
Multics Data Security


Computer security is a general term which can be used to describe defenses against everything from wire tapping to sophisticated software attacks, like "Trojan horses" and "trap doors." Data security is concerned with internal rather than external attack, that is, with the mechanisms which prevent users from obtaining unauthorized access to the data stored in the system. The consensus is that Honeywell's Multics system has the best data security of any large, general-purpose computer system available today.

Data security is usually enforced by the specialized software called the operating system, which coordinates and oversees the sharing of the computer's resources, programs and data. On Multics, as on many systems, the first line of defense is a set of tables which lists users and their access rights to data. These tables are scanned by the operating system on each user's reference to a block of data. In theory this is a simple and unbreachable defense. In practice it is often very vulnerable, for three reasons:

1. The hardware architecture may contain exploitable behavior (or misbehavior). For example, the hardware implementation may offer opportunities for trap doors, which can be opened under specific conditions.
2. The software utilization of the table look-up mechanisms may contain exploitable errors.
3. The table mechanism may be completely circumvented by implementation errors in the system's operating software.

Operating systems are prone to error because they are composed of many complex computer programs and because they are repeatedly altered to extend the functions available to the user and patched to correct the problems discovered in the software extensions. The complexity of the system makes it impossible to predict all of the effects of a proposed change with any degree of accuracy, so the effectiveness of the security mechanisms tends to decrease as the number of changes and patches increases.

When Multics was developed, an attempt was made to design a system, including security mechanisms, which could grow without system reorganization. The designers recognized that it would be impossible, at the design stage, to anticipate all the problems which would crop up when the software was written. Therefore, if problems arose as a module of the system was implemented, it was redesigned, which served to reduce the convolution and complexity of the final software system. In addition, provision was made to allow functions to be added to the system as subsystems rather than as modifications of the system itself.

*This paper is based on an article in the June 1981 issue of SCIENTIFIC HONEYWELLER. © Information Systems Inc., 1983 (Vol. 2 No. 2).

Discretionary Access Control.

One generic data security mechanism is a table of users and blocks of data. The table defines which users may have access to a given block of data and what kind of access they are allowed. On Multics, the table used to determine access is the Access Control List, or ACL, associated with each block of data, or segment (file), in the system. The security policy enforced by this table is "discretionary": those who "own" the segment decide who is to have access to it. Another, nondiscretionary mechanism, which enforces military security policy, is also available and is used at Multics locations where security is critical.

The Access Control Lists are built into and are maintained by the secondary storage subsystem of the operating system, which keeps track of the locations of segments in peripheral storage devices and transfers them in and out of main memory as needed. The storage system maintains a hierarchy of segments and directories, which resembles an inverted tree branching out from a single root directory. Each segment under any given directory has a unique name. Thus each segment can be located by a unique search strategy or path name consisting of the series of directories under which it is located and its name. Thus, in Figure 1, "seg2" in "commands" has the unique name Root>libraries>commands>seg2.

The directories are segments containing branches to other segments, which consist of the address of a segment under the directory and other information about it, such as its ACL. Therefore, the ACL is inextricably linked with the address of the segment. Since it lies on the path to the segment, it must be "found" if the segment is to be found.

The ACL is a list of individual users or user groups and the access modes, such as read access, allowed each user. Individual users are identified by a person I.D., unique among users, and a project I.D. that groups users from the same department or location for accounting and access control purposes. Thus, user Jones of the Budget project would be identified as:

Jones.Budget

Since it is often desirable to specify access to a segment for a class of users rather than for individuals, either part of a user identifier can be replaced by a special character, *, which represents a universal match.

Figure 1. Hierarchical Storage System Structure. Each segment in the storage system has a unique path name or search strategy, which lists, in turn, each of the directories under which it is located and its name, which is always unique among the segment names stored in the last directory in the sequence. The path name for seg2 in this example is Root>libraries>commands>seg2. Access control information for each segment is stored with the information about its location in the directory containing the segment. Thus the access information must be scanned when the storage system locates the segment for the user.
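The path-name walk and the wildcard match described above, as a small model added here (this is not Honeywell's code or the Multics source). The nested-dictionary hierarchy, the rule that the first matching ACL entry decides, the invented administrator Admin.SysAdmin and the sample ACLs are assumptions constructed for the example; the directory modes "s", "m" and "a", and the point that modify access to a containing directory lets a user rewrite the ACLs beneath it, come from later in this page.

```python
# Added example: a model of the Multics storage hierarchy, not Honeywell's
# code.  The nested-dictionary representation, the first-match rule for ACL
# entries and the sample ACLs are assumptions constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACL = List[Tuple[str, str]]   # (modes, "Person.Project") in the order listed


@dataclass
class Entry:
    """A branch in a directory: the ACL kept for the object in the directory
    that contains it, plus the object's own children if it is a directory."""
    acl: ACL
    children: Dict[str, "Entry"] = field(default_factory=dict)


def id_matches(pattern: str, user_id: str) -> bool:
    """'Jones.*', '*.Budget' and '*.*' are matched component by component;
    '*' is a universal match for that component."""
    p_person, p_project = pattern.split(".")
    u_person, u_project = user_id.split(".")
    return p_person in ("*", u_person) and p_project in ("*", u_project)


def acl_modes(acl: ACL, user_id: str) -> str:
    """The first entry whose identifier matches decides (the brochure lists
    entries from most to least specific); 'null' or no match means no access."""
    for modes, pattern in acl:
        if id_matches(pattern, user_id):
            return "" if modes == "null" else modes
    return ""


def resolve(root: Entry, path_name: str, user_id: str) -> Optional[Tuple[str, List[str]]]:
    """Walk a path name such as 'Root>libraries>commands>seg2'.

    Returns (modes user_id has on the final segment, containing directories on
    which user_id has 'm'odify access), or None if a component is missing.
    The second item is the page's point about ownership: anyone with modify
    access to a containing directory can rewrite the ACLs stored beneath it,
    whatever the segment's own ACL says.
    """
    parts = path_name.split(">")
    if parts[0] != "Root":
        return None
    node, controllers = root, []
    for depth, name in enumerate(parts[1:], start=1):
        # node is the containing directory of `name`; the root itself has no
        # containing directory and therefore no ACL of its own.
        if depth > 1 and "m" in acl_modes(node.acl, user_id):
            controllers.append(">".join(parts[:depth]))
        node = node.children.get(name)
        if node is None:
            return None
    return acl_modes(node.acl, user_id), controllers


# Constructed sample hierarchy: Figure 1's Root>libraries>commands>seg2 with
# hypothetical directory ACLs ('Admin.SysAdmin' is an invented administrator).
SAMPLE = Entry(acl=[], children={
    "libraries": Entry(
        acl=[("sma", "Admin.SysAdmin"), ("s", "*.*")],
        children={
            "commands": Entry(
                acl=[("sma", "Admin.SysAdmin"), ("sma", "Jones.Budget"), ("s", "*.*")],
                children={
                    # Jones's ACL from the page: rew Jones.*, re *.Budget, null *.*
                    "seg2": Entry(acl=[("rew", "Jones.*"), ("re", "*.Budget"), ("null", "*.*")]),
                },
            ),
        },
    ),
})

if __name__ == "__main__":
    for user in ("Jones.Budget", "Smith.Budget", "Smith.Payroll", "Admin.SysAdmin"):
        print(user, resolve(SAMPLE, "Root>libraries>commands>seg2", user))
```

Admin.SysAdmin ends up with null access on seg2 itself yet with modify access on both containing directories, which is exactly the situation the page calls "nonexclusive ownership": the administrator can grant himself whatever modes he likes by editing the ACLs along the path.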

Thus ACL identifiers

Jones.*
*.Budget

identify groups of users which include Jones.Budget. The access modes associated with each user identifier can be either null, indicating that the user is not allowed access to the segment, or combinations of the letters "r," "e," and "w," which stand for read, execute, and write. For example, if user Jones wants to limit read and execute access to users on the Budget project, he might create an ACL like the following:

rew   Jones.*
re    *.Budget
null  *.*

The default access mode for a user whose I.D. does not match any ACL entry is null, so the final entry in the ACL could have been omitted (Figure 2).

Access rights to a segment are determined by looking up a user I.D. in a segment's ACL. The identity of the user as far as the system is concerned is established by the user name he provides and is authenticated by a password. When he logs in, each user must provide a valid user I.D., generally his last name or last name and first initial, and a password. He may also specify which project he wishes to log in on. If the I.D. supplied is unknown to the system or the password supplied does not match the stored password for that user I.D., he is denied access. Because user I.D.'s are public information, the security of user passwords is vital and several steps have been taken to ensure that they are not compromised. For example, the passwords are stored on the system in an encrypted form. The algorithm used to encrypt the passwords is a one-way algorithm; there is no algorithm (other than exhaustive search) for recovering the clear form of the encrypted password, which is also why the strength of the passwords users choose still matters.

ACLs are associated with the directories in the storage system hierarchy as well as with the segments. It is important that access to the directories be controlled because the directories contain the ACLs of the directories and segments below them, and thus a user with the appropriate access to a directory can change access to any subordinate segments or directories by modifying the ACLs in the directory. Directory ACLs, like segment ACLs, are composed of user identifiers and access modes. The access modes for directories are either null or combinations of the letters "s," "m," and "a," which stand for status, modify, and append. Status access allows a user to list the contents of the directory and to examine most of the storage system attributes, such as ACLs, associated with each entry in the directory. Modify access allows the user to change many of the attributes of an entry, while append access allows a user to create entries in the directory. Just as a segment ACL is stored in the directory which contains the segment, the directory ACL is stored in the next highest directory (closer to the root). Access to the root directory is restricted to the system itself since there is no containing directory for the root directory, which therefore cannot have an ACL.

This hierarchy of control allows system administrators to handle any user directory and allows project administrators to handle any directories or segments within their project. While the system is very practical and flexible, it involves some security risk, since a user can grant access to segments without the authorization or knowledge of the users who originally set the ACLs for the segments. The ACL mechanism enforces a security policy based on the concept of ownership. But the hierarchical organization of the storage system makes the definition of ownership very broad. In effect, any user who has modify access to any directory in the storage system hierarchy which contains a segment owns the segment. In other words, it is not possible to ensure exclusive ownership. In fact, one user could potentially alter the ACL to a segment to deny access to the user under whose directory it is listed. However, the extended access control system used on some Multics systems, AIM, or Access Isolation Mechanism, to a large extent solves the security problem posed by users with access to high-level directories by increasing the number of attributes of each segment and each user, and by enforcing a stricter set of rules for matches between the two.

Figure 2. The Access Control Lists. [Diagram: a project directory containing the directories Smith and Jones; the ACL entries shown are sma Smith.Budget, sma Jones.Budget, s *.* and null.] The ACLs enforce a security policy based on the concept of (nonexclusive) "ownership." Each segment has an Access Control List which gives the access modes allowed users and groups of users. The ACLs are stored in the directory containing the segment, and the directories themselves have ACLs, which are stored in the next highest directory. Because of the hierarchical nature of the storage system, users with access to high level directories can force access to subordinate segments by altering, in turn, the ACLs of all the containing directories and that of the segment itself. Thus, in the example, a system administrator with modify access to the project directory could obtain access to one of the segments belonging to Jones, even if Jones had written an ACL for the segment denying him access. In effect, therefore, everyone with modify access to a containing directory "owns" a segment, in the sense that they control it. While modify access to directories close to the root is limited to a few system administrators, the power this confers on them constitutes a security risk.

Nondiscretionary Access Control.

The Discretionary Access Control mechanism assumes that each user can be trusted to protect sensitive data. AIM assumes that the user may release sensitive data either by accident or intent, and is designed to prevent such releases. AIM was implemented in response to a Pentagon request for a mechanism which would enforce military security policy. On systems which use both the ACL and AIM mechanisms, the user's effective access to a segment is determined by the most restrictive of the two.

AIM determines access on the basis of the classification of the segment, and the clearance and need-to-know of the user. Two types of AIM classification information are maintained for each segment in the storage system:

• a classification level, a number from 0 (least sensitive) to 7 (most sensitive)
• a set of up to 18 categories to which the information in the segment belongs

The categorization of segments (and of users) enforces a policy of granting access only when there is a need-to-know, and helps to prevent users from deducing data stored at a higher clearance level from combinations of data at their clearance level. A company might classify information according to the levels and categories listed below:

Security Level       Category
0  Public            0  None
1  Confidential      1  Budget
2  Proprietary       2  Payroll
3  Secret            3  Engineering
                     4  Assembly
                     5  Distribution
                     6  Marketing

Marketing data for a well established product, for example, might be considered confidential information (level 1) in the marketing category (6). On the other hand, a budgeting report for an engineering project likely to affect company operations for the next decade might be classified as secret information (level 3) within both the budget and engineering categories (1,3).

AIM clearance information, consisting of both a clearance level and a category set, is also maintained for each active user of the system. System tables maintain lists of maximum clearance values for each user and project, and the user may specify any clearance level, up to his maximum authorization, when logging in.

Access to any given segment is calculated at the same time that the ACL is checked. The user's clearance (A) is compared to the segment's classification (B) to determine the user's effective access to a segment. The clearance and classification can have one of four different relationships:

1. A equals B if:
   a) the level of A equals the level of B, and
   b) the category set of A is identical to the category set of B.
2. A is greater than B if:
   a) the level of A is greater than or equal to the level of B, and
   b) the category set of B is a subset of the category set of A or is identical to the category set of A, and
   c) A is not equal to B (according to #1 above).
3. A is less than B if B is greater than A (according to #2 above).
4. A is "isolated" from B if none of the above apply.

When a user references a segment, two tests determine what, if any, access will be allowed. First, read and execute access require that the user's clearance be greater than or equal to the segment's classification. Thus, a user may read or execute any segment at or below his current clearance, but may not read or execute any segment at a higher or isolated classification. In other words, he may "read down" but not "read up." The second test is for write access. For the user to have write access, his clearance must exactly equal the segment's classification. This prevents the user from declassifying information by "writing down" and from altering more highly classified information by "writing up." The write access rules, in combination with the read/execute rules, allow information to flow only within a level or to a higher level of classification.

One of the major objectives of the Access Isolation Mechanism is to deal effectively with the "Trojan horse" problem (Figure 3). A Trojan horse program is generally a program which serves a useful function and is likely to be referenced by a wide variety of users, but which also contains additional code, completely unrelated to the documented function and of which the user is unaware. The additional code might, for example, search the storage system for data to which that user has access, but which is not available to the author of the program and, on finding such data, copy it to a different location in the storage system hierarchy. If user A has written the Trojan horse program to steal data from user B, user A can give user B access to create new segments somewhere in a part of the hierarchy which is under user A's control. Each time the program is invoked, it performs its documented function and then checks to see if it has been referenced by user B. If so, it examines user B's segments and copies those which may be of interest into segments accessible to user A. Not only does such a program cause data to be released, but it has no obvious side effects, so user B may never be aware that his data has been compromised. Since the nondiscretionary access controls prevent user B from "writing down," they effectively block a Trojan horse program. As a result, user B can execute any program from any source with confidence that it will not cause data to be released to a lower classification level. (The guarantee concerns information flow through the storage system; a Trojan horse running with user B's rights can still damage or misuse data within B's own classification.)

In addition to blocking attempts to pass information directly, AIM blocks attempts to pass information indirectly from a higher to a lower clearance level. For example, segment attributes, such as segment names, could provide a user with information. To block this information path, there are AIM rules for access to directories parallel to the AIM rules for access to segments. Each directory has an AIM classification; those closer to the root have classifications no higher than those farther from the root. A user can examine the contents of a directory only if his clearance is greater than or equal to the directory's classification. In addition, the AIM rules specify that a user cannot manipulate the entries in a directory unless his clearance is equal to the directory's classification. This effectively blocks attempts to pass information to lower clearance levels by means of data maintained by the storage system.

Figure 3. The AIM Mechanism. The AIM mechanism of access control is more restrictive than the ACL mechanism. The AIM rules, which define access rights on the basis of the match between a segment's classification and a user's clearance, ensure that information cannot flow from a higher to a lower clearance level, even if the ACLs on the segment containing the information would allow this. As a result, AIM blocks attempts to obtain data illicitly by means of "Trojan horse" code. A Trojan horse program is a program which serves some useful function and is therefore likely to be used by a wide variety of users, but which also contains undocumented code which uses the access rights of the user who has called the program to obtain information for the program's author. For example, it might copy segments to which the user has access but the author does not into segments beneath the author's directory. Since AIM does not permit information to be read or written to a lower clearance level or across categories, it effectively blocks this kind of attack on data security.

How Access Rights are Enforced.

The first time a user process, the surrogate for the user on the system, requests access to a segment, the segment is "unknown" to the process in the sense that it does not know the physical location of the segment in the storage system. To make it known, it supplies the segment's path name, its logical location, to the storage control subsystem. The subsystem records the path name and adds an entry, a Segment Descriptor Word (SDW), to a special user segment called the descriptor segment, and returns a segment number, which is the location of the SDW in the descriptor segment, to the user program (Figure 4). The user may then reference the segment by its segment number. The first time the user program refers to a segment, a flag in the SDW indicates that the segment is not in main memory. As a result, the user program is interrupted until the storage system locates the segment (by following the path name) and loads it into main memory. The SDW includes fields for the segment's physical address in main memory and for access control information. In the course of following the path name, the storage system examines the access control information for the segment, stored in the directory which contains the segment, and fills in the appropriate SDW access control fields. There may be several SDWs for the segment if several users have referred to it; the address fields in the SDWs will be the same, but the access fields will vary with the user. For each user, data sharing is accomplished by the common address fields; security is enforced by a specific access field for each user in the SDW. After supplying the program with the segment number, the storage system restarts the user program at the point of interruption and, if the access control settings allow it, the reference continues to completion. The hardware mediates every subsequent reference to the segment, examining the SDW to determine whether the reference is legitimate, but subsequent references need not interrupt the user program (Figure 5).

It might seem unnecessarily repetitive to verify access on each reference to the segment, and that it would be sufficient to have the operating system verify only the first access to the segment. But the fact that the SDW is checked on every reference to the segment allows changes of the access rights for the segment to take effect immediately, rather than after the segment is no longer in use. If the segment is in use when access rights to it are changed, the storage system records the change and sets the flag in any SDWs which reference the segment to indicate that the segment is not in main memory. The next time the user attempts to reference the segment, his program will be interrupted and his access to the segment will be recalculated.

Figure 4. The Segment Descriptor Word. The Segment Descriptor Word (SDW) contains fields for the physical address of the segment in main memory and for access control information. There will be several SDWs for a segment if several users are referring to it; the access control fields in these SDWs will have different settings.

Figure 5. Referencing the SDW. No user ever has direct access to a segment in the Multics storage system. The user actually references the SDW for the segment, which leads to the physical address of the segment and is stored in a special segment the system creates for each user when he logs in, called the descriptor segment. As a result of this arrangement, every reference to a segment is mediated by the hardware. The hardware examines the SDW on every reference by every computer instruction to a segment to determine its address, and checks at the same time to see that the settings of the access fields in the SDW allow access.

Protecting the Data Security Mechanisms.

While the data security mechanisms on Multics are more difficult to subvert than most because they are enforced by the hardware, much of the data security is implemented in software. The software is stored as information in the system and is, therefore, potentially alterable. To protect the software mechanisms, the operating system must be protected from accidental or intentional user modifications. Intentional modifications of the operating system, called "trap doors," are activated by a combination of inputs known only to the author of the trap door. They can be used to cause the release of information or to interrupt or interfere with system operation. The problem of defending the security mechanism in the operating system is compounded by the fact that the users must frequently call on the operating system to execute some function on their behalf, and therefore the operating system, including the security mechanism, cannot simply be inaccessible. Instead, the distinction must be made between legitimate and illegitimate access to operating system information.

Figure 7. The Call Bracket. The call bracket, defined by the ring numbers associated with each segment, can be used to restrict the sequence in which a user process can execute segments and therefore, in effect, the programs a user can write. In this example, the user's process, located at first in ring 6, references in turn segments A, B, C, and D, with ring numbers [6,6,6], [4,4,6], [2,5,6] and [0,0,4]. When the process calls segment B, its ring number changes to 4, the highest and only ring number in segment B's execute bracket. When it calls segment C from B, its ring number remains the same, but when it calls D from C, its ring number changes temporarily to 0. Because of the ring numbers on these segments, the user process cannot pass from segment A directly to segment D. It must pass through segment B, called a gate because it has a non-null call bracket, to reach segment D. The ACL and AIM settings on gates can be used to control access to inner ring programs and data, making it much easier to protect them from misuse. This structure also protects data in outer rings from misuse by a process temporarily executing with ring 0 privileges, since it is generally not possible to read or write to outer ring segments from ring 0. Note also that the user's current ring number reverts to its original value when a called segment has finished executing. In the example, the ring number would revert first to 4, after segment D had finished executing, and then to 6, after segment B had finished executing; the privilege conferred by the call is conferred temporarily.

... segment D. Since it is within the call bracket of segment D, it is granted access, and its current ring number becomes 0. When it finishes executing D, it is automatically returned first to segment C in ring 4, then to segment B in ring 4, and then to segment A in the ring in which it began, ring 6. Note that the process cannot call A, B, or C while executing with privileged status in ring 0, that it cannot call segment D from segment A, and that it cannot skip the intermediate gate, B, and still reach the ring 0 segment D by calling C from A and D from C. This example illustrates how the ring mechanism gives administrators the ability to determine the circumstances under which a sequence of segments can be called; in other words, it gives them the ability to determine to some extent which programs the user can execute.

To illustrate how the ring mechanism can be used to protect the data security mechanisms, a level of complexity must be added to the example. Suppose that the ACL and AIM mechanisms allow the process read and write access to segment x, which has ring numbers [0,7,7]. When the process is executing segments A, B, and C, it can read segment x, but cannot write to it. It can write to segment x only when it is executing segment D. Now suppose that segment D is the "make known" procedure, and that segment x is the user's descriptor segment.* The user process can read the descriptor segment no matter which ring it is in, as it must in order to reference any segment. However, even though it has write access to the descriptor segment, it can write to this segment only when it is executing in ring 0. This means that the user can write to his own descriptor segment only in the course of executing the "make known" procedure or some other operating system segment. Therefore the ring mechanism protects the ACL and AIM mechanisms themselves from attack. The ring mechanism also protects itself from attack; segment ring numbers can only be changed by the operating system, and the operating system checks every attempt to modify ring numbers to help ensure that it is legitimate.

*This example is not accurate. In fact, the descriptor segments cannot be read or written to by users executing in rings outside of ring 0, and are accessible only to the operating system and only through a special hardware register. But the example does accurately reflect the manner in which the ring mechanism is used to protect the "make known" procedure on which the other security mechanisms depend.

In addition to protecting the operating system, the ring mechanism is used to protect user subsystems (Figure 8). For example, a teacher could restrict his students to ring 5 by asking a system administrator to allow users on the teacher's project to log in only in ring 5. He might then write a gate segment with ring numbers [4,4,5] and an ACL granting execute access to all users on his project, and a grade-book segment with ring numbers [4,4,4] and an ACL granting write access to all users on his project. When the students finished homework problems in a segment in ring 5, they could call the teacher's gate into ring 4. The gate segment would examine the student's work, store a grade on behalf of the student in the grade-book segment, and return to the student in ring 5. Because the students would have access to the grade-book segment only through the gate, they would not be able to examine or modify the grades. The teacher, who could log on in ring 4, however, would.

Figure 8. The Ring Structure. The ring structure is used to set up protected user subsystems, in addition to protecting operating system segments. For example, a teacher could restrict his students to ring 5 but allow them access to a gate into ring 4. When the students finished homework problems, they would call the gate segment, which would examine their work, entering a grade on their behalf in another segment in ring 4. Since they would have no access to the grade segment except through this particular gate, they would not be able to examine or modify the grades.

Conclusion.

Multics data security is effective because there are few, if any, errors in its software and because it is enforced, in part, by the unmodifiable hardware. Data security mechanisms, no matter how ingenious, are only as good as the software and hardware on which they depend. It is generally acknowledged that to date Multics offers the highest level of data security available.
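The AIM comparison rules and the "most restrictive of ACL and AIM" combination described in the Nondiscretionary Access Control section, applied to the page's Trojan horse scenario, as a model added here (not Honeywell's code). The category numbers follow the page's sample table; the frozenset representation of a category set, the clearances chosen for users A and B and the two segments in the scenario are assumptions constructed for the example.

```python
# Added example: the page's AIM comparison rules and the "most restrictive of
# ACL and AIM" combination, as a model that is not Honeywell's code.  The
# category numbers follow the page's sample table; the frozenset
# representation and the users and segments in the scenario are assumptions.
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass(frozen=True)
class Label:
    """A clearance (for a user) or a classification (for a segment)."""
    level: int                    # 0 (least sensitive) .. 7 (most sensitive)
    categories: FrozenSet[int]    # up to 18 categories


def relation(a: Label, b: Label) -> str:
    """Rules 1-4 from the page: 'equal', 'greater', 'less' or 'isolated'."""
    if a.level == b.level and a.categories == b.categories:
        return "equal"
    if a.level >= b.level and b.categories <= a.categories:
        return "greater"
    if b.level >= a.level and a.categories <= b.categories:
        return "less"
    return "isolated"


def aim_modes(clearance: Label, classification: Label) -> str:
    """Read/execute need clearance >= classification (read down, never up);
    write needs exact equality (no writing down or up)."""
    rel = relation(clearance, classification)
    if rel == "equal":
        return "rew"
    if rel == "greater":
        return "re"
    return ""


def effective_modes(acl: str, clearance: Label, classification: Label) -> str:
    """Effective access is the most restrictive of the two mechanisms: a mode
    is granted only when both the ACL and AIM allow it."""
    allowed = set(acl) & set(aim_modes(clearance, classification))
    return "".join(m for m in "rew" if m in allowed)


# Category numbers from the page's sample table.
BUDGET, ENGINEERING, MARKETING = 1, 3, 6


def trojan_horse_scenario() -> Dict[str, str]:
    """User A writes a Trojan horse that user B runs.  A's ACLs are as
    permissive as A can make them (rew *.*); AIM still decides what the
    program, running with B's clearance, may do.  Returns effective modes."""
    b_clearance = Label(3, frozenset({BUDGET, ENGINEERING}))  # secret; budget + engineering
    a_clearance = Label(1, frozenset({MARKETING}))            # confidential; marketing
    report = Label(3, frozenset({BUDGET, ENGINEERING}))       # B's report, at B's level
    drop = Label(1, frozenset({MARKETING}))                   # segment under A's directory
    plain_drop = Label(1, frozenset())                        # same, but with no categories
    public = Label(0, frozenset())                            # a public segment

    return {
        # The program runs as B, so it may read (and write) B's own report...
        "trojan reads B's report": effective_modes("rew", b_clearance, report),
        # ...but cannot copy it into A's drop segment: B's clearance is
        # isolated from the drop's classification, so even A's rew *.* yields nothing.
        "trojan writes A's drop": effective_modes("rew", b_clearance, drop),
        # With no categories on the drop, B is 'greater': read down works, write does not.
        "trojan writes A's uncategorized drop": effective_modes("rew", b_clearance, plain_drop),
        # A cannot simply read B's report either (reading up is refused).
        "A reads B's report": effective_modes("re", a_clearance, report),
        # Reading down is allowed, writing down is not.
        "B uses public segment": effective_modes("rew", b_clearance, public),
    }


if __name__ == "__main__":
    for step, modes in trojan_horse_scenario().items():
        print(f"{step:40s} -> {modes or 'null'}")
```

The decisive line is "trojan writes A's drop": the ACL says rew for everyone, yet the effective modes are null, which is the page's argument that B can run untrusted programs without fear of data being written down to A.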
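The ring-bracket walk-through of Figure 7, the descriptor-segment stand-in x with ring numbers [0,7,7], and the teacher's gate of Figure 8, as a model added here (not Honeywell's code). The bracket semantics used (write bracket rings 0 through r1, read bracket 0 through r2, execute bracket r1 through r2, gate or call bracket r2+1 through r3) are the standard Multics definitions and agree with the page's description; the call-chain simulation and the segment names are constructed for the example.

```python
# Added example: a model of Multics ring brackets, not Honeywell's code.  The
# bracket semantics used (write 0..r1, read 0..r2, execute r1..r2, gate
# r2+1..r3) are the standard Multics definitions and agree with the page's
# Figure 7 walk-through; the call-chain simulation is constructed here.
from typing import Dict, List, Optional, Tuple

Bracket = Tuple[int, int, int]   # [r1, r2, r3] as written on the page


def can_read(ring: int, b: Bracket) -> bool:
    """Readable from ring 0 up to r2."""
    return ring <= b[1]


def can_write(ring: int, b: Bracket) -> bool:
    """Writable from ring 0 up to r1 only."""
    return ring <= b[0]


def call_target_ring(ring: int, b: Bracket) -> Optional[int]:
    """Ring the process runs in after calling a segment with bracket b from
    `ring`, or None if the call is refused.
    * r1 <= ring <= r2: inside the execute bracket, the ring is unchanged.
    * r2 <  ring <= r3: the segment is a gate; the process enters at r2.
    * ring < r1 (outward call) or ring > r3 (no gate reaches it): refused.
    """
    r1, r2, r3 = b
    if r1 <= ring <= r2:
        return ring
    if r2 < ring <= r3:
        return r2
    return None


def run_call_chain(start_ring: int, chain: List[str],
                   segments: Dict[str, Bracket]) -> List[Tuple[str, int]]:
    """Call each segment in turn from the ring the previous call produced,
    then return through them; yields the (event, ring) trace.  Raises
    PermissionError at the first refused call."""
    rings = [start_ring]
    trace: List[Tuple[str, int]] = []
    for name in chain:
        nxt = call_target_ring(rings[-1], segments[name])
        if nxt is None:
            raise PermissionError(f"ring {rings[-1]} may not call {name} {segments[name]}")
        rings.append(nxt)
        trace.append((f"call {name}", nxt))
    for name in reversed(chain):
        rings.pop()                       # privilege reverts on return
        trace.append((f"return from {name}", rings[-1]))
    return trace


# Figure 7's segments and the descriptor-segment stand-in x = [0,7,7].
SEGMENTS: Dict[str, Bracket] = {"A": (6, 6, 6), "B": (4, 4, 6), "C": (2, 5, 6), "D": (0, 0, 4)}
X: Bracket = (0, 7, 7)


def figure7_trace() -> List[Tuple[str, int]]:
    """The page's chain: ring 6 -> A (6) -> B (4) -> C (4) -> D (0), then back."""
    return run_call_chain(6, ["A", "B", "C", "D"], SEGMENTS)


def shortcut_is_refused() -> bool:
    """A -> C -> D without the gate B: C's call bracket admits ring 6 at ring 5,
    and from ring 5 D's call bracket (rings 1..4) is out of reach."""
    try:
        run_call_chain(6, ["A", "C", "D"], SEGMENTS)
    except PermissionError:
        return True
    return False


def x_write_rings() -> List[int]:
    """Rings from which segment x may be written (it is readable from all of 0..7)."""
    return [r for r in range(8) if can_write(r, X)]


def gradebook_access(student_ring: int = 5, teacher_ring: int = 4) -> Dict[str, bool]:
    """Figure 8: gate [4,4,5] and grade-book [4,4,4]."""
    gate, gradebook = (4, 4, 5), (4, 4, 4)
    via_gate = call_target_ring(student_ring, gate)
    return {
        "student reads grade-book directly": can_read(student_ring, gradebook),
        "gate writes grade-book for student": via_gate is not None and can_write(via_gate, gradebook),
        "teacher reads grade-book": can_read(teacher_ring, gradebook),
    }


if __name__ == "__main__":
    for event, ring in figure7_trace():
        print(f"{event:14s} ring {ring}")
    print("A->C->D refused:", shortcut_is_refused())
    print("x writable from rings:", x_write_rings())
    print(gradebook_access())
```

Two refusals in the trace matter for the security argument: ring 0 code cannot call back out into A, B or C (call_target_ring(0, SEGMENTS["B"]) is None), and ring 6 cannot reach D except through the gate B, so the only way to write the descriptor-segment stand-in x is to be inside D.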


Honeywell Information Systems. U.S.A.: 200 Smith Street, MS 486, Waltham, Massachusetts 02154. Canada: 155 Gordon Baker Road, Willowdale, Ontario M2H 3N7. Australia: 124 Walker Street, North Sydney, N.S.W. 2060. U.K.: Great West Road, Brentford, Middlesex TW8 9DH. Mexico: Avenida Nuevo Leon 250, Mexico 11, D.F. S.E. Asia: Mandarin Plaza, Tsimshatsui East, H.K. Japan: 2-2 Kanda Jimbo-cho, Chiyoda-ku, Tokyo. Italy: 32 Via Pirelli, 20124 Milano. Printed in U.S.A. GA01-01