Honeywell Document GA01

Multics Data Security

Computer security is a general term which can be used to describe defenses against everything from wire tapping to sophisticated software attacks, like "Trojan horses" and "trap doors." Data security is concerned with internal rather than external attack, that is, with the mechanisms which prevent users from obtaining unauthorized access to the data stored in the system. The consensus is that Honeywell's Multics system has the best data security of any large, general-purpose computer system available today.

Data security is usually enforced by the specialized software called the operating system, which coordinates and oversees the sharing of the computer's resources, programs and data. On Multics, as on many systems, the first line of defense is a set of tables which lists users and their access rights to data. These tables are scanned by the operating system on each user's reference to a block of data. In theory this is a simple and unbreachable defense. In practice it is often very vulnerable, for three reasons:

1. The hardware architecture may contain exploitable behavior (or misbehavior). For example, the hardware implementation may offer opportunities for trap doors, which can be opened under specific conditions.
2. The software utilization of the table look-up mechanisms may contain exploitable errors.
3. The table mechanism may be completely circumvented by implementation errors in the system's operating software.

Operating systems are prone to error because they are composed of many complex computer programs and because they are repeatedly altered to extend the functions available to the user and patched to correct the problems discovered in the software extensions. The complexity of the system makes it impossible to predict all of the effects of a proposed change with any degree of accuracy, so the effectiveness of the security mechanisms tends to decrease as the number of changes and patches increases.

When Multics was developed, an attempt was made to design a system, including security mechanisms, which could grow without system reorganization. The designers recognized that it would be impossible, at the design stage, to anticipate all the problems which would crop up when the software was written. Therefore, if problems arose as a module of the system was implemented, it was redesigned, a process which served to reduce the convolution and complexity of the final software system. In addition, provision was made to allow functions to be added to the system as subsystems rather than as modifications of the operating system itself.

*This paper is based on an article in the June 1981 issue of SCIENTIFIC HONEYWELLER. © Honeywell Information Systems Inc., 1983 (Vol. 2 No. 2)

Discretionary Access Control

One generic data security mechanism is a table of users and blocks of data. The table defines which users may have access to a given block of data and what kind of access they are allowed. On Multics, the table used to determine access is the Access Control List, or ACL, associated with each block of data, or segment (file), in the system. The security policy enforced by this table is "discretionary": those who "own" the segment decide who is to have access to it. Another, nondiscretionary mechanism, which enforces military security policy, is also available and is used at Multics locations where security is critical.

The Access Control Lists are built into the file system and are maintained by the secondary storage subsystem of the operating system, which keeps track of the locations of segments in peripheral storage devices and transfers them in and out of main memory as needed. The storage system maintains a hierarchy of segments and directories, which resembles an inverted tree branching out from a single root directory. Each segment under any given directory has a unique name. Thus each segment can be located by a unique search strategy or path name consisting of the series of directories under which it is located and its name. Thus, in Figure 1, "seg2" in directory "commands" has the unique path name: Root>libraries>commands>seg2.

The directories are segments containing branches to other segments, which consist of the address of a segment under the directory, and other information about it, such as its ACL. Therefore, the ACL is inextricably linked with the address of the segment. Since it lies on the path to the segment, it must be "found" if the segment is to be found.

Figure 1. Hierarchical Storage System Structure. Each segment in the storage system has a unique path name or search strategy, which lists, in turn, each of the directories under which it is located and its name, which is always unique among the segment names stored in the last directory in the sequence. The path name for seg2 in this example is: Root>libraries>commands>seg2. Access control information for each segment is stored with the information about its location in the directory containing the segment. Thus the access information must be scanned when the storage system locates the segment for the user.

The ACL is a list of individual users or user groups and the access modes, such as read access, allowed each user. Individual users are identified by a person I.D., unique among users, and a project I.D. that groups users from the same department or location for accounting and access control purposes. Thus, user Jones of the Budget project would be identified as:

Jones.Budget

Since it is often desirable to specify access to a segment for a class of users rather than for individuals, either part of a user identifier can be replaced by a special character, *, which represents a universal match. Thus the ACL identifiers

Jones.*
*.Budget

identify groups of users which include Jones.Budget. The access modes associated with each user identifier can be either null, indicating that the user is not allowed access to the segment, or combinations of the letters "r," "e," and "w," which stand for read, execute, and write. For example, if user Jones wants to limit read and execute access to users on the Budget project, he might create an ACL like the following:

rew Jones.*
re *.Budget
null *.*

The default access mode for a user whose I.D. does not match any ACL entry is null, so the final entry in the ACL could have been omitted (Figure 2).

Figure 2. The Access Control Lists. The ACLs enforce a security policy based on the concept of (nonexclusive) "ownership." Each segment has an Access Control List which gives the access modes allowed users and groups of users. The ACLs are stored in the directory containing the segment and the directories themselves have ACLs, which are stored in the next highest directory. Because of the hierarchical nature of the storage system, users with access to high level directories can force access to subordinate segments by altering, in turn, the ACLs of all the containing directories and that of the segment itself. Thus, in the example, a system administrator with modify access to the project directory could obtain access to one of the segments belonging to Jones, even if Jones had written an ACL for the segment denying him access. In effect, therefore, everyone with modify access to a containing directory "owns" a segment, in the sense that they control it. While modify access to directories close to the root is limited to a few system administrators, the power this confers on them constitutes a security risk.

[Figure 2 diagram; text recovered from it: "project directory", "Smith", "Jones", and the ACL entries "sma Smith.Budget", "sma Jones.Budget", "s *.*", "null".]

Access rights to a segment are determined by looking up a user I.D. in a segment's ACL. The identity of the user as far as the system is concerned is established by the user name he provides and is authenticated by a password. When he logs in, each user must provide a valid user I.D., generally his last name or last name and first initial, and a password. He may also specify which project he wishes to log in on. If the I.D. supplied is unknown to the system or the password supplied does not match the stored password for that user I.D., he is denied access. Because user I.D.'s are public information, the security of user passwords is vital and several steps have been taken to help ensure that they are not compromised. For example, the passwords are stored on the system in an encrypted form. The algorithm used to encrypt the passwords is a one-way algorithm; there is no algorithm (other than exhaustive search) for recovering the clear form of the encrypted password.

ACLs are associated with the directories in the storage system hierarchy as well as with the segments. It is important that access to the directories be controlled because the directories contain the ACLs of the directories and segments below them and thus a user with the appropriate access to a directory can change access to any subordinate segments or directories by modifying the ACLs in the directory.

ACLs for the segments. The ACL mechanism enforces a security policy based on the concept of ownership. But the hierarchical organization of the storage system makes

are maintained for each segment in the storage system:
• a classification level, a number from 0 (least sensitive) to 7 (most sensitive)
• a set of up to 18 categories
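The following Python model is an added illustration of the two checks the text describes, login against a one-way password store and then an ACL lookup over the directory hierarchy; it is not Honeywell or Multics code. It assumes that the first matching ACL entry decides (the page's example lists entries from most specific to most general, and the code keeps that order), that directory ACLs use the Multics directory modes s, m and a (status, modify, append; the page discusses only "modify"), and that a per-user salt with scrypt stands in for the unspecified one-way algorithm. The sample hierarchy, the user names Smith, Jones, Green and Admin.SysAdmin, and the password are constructed for the example. The last function implements the Figure 2 risk as an audit question: which containing directories give a user modify access, and hence the power to rewrite ACLs downward and reach the segment regardless of its own ACL.

```python
"""Model of the Multics-style login and ACL checks described on this page.

Added illustration, not Honeywell or Multics code; see the comments for
what is assumed rather than taken from the page.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# --- Authentication: one-way password storage ----------------------------
# The page says passwords are stored in a one-way encrypted form. scrypt with
# a per-user random salt is this example's choice (the salt is a modern
# addition); the stored value is never inverted, only recomputed and compared.
def store_password(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def login(table: dict, person: str, password: str) -> bool:
    """Deny if the person I.D. is unknown or the password does not match."""
    entry = table.get(person)
    if entry is None:
        return False
    salt, stored = entry
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate, stored)   # constant-time compare


# --- Authorization: Access Control Lists --------------------------------
def matches(identifier: str, user_id: str) -> bool:
    """ACL identifier Person.Project; either part may be '*' (universal match)."""
    id_person, id_project = identifier.split(".")
    person, project = user_id.split(".")
    return id_person in ("*", person) and id_project in ("*", project)


@dataclass
class ACL:
    # (modes, identifier) pairs; modes is "null" or letters from "rew" for a
    # segment (read, execute, write) or "sma" for a directory (assumed Multics
    # directory modes status, modify, append).
    entries: list[tuple[str, str]]

    def mode_for(self, user_id: str) -> str:
        # Assumption: the first matching entry decides, so entries are listed
        # most-specific first as in the page's example. No match means null.
        for modes, identifier in self.entries:
            if matches(identifier, user_id):
                return "" if modes == "null" else modes
        return ""


@dataclass
class Node:
    name: str
    acl: ACL
    children: dict = field(default_factory=dict)


def walk(root: Node, path: str) -> list[Node]:
    """Resolve a path name like Root>libraries>commands>seg2 to its node chain."""
    names = path.split(">")
    if names[0] != root.name:
        raise KeyError(path)
    chain = [root]
    for name in names[1:]:
        chain.append(chain[-1].children[name])
    return chain


def segment_access(root: Node, path: str, user_id: str) -> str:
    """Modes the segment's own ACL grants this user ('' means null)."""
    return walk(root, path)[-1].acl.mode_for(user_id)


def directories_controllable_by(root: Node, path: str, user_id: str) -> list[str]:
    """Containing directories on which the user holds modify ('m') access.

    Anyone with a non-empty result can, as the page describes, rewrite the ACLs
    of each lower directory in turn and finally of the segment itself, so the
    segment's ACL is only the last word when this list is empty.
    """
    return [d.name for d in walk(root, path)[:-1] if "m" in d.acl.mode_for(user_id)]


# Constructed sample hierarchy (not the page's Figure 2): project directory
# "Budget" administered by Smith, Jones's directory under it, and a segment
# "report" whose ACL explicitly denies Smith.
def sample_tree() -> Node:
    report = Node("report", ACL([("rew", "Jones.*"), ("null", "Smith.Budget"),
                                 ("re", "*.Budget"), ("null", "*.*")]))
    jones = Node("Jones", ACL([("sma", "Jones.Budget"), ("s", "*.*")]), {"report": report})
    budget = Node("Budget", ACL([("sma", "Smith.Budget"), ("s", "*.*")]), {"Jones": jones})
    return Node("Root", ACL([("sma", "Admin.SysAdmin"), ("s", "*.*")]), {"Budget": budget})


ROOT = sample_tree()
REPORT = "Root>Budget>Jones>report"
USERS = {"Jones": store_password("correct horse")}   # constructed password table

if __name__ == "__main__":
    print("login Jones:", login(USERS, "Jones", "correct horse"))
    for uid in ("Jones.Budget", "Green.Budget", "Smith.Budget", "Green.Sales"):
        print(uid, "segment modes:", repr(segment_access(ROOT, REPORT, uid)),
              "modify on:", directories_controllable_by(ROOT, REPORT, uid))
```

Running the script shows the point of the figure: Smith.Budget gets null from the segment's ACL, yet appears with modify access on the project directory, which is exactly the condition under which that null entry can be overridden. An audit that only reads segment ACLs misses this; the directory chain has to be walked.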
