ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Digital Library logoTake a look at the new version of this page: [ beta version ]. Tell us what you think.
Protection and the control of information sharing in multics
Full text PdfPdf (1.75 MB)
Source
Communications of the ACM archive
Volume 17 ,  Issue 7  (July 1974) table of contents
Pages: 388 - 402  
Year of Publication: 1974
ISSN:0001-0782
Author
Jerome H. Saltzer  Massachusetts Institute of Technology, Cambridge
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 44,   Downloads (12 Months): 384,   Citation Count: 62
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/361011.361067
What is a DOI?

Warning: The download time has expired please click on the item to try again.


ABSTRACT

The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
William B. Ackerman , William W. Plummer, An implementation of a multiprocessing computer system, Proceedings of the first ACM symposium on Operating System Principles, p.5.1-5.10, January 1967  [doi>10.1145/800001.811666]
 
2
Baran, P. Security, secrecy, and tamper-free considerations. In On Distributed Communications 9, Rand Corp. Techn. Rep. RM-3765-PR.
 
3
Beardsley, C.W. ls your computer insecure? IEEE Spectrum 9, 1 (Jan. 1972), 67-78.
4
A. Bensoussan , C. T. Clingen , R. C. Daley, The Multics virtual memory: concepts and design, Communications of the ACM, v.15 n.5, p.308-318, May 1972  [doi>10.1145/355602.361306]
 
5
Branstad, D.K. Privacy and protection in operating systems. Computer 6, (1973), 43-47.
 
6
The Compatible Time-Sharhtg System: A Programmer's Guide. M.I.T. Press, 1966.
 
7
Corbato, F.J., Saltzer, J.H., and Clingen, C.T. Multics: the first seven years. Proc. AFIPS 1972 SJCC, Vol. 40, AFIPS Press, Montvale, N.J., pp. 571-583.
 
8
Daley, R.C., and Neumann, P.G. A general-purpose file system for secondary storage. Proc. AFIPS 1965 FJCC, vol. 27, AFIPS Press, Montvale, N.J., pp. 213-229.
 
9
The Descriptor--A Definition of the B5000 blJbrmation Processhtg System. Burroughs Corporation, Bus. Mach. Gr., Sales Tech. Serv., Syst. Doc., Detroit, Mich., 1961.
 
10
Evans, D.C., and LeClerc, J.Y. Address mapping and the control of access in an interactive computer, Proc. A FIPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 23-30.
11
R. S. Fabry, The case for capability based computers (Extended Abstract), Proceedings of the fourth ACM symposium on Operating system principles, p.120, January 1973
 
12
Glaser, E.L. A brief description of privacy measures in the Multics operating system, Proc. AFIPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 303-304.
13
Robert M. Graham, Protection in an information processing utility, Communications of the ACM, v.11 n.5, p.365-369, May 1968  [doi>10.1145/363095.363146]
 
14
Hoffman, L.J. The formulary model for access control and privacy in computer systems. Rep. 117, Stanford Linear Accelerator Center, Stanford, Calif., 1970.
 
15
Holland, S.A., and Purcell, C.J. The CDC Star-100 A large scale network oriented computer system. IEEE lnternat. Comput. Soc. Conf., Sept. 1971, pp. 55-56.
 
16
Hollingworth, Dennis. Enhancing computer system security. Rand Paper P-5064, Rand Corp., Aug. 1973.
 
17
Hsiao, D.K., A File System for a Problem Solving Facility, Ph.D. Diss., Dep. of Elec. Eng., U. of Pennsylvania, Philadelphia, Penn., 1968.
 
18
Lampson, B.W. An overview of the CAL time-sharing system Comput. Center, U. of California, Berkeley, Sept. 1969.
 
19
Lampson, B.W. Protection. Proc. 5th Princeton Conf. on Inform. Sci. and Syst., Mar. 1971, pp. 437-443.
 
20
Molho, L.M. Hardware aspects of secure computing, Proc. AFIPS 1970 SJCC, Vol. 36, AFIPS Press, Montvale, N.J., pp. 135-141.
 
21
Elliott I. Organick, The Multics System: An Examination of Its Structure, The MIT Press, 1972
 
22
Needham, R.M. Protection systems and protection implementations, Proc. AFIPS 1972 FJCC, Vol. 41, AFIPS Press, Montvale, N.J., pp. 572-578.
 
23
OS/MVTwith Resource Security, General Information and Planning Manual, IBM Appl. Prog. Man., File no. GH20-1058-0, IBM Corp., Dec. 1971.
 
24
Peters, B. Security considerations in a multi-programmed computer system. Proc. AFPS 1967 SJCC, Vol. 30, AFIPS Press, Montvale, N.J., pp. 283-286.
25
Dennis M. Ritchie , Ken Thompson, The UNIX time-sharing system, Proceedings of the fourth ACM symposium on Operating system principles, p.27, January 1973
 
26
Rotenberg, L. Making computers keep secrets. Ph.D. Th., M.I.T., Dept. of Elec. Eng., Sept. 1973. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-116.)
 
27
M. D. Schroeder, COOPERATION OF MUTUALLY SUSPICIOUS SUBSYSTEMS IN A COMPUTER UTILITY, Massachusetts Institute of Technology, Cambridge, MA, 1972
28
Michael D. Schroeder , Jerome H. Saltzer, A hardware architecture for implementing protection rings, Communications of the ACM, v.15 n.3, p.157-170, March 1972  [doi>10.1145/361268.361275]
29
J. L. Smith , W. A. Notz , P. R. Osseck, An experimental application of cryptography to a remotely accessed data system, Proceedings of the ACM annual conference, August 01-01, 1972, Boston, Massachusetts, United States  [doi>10.1145/800193.569930]
 
30
System 370 Principles of Operation, IBM Sys. Ref. Lib. File no. GA22-7000-3, IBM Corp., 1973.
 
31
Third party ID aided program theft. Computer World V, 14 (Apr. 7, 1971).
 
32
Ware, W., et al. Security controls for computer systems. Rand Corp. Tech. Rep. R-609, 1970. (Classified Confidential.)
 
33
Weissman, C. Security controls in the ADEPT-50 time-sharing system. Proc. AFIPS 1969 FJCC, Vol. 35, AFIPS Press, Montvale, N.J., pp. 119-133.
 
34
M. V. Wilkes, Time Sharing Computer Systems, Elsevier Science Inc., New York, NY, 1975
 
35
Wulf, W.A., et al. HYDRA: The kernel of a multiprocessor operating system. Comput. Sci. Dep. Rep., Carnegie-Mellon U., June 1973.

CITED BY  62
Joel Richardson , Peter Schwarz , Luis-Felipe Cabrera, CACL: efficient fine-grained protection for objects, ACM SIGPLAN Notices, v.27 n.10, p.263-275, Oct. 1992
Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976
Michael D. Schroeder, Engineering a security kernel for Multics, ACM SIGOPS Operating Systems Review, v.9 n.5, p.25-32, November 1975
Tomás Lang , Eduardo B. Fernández , Rita C. Summers, A system architecture for compile-time actions in databases, Proceedings of the 1977 annual conference, p.11-15, January 1977
Prasun Dewan , Honghai Shen, Controlling access in multiuser interfaces, ACM Transactions on Computer-Human Interaction (TOCHI), v.5 n.1, p.34-62, March 1998
Robert H. Bonczek , James I. Cash , Andrew B. Whinston, A transformational grammar-based query processor for access control in a planning system, ACM Transactions on Database Systems (TODS), v.2 n.4, p.326-338, Dec. 1977
Ravinderpal S. Sandhu, The NTree: a two dimension partial order for protection groups, ACM Transactions on Computer Systems (TOCS), v.6 n.2, p.197-222, May 1988
Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, On protection in operating systems, ACM SIGOPS Operating Systems Review, v.9 n.5, p.14-24, November 1975
Gregory R. Andrews, Partitions and principles for secure operating systems, Proceedings of the 1975 annual conference, p.177-180, January 1975
K. G. Walter , S. I. Schaen , W. F. Ogden , W. C. Rounds , D. G. Shumway , D. D. Schaeffer , K. J. Biba , F. T. Bradshaw , S. R. Ames , J. M. Gilligan, Structured specification of a Security Kernel, ACM SIGPLAN Notices, v.10 n.6, p.285-293, June 1975
HongHai Shen , Prasun Dewan, Access control for collaborative environments, Proceedings of the 1992 ACM conference on Computer-supported cooperative work, p.51-58, November 01-04, 1992, Toronto, Ontario, Canada
Santosh Chokhani, Trusted products evaluation, Communications of the ACM, v.35 n.7, p.64-76, July 1992
M. Satyanarayanan, Integrating security in a large distributed system, ACM Transactions on Computer Systems (TOCS), v.7 n.3, p.247-280, Aug. 1989
Douglas Cook, Measuring memory protection, Proceedings of the 3rd international conference on Software engineering, p.281-287, May 10-12, 1978, Atlanta, Georgia, United States
David Rine, Possibility theory: As a means for modeling computer security and protection, Proceedings of the eighth international symposium on Multiple-valued logic, p.276-286, January 1978, Rosemont, Illinois, United States
Alfred Z. Spector , Dean Daniels , Daniel Duchamp , Jeffrey L. Eppinger , Randy Pausch, Distributed transactions for reliable systems, ACM SIGOPS Operating Systems Review, v.19 n.5, p.127-146, Dec. 1-4, 1985
Theodore A. Linden, Operating System Structures to Support Security and Reliable Software, ACM Computing Surveys (CSUR), v.8 n.4, p.409-445, Dec. 1976
Wm A. Wulf , Chenxi Wang , Darrell Kienzle, A new model of security for distributed systems, Proceedings of the 1996 workshop on New security paradigms, p.34-43, September 17-20, 1996, Lake Arrowhead, California, United States
Christie D. Michelsen , Wayne D. Dominick , Joseph E. Urban, A methodology for the objective evaluation of the user/system interfaces of the MADAM system using software engineering principles, Proceedings of the 18th annual Southeast regional conference, March 24-26, 1980, Tallahassee, Florida
Ravi Sandhu, Engineering authority and trust in cyberspace: the OM-AM and RBAC way, Proceedings of the fifth ACM workshop on Role-based access control, p.111-119, July 26-28, 2000, Berlin, Germany
Li Gong, Java Security: Present and Near Future, IEEE Micro, v.17 n.3, p.14-19, May 1997
Jason Gait, Easy entry: the password encryption problem, ACM SIGOPS Operating Systems Review, v.12 n.3, p.54-60, July 1978
Michael M. Swift , Brian N. Bershad , Henry M. Levy, Improving the reliability of commodity operating systems, Proceedings of the nineteenth ACM symposium on Operating systems principles, October 19-22, 2003, Bolton Landing, NY, USA
J. D. Bagley , E. R. Floto , S. C. Hsieh , V. Watson, Sharing data and services in a virtual machine system, ACM SIGOPS Operating Systems Review, v.9 n.5, p.82-88, November 1975
Emmett Witchel , Josh Cates , Krste Asanović, Mondrian memory protection, ACM SIGPLAN Notices, v.37 n.10, October 2002
Prasun Dewan , HongHai Shen, Flexible meta access-control for collaborative applications, Proceedings of the 1998 ACM conference on Computer supported cooperative work, p.247-256, November 14-18, 1998, Seattle, Washington, United States
Jonathan D. Moffett , Morris S. Sloman, The Source of Authority for Commercial Access Control, Computer, v.21 n.2, p.59-69, February 1988
C. K. Chang , T. M. Jiang, A Binary Single-Key-Lock System for Access Control, IEEE Transactions on Computers, v.38 n.10, p.1462-1466, October 1989
Computer Security in the Real World, Computer, v.37 n.6, p.37-46, June 2004
Gerald J. Popek , Charles S. Kline, A verifiable protection system, ACM SIGPLAN Notices, v.10 n.6, p.294-304, June 1975
Prasun Dewan, An Integrated Approach to Designing and Evaluating CollaborativeApplications and Infrastructures, Computer Supported Cooperative Work, v.10 n.1, p.75-111, Jan. 2001
Chavdar Botev , Hubert Chao , Theodore Chao , Yim Cheng , Raymond Doyle , Sergey Grankin , Jon Guarino , Saikat Guha , Pei-Chen Lee , Dan Perry , Christopher Re , Ilya Rifkin , Tingyan Yuan , Dora Abdullah , Kathy Carpenter , David Gries , Dexter Kozen , Andrew Myers , David Schwartz , Jayavel Shanmugasundaram, Supporting workflow in a course management system, ACM SIGCSE Bulletin, v.37 n.1, 2005
Michael M. Swift , Brian N. Bershad , Henry M. Levy, Improving the reliability of commodity operating systems, ACM Transactions on Computer Systems (TOCS), v.23 n.1, p.77-110, February 2005
R. S. Sandhu, Recognizing Immediacy in an N-Tree Hierarchy and its Application to Protection Groups, IEEE Transactions on Software Engineering, v.15 n.12, p.1518-1525, December 1989
Barton Miller , David Presotto, XOS: an operating system for the X-tree architecture, ACM SIGOPS Operating Systems Review, v.15 n.2, p.21-32, April 1981
Volker Roth , Tobias Straub , Kai Richter, Security and usability engineering with particular attention to electronic mail, International Journal of Human-Computer Studies, v.63 n.1-2, p.51-73, July 2005
Ravi Sandhu , Xinwen Zhang, Peer-to-peer access control architecture using trusted computing technology, Proceedings of the tenth ACM symposium on Access control models and technologies, June 01-03, 2005, Stockholm, Sweden
Emmett Witchel , Junghwan Rhee , Krste Asanović, Mondrix: memory isolation for linux using mondriaan memory protection, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
S. S. Yau , R. C. Cheung , D. C. Cochrane, An approach to error-resistant software design, Proceedings of the 2nd international conference on Software engineering, p.429-436, October 13-15, 1976, San Francisco, California, United States
Klaas Sikkel, A group-based authorization model for cooperative systems, Proceedings of the fifth conference on European Conference on Computer-Supported Cooperative Work, p.345-360, September 07-11, 1997, Lancaster, UK
Niels Provos , Markus Friedl , Peter Honeyman, Preventing privilege escalation, Proceedings of the 12th conference on USENIX Security Symposium, p.16-16, August 04-08, 2003, Washington, DC
Niels Provos, Improving host security with system call policies, Proceedings of the 12th conference on USENIX Security Symposium, p.18-18, August 04-08, 2003, Washington, DC
Michael Kaminsky , Eric Peterson , Daniel B. Giffin , Kevin Fu , David Mazières , M. Frans Kaashoek, REX: secure, extensible remote execution, Proceedings of the USENIX Annual Technical Conference 2004 on USENIX Annual Technical Conference, p.16-16, June 27-July 02, 2004, Boston, MA
Jonathon T. Giffin , Somesh Jha , Barton P. Miller, Detecting Manipulated Remote Call Streams, Proceedings of the 11th USENIX Security Symposium, p.61-79, August 05-09, 2002
Mark Vroblefski , Andrew Chen , Benjamin Shao , Matthew Swinarski, Managing user relationships in hierarchies for information system security, Decision Support Systems, v.43 n.2, p.408-419, March, 2007
Li Gong , Marianne Mueller , Hemma Prafullchandra , Roland Schemers, Going beyond the sandbox: an overview of the new security architecture in the javaTM development Kit 1.2, Proceedings of the USENIX Symposium on Internet Technologies and Systems on USENIX Symposium on Internet Technologies and Systems, p.10-10, December 08-11, 1997, Monterey, California
Jacob Gorm Hansen , Eske Christiansen , Eric Jul, Evil twins: two models for TCB reduction in HPC clusters, ACM SIGOPS Operating Systems Review, v.41 n.4, July 2007
Deborah Downs , Gerald J. Popek, Data base management systems security and INGRES, Proceedings of the fifth international conference on Very Large Data Bases, p.280-290, October 03-05, 1979, Rio de Janeiro, Brazil
Peter S. Browne, Computer security: a survey, Proceedings of the June 7-10, 1976, national computer conference and exposition, June 07-10, 1976, New York, New York
Ted Huffmire , Brett Brotherton , Nick Callegari , Jonathan Valamehr , Jeff White , Ryan Kastner , Tim Sherwood, Designing secure systems on reconfigurable hardware, ACM Transactions on Design Automation of Electronic Systems (TODAES), v.13 n.3, p.1-24, July 2008
Paul G. Comba, Needed: distributed control, Proceedings of the 1st International Conference on Very Large Data Bases, September 22-24, 1975, Framingham, Massachusetts
Sabrina De Capitani di Vimercati , Sara Foresti , Sushil Jajodia , Stefano Paraboschi , Pierangela Samarati, A data outsourcing architecture combining cryptography and access control, Proceedings of the 2007 ACM workshop on Computer security architecture, November 02-02, 2007, Fairfax, Virginia, USA
Bryan D. Payne , Reiner Sailer , Ramón Cáceres , Ron Perez , Wenke Lee, A layered approach to simplified access control in virtualized systems, ACM SIGOPS Operating Systems Review, v.41 n.4, July 2007
Jisoo Yang , Kang G. Shin, Using hypervisor to provide data secrecy for user applications on a per-page basis, Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments, March 05-07, 2008, Seattle, WA, USA
Steven B. Lipner , William A. Wulf , Roger R. Schell , Gerald J. Popek , Peter G. Neumann , Clark Weissman , Theodore A. Linden, Security kernels, Proceedings of the May 6-10, 1974, national computer conference and exposition, May 06-10, 1974, Chicago, Illinois
Prince Mahajan , Ramakrishna Kotla , Catherine C. Marshall , Venugopalan Ramasubramanian , Thomas L. Rodeheffer , Douglas B. Terry , Ted Wobber, Effective and efficient compromise recovery for weakly consistent replication, Proceedings of the fourth ACM european conference on Computer systems, April 01-03, 2009, Nuremberg, Germany
Heather Crawford , John Aycock, Kwyjibo: automatic domain name generation, Software—Practice & Experience, v.38 n.14, p.1561-1567, November 2008
Ram Krishnan , Ravi Sandhu , Jianwei Niu , William H. Winsborough, Foundations for group-centric secure information sharing models, Proceedings of the 14th ACM symposium on Access control models and technologies, June 03-05, 2009, Stresa, Italy
C. S. Chandersekaran , K. S. Shankar, On virtual machine integrity, IBM Systems Journal, v.15 n.3, p.264-278, September 1976
R. C. Summers, An overview of computer security, IBM Systems Journal, v.23 n.4, p.309-325, December1984
G. F. Heyne , C. J. Daniel, Design techniques for a user controlled DB/DC system, IBM Systems Journal, v.16 n.4, p.344-362, December 1977
C. R. Attanasio, Virtual control storage: security measures in VM/370, IBM Systems Journal, v.18 n.1, p.93-110, March 1979

INDEX TERMS

Primary Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.0 General

          Nouns: MULTICS

Additional Classification:
  D. Software
  D.4 OPERATING SYSTEMS
      D.4.2 Storage Management
          Subjects: Virtual memory

  K. Computing Milieux
  K.6 MANAGEMENT OF COMPUTING AND INFORMATION SYSTEMS


General Terms:
Management, Performance, Security


Keywords:
Multics, access control, authentication, computer utilities, descriptors, privacy, proprietary programs, protected subsystems, protection, security, time-sharing systems, virtual memory

Collaborative Colleagues:
Jerome H. Saltzer: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player