M.D. Schroeder. Engineering a Security Kernel for MULTICS. In Fifth Symposium on Operating Systems Principles, pages 125--132, November 1975.
....may not operate as expected, i.e. the system is untrusted. Thus, any system is only as secure as the foundation upon which it is built. For example, a number of attempts were made in the 1960s and 1970s to produce secure computing systems using a secure operating system environment as a basis [Sch75]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [MBD89, EKO94] over the years ....
M.D. Schroeder. Engineering a Security Kernel for MULTICS. In Fifth Symposium on Operating Systems Principles, pages 125--132, November 1975.
....justify the work done in this thesis, in general. However, the actual motivating force that led to this research was the Multics kernel design project being carried on in the Computer Systems Research division of Project MAC at M.I.T. (presently the M.I.T. Laboratory for Computer Science) [Schroeder 75]. Appendix A contains a brief discussion of that work and should be reviewed if the reader is unfamiliar with the concepts. In summary, certification of correctness of the security features of the supervisor would be easier if the supervisor were made smaller. Modules unrelated to security would ....
....At first, placing the support routines in the supervisor might be considered. However, appendix A presents reasons why programs which are not necessary for correct operation of the system should not be in the supervisor. Recent research in system certification [Schroeder 75] has crystallized these reasons. Appendix A contains a brief description of this work. However, besides certification there are very simple reasons for not placing programs in the supervisor. These reasons have to do with extendability and maintainability. Sophisticated users of Multics greatly appreciate the ease ....
Schroeder, M.D., "Engineering a Security Kernel for Multics", ACM 5th Symposium on Operating System Principles, Austin, Texas, November, 1975, pp. 25-32.
....into Hoare's model. That is, Hoare assumes a memory system consisting of a main memory and a drum as a backing store, but does not include secondary memory such as the disks assumed here. Hoare uses monitors [Ho74] to describe his system. Monitors are procedures with built in synchronization primitives. A monitor defines a group of procedures, only one of which may be in execution at any time, thus ensuring mutual exclusion among processes executing the procedures comprising the monitor. Hence monitors are a high level locking device. In Hoare's system a monitor is assigned to each page; this ....
.... for these tasks we can also restrict access to the paging device used list to the paging device manager process. No other processes need access to this list. Separation of policy from mechanism is possible if the system offers rings as does Multics (or some other form of protection domains) [Sc75]. The address space of each page control process can further be divided by use of these protection rings. The programs implementing the mechanics of paging, e.g. reading or writing a page from or to disk, adding or removing a page frame from a list, gathering usage statistics, etc. can be ....
Schroeder, Michael D., "Engineering a Security Kernel for Multics", Operating Systems Review, vol. 9, no. 5, pp.25-32.
....the wheel. Rather than force each user to implement his own file system, one is provided for all by the operating system. This has also been called the principle of greatest common mechanism [Hunt, 1976]. The fourth technique derives from the principle of least common mechanism [Popek, 1974; Schroeder, 1975] and, in some respects, is the converse of the second. It says that if one function is common to many users and another is common to only a few, the two functions should be separated. The idea is that the amount of the system on which a module depends should be minimized by placing unneeded ....
M.D. Schroeder, "Engineering a Security Kernel for Multics," Proceedings of the Fifth Symposium on Operating Systems Principles, and ACM Operating Systems Review 9, 5 (November 1975), pp. 25-32.
....appear to be trying to avoid having any service layer at all. Java [GJS96] and ML [MTH90, Ler] (and the MMM [Lou96] project) provide security through language mechanisms. More recent versions of Java provide protection domains [GS98]. Protection domains were first introduced in Multics [Sch72, Sch75, MSS77, Sal74]. These solutions are not applicable to programs written in other languages (as may be the case with a heterogeneous active network with multiple execution environments) and are better suited for the applet model of execution than active networks. The need for a separate bytecode ....
M.D. Schroeder. Engineering a Security Kernel for MULTICS. In Fifth Symposium on Operating Systems Principles, pages 125--132, November 1975.
....integrity. Without integrity, no system can be made secure. Thus, any system is only as secure as the foundation upon which it is built. For example, a number of attempts were made in the 1960s and 1970s to produce secure computing systems, using a secure operating system environment as a basis [20]. An essential presumption of the security arguments for these designs was that system layers underpinning the operating system, whether hardware, firmware, or both, are trusted. We find it surprising, given the great attention paid to operating system security [13, 8] that so little attention ....
Schroeder, M. Engineering a security kernel for Multics. In Fifth Symposium on Operating Systems Principles (November 1975), pp. 125--132.
....integrity. Without integrity, no system can be made secure. Thus, any system is only as secure as the foundation upon which it is built. For example, a number of attempts were made in the 1960s and 1970s to produce secure computing systems using a secure operating system environment as a basis [13]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [14, 15] that so little ....
M.D. Schroeder, "Engineering a security kernel for MULTICS," in Fifth Symposium on Operating Systems Principles, November 1975, pp. 125--132.
....ruled out on that count. The other possibilities are that the access rights are computed and checked, or simply that those present in the capability are checked. Most designs simply check the rights at this time, since recomputing them can be tedious. Note, however, that the protection ring scheme [7] implies a trivial computation of the rights (by comparing the integers defining the ring of execution and the ring brackets of the segment) upon access. The possible answers to the fifth question are: a) No checks are made. b) The access is checked against the available access rights. c) The ....
Schroeder, M. D., "Engineering a Security Kernel for Multics," Proc. 5th Symp. on Operating Systems Principles (also ACM SIGOPS Review 9, 5), pp. 25-32, November 1975.
....Without integrity, no system can be made secure. Thus, any layered system is only as secure as the foundation upon which it is built. For example, a number of attempts were made in the 1960s and 1970s to produce secure computing systems using a secure operating system environment as a basis [23]. An essential presumption of the security arguments for these designs was that the system layers underpinning the operating system, whether hardware, firmware, or both, were trusted. We find it surprising, given the great attention paid to operating system security [24, 25] that so little ....
M.D. Schroeder, "Engineering a security kernel for MULTICS," in Fifth Symposium on Operating Systems Principles, November 1975, pp. 125--132.