference, p.177-180, January 1975
	K. G. Walter , S. I. Schaen , W. F. Ogden , W. C. Rounds , D. G. Shumway , D. D. Schaeffer , K. J. Biba , F. T. Bradshaw , S. R. Ames , J. M. Gilligan, Structured specification of a Security Kernel, ACM SIGPLAN Notices, v.10 n.6, p.285-293, June 1975
	HongHai Shen , Prasun Dewan, Access control for collaborative environments, Proceedings of the 1992 ACM conference on Computer-supported cooperative work, p.51-58, November 01-04, 1992, Toronto, Ontario, Canada
	Santosh Chokhani, Trusted products evaluation, Communications of the ACM, v.35 n.7, p.64-76, July 1992
	M. Satyanarayanan, Integrating security in a large distributed system, ACM Transactions on Computer Systems (TOCS), v.7 n.3, p.247-280, Aug. 1989
	Douglas Cook, Measuring memory protection, Proceedings of the 3rd international conference on Software engineering, p.281-287, May 10-12, 1978, Atlanta, Georgia, United States
	David Rine, Possibility theory: As a means for modeling computer security and protection, Proceedings of the eighth international symposium on Multiple-valued logic, p.276-286, January 1978, Rosemont, Illinois, United States
	Alfred Z. Spector , Dean Daniels , Daniel Duchamp , Jeffrey L. Eppinger , Randy Pausch, Distributed transactions for reliable systems, ACM SIGOPS Operating Systems Review, v.19 n.5, p.127-146, Dec. 1-4, 1985
	Theodore A. Linden, Operating System Structures to Support Security and Reliable Software, ACM Computing Surveys (CSUR), v.8 n.4, p.409-445, Dec. 1976
	Wm A. Wulf , Chenxi Wang , Darrell Kienzle, A new model of security for distributed systems, Proceedings of the 1996 workshop on New security paradigms, p.34-43, September 17-20, 1996, Lake Arrowhead, California, United States
	Christie D. Michelsen , Wayne D. Dominick , Joseph E. Urban, A methodology for the objective evaluation of the user/system interfaces of the MADAM system using software engineering principles, Proceedings of the 18th annual Southeast regional conference, March 24-26, 1980, Tallahassee, Florida
	Ravi Sandhu, Engineering authority and trust in cyberspace: the OM-AM and RBAC way, Proceedings of the fifth ACM workshop on Role-based access control, p.111-119, July 26-28, 2000, Berlin, Germany
	Li Gong, Java Security: Present and Near Future, IEEE Micro, v.17 n.3, p.14-19, May 1997
	Jason Gait, Easy entry: the password encryption problem, ACM SIGOPS Operating Systems Review, v.12 n.3, p.54-60, July 1978
	Michael M. Swift , Brian N. Bershad , Henry M. Levy, Improving the reliability of commodity operating systems, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
	J. D. Bagley , E. R. Floto , S. C. Hsieh , V. Watson, Sharing data and services in a virtual machine system, ACM SIGOPS Operating Systems Review, v.9 n.5, p.82-88, November 1975
	Emmett Witchel , Josh Cates , Krste Asanović, Mondrian memory protection, ACM SIGPLAN Notices, v.37 n.10, October 2002
	Prasun Dewan , HongHai Shen, Flexible meta access-control for collaborative applications, Proceedings of the 1998 ACM conference on Computer supported cooperative work, p.247-256, November 14-18, 1998, Seattle, Washington, United States
	Jonathan D. Moffett , Morris S. Sloman, The Source of Authority for Commercial Access Control, Computer, v.21 n.2, p.59-69, February 1988
	C. K. Chang , T. M. Jiang, A Binary Single-Key-Lock System for Access Control, IEEE Transactions on Computers, v.38 n.10, p.1462-1466, October 1989
	Computer Security in the Real World, Computer, v.37 n.6, p.37-46, June 2004
	Gerald J. Popek , Charles S. Kline, A verifiable protection system, ACM SIGPLAN Notices, v.10 n.6, p.294-304, June 1975
	Prasun Dewan, An Integrated Approach to Designing and Evaluating CollaborativeApplications and Infrastructures, Computer Supported Cooperative Work, v.10 n.1, p.75-111, Jan. 2001
	Chavdar Botev , Hubert Chao , Theodore Chao , Yim Cheng , Raymond Doyle , Sergey Grankin , Jon Guarino , Saikat Guha , Pei-Chen Lee , Dan Perry , Christopher Re , Ilya Rifkin , Tingyan Yuan , Dora Abdullah , Kathy Carpenter , David Gries , Dexter Kozen , Andrew Myers , David Schwartz , Jayavel Shanmugasundaram, Supporting workflow in a course management system, ACM SIGCSE Bulletin, v.37 n.1, 2005
	Michael M. Swift , Brian N. Bershad , Henry M. Levy, Improving the reliability of commodity operating systems, ACM Transactions on Computer Systems (TOCS), v.23 n.1, p.77-110, February 2005
	R. S. Sandhu, Recognizing Immediacy in an N-Tree Hierarchy and its Application to Protection Groups, IEEE Transactions on Software Engineering, v.15 n.12, p.1518-1525, December 1989
	Barton Miller , David Presotto, XOS: an operating system for the X-tree architecture, ACM SIGOPS Operating Systems Review, v.15 n.2, p.21-32, April 1981
	Volker Roth , Tobias Straub , Kai Richter, Security and usability engineering with particular attention to electronic mail, International Journal of Human-Computer Studies, v.63 n.1-2, p.51-73, July 2005
	Ravi Sandhu , Xinwen Zhang, Peer-to-peer access control architecture using trusted computing technology, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
	Emmett Witchel , Junghwan Rhee , Krste Asanović, Mondrix: memory isolation for linux using mondriaan memory protection, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
	S. S. Yau , R. C. Cheung , D. C. Cochrane, An approach to error-resistant software design, Proceedings of the 2nd international conference on Software engineering, p.429-436, October 13-15, 1976, San Francisco, California, United States
	Klaas Sikkel, A group-based authorization model for cooperative systems, Proceedings of the fifth conference on European Conference on Computer-Supported Cooperative Work, p.345-360, September 07-11, 1997, Lancaster, UK
	Niels Provos , Markus Friedl , Peter Honeyman, Preventing privilege escalation, Proceedings of the 12th conference on USENIX Security Symposium, p.16-16, August 04-08, 2003, Washington, DC
	Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
	Michael Kaminsky , Eric Peterson , Daniel B. Giffin , Kevin Fu , David Mazières , M. Frans Kaashoek, REX: secure, extensible remote execution, Proceedings of the USENIX Annual Technical Conference 2004 on USENIX Annual Technical Conference, p.16-16, June 27-July 02, 2004, Boston, MA
	Jonathon T. Giffin , Somesh Jha , Barton P. Miller, Detecting Manipulated Remote Call Streams, Proceedings of the 11th USENIX Security Symposium, p.61-79, August 05-09, 2002
	Mark Vroblefski , Andrew Chen , Benjamin Shao , Matthew Swinarski, Managing user relationships in hierarchies for information system security, Decision Support Systems, v.43 n.2, p.408-419, March, 2007
	Li Gong , Marianne Mueller , Hemma Prafullchandra , Roland Schemers, Going beyond the sandbox: an overview of the new security architecture in the java^TM development Kit 1.2, Proceedings of the USENIX Symposium on Internet Technologies and Systems on USENIX Symposium on Internet Technologies and Systems, p.10-10, December 08-11, 1997, Monterey, California
	Jacob Gorm Hansen , Eske Christiansen , Eric Jul, Evil twins: two models for TCB reduction in HPC clusters, ACM SIGOPS Operating Systems Review, v.41 n.4, July 2007
	Deborah Downs , Gerald J. Popek, Data base management systems security and INGRES, Proceedings of the fifth international conference on Very Large Data Bases, p.280-290, October 03-05, 1979, Rio de Janeiro, Brazil
	Peter S. Browne, Computer security: a survey, Proceedings of the June 7-10, 1976, national computer conference and exposition, June 07-10, 1976, New York, New York
	Ted Huffmire , Brett Brotherton , Nick Callegari , Jonathan Valamehr , Jeff White , Ryan Kastner , Tim Sherwood, Designing secure systems on reconfigurable hardware, ACM Transactions on Design Automation of Electronic Systems (TODAES), v.13 n.3, p.1-24, July 2008
	Paul G. Comba, Needed: distributed control, Proceedings of the 1st International Conference on Very Large Data Bases, September 22-24, 1975, Framingham, Massachusetts
	Sabrina De Capitani di Vimercati , Sara Foresti , Sushil Jajodia , Stefano Paraboschi , Pierangela Samarati, A data outsourcing architecture combining cryptography and access control, Proceedings of the 2007 ACM workshop on Computer security architecture, November 02-02, 2007, Fairfax, Virginia, USA
	Bryan D. Payne , Reiner Sailer , Ramón Cáceres , Ron Perez , Wenke Lee, A layered approach to simplified access control in virtualized systems, ACM SIGOPS Operating Systems Review, v.41 n.4, July 2007
	Jisoo Yang , Kang G. Shin, Using hypervisor to provide data secrecy for user applications on a per-page basis, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA
	Steven B. Lipner , William A. Wulf , Roger R. Schell , Gerald J. Popek , Peter G. Neumann , Clark Weissman , Theodore A. Linden, Security kernels, Proceedings of the May 6-10, 1974, national computer conference and exposition, May 06-10, 1974, Chicago, Illinois
	Prince Mahajan , Ramakrishna Kotla , Catherine C. Marshall , Venugopalan Ramasubramanian , Thomas L. Rodeheffer , Douglas B. Terry , Ted Wobber, Effective and efficient compromise recovery for weakly consistent replication, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany
	Heather Crawford , John Aycock, Kwyjibo: automatic domain name generation, Software—Practice & Experience, v.38 n.14, p.1561-1567, November 2008
	Ram Krishnan , Ravi Sandhu , Jianwei Niu , William H. Winsborough, Foundations for group-centric secure information sharing models, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy