Bibliography

Contents

• Papers and Books (356, 196 online)
• Interviews (26, 26 online)
• Articles (22, 17 online)
• Videos (21, 21 online)
• Project MAC TRs and TMs [1964-1978] (74, 68 online)
• GE/Honeywell Manuals [1973-1987] (140, 114 online)
• BTL, GE, MIT Repository [1965-68] (130, 25 online)
• Honeywell Multics Design Documents (B2 certification) [1985-1986] (29, 17 online)
• Multics Design Notebook [1964-1965] (27, 27 online)
• Multics Planning Notebook [1967-1969] (61)
• Multics Operating Staff Notes [1970-1973] (88, 87 online)
• Multics Alternative Documents [1980-1983] (27)
• Local Site Memos [1974-1975] (6, 6 online)
• Multics Simulator Information (8, 8 online)

Listed on separate pages:

• Multics System Programmer's Manual [1965-1969] (838, 821 online)
• Multics Checkout Bulletins [1967-1973] (111)
• Multics Technical Bulletins [1973-1987] (732, 725 online)
• Multics Staff Bulletins [1971-1973] (83, 82 online)
• Multics Change Requests [1973-1992] (2246, 1361 online)
• Multics Administrative Bulletins [1973-1984] (33, 16 online)
• MTBs for Simulated Multics 2015-present
• MCRs for Simulated Multics 2015-present

The globe icon is used before materials available from other sites.

Items provided by the ACM Digital Library require a subscription or ACM membership in order to access them.

For more information on an author, see the list of Multicians.
For explanations of Multics terms, see the Multics Glossary.
For links to other sites of interest, see the Multics Links Page.

356 Papers and books

1. Adleman, N., Effects of Producing a Multics Security Kernel, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, October 1975 NTIS AD-A031 220/7

   This report summarizes the effects of reducing the current Multics hardcore supervisor (Ring 0), even as the entire Multics system is undergoing continuous development and enhancement. An evolutionary engineering discipline, rather than a structured, formal approach has been used to either modify or recommend changes to the system. Many of the proposed major changes have been demonstrated as being sound and useful. These system changes are documented in this report. For the purposes of this report, the security kernel is that part of the system which implements a reference monitor that enforces a specified protection policy. That is, a security kernel is a subset of the current Multics supervisor. This report will show that the engineering approach of undertaking trial designs and that the engineering approach of undertaking trial designs and implementation is indeed a major contribution to the eventual analytical development and certification of a Multics supervisor which can then be viewed as the Multics security kernel.

2. Adleman, N., Engineering Investigations in Support of Multics Security Kernel Software Development, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations. October 19, 1976 NTIS AD-A040 329/5

   This report provides the status of certain engineering efforts to support the development of a secure general purpose computer.

3. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Security Kernel Evaluation for Multics and Secure Multics Design, Development and Certification, Semi-annual progress rept. 1 Jan-30 June 76, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, August 1976 NTIS AD-A038 261/4
4. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Semi-Annual Progress Report July 1975 to December 1975, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976 NTIS AD-A037 501/4
5. Adleman, N., R. J. Ziller, and J. C. Whitmore, Multics Security Integration Requirements, 1 January 1976-31 December 1980, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, March 1976 NTIS AD-A041 514/1
6. Ames, S. R., File Attributes and Their Relationship to Computer Security, S.M. thesis, June 1974, Case Western Reserve University, Cleveland, OH: HQ Electronic Systems Division, Hanscom AFB, MA. ESD-TR-74-191
7. Ames Jr., Stanley R., and D. K. Kallman, Multics Security Kernel Validation: Proof Description, Volume I, MITRE Corp Bedford MA, July 1978 NTIS AD-A056 901/2
8. Ames Jr., Stanley R., and J. G. Keeton-Williams, Demonstrating security for trusted applications on a security kernel base, IEEE Comp. Soc. Proc 1980 Symposium on Security and Privacy, April 1980
9. Ames Jr., Stanley R., and Jonathan K. Millen, Interface Verification for a Security Kernel, System Reliability and Integrity, Vol 2, Infotech State of the Art report pp.1-21 1978
10. Ames Jr., Stanley R., and Peter G. Neumann, Computer Security Technology: Introduction, IEEE Computer 16(7) p.11, July 1983
11. Anderson, James P., Multics Evaluation, James P. Anderson and Co., Fort Washington Pa, October 1973 NTIS AD-777 593/5

    Details of a planning study for USAF computer security requirements are presented. An Advanced development and Engineering program to obtain an open-use, multilevel secure computing capability is described. Plans are also presented for the related developments of communications security products and the interim solution to present secure computing problems. Finally a Exploratory development plan complementary to the recommended Advanced and Engineering development plans is also included.

12. Anderson, James P., Accelerating Computer Security Innovation, IEEE Symposium on Security and Privacy, 1982

    This note is prompted by a number of observations. - After nearly twelve years of serious work on computer security, all that can be shown is two one-shot 'brassboard' systems and one commercially supported product that integrates the DoD security policy into the operating system. - The first round of research results on computer security were useful and by 1975 the principles of secure computers were well enough understood that the first demonstration models of security kernels had been completed. [SCHI 73] - In spite of hopes to the contrary, it has been amply demonstrated that the civil sector of government and virtually all of the private sector can satisfy their information protection needs with simple physical and procedural methods, coupled with using systems with "improved integrity". - In spite of the tiresomeness of its repetition, the fact is that the need for secure systems for important national defense applications has not been diminished in the slightest by any work that has gone on over the past twelve years.

13. anonymous, Session III, IEEE Computer Group News, Vol 2, No 8, February 1969

    Summary of a session of an unidentified conference, apparently a panel discussion in which Joe Ossanna described the status of Multics. But the pages that would tell us which conference it was (I didn't see it in the table of contents of the December 1968 FJCC) were not captured. There can't be very many conferences that had talks by Joe, Dave Farber, Gio Wiederhold, and Irwin Greenwald in the same session, but I haven't found it in any of the standard CS bibliographies, probably because it was a discussion-only session without a printed paper.

14. Bahrs, David L., John F. Couleur, and Richard L. Ruth, Synchronized storage control apparatus for a multiprogrammed data processing system, Filed March 6, 1968, Issued July 31, 1970 US Patent no 3,521,240
15. Banh, T., and H. Tran, Test program set/document management system, AUTOTESTCON '96, 'Test Technology and Commercialization' Conference Record, pp 369-374, Sep 1996

    The legacy C-17 Support Equipment Data Acquisition and Control System (SEDACS) was initially designed as a test requirement document (TRD) and test program set (TPS) development system. Its applications have expanded to include word processing for a majority of the C-17 support equipment (SE) deliverable documentation, project management functions, and line-replaceable-unit (LRU) and shop-replaceable-unit (SRU) tracking. While the SEDACS system enabled MDA to support C-17 test and early operation, this legacy SEDACS has some drawbacks. Recently, the SEDACS was upgraded from a host-based Honeywell/Multics mainframe to a new client/server system. The TPS document management system (DMS) was designed to provide the environment to create and edit documents as well as to control their configurations, and it is the first step toward becoming an electronic document management system. The system has increased efficiency and productivity, improved and safeguarded file sharing, and provides better management of document revisions. This TPS DMS was developed using an integrated application software package that runs on IBM PCs. This paper describes how the integrated application software was developed and how the deliverable documents were transferred from the existing mainframe system to the client/server system. The software products identified in this paper were chosen to meet our particular applications requirements and are provided only as examples.

16. Banâtre, Jean-Pierre, Michel Banâtre, and Florimond Ployette, The design and building of Enchère, a distributed electronic marketing system, Commun. ACM 29, 1, 19-29. Jan. 1986

    Building and prototyping an agricultural electronic marketing system involved experimenting with distributed synchronization, atomic activity, and commit protocols and recovery algorithms.

17. Banâtre, M., F. Ployette, and G. Lapalme, Utilisation de Multics pour le développement d'une application répartie, Journées de l'AFCET
18. Bastarache, Michael J., Hasan H. Sayani, III, Ernest A. Hershey, Daniel Teichroew, Beverly K. Kahn, and Michael B. Zenn, H6180/Multics/URA User's Manual, Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 497 pages ESD-TR-75-355

    The User Requirements Analyzer URA is one of two major components of computer aided requirements analysis. URA is used in conjunction with the User Requirements Language URL to generate, maintain, and analyze URL data bases. URL is described in ESD-TR-75-88, Vol. II. This document describes URA version 2.1 in the H6l80Multics computing environment. URA version 2.0 is implemented in the IBM 370158TS0 computing environment and described in ESD-TR-75-88, Vol. III.

19. Bell, D. E., and L. J. La Padula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Mitre Technical Report MTR-2997, rev 2, March 1976 NTIS AD-A023 588/7

    For the past several years ESD has been involved in various projects relating to secure computer systems design and operation. One of the continuing efforts, started in 1972 at MITRE, has been secure computer system modeling. The effort initially produced a mathematical framework and a model [1, 2] and subsequently developed refinements and extensions to the model [3] which reflected a computer system architecture similar to that of Multics [4]. Recently a large effort has been proceeding to produce a design for a secure Multics based on the mathematical model given in [l, 2, 3]. Same as ESD-TR-75-306, DTIC AD-A023588

20. Bell, D. E., and L. J. La Padula, Secure Computer Systems: Mathematical foundations, MITRE tech report, 1 Mar 1973 MTR-2547 vol I
21. La Padula, L. J., and D. E. Bell, Secure Computer System: A Mathematical Model, MITRE tech report, 31 May 1973 MTR-2547 vol III
22. Bell, D. E., Secure Computer System: A Refinement of the Mathematical Model, MITRE tech report, 28 Dec 1973 MTR-2547 vol II
23. Bell, David Elliott, Looking Back: Addendum, Online
24. Bellec, Jean, From GECOS to GCOS8: An History of Large Systems in GE, Honeywell, NEC and Bull, FEB website, 19 Feb 2002

    a view by Jean Bellec (FEB), from the other side of the Atlantic

25. Benedict, G. G., An Enciphering Module for Multics, 1974 Jul NTIS AD-782 658/9
26. Bennett, D. A., and C. A. Landauer, An application of simulation to tracking, In: Winter Simulation Conference, San Diego, CA, December 3-5, 1979, Proceedings. Volume 1. New York, IEEE, p. 83-90.

    AIMER (Automatic Integration of Multiple Element Radars) is an emulated model of a loosely coupled distributed radar tracking processor. The design goal of the model is to provide a reliable processing system whose computational bandwidth can be dynamically altered in response to changing ground scenario and availability of hardware. A large number of minicomputers connected with multiple packet networks was chosen as the framework for the design. This paper describes the current status of AIMER.

27. Bensoussan, A., C. T. Clingen, and R. C. Daley, The Multics virtual memory: concepts and design, Proc Second ACM SOSP, Princeton NJ, October 1969

    Commun. ACM 15, 5, pp 308-318, May 1972. As experience with use of on-line operating systems has grown, the need to share information among system users has become increasingly apparent. Many contemporary systems permit some degree of sharing. Usually, sharing is accomplished by allowing several users to share data via input and output of information stored in files kept in secondary storage. Through the use of segmentation, however, Multics provides direct hardware addressing by user and system programs of all information, independent of its physical storage location. Information is stored in segments each of which is potentially sharable and carries its own independent attributes of size and access privilege. Here, the design and implementation considerations of segmentation and sharing in Multics are first discussed under the assumption that all information resides in a large, segmented main memory. Since the size of main memory on contemporary systems is rather limited, it is then shown how the Multics software achieves the effect of a large segmented main memory through the use of the Honeywell 645 segmentation and paging hardware.

28. Bensoussan, André, Honeywell, Inc., MULTICS records, 1965-1982. Finding Aid, University of Minnesota, Charles Babbage Institute

    In the late 1980s, when André Bensoussan was about to retire from Honeywell (or perhaps he was retiring as a Bull employee working at Honeywell) I was also working at Honeywell and arranged to send two boxes of what he considered the historically most valuable Multics material with which he was willing to part to the Charles Babbage Institute (CBI) at the University of Minnesota.

29. Berstel, J., and J.-F. Perrot, MULTICS: guide de l'usager, Manuels informatiques Masson, Paris [etc.]: Masson, 1986
30. Bhushan, A., A File Transfer Protocol, Apr 1971 RFC 114
31. Biba, K. J., S. R. Ames Jr., E. L. Burke, P. A. Karger, W. R. Price, R. R. Schell, and W. L. Schiller, The top level specification of a Multics security kernel, MITRE Corp, Bedford MA, August 1975 WP-20377
32. Birnbaum, D., J. J. Cupak, J. D. Dyar, and R. Jackson, MULTICS Remote Data Entry System. Volume I, Source: Pattern Analysis and Recognition Corp., Rome, NY., Rome Air Development Center, Griffiss AFB, NY, Oct 1979, RADC TR-79-265-VOL-1 NTIS ADA080625

    This report contains the user's manuals and software documentation for the Remote Data Entry System which is the front-end to the MULTICS Pattern Recognition Facility and the Cluster Analysis package which was added to MULTICS OLPARS. The Remote Data Entry System was designed to allow users of the MULTICS Pattern Recognition Facility the ability to input their data over the ARPANET from a Tektronix remote storage device. Once the data is input into the MULTICS System, routines are provided so that the user can easily restructure or cluster his database to perform different classification experiments.

33. Bisbey II, Richard L., Jim Carlstedt, Dale M. Chase, and Dennis Hollingworth, Data Dependency Analysis, ISI-RR-76-45, USC Information Sciences Institute, February 1976 NTIS: ADA 022017
34. Bisbey II, Richard L., and Dennis Hollingworth, Protection Analysis: Final Report, ISI-SR-78-13, USC Information Sciences Institute, July 1978 NTIS: ADA 056816

    The Protection Analysis project was initiated at ISI by ARPA IPTO to further understand operating system security vulnerabilities and, where possible, identify automatable techniques for detecting such vulnerabilities in existing system software. The primary goal of the project was to make protection evaluation both more effective and more economical by decomposing it into more manageable and methodical subtasks so as to drastically reduce the requirement for protection expertise and make it as independent as possible of the skills and motivation of the actual individuals involved. The project focused on near-term solutions to the problem of improving the security of existing and future operating systems in an attempt to have some impact on the security of the systems which would be in use over the next ten years. A general strategy was identified, referred to as "pattern-directed protection evaluation" and tailored to the problem of evaluating existing systems. The approach provided a basis for categorizing protection errors according to their security-relevant properties; it was successfully applied for one such category to the MULTICS operating system, resulting in the detection of previously unknown security vulnerabilities.

35. Boebert, Earl, The Fox Herder's Guide: How to Lead Teams That Motivate and Inform Organizational Change, Bitsmasher Press, 2001

    180 pages.

36. Boebert, Earl, Back to the Future, Keynote Address, UNIX Security Symposium ;LOGIN: VOL. 29, NO. 6

    A lot has been forgotten about security over the years, so it is necessary for somebody who's been around for a while to speak up.

37. Bosworth, Bruce, A user's guide to statistics programs on the MULTICS time-sharing system, Avery Publishing Group, Inc. (1982)

    64 pages.

38. Boyd, Donald L., and Antonio Pizzarello, Introduction to the WELLMADE design methodology, Proceedings of the 3d International Conference on Software Engineering, 1978
39. Bull HN Information Systems Inc., Multics Data Security and Data Privacy, USA: Bull HN Information Systems. no date
40. Burke, Edmund L. et al., Emulating a Honeywell 6180 Computer System, Mitre Corporation, pp. 1-73. June 1974 NTIS AD 787 218

    he Honeywell 6180 is a new, large-scale computer for the MULTICS time-sharing system. This report describes the 6180, and examines the feasibility of emulating it with each of three microprogrammable processors: the Burroughs D-Machine, the Nanodata QM-1, and the Burroughs B1700. Benchmark emulations are presented for each of these machines.

41. Burke, Edmund L., Concept of Operation for Handling I/O in a Secure Computer at the Air Force Data Services Center (AFDSC), Mitre Corporation. Apr 1974 DTIC AD0780529

    The operation of a computer system in a secure fashion requires the control of access to all parts of the system. One part of the system which is often neglected when access and security controls are developed is the input/output (I/O) subsystem. This paper develops a general Concept of Operations for I/O in a secure computer system. This concept is then applied to the proposed two-level, Secret-Top Secret, MULTICS System at the Air Force Data Services Center (AFDSC). The most unusual operational feature recommended for the AFDSC MULTICS is the use of autonomous processes to perform all I/O, preventing any user from directly accessing any I/O device. Procedures are described to provide the necessary controls for operation in the Data Services Center environment.

42. Burner, Wes, The vanishing user, ACM SIGUCCS Newsletter (SIGUCCS), Volume 5, Issue 4, December 1975, pp 9-11

    This article spells Wes Burner's name wrong throughout

43. Burrus, Phillip F., SEDACS-a client/server approach to TPS development, AUTOTESTCON '95. Systems Readiness: Test Technology for the 21st Century. Conference Record, Aug 1995

    The C-17 Support Equipment Data Acquisition and Control System (SEDACS) Test Program Set/Test Requirements Document (TPS/TRD) development system was upgraded from a host-based Honeywell/Multics mainframe system to a new client/server system with Internet connectivity. Reliability, flexibility, and supportability were the requirements for the new system. The combination of the client/server model and commercial software met these requirements by exploiting fast and inexpensive hardware and commercial off-the-shelf (COTS) software such as word processing and project and circuit analysis software. Greater efficiencies were realized by reducing the required time needed to train users, develop TPSs, and prepare supporting documentation. Quality was improved by incorporating configuration management tools and integrated spell checking into the applications suite and by designing around a centralized database. This paper briefly describes how we developed our new system and how we migrated from our existing mainframe (or legacy) system to a client/server system.

44. Buser, Jon Franklin, and Paul E. Rubin, User Considerations and their Impact on an Expert System Building Tool for War Gaming, Proceedings of the Eastern Computer Simulation Conference - AI Papers, April 1988

    This paper discusses user considerations and how they affected the design of Tactical Control Directives (TCD). TCDs were a system extension to the Enhanced Naval Warfare Gaming System (ENWGS). They were a forward chaining rule-based language and runtime environment that allowed users to construct and execute simulations of complex naval doctrine. They differed significantly from other rule-based environments of the time in that rules could be triggered by a combination data conditions and real-time events.

45. Caruso, Michael Joseph, A graphics systems for RDMS, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1975. B.S., 1975

    82 pages

46. Clark, David D., Modularity and Efficiency In Protocol Implementation, July 1982 RFC 817
47. Clingen, C. T., Program naming problems in a shared tree-structured hierarchy, Proc Conf on Techniques in Software Engineering, October 1969
48. Clisham, Tom J., Source RX: A Multics-Fortran program for stratigraphic and petroleum geochemical data, U.S. Geological Survey, 1979
49. Colijn, A. W., A note on the Multics command language, Software -- Practice and Experience 11, 6, pp 741-744, Jul 1981

    Some aspects of the Multics operating system are critically examined. In particular, the properties of the command and language are noted as allowing considerable general purpose programming power. The strength and weaknesses are discussed and a quantitative evaluation of speed is attempted based on a comparison of programming the "Towers of Hanoi" and Ackermann's function in both Multics command language and pll. The programs also serve to exemplify the use of the command language.

50. Colman, S. M., CHEMANAL: A MULTICS Fortran program to calculate chemical weathering data, U.S. Geological Survey, 1980
51. Connell, David B., Kermit N. Klingbail, and Richard A. Jackson, MULTICS OLPARS Operating System. Volume I, Pattern Analysis and Recognition Corp Rome N Y, 219 pages, PAR-74-25-A, F30602-75-C-0226, F30602-73-C-0352, RADC TR-76-271-Vol-1 NTIS ADA034393

    The development of interactive graphics computer systems for use in detection, identification, and transformation of patterns contained in high- dimensional data has been a continuing program at the Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS (the On-Line Pattern Analysis and Recognition System), IFES (the Image Feature Extraction System), and WPS (the Waveform Processing System). This report contains detailed design and user-oriented information related to MOOS (the MULTICS OLPARS Operating System), and advanced version of OLPARS currently resident upon the Honeywell 6180 MULTICS computer system. The currently operational system represents an implemented version of the operations described in a previous report (RADC-TR-73-241); appropriate selections of that report are retained within this document. This report contains brief descriptions of the MOOS system and the mathematics underlying the system algorithms. A major portion of this document is reserved for a user's manual (providing detailed information relating to the operation of all system options) and for MOOS program documentation.

52. Connell, David B., Kermit N. Klingbail, and Richard A. Jackson, MULTICS OLPARS Operating System. Volume II, Pattern Analysis and Recognition Corp Rome N Y, 667 pages, RADC TR-76-271-Vol-1 NTIS ADA033437
53. Connell, David B., and Bruce K. Opitz, Programs for On-Line Pattern Analysis and Recognition System (OLPARS), Pattern Analysis and Recognition Corp Rome N Y, 193 pages NTIS AD0742280

    The report describes the implementation of a series of applications programs and graphic techniques on the On-Line Pattern Analysis and Recognition System (OLPARS) previously developed at RADC. The report is an addendum to RADC-TR-71-177 (AD-732 235) and is therefore a continuation in format and information content to that document. Sections 1 and 2 describe the overview of the additions and modifications to OLPARS in the areas of structure analysis, logic design, and measurement reduction. The remainder of the report contains changes, additions and deletions to the user manuals, programmer's manual and flow charts previously published as RADC-TR-71-177.

54. Corbató, F. J., A paging experiment with the Multics system, Chapter 19 of In Honor of Philip M. Morse, edited by Herman Feshbach and K. Uno Ingard, M. I. T. Press, Cambridge MA, 217-228, 1969 MIT Press print-on-demand.

    A key strategic question that a paging algorithm must answer whenever a new page is needed is: "Which page should be removed from core memory?" (1.9MB PDF)

55. Corbató, F. J., and C. T. Clingen, A Managerial View of the Multics System Development, in Research Directions in Software Technology edited by P. Wegner, M.I.T. Press, 1979

    (Also published in Tutorial: Software Management, Reifer, Donald J. (ed), IEEE Computer Society Press, l979; Second Edition l981; Third Edition, 1986.) A reasonable question of a software manager might be "What possible insight can I gain from the agonies of someone else's project?"

56. Corbató, F. J., and J. H. Saltzer, Some considerations of supervisor program design for multiplexed computer systems, Proc IFIP 4th Global Conf, Edinburgh, August 1968 MAC-M-372, May 1968

    One of the principal hurdles in developing multiplexed computer systems is acquiring sufficient insight into the apparently complex problems encountered. This paper isolates two system objectives by distinguishing between problems related to multiplexing and those arising from sharing of information. In both cases, latent problems of noninteractive systems are shown to be aggravated by interacting people. Viewpoints such as reversibility of binding, and mechanisms such as segmentation, are suggested as approaches to acquiring insight. It is argued that only such analysis and functional understanding can lead to simplifications needed to allow design of more sophisticated systems.

57. Corbató, F. J., and V. A. Vyssotsky, Introduction and overview of the Multics system, AFIPS Conf Proc 27, 185-196, 1965

    Multics (Multiplexed Information and Computing Service) is a comprehensive, general-purpose programming system which is being developed as a research project. The initial Multics system will be implemented on the GE 645 computer. One of the overall design goals is to create a computing system which is capable of meeting almost all of the present and near-future requirements of a large computer utility.

58. Corbató, F. J., C. T. Clingen, and J. H. Saltzer, Multics -- the first seven years, Proc SJCC, 571-583, May 1972

    First we review the goals, history and current status of the Multics project. This review is followed by a brief description of the appearance of the Multics system to its various classes of users. Finally several topics are given which represent some of the research insights which have come out of the development activities.

59. Corbató, F. J., M. M. Daggett, and R. C. Daley, An experimental time-sharing system, AFIPS Conf Proc 21, 335-344, 1962

    It is the purpose of this paper to discuss briefly the need for time-sharing, some of the implementation problems, an experimental time-sharing system which has been developed for the contemporary IBM 7090, and finally a scheduling algorithm of one of us (FJC) that illustrates some of the techniques which may be employed to enhance and be analyzed for the performance limits of such a time-sharing system.

60. Corbató, F. J., PL/I as a Tool for System Programming, Datamation 15, 5, 68-76, May, 1969
61. Corbató, F. J., Sensitive issues in the design of multi-use systems, M. I. T. Project MAC, December 1968 MAC-M-383

    Talk presented at a symposium on Advances in Software Technology held in February, 1968, at the opening of the Honeywell EDP Technology Center, Waltham, Massachusetts.

62. Corbató, F. J., On building systems that will fail, (A. M. Turing Award lecture), Commun. ACM 34 No. 9, September 1991

    What I am really trying to address is the class of systems that for want of a better phrase, I will call "ambitious systems." It almost goes without saying that ambitious systems never quite work as expected. Things usually go wrong and sometimes in dramatic ways. And this leads me to my main thesis, namely, that the question to ask when designing such systems is not: "if something will go wrong, but when will it?"

63. Corbató, F. J., M. M. Daggett, R. C. Daley, R. J. Creasy, J. D. Hellwig, R. H. Orenstein, and L. K. Korn, The compatible time-sharing system: a programmer's guide, 1st ed, M. I. T. Press, June 1963

    The "candy stripe" manual describing early versions of CTSS.

64. Corbató, F. J., A Letter from Prof. Corbató (2000-10-30)

    Letter to Multicians on the occasion of the shutdown of the last Multics.

65. Corbató, Fernando J., John W. Poduska, and Jerome H. Saltzer, Advanced Computer Programming, M. I. T. Press, Cambridge, Massachusetts, 1963. ISBN 978-0-262-03006-9

    A case study of a Classroom Assembly Program. Textbook for MIT course 6.251, System Programming, in 1962-63. FAP for the IBM 7090.

66. Couleur, John F., and Edward L. Glaser, Shared-access data processing system, filed November 26, 1965, awarded November 19, 1968 US Patent no 3,412,382
67. Couleur, John F., and Edward L. Glaser, Data storage control apparatus for a multiprogrammed data processing system, Filed February 27, 1968, Issued August 18, 1970 US Patent no 3,525,080
68. Couleur, John F., and Robert F. Montee, Method and means for storing and accessing information in a shared access multiprogrammed data processing system, ("New System Architecture" patent) filed November 14, 1978, awarded November 10, 1981 US Patent no 4,300,192

    Partitioning, paging, and segmentation techniques are employed with virtual memory to provide more secure and efficient storage and transfer of information. The virtual memory is divided into a plurality of partitions with real memory storage provided by paging the plurality of partitions. User programs are segmented into logical units and stored in assigned partitions thereby isolating user programs and data. Unsegmented programs may be run by storage in a partition with direct addressing. Segment descriptors including partition, base, and bound are utilized in accessing memory. User domains are expandable by temporarily passing descriptor parameters from one routine to another with access flags limiting access thereto. By shrinking passed descriptors the receiving routine can be restricted to only a portion of the information defined by the descriptor.

69. Couleur, John F., The Core of the Black Canyon Computer Corporation, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 56-60
70. Crisman, P. A., Ed., The compatible time-sharing system: a programmer's guide, 2nd ed, M. I. T. Press, 1965

    Looseleaf. 454 pages.

71. Daley, R. C., and J. B. Dennis, Virtual memory, processes, and sharing in Multics, Commun. ACM 11, 306-312, May 1968

    The value of a computer system to its users is greatly enhanced if a user can, in a simple and general way, build his work upon procedures developed by others. The attainment of this essential generality requires that a computer system possess the features of equipment-independent addressing, an effectively infinite virtual memory, and provision for the dynamic linking of shared procedure and data objects. The paper explains how these features are realized in the Multics system.

72. Daley, R. C., and P. G. Neumann, A general-purpose file system for secondary storage, AFIPS Conf Proc 27, 212-230, 1965

    The need for a versatile on-line secondary storage complex in a multiprogramming environment is immense.

73. Datapro, An Overview of Operating Systems Security, Datapro Reports on Information Security, June 1986 Datapro IS56-001
74. Datapro, Bull HN Information Systems Inc: Security Capabilities of Multics, Datapro Reports on Information Security; Vol 3, USA: Datapro Research. April 1989 IS56-115-101
75. David Jr., E. E., and R. M. Fano, Some thoughts about the social implications of accessible computing, AFIPS Conf Proc 27, 243-248, 1965
76. Davids, Noah S., Experiences with an Interactive Electronic Meeting Facility, Proc Second Annual Phoenix Conference on Computers and Communications, 563-567, Mar 1983

    The introduction of an interactive electronic meeting facility, called Forum, within Honeywell's Large Information Systems Division (LISD), a large multi-national organization, has had profound effets. The environment set up by Forum closely mimics that of a face-to-face meeting. The user interface, based on a TTY-style terminal, allows the users to concentrate on the content of the meeting instead of on the interface or the computer. Forum is briefly described, and LISD's experiences, both good and bad, are discussed.

77. Davis, R. C., A Security Compliance Study of the Air Force Data Services Center Multics System, Mitre Corp., Bedford, Mass, NTIS, December 1976

    Do the hardware and software security features of the Air Force Data Services Center (AFDSC) Multics system comply with the Department of Defense security requirements. To answer this question AFDSC commissioned MITRE to undertake a study to compare intrinsic features of the AFDSC Multics system with the applicable requirements set forth in DoD Requirement 5200.28 and expanded upon in DoD Manual 5200.28-M. (also available as DTIC AD-A034985)

78. Davis, Edward W., STARAN parallel processor system software, Proc AFIPS 74

    This paper is concerned with the features and concepts of system software for a parallel associative array processor---STARAN. Definitions of parallel processors have appeared often. Essentially they are machines with a large number of processing elements. They have the capability to operate on multiple data streams with a single instruction stream. STARAN is a line of parallel processors with a variable number of processing elements.

79. Denning, P. J., The working set model for program behavior, Commun. ACM 11, 5, 323-333, May 1968
80. Denning, P. J., Virtual memory, ACM Computing Surveys 2, 3, 153-189, September 1970
81. Denning, P. J., Effects of scheduling on file memory operations, Proc 1967 SJCC, 1967
82. Denning, P. J., A statistical model for console behavior in multiuser computers, Commun. ACM, Sep 1968
83. Denning, P. J., Thrashing: its causes and prevention, Proc 1968 FJCC, 1968

    A particularly troublesome phenomenon, thrashing, may seriously interfere with the performance of paged memory systems, reducing computing giants (Multics, IBM System 360, and others not necessarily excepted) to computing dwarfs. The term thrashing denotes excessive overhead and severe performance degradation or collapse caused by too much paging. Thrashing inevitably turns a shortage of memory space into a surplus of processor time.

84. Denning, P. J., Equipment configuration in balanced computer systems, IEEE Trans on Computers, Nov 1969
85. Denning, P. J., Comments on a linear paging model, Proceedings of the 1974 ACM SIGMETRICS conference on Measurement and evaluation, Jan 1974

    The linear approximation relating mean time between page transfers between levels of memory, as reported by Saltzer for Multics, is examined. It is tentatively concluded that this approximation is untenable for main memory, especially under working set policies; and that the linearity of the data for the drum reflects the behavior of the Multics scheduler for background jobs, not the behavior of programs.

86. Dennis, J. B., A multiuser computation facility for education and research, Commun. ACM 7, 521-529, September 1964
87. Dennis, Jack B., and Edward L. Glaser, The Structure of On-line Information Processing Systems, MIT Project MAC memorandum MAC-M-181, October 3, 1964
88. Dennis, J. B., Segmentation and the design of multiprogrammed computer systems, IEEE Intl Convention Rec 3, 214-225, 1965
89. Deutsch, L. P., and B. W. Lampson, An online editor, (qed), Commun. ACM 10, 12, pp 793-799, December 1967
90. Diamond, D. S., and L. L. Selwyn, Considerations for computer utility pricing policies, Proc ACM 23d Natl Conf, 189-200, 1968

    There are a number of different philosophies concerning the problems of pricing the resources of a multi-access computer utility. Although some have been proposed only academically, others have actually been implemented by the various fledgling systems that have come into existence during the past few years.

91. Dominick, W. D., and S. K. Agarwal, MADAM: Multics Approach to Data Access and Management Users Guide, Computer Science Department, University of Southwestern Louisiana, 1977 Technical Report CMPS-77-6-1

    The MADAM system was developed to provide the framework for conducting information system research, design, implementation, measurement and evaluation experiments within the context of the Multics operating system. This paper overviews some of the more important aspects of the design philosophy of MADAM.

92. Dominick, W. D., THE USL NASA PC R&D PROJECT: GENERAL SPECIFICATIONS OF OBJECTIVES, Computer Science Department, University of Southwestern Louisiana, 1984
93. Donovan, J. J., Tools and philosophy for software education, Commun. ACM, 19, Issue 8, August 1976
94. Downey, P. J., MULTICS Security Evaluation: Password and File Encryption Techniques, US Air Force, Electronic Systems Div, Hanscom AFB Mass,, Jun 1977 NTIS AD-A045 279/7
95. Downey, P. J., MULTICS Security Evaluation: Password and File Encryption Techniques, volume II, US Air Force, Electronic Systems Div, Hanscom AFB Mass,, Jun 1977
96. Downey, P. J., MULTICS Security Evaluation: Password and File Encryption Techniques, ESD-TR-74-193, volume III, US Air Force, Electronic Systems Div, Hanscom AFB Mass,, Jun 1977
97. Dyar, J. D., Multics Remote Data Entry System. Volume II. Clustering Additions to MOOS, PATTERN ANALYSIS AND RECOGNITION CORP ROME N Y, Oct 1979 DTIC ADA080626

    This report describes the clustering algorithms added to the MULTICS OLPARS Operating System under this effort.

98. Elefante, Donald M., Unattended Testing Sessions on the Honeywell Multics Computer, Rome Air Development Center Griffiss AFB N Y (MAR 1977). NTIS ADA041824

    This report discusses the procedure used to run a series of machine-dedicated performance evaluation tests without any machine operator intervention, either before or after the tests, and with minimum disruption to normal time-sharing service. The procedure involves, among other things, setting up a control program to execute at some optimum time in the future, whereupon MULTICS is automatically induced to remove itself from its normal user support status, log in a predetermined set of artificial users for the duration of the test, and following this, restore itself to its normal user (time-sharing) status. 43 pages.

99. Elspas, B., R. E. Shostak, and J. M. Sptizen, A Verification System for JOCIT/J3 Programs (Rugged Programming Environment - RPE/2)., Stanford Research Inst Menlo Park Calif DTIC ADA042670

    This report describes work done during the second year of a research and development program aimed ultimately at a Rugged Programming Environment for JOVIAL. The RPE/1 verification system designed and built during the first year has been greatly extended and improved in several ways. The basic method of verification remains the same--that of inductive assertions. The input processor has been modified to handle virtually of all JOCIT instead of the small subset covered by the RPE/1 system. The overall speed of verification has been increased by a factor of over 25. Ease of user interaction with the system has been greatly enhanced by adding facilities for carrying out and saving partial proofs of programs, for extending the assertion language, and for enabling top-down and bottom-up proofs for well-structured programs. Moreover, the entire system has been translated into MACLISP, the system files have been transferred to the RADC-MULTICS Honeywell 6180 computer, and a sample verification (shown in the report) has been carried out entirely on the RADC computer.

100. Enslow, Philip H., 6180 Multics Systems and 6000 Series, Appendix C (pages 219-228) of Philip H. Enslow, editor, Multiprocessors and Parallel Processing, John Wiley & Sons, New York, 1974.
101. Fano, R. M., and P. Elias, Project MAC 25th Anniversary, M. I. T. Laboratory for Computer Science, 1989
102. Fano, R. M., The computer utility and the community, IEEE Int Convention Record 12, 30-37, 1967
103. Fano, R. M., The MAC system: The computer utility approach, IEEE Spectrum 2, 56-64, January 1965
104. Fano, R. M., and F. J. Corbató, Time-sharing on computers, Scientific American 215, 3, September, 1966, pp. 129-140

     also in Information, A Scientific American Book, W. H. Freeman & Co., pp. 76-95, 1966

105. Fano, R. M., Project MAC, Encyclopedia of Computer Science and Technology, Vol 12, Marcel Dekker, Inc. New York and Basel, 1979
106. Fano, R. M., The MAC System: A progress Report, MAC-TR-12 MIT-LCS-TR-012
107. Feiertag, R. J., and E. I. Organick, The Multics input/output system, Proc ACM Third SOSP, 35-41, October 1971

     An I/0 system has been implemented in the Multics system that facilitates dynamic switching of I/0 devices. This switching is accomplished by providing a general interface for all I/O devices that allows all equivalent operations on different devices to be expressed in the same way. Also particular devices are referenced by symbolic names and the binding of names to devices can be dynamically modified. Available I/0 operations range from a set of basic I/0 calls that require almost no knowledge ...

108. Feiertag, R. J., Karl N. Levitt, and Lawrence Robinson, Proving Multilevel Security of a System Design, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977
109. Feingold, Richard, Electronic Resources for Security Related Information, US Department of Energy, Lawrence Livermore National Laboratory, Computer Incident Advisory Capability, December 1994 CIAC-2307 R.1
110. Yochelson, J. C., A LISP garbage collector for virtual memory computer systems, Commun. ACM 12, 611-612, 1969
111. Fenichel, Robert R., Joseph Weizenbaum, and Jerome C. Yochelson, A program to teach programming, Commun. ACM 13, 1970

     The TEACH system was developed at MIT to ease the cost and improve the results of elementary instruction in programming. To the student, TEACH offers loosely guided experience with a conversational language which was designed with teaching in mind. Faculty involvement is minimal. A term of experience with TEACH is discussed. Pedagogically, the system appears to be successful; straightforward reimplementation will make it economically successful as well. Similar programs of profound tutorial skill will appear only as the results of extended research. The outlines of this research are beginning to become clear.

112. Finfer, M., J. Fellows, and D. Casey, Software debugging methodology. Volume II: Handbook for debugging in the MULTICS/GCOS/RTM environments, System Development Corp, Santa Monica, Calif, Apr 1979

     A debugging study was conducted which surveyed current research being performed in the area of software debugging during integration level testing. Particular emphasis was placed on assessing debugging tools and techniques which were applicable to embedded software developments. The purpose of the debugging study was to define a software debugging methodology applicable to diverse environments to be utilized during integration testing of system software. The results of the study are contained in three volumes. This volume presents the application of the debugging methodology to three specific environments. 122 pages.

113. Flamm, Kenneth, Targeting the Computer: Government Support and International Competition, Washington, DC; Brookings Institution, 1987, pp. 42-92.
114. Futas, George P., and Simon P. Flemming Jr, Auxiliary Store Access Control for a Data Processing System, Filed June 14, 1968, Issued August 18, 1970 US Patent no 3,525,081
115. Frankston, Robert M., A Limited Service System on Multics, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, June 1970
116. Frankston, Robert M., Multics: Lightweight Processes, Unpublished memorandum, MIT Project MAC, March 1974

     This is a pair of memos I wrote in 1974 when I was a graduate student working on the Multics project. (precursors of MIT CSR-RFC-123)

117. Freiburghouse, R. A., A user's guide to the Multics FORTRAN compiler implementation, CISL, October 1969

     A document that provides the prospective Multics FORTRAN user with sufficient information to enable him to create and execute FORTRAN programs on Multics. It contains a complete definition of the Multics FORTRAN language as well as a description of the FORTRAN command and error messages. It also describes how to communicate with non-FORTRAN programs and discusses some of the fundamental characteristics of Multics that affect the FORTRAN user. 68 pages. -- Organick

118. Freiburghouse, R. A., The Multics PL/1 compiler, Proc 1969 FJCC, 187-199, 1969

     Description of the Multics version 1 PL/I compiler implementation.

119. Freiburghouse, R. A., Register allocation via usage counts, Commun. ACM 17, Issue 11, November 1974

     This paper introduces the notion of usage counts, shows how usage counts can be developed by algorithms that eliminate redundant computations, and describes how usage counts can provide the basis for register allocation. The paper compares register allocation based on usage counts to other commonly used register allocation techniques, and presents evidence which shows that the usage count technique is significantly better than these other techniques.

120. Friesen, O. D., and J. A. Weeldreyer, Multics Integrated Data Store: An Implementation of a Network Data Base Manager Utilizing Relational Data Base Methodology, Proc 11th Hawaii Intl Conf on System Sciences, Vol 1, pp. 67-84, 1978
121. Friesen, O. D., N.S. Davids, and R. E. Brinegar, MRDS/LINUS: System Evaluation, in Relational Database Systems: Analysis and Comparison, J. W. Schmidt and M. L. Brodie, eds., Berlin, Springer-Verlag, 1983
122. Gasser, M., A Random Word Generator for Pronouncable Passwords, MTR-3006, The Mitre Corporation, Bedford, MA 01730, ESD-TR-75-97, HQ Electronic Systems Division, Hanscom AFB, MA 01731. 1975 NTIS AD A 017676
123. Gasser, M., S. R. Ames, and L. J. Chmura, Test Procedures for Multics Security Enhancements, Mitre Corp., Bedford, Mass., NTIS, December 1976

     (also available as DTIC AD-A034986)

124. Gasser, M., Top Level Specification of a Security Kernel for Multics Front-End Processor, MTR-3269, Mitre Corp., Bedford, Mass., November 1977
125. Gifford, D., Hardware Estimation of a Process's Primary Memory Requirements, Commun. ACM 20, 9, September 1977

     A minor hardware extension the Honeywell 6180 processor is demonstrated to allow the primary memory requirements of a process in Multics to be approximated. The additional hardware required for this estimate to be computed consists of a program accessible register containing the miss rate of the associative memory used for page table words. This primary memory requirement estimate was employed in an experimental version of Multics to control the level of multiprogramming in the system and to bill for memory usage. The resulting system's tuning parameters display configuration insensitivity, and it is conjectured that the system would also track shifts in the referencing characteristics of its workload and keep the system in tune.

126. Gilson, J. R., Security and Integrity Procedures., Honeywell Information Systems Inc, Mclean Va, Federal Systems Operations, 21 pages, F19628-74-C-0193, ESD TR-76-294 NTIS ADA040328

     This report covers the procedures required to protect critical phases of the design, development, and certification of a secure Multics. Involved is protection of the security kernel software from unauthorized alteration or sabotage. The facilities of the Government Information Security Program are applied. The program includes protection of a security kernel for Multics and a security kernel for the Secure Communications Processor.

127. Glaser, Edward L., A brief description of privacy measures in the Multics operating system, Proc AFIPS 1967 SJCC, pp 303-304. 1967

     The problem of maintaining information privacy in a multi-user, remote-access system is quite complex. Hopefully, without going into detail, some idea can be given of the mechanisms that have been used in the Multics operating system at MIT.

128. Glaser, E. L., J. F. Couleur, and G. A. Oliver, System design of a computer for time-sharing applications, AFIPS Conf Proc 27, 197-202, 1965

     In the late spring and early summer of 1964 it became obvious that greater facility in the computing system was required if time-sharing techniques were to move from the state of an interesting pilot experiment into that of a useful prototype for remote access computer systems. Investigation proved computers that were immediately available could not be adapted readily to meet the difficult set of requirements time-sharing places on any machine. However, there was one system that appeared to be extendible into what was desired. This machine was the General Electric 635.

129. Gligor, Virgil D., Some thoughts on denial-of-service problems, University of Maryland, College Park, MD, 16 Sept. 1982
130. Goldstein, R. C., and A. L. Strnad, The MacAIMS Data Management System, ACM SIGFIDET, Houston TX, 1970 963K
131. Gotch, Leslie, and Shawn Rovansek, Implementation and Usage of Mandatory Access Controls in an Operational Environment, proc 13th National Security Systems Conference

     The National Computer Security Center (NCSC) uses DOCKMASTER, a Honeywell DPS-8/70 mainframe running the B2-evaluated Multics operating system. DOCKMASTER provides a central electronic facility for technical interchange between NCSC personnel, computer vendors, and the US computer security community on unclassified topics related to computer security. To support this role, DOCKMASTER is used to store a considerable amount of vendor proprietary data. Up until January 1989, this information was protected using only a discretionary security policy enforced by the Multics Access Control List (ACL) mechanisms. In January 1989, the NCSC began utilizing the Multics Access Isolation Mechanism (AIM) to provide Mandatory Access Controls (MAC) to protect vendor-proprietary information stored on DOCKMASTER. Modifications to standard AIM were necessary to increase the number of compartments in order to adequately separate vendor data (i.e., each vendor has a single compartment). This paper discusses the modifications made to Multics to increase the number of compartments used in the enforcement of its Mandatory Access Control policy. These modifications included revisions to the Trusted Computing Base (TCB). This paper will describe the reason for the changes, the extent of work required to make the changes, the adjustments made by users to utilize AIM, and the impact of the changes on user productivity.

132. Graham, R. M., Protection in an information processing utility, Commun. ACM 11, 5, 365-369, May 1968 also http://portal.acm.org/citation.cfm?doid=363095.363146

     In this paper we will define and discuss a solution to some of the problems concerned with protection and security in an information processing utility. This paper is not intended to be an exhaustive study of all aspects of protection in such a system. Instead, we concentrate our attention on the problems of protecting both user and system information (procedures and data) during the execution of a process. We will give special attention to this problem when shared procedures and data are permitted.

133. Graham, R. M., Use of High Level Languages for Systems Programming, MIT Project MAC Programming Linguistics Group Memo No. 2, November 20, 1969

     edited transcript of a talk given at NSA November 20, 1969.

134. Graham, Robert M., Gerald J. Clancy, and David B. DeVaney, A software design and evaluation system, Commun. ACM 16, 2, 110,116, Feb 1973
135. Graham, Robert M., and Robert A. Freiburghouse, Report of session on systems programming languages, Proceeding of ACM SIGPLAN - SIGOPS interface meeting on Programming languages, Feb 1973
136. Gray, Terence E., and Maria M. Pozzo, An Approach to Containing Computer Viruses, Computers & Security, volume 6, issue 4, pp. 321-331

     This paper presents a mechanism for containing the spread of computer viruses by detecting at run-time whether or not an executable has been modified since its installation. The detection strategy uses encryption and is held to be better for virus containment than conventional computer security mechanisms which are based on the incorrect assumption that preventing modification of executables by unauthorized users is sufficient. Although this detection mechanism is most effective when all executables in a system are encrypted, a scheme is presented that shows the usefulness of the encryption approach when this is not the case. The detection approach is also better suited for use in untrusted computer systems. The protection of this mechanism in untrusted computing environments is addressed.

137. Green, Paul, An implementation of SEAL on Multics, S. B. Thesis, Department of Electrical Engineering, M. I. T., Cambridge, May, 1973 93MB

     This thesis describes the implementation of a code generator for the Seal language on the Multiplexed Information and Computing Service. The implementation developed extensive error handling techniques for both the code generator itself, and the Seal programs it compiles.

138. Greenberg, B. S., Multics Emacs: an experiment in computer interaction, Proc Fourth Honeywell Software Conf, March 1980
139. Greenberg, B. S., Prose and CONS (Multics Emacs: production text-processing in Lisp), Report on the 1980 LISP Conference, August 1980

     This paper addresses the choice of Lisp as the implementation language, and its consequences, including some of the implementation issues. The detailed history of Multics Emacs, its system-level design considerations, and its impact on Multics and its user community are discussed in [Greenberg]. One of the immediate and profound consequences of this choice has been to assert Lisp's adequacy, indeed, superiority, as a full-fledged systems and applications programming language. Multics Emacs ...

140. Greenberg, B. S., "Multics Emacs: The History, Design and Implementation", 1979

     Multics Emacs is a video-oriented text preparation and editing system running on Honeywell's Multics system, being distributed as an experimental offering in Multics Release 7.0. From the viewpoint of Multics, it represents the first video-management software to be implemented, the first time character-at-a-time-interaction has been used, and a radical and complete departure from other editing and text preparation tools and techniques prevalent on Multics.

141. Greenberg, B. S., The Multics MACLISP Compiler. The Basic Hackery. A tutorial, 1977

     If you are not already familiar with LISP, in some detail, including the traditional implementations and value/object issues, you probably should not be reading this.

142. Greenberg, B. S., and S. H. Webber, The Multics Multilevel Paging Hierarchy, Proc 1975 IEEE Intercon, 1975

     This paper describes the Multics multilevel paging system, the Page Multilevel algorithm or PML for short, with particular emphasis on the algorithms used to move pages from one level of the storage hierarchy to another. The paper also discusses some of the history and background of the development in particular where it relates to changes in the algorithms. Although Multics has been in working existence for many years, many of its features are still novel and implemented on few if any other operating systems. For this reason, a discussion of some of the terminology as it relates to Multics is also included as background for the reader. Finally, a discussion is presented which predicts probable future developments both on Multics and other systems with respect to hierarchically organized memories (storage hierarchies) in light of what we have learned from Multics.

143. Greenberger, Martin, The Computers of Tomorrow, Atlantic Monthly, May 1964

     In the past two decades, thousands of computers have been applied successfully in various industries. How much more widespread will their use become? Martin Greenberger, who is associate professor at the School of Industrial Management of M.I.T., has been working with computers for fourteen years.

144. Grochow, J. M., MOO in Multics, Software -- Practice and Experience 2, 303-308, 1972 179K

     PL/I source for moo is available online.

145. Grochow, J. M., Real-time graphic display of time-sharing system operating characteristics, AFIPS Conf Proc 35 (1969 FJCC), AFIPS Press, pp. 379-385, 1969

     The Graphic Display Monitoring System (GDM) is an experimental monitoring facility for Multics, a general purpose time-sharing system implemented at Project MAC cooperatively with General Electric and the Bell Telephone Laboratories. GDM allows design, systems programming, and operating staff to graphically view the dynamically changing properties of the time-sharing system. It was designed and implemented by the author to provide a medium for experimentation with the real-time observation of time-sharing system behavior. GDM has proven to be very useful both as a measuring instrument and a debugging tool and as such finds very general use.

146. Gumpertz, Richard Henry, The Design and Fabrication of an ARPA Network Interface, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, July 1973
147. Gunson, Alison, Directory of library software for microcomputers: Design and implementation of a STATUS database, and hardcopy output using the Multics Wordpro system, ASIN: B0000CHIWC
148. Haggett, Allan G., John R. McFadden, and Peter R. Newsted, Naive user behavior in a restricted interactive command environment, ACM SIGSOC Bulletin, Volume 13, Issue 2-3, p 139 1982 ISBN:0-89791-064-8

     Results are reported showing the changing pattern of command use by introductory business data processing students. Using the ability of the University of Calgary's Honeywell Multics Operating System to tailor a command and response environment, a subset of commands and responses (called GENIE) was set up in a user-friendly environment to facilitate novice students programming at CRT terminals. Frequency and time of usage of all commands was metered and changing patterns of usage emerged as the semester progressed. For example, "help" usage -- which was originally quite extensive and broad -- limited itself over time to questions only about specific topics. Reluctance to use an "audit" facility to capture an interactive session disappeared as the commands for such usage were likened to a movie camera taking pictures over a student's shoulder. It is further noted that specific emphasis was placed on simplifying commands and reducing options.The whole idea of a restricted command environment is compared to the "abstract machine" concept of Hopper, Kugler, and Unger who are building a universal command and response language (NICOLA, a NIce Standard COmmand LAnguage). GENIE is seen as an example of what such an abstract machine could be if the Multics operating system were viewed as a basic or "parent" abstract machine. Interactive environments such as Multics provides are viewed as essential to providing a satisfactory time-sharing system for the various, but frequently intermittent uses, in the social sciences.

149. Hauben, Michael, and Ronda Hauben, Cybernetics, Time-Sharing, Human-computer Symbiosis and Online Communities: Creating a Supercommunity of Online Communities, First Monday, Volume 3, Number 8 - 3 August 1998
150. Heafner, John, J. A. N. Lee, and Sharon Schrock, Developing Curriculum for Use in an Interactive Computational Environment, internal memo CS79004-E
151. Hebalkar, Prakash Gurunath, Asynchronous cooperative multiprocessing within MULTICS, S.M. Thesis, Department of Electrical Engineering, M.I.T., June 1968
152. Heckman, Mark R., and Roger R. Schell, Using Proven Reference Monitor Patterns for Security Evaluation, Information 2016, 7(2), 23, July 2016

     The most effective approach to evaluating the security of complex systems is to deliberately construct the systems using security patterns specifically designed to make them evaluable. Just such an integrated set of security patterns was created decades ago based on the Reference Monitor abstraction. An associated systematic security engineering and evaluation methodology was codified as an engineering standard in the Trusted Computer System Evaluation Criteria (TCSEC). This paper explains how the TCSEC and its Trusted Network Interpretation (TNI) constitute a set of security patterns for large, complex and distributed systems and how those patterns have been repeatedly and successfully used to create and evaluate some of the most secure government and commercial systems ever developed.

153. Henderson, H., and Elliott I. Organick, Considerations in the Design of an XDS Sigma 7 Multics, University of Texas, Department of Computer Science, September, 1969 NTIS AD0713477
154. Henningan, K. B., Hardware Subverter for the Honeywell 6180, MTR-3280, Dec. 1976, pp. 1-222. 1976 ESD-TR-76-352

     (also available as DTIC AD-A034221)

155. Hilton, Jarvis Gene, Instructional data base development using MULTICS relational data store, Thesis (M.B.A.)--San Diego State University, 1978.
156. Hinke, Thomas H., and Marvin Schaefer, Secure Data Management System., System Development Corp, Santa Monica Calif, 197 pages, SDC-TM-(L)-5407/007/00, F30602-74-C-0258, RADC TR-75-266 NTIS ADA019201

     This report describes the design of a Secure Data Management System (DMS) that is to operate on a Secure MULTICS Operating System Kernel. The DMS achieves its security by mapping its data base into the security structure provided by the operating system, with the result that the DMS need contain no security enforcement code. The logical view chosen for the DMS is the relational view of data.

157. Honeywell, Prototype Secure MULTICS Specification, Preliminary draft, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976 NTIS AD-A055 166/3

     The goal of Project Guardian is to design, develop and certify a secure Multics to provide a certified secure multilevel computer utility. This report covers preliminary work in development of a specification describing the characteristics of the secure system.

158. Honeywell, Multics Security Kernel Certification Plan, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, July 1976 NTIS AD-A055 171/3
159. Honeywell, Project Guardian (Final Report), ESD-TR-78-115, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, September 1977
160. Ikeda, Katsuo, Structure of a computer utility: anatomy of Multics, (in Japanese), 2nd ed, Shokoda Co Ltd, Tokyo, Japan, 1976
161. Iuorno, Normand, Rzepka, Kobziar, LaMonica, Douglas White, and McCauley, RADC/MULTICS evaluation, May 1971 RADC-TR-71-121
162. Janson, Phillipe A., Dynamic linking and environment initialization in a multi-domain process, ACM 5th Symposium on Operating System Principles, 1975

     As part of an effort to engineer a security kernel for Multics, the dynamic linker has been removed from the domain of the security kernel. The resulting implementation of the dynamic linking function requires minimal security kernel support and is consistent with the principle of least privilege. In the course of the project, the dynamic linker was found to implement not only a linking function, but also an environment initialization function for executing procedures. This report presents an analysis of dynamic linking and environment initialization in a multi-domain process, isolating three sets of functions requiring different sets of access privileges. A design based on this decomposition of the dynamic linking and environment initialization functions is presented.

163. Janson, P. A., Using Type-Extension to Organize Virtual-Memory Mechanisms, Operating Systems Review, Vol 15 #4 (October 1981) pages 6-38

     As part of an effort to engineer a security kernel for Multics, the dynamic linker has been removed from the domain of the security kernel. The resulting implementation of the dynamic linking function requires minimal security kernel support and is consistent with the principle of least privilege. In the course of the project, the dynamic linker was found to implement not only a linking function, but also an environment initialization function for executing procedures. This report presents an analysis of dynamic linking and environment initialization in a multi-domain process, isolating three sets of functions requiring different sets of access privileges. A design based on this decomposition of the dynamic linking and environment initialization functions is presented.

164. Janson, P. A., Dynamic linking and environment initialization in a multi-domain process, Proc. SOSP 75
165. Jarvis, J. E., The many faces of Multics, The Computer Journal, 1975; 18: 2-6
166. Johnson, Howard W., Report of the President 1969, Massachusetts Institute of Technology

     multiple references to Multics use at MIT

167. Johnson, Howard W., Report of the President for the Academic Year 1969-1970, Massachusetts Institute of Technology

     multiple references to Multics use at MIT

168. Jones, Malcolm M. et al., The SIMPL Primer, Oct 1971
169. Jones, Malcolm M., On-line simulation, ACM CSC-ER, Proc 22d National Conference, 1967

     An on-line simulation system allows both the user and the computer to cooperate and share the task of performing the simulation. It does this by providing facilities for the user to interact with the computer so that they may both play active roles in the simulation process as it is occurring. Thus, the user may perform some of the simulation functions himself and the computer performs the remaining ones. Alternately, the user may act only as a monitor and observe, verify and record data or modify and redirect the simulation when it strays erroneously from the desired path. A second feature of an on-line simulation system is that it may allow the actual phenomenon being simulated to become a part of the simulation.

170. Jordan, D. M., Multics Data Security, Scientific Honeyweller 2, 2, June 1981

     Later published as Honeywell GA01

171. Kalynycz, John, Jr., Handbook for Conversion of GCOS III Application Programs to the GCOS Environment Simulator of Multics, Rome Air Development Center, Air Force Systems Command, Griffis Air Force Base RADC-TR-77-241, DTIC ADA044939
172. Kanodia, R. K., Performance improvement in ARPANET file transfers from Multics, Nov 1974 RFC 662
173. Kaplow, Roy, David Schneider, Franklin C. Smith, and William R. Stensrud, Computer assistance for writing interactive programs: TICS, Proceedings of the 1973 annual ACM conference, August 1973

     In this paper, we describe an on-line and interactive programming system, TICS(1) (for Teacher-Interactive Computer System), which is aimed at facilitating the authoring of interactive computer programs. The system includes particular features for creating instructional software, and in that application it is intended for direct use by teachers or other persons whose expertise lies in the subject matter being addressed, but not necessarily in computer programming. To that purpose, the system provides a greater degree of computer-assistance for the authoring process itself than has been afforded in earlier languages and programming systems of similar orientation(2-5). TICS is implemented within the M. I. T. Multics time-sharing system (6) in two components: an author system and a delivery system. The former provides the tools for writing, investigating, editing, and trying out programs. The latter provides a special environment for student use of the programs.

174. Karger, Paul A., The Lattice Security Model In A Public Computing Network, ACM CSC-ER, Proc 1987 National Conference, December 1978

     This paper defines the lattice security model and shows it to be useful in private sector applications of decentralized computer networks. It examines discretionary security models and shows them to be inadequate to protect against 'Trojan Horse' attacks. It examines the management of large security lattices and proposes solutions to the proliferation of categories problem.

175. Karger, Paul A., and Roger R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol 2, Electronic Systems Division, USAF, June 1974 NTIS AD-A001 120/5

     A security evaluation of Multics for potential use as a two-level (Secret/Top Secret) system in the Air Force Data Services Center (AFDSC) is presented. An overview is provided of the present implementation of the Multics Security controls. The reports then details the results of a penetration exercise of Multics on the HIS 645 computer. In addition, preliminary results of a penetration excise of Multics on the new HIS 6180 computer are presented. The report concludes that Multics as implemented today is not certifiably secure and cannot be used in an open use multi-level system. However, the Multics security design principles are significantly better than other contemporary systems. Thus, Multics as implemented today, can be used in a benign Secret/Top Secret environment. In addition, Multics forms a base from which a certifiably secure open use multi-level system can be developed.

176. Karger, Paul A., New Methods for Immediate Revocation, in: Proc 1989 IEEE Symposium on Security and Privacy, Oakland, California, USA: IEEE Computer Society, pp 48-55, May, 1989
177. Karger, Paul A., An Implementation of XPL for Multics, SB thesis, June 1972, Massachusetts Institute of Technology: Cambridge, MA
178. Karger, Paul A., and Roger R. Schell, Thirty Years Later: Lessons from the Multics Security Evaluation, Proc ACSAC 2002 IBM Research Report RC22534.

     Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included addition of "Mandatory Access Controls" and these enhancements were greatly enabled by the fact the Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with well-motivated professional attacks employing subversion. The lessons learned from the vulnerability assessment are highly applicable today as governments and industry strive (unsuccessfully) to "secure" today's weaker operating systems through add-ons, "hardening", and intrusion detection schemes.

179. Karger, P. A., D. C. Toll, E. R. Palmer, S. K. McIntosh, S. M. Weber, and J. Edwards, Implementing a High-Assurance Smart-Card OS, Proc Financial Cryptography and Data Security 10 Lecture Notes in Computer Science Vol. 6052, Springer. p. 51-65.

     Building a high-assurance, secure operating system for memory constrained systems, such as smart cards, introduces many challenges. The increasing power of smart cards has made their use feasible in applications such as electronic passports, military and public sector identification cards, and cell-phone based financial and entertainment applications. Such applications require a secure environment, which can only be provided with sufficient hardware and a secure operating system. We argue that smart cards pose additional security challenges when compared to traditional computer platforms. We discuss our design for a secure smart card operating system, named Caernarvon, and show that it addresses these challenges, which include secure application download, protection of cryptographic functions from malicious applications, resolution of covert channels, and assurance of both security and data integrity in the face of arbitrary power losses. The paper is of interest to Multicians, because the Caernarvon operating system uses a clone of the Multics quota mechanism to control usage of the very limited amount of persistent memory on the smart card.

180. Karger, Paul Ashley, Improving Security and Performance for Capability Systems, PhD thesis, March 1988, Cambridge University

     This dissertation examines two major limitations of capability systems: an inability to support security policies that enforce confinement and a reputation for relatively poor performance when compared with non-capability systems.

181. King, Jane, and William A. Shelly, A Family History of Honeywell's Large-Scale Computer Systems, IEEE Annals of the History of Computing Vol. 19, No. 4, October/ December 1997.
182. Klensin, John Conrad, The Consistent System, Multics version: Handbook of programs and data, Massachusetts Institute of Technology, Laboratory of Architecture and Planning, 1978
183. Koch, R. D., TMPLOT -- Transverse Mercator Plot Program for Multics, U.S. Geological Survey (1980)
184. Kork, John O., Modifications of the IBM Personal Computer Asynchronous Communications Support programs for use with the Multics, U.S. Geological Survey, 1983
185. Lackey, R. D., Penetration of Computer Systems, an Overview, Honeywell Computer Journal 8, 2, 1974
186. Lahr, J. C., HYPOELLIPSE/MULTICS: A computer program for determining local earthquake hypocentral parameters, magnitude, and first-motion pattern, U.S. Geological Survey Open-File Report 80-59, 59 p.
187. Lahr, John C., SQUASH/MULTICS: A computer program to be used in conjunction with HYPOELLIPSE to generate an augmented phase data archive, U.S. Geological Survey, 1980
188. Landwehr, Carl E., The Best Available Technologies for Computer Security, IEEE Computer 16(7) pp.86-100, July 1983
189. Landwehr, Carl E., Alan R. Bull, John P. McDermott, and William S. Choi, A taxonomy of computer program security flaws, ACM Computing Surveys 26, 3, 211-254. Sept. 1994

     An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they ...

190. Lebrument, Chantal, The Inventions of Louis Pouzin: One of the Fathers of the Internet, Springer, 13 Dec 2019 ISBN 978-3030348359
191. Lee, J. A. N., The Rise and Fall of the General Electric Corporation Computer Department, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 24-45. 1995

     The computer department of the General Electric Corporation began with the winning of a single contract to provide a special purpose computer system to the Bank of America, and expanded to the development of a line of upward compatible machines in advance of the IBM System/360 and whose descendants still exist in 1995, to a highly successful time-sharing service, and to a process control business. Over the objections of the executive officers of the Company the computer department strived to become the number two in the industry, but after fifteen years, to the surprise of many in the industry, GE sold the operation and got out of the competition to concentrate on other products that had a faster turn around on investment and a well established first or second place in their industry. This paper looks at the history of the GE computer department and attempts to draw some conclusions regarding the reasons why this fifteen year venture was not more successful, while recognizing that there were successful aspects of the operation that could have balanced the books and provided necessary capital for a continued business.

192. Lee, J. A. N., and George E. Snively, The Rise and Sale of the General Electric Corporation Computer Department, IEEE Annals of the History of Computing April-June 2000 (vol. 22 no. 2) pp. 53-60.

     This article is a follow-up and extension of the first author's 1995 Annals article entitled, "The Rise and Fall of the General Electric Corporation Computer Department." It is divided into three parts: a study of the financial implications of rental versus sales in the larger GE environment, a collection of differing views with respect to the GE management paradigm and its effect on the Computer Department, and a set of corrections to the original article.

193. Lennington, R. K., and N. E. Marquina, Separability Study of Wheat and Small Grains, Lockheed Electronics JSC-14604, Nov 1978
194. Lipari, Charles A., An intelligent temperature monitor-control system for the University of Southwestern Louisiana Multics machine room, Thesis USL, 1978
195. Lipner, S. B., Computer security research and development requirements, MITRE Corp, Bedford MA, February 1973 MTP-142
196. Lipner, Steven B., A comment on the confinement problem, Proc 5th symposium on Operating systems principles, November 1975
197. Lipner, Steven B., The Birth and Death of the Orange Book, IEEE Annals of the History of Computing Vol. 37, No. 2: April-June 2015, pp. 19-31
198. Liu, I-Hsiung, Concepts and implementations of natural language query systems, Computer Science Department, University of Southwestern Louisiana, 1984

     The currently developed user language interfaces of information systems are generally intended for serious users. These interfaces commonly ignore potentially the largest user group, i.e., casual users. This project discusses the concepts and implementations of a natural query language system which satisfy the nature and information needs of casual users by allowing them to communicate with the system in the form of their native (natural) language. In addition, a framework for the development of such an interface is also introduced for the MADAM (Multics Approach to Data Access and Management) system at the University of Southwestern Louisiana.

199. Lively, Mark Beirne, Time aspects of paging on MULTICS., MIT thesis, 1971

     52 pages

200. Loepere, Keith, Resolving covert channels within a B2 class secure system, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985

     For a secure computer system in the B2, B3 and A1 classes (as defined by the DoD Trusted Computer System Evaluation Criteria), the problem of confining a process such that it may not transmit information in violation of the *-property is an analyzable and solvable problem. This paper examines the problem of covert channels and attempts to analyze and resolve them relative to satisfying the B2 security requirements. A novel solution developed for the Multics computer system for a class of covert channels is presented.

201. Loepere, Keith, The covert channel limiter revisited, ACM SIGOPS Operating Systems Review, Volume 23 Issue 2, April 1989

     In a previous article, I introduced the idea of a mechanism (the covert channel limiter) that would watch for the potential uses of covert channels and affect the responsible process (or process group) only when such potential uses exceeded the allowable bandwidth for covert channels. Recent work involving the design of the Opus operating system (target class B3) has refined and extended this idea. This paper extends the informal basis for the covert channel limiter and extends its possible utility.

202. Loome, James R., Mark L. Langberg, and Albert J. Thurmond, Wartime Manpower Programing System: Final Report, Management Systems Division, General Research Corporation, 1980 1063-03-80-CR
203. Lorho, Bernard, Semantic attributes processing in the system DELTA, Lecture Notes In Computer Science; Vol. 47, Symposium on Methods of Algorithmic Language Implementation, Springer-Verlag, London, UK, 1975 ISBN:3-540-08065-1
204. Lucas, Henry C., An on-line user information facility for the Multics-time-sharing system (Project MAC), Massachusetts Institute of Technology Project MAC (1967)

     textbookland.com lists the price for this report as 10 trillion dollars.

205. MacKenzie, Donald, and Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing Vol. 19, No. 3: JULY-SEPTEMBER 1997, pp. 41-59. Sept 1997

     A distinctive concern in the U.S. military for computer security dates from the emergence of time-sharing systems in the 1960s. This paper traces the subsequent development of the idea of a "security kernel" and of the mathematical modeling of security, focusing in particular on the paradigmatic Bell-La Padula model. The paper examines the connections between computer security and formal, deductive verification of the properties of computer systems. It goes on to discuss differences between the cultures of communications security and computer security, the bureaucratic turf war over security, and the emergence and impact of the Department of Defense's Trusted Computer System Evaluation Criteria (the so-called Orange Book), which effectively took its final form in 1983. The paper ends by outlining the fragmentation of computer security since the Orange Book was written.

206. MacKenzie, Donald, Mechanizing Proof: Computing, Risk, and Trust, MIT Press, Cambridge MA, January 30, 2004 ISBN: 9780262632959

     Most aspects of our private and social lives--our safety, the integrity of the financial system, the functioning of utilities and other services, and national security--now depend on computing. But how can we know that this computing is trustworthy? In Mechanizing Proof, Donald MacKenzie addresses this key issue by investigating the interrelations of computing, risk, and mathematical proof over the last half century from the perspectives of history and sociology. His discussion draws on the technical literature of computer science and artificial intelligence and on extensive interviews with participants.

207. Mainnikko, Sirkku, Multics in the computer world, Master's thesis in social anthropology
208. Margulies, Benson I., Security in a Multics environment, USA: Auerbach Publishers Inc. Honeywell Information Systems, 1985
209. Margulies, B I, An overview of Multics security, Proc 2nd IFIP international conference on Computer security, Dec 1984
210. Mark, Robert K., User oriented, interactive Multics computer programs to create grid cell, contour, and perspective maps using Surface Display Library, U.S. Geological Survey, 1981
211. Martin, Thomas Joseph, A performance analysis of the relational data management system, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1976. B.S., 1976
212. McCarthy, John, A time-sharing operator program for our projected IBM 709, M. I. T. Computation Center memo, 1959
213. McCarthy, John, Time-Sharing Computer Systems, in M. Greenberger (ed.). Management and the Computer of the Future, Cambridge, Mass.: The MIT Press, 1963, pp. 221-836
214. McCarthy, John, Reminiscences on the History of Time Sharing, 1983
215. McClure, R. M., TMG -- a syntax directed compiler, Proc 20th ACM National Conf, 262-274, 1965
216. McGee, R. C., My Adventures with Dwarfs: A Personal History in Mainframe Computers, Charles Babbage Institute, unpublished manuscript

     The book is a slice through the history of those mainframe machines as experienced by GE and Honeywell old timer Russ McGee, manager in Phoenix and creator of the VMM virtual machine monitor. Many interesting insights into the politics at LISD.

217. McGibbon, Thomas L., MULTICS Long Waveform Analysis System., Pattern Analysis and Recognition Corp Rome N Y, 551 pages, PAR-78-28, F30602-77-C-0090, RADC TR-78-218 NTIS ADA062111

     The objective of the research described in this report was the development and software implementation of a Long Waveform Analysis System (WAVES) on the Honeywell 6180 Computer System running under the MULTICS operating System. The currently operational WAVES System is an open-ended and flexible system for primary use in feature definition and extraction and, as such, serves as a front-end to the MULTICS version of OLPARS (On-Line Pattern Analysis and Recognition System). The development of computer-based interactive feature definition and pattern classification systems has been a continuing program at Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS, IFES (the Image Feature Extraction System), IDRS (the Interactive Digital Receiver Simulator System), and WPS (the Waveform Processing System). WAVES represents a furtherance of this continuing effort and a logical expansion and improvement of currently available waveform analysis and feature definition systems.

218. McRae, J. R., and W. Y. Svrcek, Honeywell Multics: an approach to simplify use of an interactive simulation language, Proceedings of the 1983 Summer Computer Simulation Conference, 1983, vol. 1, pp. 31-39

     The simulation of continuous systems, simulation languages in general and CSSLIV in particular are discussed briefly, followed by a description of the attempts made to create a more user friendly environment for the CSSLIV implementation on the Honeywell Multics system at the University of Calgary.

219. MacLaren, M. Donald, Exception handling in PL/I, ACM SIGOPS Operating Systems Review, 11, 2, April 1977

     The PL/I language's facilities for handling exceptional conditions are analyzed. The description is based on the new PL/I standard. Special attention is given to fine points which are not well known. The analysis is generally critical. It emphasizes problems in regards to implementation and structured programming. A few suggestions for future language design are offered.

220. Michalopoulos, D. A., Software Factory Backs Up Pulp and Paper Mill, IEEE Computer, Jan 1978

     Article in the "New Applications" column about Industrial Nucleonics.

221. Michelsen, Christie D., Joseph E. Urban, and Wayne D. Dominick, A methodology for the objective evaluation of the user/system interfaces of the MADAM system using software engineering principles, Proceedings of the 18th annual Southeast regional conference, Tallahassee, Florida, pp 103 - 109 ISBN:0-89791-014-1
222. Mills, R. G., Communications implications of the project MAC multiple-access computer system, 1965 IEEE International Convention Record. Pt. I, 237-241
223. Mills, R. G., Man-machine communication and problem solving, in Annual review of information science and technology, Vol. 2 (CUADRA, C. A., ED.), Wiley & Sons, New York, 1967
224. Misa, Thomas J., Computer Security Discourse at RAND, SDC, and NSA (1958-1970), IEEE Annals of the History of Computing Oct-Dec 2016

     The 1967 Spring Joint Computer Conference session organized by Willis Ware and the 1970 Ware Report are widely held by computer security practitioners and historians to have defined the field's origin. This article documents, describes, and assesses new evidence about two early multilevel access, time-sharing systems, SDC's Q-32 and NSA's RYE, and outlines its security-related consequences for both the 1967 SJCC session and 1970 Ware Report. Documentation comes from newly conducted Charles Babbage Institute oral histories, technical literature, archival documents, and recently declassified sources on National Security Agency computing. This evidence shows that early computer security emerged from the intersection of material, cultural, political, and social events and forces.

225. Montgomery, W. A., Measurements of Sharing in Multics, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977

     There are many good arguments for implementing information systems as distributed systems. These arguments depend on the extent to which interactions between machines in the distributed implementation can be minimized. Sharing among users of a computer utility is a type of interaction that may be difficult to provide in a distributed system. This paper defines a number of parameters that can be used to characterize such sharing. This paper reports measurements that were made on the M.I.T. Multics system in order to obtain estimates of the values of these parameters for that system. These estimates are upper bounds on the amount of sharing and show that although Multics was designed to provide active sharing among its users, very little sharing actually takes place. Most of the sharing that does take place is sharing of system programs, such as the compilers and editors.

226. Moon, David A., MacLISP Reference Manual, Revision 0, Project MAC, Massachusetts Institute of Technology, April 8, 1974

     From Herbert Stoyan Collection on LISP Programming, Lot Number X5687.2010

227. Moreau, Dennis, THE USL NASA PC R&D DEVELOPMENT ENVIRONMENT STANDARDS, Computer Science Department, University of Southwestern Louisiana, 1984
228. Morgan, D., The Multics System, IEEE Trans on Communications 21 10, Oct 1973, pp 1166-1167

     (A book review of Organick's book.) "The miracle is that it works and provides a level of service sufficient for customers of Honeywell to buy it and M.I.I users to use it. Nevertheless, there must be a better way to achieve an information utility than such a complex system as Multics."

229. Mullen, R. E., Automated merging of software modifications, Proc Honeywell Software Productivity Symposium, April 1977

     Parallel modification of software modules by different programming teams is an inherent problem of large scale system software efforts. In the Multics Project experiment and analysis have lead to the development of an interactive program, merge_ascii, which competently merges related texts.

230. Nandigam, Jagadeesh, EMT : an interactive expert system for Multics tuning, Thesis USL, 1987
231. NCSC staff, Department of Defense Trusted Computer System Evaluation Criteria, the "Orange Book", December 1983 DOD 5200.28-STD

     The trusted computer system evaluation criteria defined in this document classify systems into four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind: (a) to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information; (b) to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and (c) to provide a basis for specifying security requirements in acquisition specifications. Two types of requirements are delineated for secure processing: (a) specific security feature requirements and (b) assurance requirements. Some of the latter requirements enable evaluation personnel to determine if the required features are present and functioning as intended. The scope of these criteria is to be applied to the set of components comprising a trusted system, and is not necessarily to be applied to each system component individually. Hence, some components of a system may be completely untrusted, while others may be individually evaluated to a lower or higher evaluation class than the trusted product considered as a whole system. In trusted products at the high end of the range, the strength of the reference monitor is such that most of the components can be completely untrusted. Though the criteria are intended to be application-independent, the specific security feature requirements may have to be interpreted when applying the criteria to specific systems with their own functional requirements, applications or special environments (e.g., communications processors, process control computers, and embedded systems in general). The underlying assurance requirements can be applied across the entire spectrum of ADP system or application processing environments without special interpretation.

232. NCSC staff, Final Evaluation Report of Honeywell Multics MR 11.0, Evaluated Product Report, August 1985 CSC-EPL-85003

     The security protection provided by the Honeywell Multics MR 11.0 operating system, with the B2-specific changes applied, configured according to the most secure manner described in the Trusted Facility Manual, and running on the Honeywell Level 68/DPS or Honeywell DPS 8/70M multiprocessor has been evaluated by the National Computer Security Center (NCSC). The security features of Multics were evaluated against the requirements specified by the DoD Trusted Computer System Evaluation Criteria (the Criteria) dated 15 August 1983. (6MB PDF)

233. Neumann, P. G., The role of motherhood in the pop art of system programming, Proc Second ACM SOSP, October 1969

     Numerous papers and conference talks have recently been devoted to the affirmation or reaffirmation of various common-sense principles of computer program design and implementation, particularly with respect to operating systems ad to large subsystems such as language translators. These principles are nevertheless little observed in practice, often to the detriment of the resulting systems. This paper attempts to summarize the most significant principles, to evaluate their applicability in the real world of large multi-access systems, and to assess how they can be used more effectively.

234. Neumann, P. G., R. J. Feiertag, K. N, Levitt, and L. Robinson, Software Development and Proofs of Multi-Level Security, ICSE, 1976

     This paper summarizes current research at SRI aimed at developing secure operating systems and verifying certain critical properties of these systems. It is seen that proofs of design properties can be relatively straightforward when the design is specified in suitable formal specification language. These proofs demonstrate the correspondence between the desired properties and a specification of the system design. Various on-line tools aid considerably in this process. In addition, correctness proofs for implementations of such systems are now feasible, because of both various theoretical advances and the use of supporting tools.

235. National Research Council, System Security Study Committee, Computers at Risk: Safe Computing in the Information Age., Washington, DC: The National Academies Press, 1991
236. Oda, Kazuhiro, Recent Status of Multics at Project MAC (in Japanese), Computer Science Magazine bit Vol. 6, No. 1, January 1974, pages 51-56

     (755KB PDF)

237. Oke, Tom, Multics Through the Looking Glass, HLSUA Formu XXXI, October 1980

     This paper deals with some of the problems encountered at The University of Calgary during the tuning and optimization of system performance. It presents some of the characteristics to be found in both the scheduling system and the virtual memory environment of Multics, and attempts to put forward a heuristic model of system action to permit a tuner to improve performance.

238. Oldfield, Homer R., King of the Seven Dwarfs: General Electric's Ambiguous Challenge to the Computer Industry, IEEE Computer Society, May 1996 ISBN 0818673834
239. O'Neill, Judy E., 'Prestige Luster' and 'Snow-Balling Effects': IBM's Development of Computer Time-Sharing, IEEE Annals of the History of Computing Vol. 17, No. 2: Summer 1995, pp. 50-54. 1995

     In the middle 1960s IBM responded to pressure from its most prestigious customers to hasten the development and availability of computer time-sharing systems. When MIT and Bell Laboratories chose General Electric computers for their new time-sharing system, IBM management feared that the 'prestige luster' of these customers would lead other customers to demand the same capabilities and that there would be a 'snow-balling' effect as more customers rejected IBM computers. IBM worked on a time-sharing product and brought it to market by the end of the decade despite greater-than-expected costs. Meanwhile MIT, Bell Laboratories, and GE worked together on a new time-sharing system known as Multics. By examining IBM's role in and response to the development of time-sharing, this article illustrates the nontechnological criteria that even high-technology companies use to decide what products to develop and market.

240. Organick, E. I., The Multics System: An Examination of its Structure, M. I. T. Press, Cambridge MA, 1972 ISBN 0-262-15012-3

     Multics as it was in the 60s. Reprint available from M. I. T. Press.

     This volume provides an overview of the Multics system developed at M.I.T.--a time-shared, general purpose utility like system with third-generation software. The advantage that this new system has over its predecessors lies in its expanded capacity to manipulate and file information on several levels and to police and control access to data in its various files. On the invitation of M.I.T.'s Project MAC, Elliott Organick developed over a period of years an explanation of the workings, concepts, and mechanisms of the Multics system. This book is a result of that effort, and is approved by the Computer Systems Research Group of Project MAC.

     In keeping with his reputation as a writer able to explain technical ideas in the computer field clearly and precisely, the author develops an exceptionally lucid description of the Multics system, particularly in the area of "how it works." His stated purpose is to serve the expected needs of designers, and to help them "to gain confidence that they are really able to exploit the system fully, as they design increasingly larger programs and subsystems."

     The chapter sequence was planned to build an understanding of increasingly larger entities. From segments and the addressing of segments, the discussion extends to ways in which procedure segments may link dynamically to one another and to data segments. Subsequent chapters are devoted to how Multics provides for the solution of problems, the file system organization and services, and the segment management functions of the Multics file system and how the user may employ these facilities to advantage. Ultimately, the author builds a picture of the life of a process in coexistence with other processes, and suggests ways to model or construct subsystems that are far more complex than could be implemented using predecessor computer facilities.

     This volume is intended for the moderately well informed computer user accustomed to predecessor systems and familiar with some of the Multics overview literature. While not intended as a definitive work on this living, ever-changing system, the book nevertheless reflects Multics as it has been first implemented, and should reveal its flavor, structure and power for some time to come.

241. Ossanna, J. F., and J. H. Saltzer, Technical and human engineering problems in connecting terminals to a time-sharing system, AFIPS Conf Proc 37 (1970 FJCC), 355-362, 1970
242. Ossanna, J. F., L. Mikus, and S. D. Dunten, Communications and input-output switching in a multiplexed computing system, AFIPS Conf Proc 27, 231-242, 1965

     This paper discusses the general communications and input/output switching problems in a large-scale multiplexed computing system.

243. Padlipsky, M. A., New Multics network software features, Nov 1972 RFC 411
244. Padlipsky, M. A., Multics sampling timeout change, Feb 1973 RFC 450
245. Padlipsky, M. A., Two Solutions to a File Transfer Access Problem, June 1973 RFC 505
246. Padlipsky, M. A., NETED: A Common Editor for the ARPA Network, Oct 1973 RFC 569
247. Padlipsky, M. A., Multics address change, Nov 1973 RFC 590
248. Pandolf, MA, Implementing Forth for the Multics operating system, Journal of FORTH Application and Research archive Volume 3 , Issue 2 1986 proc 1985 Rochester Forth conference
249. Parks, Lee S., The Design and Implementation of a Multi-Programming Virtual Memory Operating System for a Mini-Computer, B.S. thesis MIT, May 1979

     Magic 6 was a paged, segmented, dynamic linked, operating system for the Interdata series of mini-computers inspired by Multics.

250. Pelkey, James, The History of Computer Communications, Associaton for Computing Machinery and Computer History Museum
251. Perron, Richard Theodore, Establishing a data channel between Multics and a communications processor., Thesis MIT, 1971

     36 pages

252. Peterson, John Raymond, Contour model in Multics, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1975. B.S.
253. Podlaska-Lando, S., Implementation and evaluation of interval arithmetic software: Report 2: The Honeywell MULTICS System, Technical report - U.S. Army Engineer Waterways Experiment Station, 1979 NTIS B0006X47Z0

     This is Report 2 of a series entitled Implementation and Evaluation of Interval Arithmetic Software. Interval arithmetic can be used to determine the precision of the arithmetic required to guarantee a given precision in the results of an algorithm. In general, whether using interval or regular arithmetic, the greater the precision the longer the run time required for a given algorithm. A 56 decimal digit version of the original MULTICS interval package was implemented on the MULTICS system. It is concluded that the use of single precision and 56 decimal digit extended precision interval arithmetic can, at times, be extremely useful. The testing showed that, when using the 56 decimal digit data type, much better bounds were obtained for the results than when using the single precision interval data type.

254. Powell, Kit, Evolution of networks using standard protocols, Computer Communications, Volume 3, Issue 3, July 1980, Pages 117-122 doi:10.1016/0140-3664(80)90069-9

     The UK South West Universities Computer Network (SWUCN) was implemented on a homogenous set of computers, before the emergence of accepted standard protocols for networking. The paper outlines problems of evolving from this network to a heterogeneous one, in which standard protocols are used. A particular application of the strategy involved is described that includes the implementation of a network connection using the X.25 Recommendation on the Honeywell Multics system.

255. Pozzo, M. M., Life Cycle Assurance for Trusted Computer Systems: a Configuration Management Strategy for Multics, 7th DOD/NBS Computer Security Conf, September 1984
256. Proctor, A. H., J. E. Roach, and M. H. Fick, RADC Seismic Classifier Design, Rome Air Development Center Griffiss Afb N Y, 1973

     The report describes the design and evaluation of seismic classifiers for distinguishing among humans, heavy trucks, armored personnel carriers, helicopters, and C-131 aircraft. The data used to develop these classifiers consisted of many digitized seismometer responses to each of the intrusion targets and was collected by the Sensor Development Section of the Surveillance and Control Division at the West Lee Test Site. The Interactive Processing Section of the Information Sciences Division analyzed this waveform data and extracted an initial set of 48 features. The on-line pattern analysis and recognition system (OLPARS) was then used to develop several seismic classifier designs which are based on different subsets of the initial 48 features.

257. Pugh, Emerson et al., IBMs 360 and early 370 systems, no date
258. Radin, George, The early history and characteristics of PL/I, August 1978 SIGPLAN Notices , Volume 13 Issue 8

     Source material for a written history of PL/I has been preserved and is available in dozens of cartons, each packed with memos, evaluations, language control logs, etc. A remembered history of PL/I is retrievable by listening to as many people, each of whom was deeply involved in one aspect of its progress. This paper is an attempt to gather together and evaluate what I and some associates could read and recall in a few months. There is enough material left for several dissertations. The exercise is important, I think, not only because of the importance of PL/I, but because of the breadth of its subject matter. Since PL/I took as its scope of applicability virtually all of programming, the dialogues about its various parts encompass a minor history of computer science in the middle sixties. There are debates among numerical analysts about arithmetic, among language experts about syntax, name scope, block structure, etc., among systems programmers about multi-tasking, exception handling, I/O, and more.

259. Ramprasad, B. S., A design and implementation of a hierarchical data store as a front end to Multics relational data store, Computer Science, University of Calgary, 1980

     114 pages

260. Rao, T. R., V. V. Ramanamurthy, and Abbas Youssefi, A UNIFIED DATA FLOW MODEL FOR FAULT TOLERANT COMPUTERS: Final Report, Computer Science Department, University of Southwestern Louisiana, 1984
261. Rautenberg, Lee Howard, A data communications tutorial and a MULTICS-minicomputer program transfer operating system., MIT thesis, 1972

     87 pages

262. Reynolds, G. E., Multics Security Evaluation. Volume IV. Exemplary Performance Under Demanding Workload, Electronic Systems Div Hanscom AFB Mass November, 1976 NTIS AD-A038 231/7
263. Ritchie, D. M., The evolution of the UNIX time-sharing system, Bell System Technical Journal 63, 8, Oct 1984

     This paper presents a brief history of the early development of the Unix operating system. It concentrates on the evolution of the file system, the process-control mechanism, and the idea of pipelined commands. Some attention is paid to social conditions during the development of the system.

264. Ritchie, D. M., The development of the C language, ACM SIGPLAN Notices 28, 3, 201-208 (ACM HOPL-II Conf), March 1993

     The C programming language was devised in the early 1970s as a system implementation language for the nascent Unix operating system. Derived from the typeless language BCPL, it evolved a type structure; created on a tiny machine as a tool to improve a meager programming environment, it has become one of the dominant languages of today. This paper studies its evolution.

265. Rubin, Paul E., and Jon Franklin Buser, Development of an Expert System Environment for use with a War Gaming System, Proceedings of the Society for Computer Simulation Multi-Conference on Artificial Intelligence and Simulation, February 1988

     This paper discusses the overall architecture of Tactical Control Directives (TCD). TCDs were a system extension to the Enhanced Naval Warfare Gaming System (ENWGS). They were a forward chaining rule-based language and runtime environment that allowed users to construct and execute simulations of complex naval doctrine. They differed significantly from other rule-based environments of the time in that rules could be triggered by a combination data conditions and real-time events.

266. Rus, T., Data Structures and Operating Systems, John Wiley & Sons, Chichester, 1979
267. Sabonnadiere, J., G. Meunier, and B. Morel, FLUX: A general interactive finite elements package for 2D electromagnetic fields, IEEE Trans on Magnetics 18, 2, Mar 1982, pp 624-626

     Achievement of finite element methods leads nowadays to the development of general purpose packages. FLUX, developed by the Laboratoire d'Electrotechnique de l'Institut National Polytechnique de Grenoble is an interactive system in which graphic facilities are combined with a convenient command language to allow a high level of conversational use. FLUX is made of three independent programs : a pre-processor : ENTREE for geometrical, physical and finite element descriptions of the model, the computation processor RESOL in which equations occurring from finite elements are solved, and, finally EXPLOI, the post-processor for flux plots, field visualisation, forces and torques. FLUX is implemented under the conversational system MULTICS on the HB68 computer of the Centre Inter-universitaire de Calcul de Grenoble. It is available in France through TRANSRAC, the french computer network, and in all western EUROPE through EURONET.

268. Saltzer, J. H., A simple linear model of demand paging performance, Commun. ACM 17, 4, April, 1974. Project MAC memo M0131, November 1972

     Predicting the performance of a proposed automatically managed multilevel memory system requires a model of the patterns by which programs refer to the information stored in the memory. Some recent experimental measurements on the Multics virtual memory suggest that, for rough approximations, a remarkably simple program reference model will suffice. The simple model combines the effect of the information reference pattern with the effect of the automatic management algorithm to produce a ...

269. Saltzer, J. H., Considerations in the Choice of Typewriter Terminals for Use With Multics, draft MIT memo
270. Saltzer, J. H., and J. F. Ossanna, Remote terminal character stream processing in Multics, AFIPS Conf Proc 36 (1970 SJCC), 621-627, 1970 Project MAC memo M0121, March 1970

     This paper describes system design and human engineering considerations pertinent to the processing of the character stream between a remote terminal and a general-purpose, interactive computer system. The Multics system is used to provide examples of: terminal escape conventions which permit input of a full character set from a limited terminal, single character editing for minor typing mistakes, and reformatting of input text to produce a canonical stored form. A formal description of the Multics canonical form for stored character strings appears in an appendix.

271. Saltzer, J. H., and J. W. Gintell, The instrumentation of Multics, Commun. ACM 13, No. 8, 495-500, August 1970

     An array of measuring tools devised to aid in the implementation of a prototype computer utility is discussed. These tools include special hardware clocks and data channels, general purpose programmed probing and recording tools, and specialized measurement facilities. Some particular measurements of interest in a system which combines demand paging with multiprogramming are described in detail. Where appropriate, insight into effectiveness (or lack thereof) of individual tools is provided.

272. Saltzer, J. H., Some Observations about Decentralization of File Systems, IEEE COMPCON, pages 163-164, September 1971 Multics repository document M0128, May 1971

     An array of measuring tools devised to aid in the implementation of a prototype computer utility is discussed. These tools include special hardware clocks and data channels, general purpose programmed probing and recording tools, and specialized measurement facilities. Some particular measurements of interest in a system which combines demand paging with multiprogramming are described in detail. Where appropriate, insight into effectiveness (or lack thereof) of individual tools is provided.

273. Saltzer, J. H., List of Multics Security Holes, revision 5, Internal MIT memo
274. Saltzer, J. H., and D. H. Hunt, List of Multics Security Holes, revision 6, Internal MIT memo
275. Saltzer, J. H., Protection and the control of information sharing in the Multics system, Commun. ACM 17, 7, July 1974 also https://portal.acm.org/citation.cfm?doid=361011.361067

     The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.

276. Saltzer, J. H., and M. D. Schroeder, The protection of information in computer systems, Proceedings of the IEEE. Vol. 63, No. 9 (September 1975), pp. 1278-1308

     This seminal paper collected and established many the of the fundamental principles and terms used in computer security over the last three decades. In addition to the eight "Saltzer/Schroeder Design Principles" and other basic principles of information protection in section 1, it provides an overview of descriptor-based protection systems in section 2, and surveys the state of the art in section 3. Although the paper dates from 1974, most of it is still highly relevant to systems being designed today.

     ABSTRACT: This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures--whether hardware or software--that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysis of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading.

277. Saltzer, J. H., Ongoing research and development on information protection, ACM Operating Systems Review 8, 3, pp. 8-24, July, 1974
278. Saltzer, J. H., Naming and binding of objects, in R. Bayer, R. M. Graham, and G. Seegmuller (eds.), Operating Systems: An Advanced Course, Springer Verlag, New York, 1979, pp. 99-208. [Appendix A: Case Study of Naming in Multics, pp. 193-208.] 1979
279. Saltzer, J. H., On the modeling of paging algorithms, ACM Forum, Commun. ACM 19, 5, May 1976
280. Saltzer, J. H., Technical possibilities and problems in protecting data in computer systems, in Dierstein et al., eds, Datenschutz und Datensicherung, J. P. Bachem Verlag, Cologne, 1976
281. Saltzer, Jerome H., and M. Frans Kaashoek, Principles of Computer System Design, Part II, MIT Open Courseware, 2009
282. Saltzer, Jerome H., Memorial tribute for Corby, National Academy of Engineering Memorial Tributes Volume 26
283. Salus, Peter H., A Quarter Century of UNIX, Addison Wesley, 1994
284. Sawatzky, Don L., REMAPP Multics programmer's guide, Open-file report / U.S. Department of the Interior, Geological Survey, 1980
285. Schaefer, Marvin, If A1 is the Answer, What was the Question? An Edgy Naïf's Retrospective on Promulgating the Trusted Computer Systems Evaluation Criteria, Proceedings of the 20th Annual Computer Security Applications Conference, 2004

     This paper provides an introspective retrospective on the history and development of the United States Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Known to many as the Orange Book, the TCSEC contained a distillation of what many researchers considered to be the soundest proven principles and practices for achieving graded degrees of sensitive information protection on multiuser computing systems. While its seven stated evaluation classes were explicitly directed to standalone computer systems, many of its authors contended that its principles would stand as adequate guidance for the design, implementation, assurance, evaluation and certification of other classes of computing applications including database management systems and networks. The account is a personal reminiscence of the author, and concludes with a subjective assessment of the TCSEC's validity in the face of its successor evaluation criteria.

286. Scheffler, Lee J., Optimal folding of a paging drum in a three level memory system, Proceedings of the fourth symposium on Operating system principles, January 1973

     This paper describes a drum space allocation and accessing strategy called "folding", whereby effective drum storage capacity can be traded off for reduced drum page fetch time. A model for the "folded drum" is developed and an expression is derived for the mean page fetch time of the drum as a function of the degree of folding. In a hypothetical three-level memory system of primary (directly addressable), drum, and tertiary (usually disk) memories, the tradeoffs among drum storage capacity, drum page fetch time, and page fetch traffic to tertiary memory are explored. An expression is derived for the mean page fetch time of the combined drum-tertiary memory system as a function of the degree of folding. Measurements of the MULTICS three-level memory system are presented as examples of improving multi-level memory performance through drum folding. A methodology is suggested for choosing the degree of folding most appropriate to a particular memory configuration.

287. Schell, R. R., Effectiveness -- the Reason for a Security Kernel, Proceedings of the National Computer Conference, 1974, pp. 975-976. 1974
288. Schell, Roger R., Peter J. Downey, and Gerald J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, The MITRE Corporation, Bedford, MA 01730 (Jan. 1973) MCI-73-1

     The military has a heavy responsibility for protection of information in its shared computer systems. The military must insure the security of its computer systems before they are put into operational use. That is, the security must be "certified", since once military information is lost it is irretrievable and there are no legal remedies for redress. Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware. We primarily need an effective means for enforcing very simple protection relationships, (e.g., user clearance level must be greater than or equal to the classification level of accessed information); however, we do not require solutions to some of the more complex protection problems such as mutually suspicious processes. Based on the work of people like Butler Lampson we have espoused three design principles as a basis for adequate security controls:

     1. Complete Mediation -- The system must provide complete mediation of information references, i.e., must interpose itself between any reference to sensitive data and accession of that data. All references must be validated by those portions of the system hardware and software responsible for security.
     2. Isolation -- These valid operators, a "security kernel," must be an isolated, tamper-proof component of the system. This kernel must provide a unique, protected identity for each user who generates references, and must protect the reference-validating algorithms.
     3. Simplicity -- The security kernel must be simple enough for effective certification. The demonstrably complete logical design should be implemented as a small set of simple primitive operations and system database structures that can be shown to be correct.

     These three principles are central to the understanding of the deficiencies of present systems and provide a basis for critical examination of protection mechanisms and a method for insuring a system is secure. It is our firm belief that by applying these principles we can have secure shared systems in the next few years.

289. Schell, Roger R., Evaluating Security Properties of Computer Systems, IEEE Symposium on Security and Privacy 1983

     The Department of Defense has recently published Trusted Computer System Evaluation Criteria that provide the basis for evaluating the effectiveness of security controls built into computer systems. This paper summarizes basic security requirements and the technical criteria that are used to classify systems into eight hierarchical classes of enhanced security protection. These criteria are used in specifying security requirements during acquisition, guiding the design and development of trusted systems and evaluating systems used to process sensitive information.

290. Schell, Roger R., Information Security: Science, Pseudoscience, and Flying Pigs, Proceedings 17th Annual Computer Security Applications Conference, 2001, pp 205-216 DOI 10.1109/ACSAC.2001.991537

     The state of the science of information security is astonishingly rich with solutions and tools to incrementally and selectively solve hard problems. In contrast, the state of the actual application of science, and the general knowledge and understanding of existing science, is lamentably poor. Still we face a dramatically growing dependence on information technology, e.g., the Internet, that attracts a steadily emerging threat of well-planned, coordinated hostile attacks. A series of hard-won scientific advances gives us the ability to field systems having verifiable protection, and an understanding of how to powerfully leverage verifiable protection to meet pressing system security needs. Yet, we as a community lack the discipline, tenacity and will to do the hard work to effectively deploy such systems. Instead, we pursue pseudoscience and flying pigs. In summary, the state of science in computer and network security is strong, but it suffers unconscionable neglect.

291. Schell, Roger R., Cyber Defense Triad for Where Security Matters, Communications of the ACM, Vol. 59 No. 11, Pages 20-23, Nov 2016

     In the early days of computers, security was easily provided by physical isolation of machines dedicated to security domains. Today's systems need high-assurance controlled sharing of resources, code, and data across domains in order to build practical systems. Current approaches to cyber security are more focused on saving money or developing elegant technical solutions than on working and protecting lives and property. They largely lack the scientific or engineering rigor needed for a trustworthy system to defend the security of networked computers in three dimensions at the same time: mandatory access control (MAC) policy, protection against subversion, and verifiability--what I call a defense triad. Fifty years ago the U.S. military recognized subversion as the most serious threat to security. Solutions such as cleared developers and technical development processes were neither scalable nor sustainable for advancing computer technology and growing threats. In a 1972 workshop, I proposed "a compact security 'kernel' of the operating system and supporting hardware--such that an antagonist could provide the remainder of the system without compromising the protection provided." I concluded: "We are confident that from the standpoint of technology there is a good chance for secure shared systems in the next few years. However, from a practical standpoint the security problem will remain as long as manufacturers remain committed to current system architectures, produced without a firm requirement for security. As long as there is support for ad hoc fixes and security packages for these inadequate designs, and as long as the illusory results of penetration teams are accepted as a demonstration of computer system security, proper security will not be a reality."

292. Schiller, W. L., K. J. Biba, and E. L. Burke, A preliminary specification of a Multics security kernel, MITRE Corp, Bedford MA, April 1975 WP-20119
293. Schiller, W. L., Design and Abstract Specification of a Multics Security Kernel, MITRE Corp Bedford MA, 1977 NTIS AD-048 576
294. Schiller, W. L. et al., Top level specification of a Multics security kernel, MITRE Corp, Bedford MA, July 1976 WP-20810
295. Schiller, W. L., Preliminary Specification of the Answering Service, Multics design note 33, MITRE Corp, Bedford MA, 1976
296. Schroeder, M. D., and J. H. Saltzer, A hardware architecture for implementing protection rings, Proc ACM Third SOSP, 42-54, October 1971. Commun. ACM 15, 3, pp.157-170, March 1972 also repository M0126

     Protection of computations and information is an important aspect of a computer utility. In a system which uses segmentation as a memory addressing scheme, protection can be achieved in part by associating concentric rings of decreasing access privilege with a computation. This paper describes hardware processor mechanisms for implementing these rings of protection. The mechanisms allow cross-ring calls and subsequent returns to occur without trapping to the supervisor. Automatic hardware ...

297. Schroeder, M. D., Engineering a security kernel for Multics, ACM Operating Systems Review 9, 5, pp. 25-32, Proc ACM 5th SOSP, November, 1975

     This paper describes a research project to engineer a security kernel for Multics, a general-purpose, remotely accessed, multiuser computer system. The goals are to identify the minimum mechanism that must be correct to guarantee computer enforcement of desired constraints on information access, to simplify the structure of that minimum mechanism to make verification of correctness by auditing possible, and to demonstrate by test implementation that the security kernel so developed is capable of supporting the functionality of Multics completely and efficiently. The paper presents the overall viewpoint and plan for the project and discusses initial strategies being employed to define and structure the security kernel.

298. Schroeder, M. D., Performance of the GE-645 associative memory while Multics is in operation, Proc ACM SIGOPS Workshop on System Performance Evaluation, Harvard, April 1971

     The Multiplexed Information and Computing Service (Multics) of Project MAC at M.I.T. runs on a General Electric 645 computer system. The processors of this hardware system contain logic for both paging and segmentation of addressable memory. They directly accept two-part addresses of the form (segment number, word number) which they translate into absolute memory addresses through a series of indexed table lookups. To speed this address translation each processor contains a small, fast associative memory which remembers the most recently used address translation table entries. This paper reports the results of performance measurements on this associative memory. The measurements were made by attaching an electronic counter directly to a processor while Multics was in operation, and were taken for several associative memory sizes. The measurements show that for the observed load 16 associative registers are enough.

299. Schroeder, M. D., D. D. Clark, and J. H. Saltzer, The Multics kernel design project, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977 MIT LCS CSR-RFC-140

     We describe a plan to create an auditable version of Multics. The engineering experiments of that plan are now complete. Type extension as a design discipline has been demonstrated feasible, even for the internal workings of an operating system, where many subtle intermodule dependencies were discovered and controlled. Insight was gained into several tradeoffs between kernel complexity and user semantics. The performance and size effects of this work are encouraging. We conclude that ...

300. Sebring, Michael M., Eric W. Shellhouse, Mary E. Hanna, and R. Alan Whitehurst, Expert Systems in Intrusion Detection: A Case Study, Proc 11th NCSC, Baltimore, USA: NBS/NCSC: pp.74-81, October 17, 1988

     Describes MIDAS (Multics Intrusion Detection and Alerting System).

301. Sekino, A., Response time distribution of multiprogrammed time-shared computing systems, Sixth Annual Princeton Conf on Information Sciences and Systems, Princeton, March 1972
302. Sekino, A., Throughput analysis of multiprogrammed virtual-memory computer systems, Proceedings of the 1973 ACM SIGME symposium

     A model of paging behavior of programs under multiprogramming and a model of dual processor multi-memory processing system with virtual memory are developed. Combining these two models, it is possible to evaluate the throughput of multiprogrammed virtual-memory computer systems realistically. Numerical results obtained by these models are then compared with the measurement data of the Multics system of M.I.T. Finally, the effect of multiprogramming and sharing upon a system's throughput is numerically evaluated.

303. Selwyn, Lee L., Computer resource accounting in a time sharing environment, AFIPS Conference Proceedings 36 (1970 Spring Joint Computer Conference), pages 119-130
304. Shafer, Fred J., Multilevel Computer Security Requirements of the World Wide Military Command and Control System (WWMCCS), LCD-78-106, April 5, 1978

     The World Wide Military Command and Control System (WWMCCS) is a composite of military command facilities, communications, warning systems, and computers located throughout the world to support military command and control activities. A followup review was conducted to determine whether the multilevel computer security requirements of WWMCCS were being properly provided for by the Department of Defense (DOD) and if Air Force efforts to solve this problem had been properly considered by DOD. At the time of the review, WWMCCS officials had not endorsed or supported Air Force efforts on multilevel computer security even though the Air Force had demonstrated a potential for resolving the shortcomings of WWMCCS software. However, the Air Force terminated its efforts to develop multilevel computer security because of insufficient financing. The Departments of the Army and Navy also have a need for multilevel security in their computerized systems and had been waiting for the developed capability by the Air Force. The apparent need for a multilevel security system and the lack of a concentrated effort to meet it, as well as cancellation of the Air Force program which showed promise of meeting this need, resulted from a lack of centralized responsibility and authority for development of a multilevel system. An office within the Office of the Secretary of Defense should be given budget authority and responsibility for: control of all computer security research and development in DOD; review and approval of computer security requirements for all three services; review and approval of all computer security specifications, methodologies, and procurements; and review and approval of all long-range plans for WWMCCS and the services.

305. Shapiro, Jonathan, Extracting the Lessons of Multics, Response to Keynote Address, UNIX Security Symposium ;LOGIN: VOL. 29, NO. 6

     It seems fitting to try to answer the question Boebert posed in his talk: What can we learn from the past? Why did Multics fail?

306. Sibert, Olin, mxload - Read Multics Backup Tapes, HLSUA FORUM, 1988
307. Sibert, W. Olin, and Robert W. Baldwin, The Multics encipher_ Algorithm, Cryptologia, Volume 31, Issue 4 October 2007, pages 292 - 304 $48 download

     A fast software block encryption algorithm with a 72-bit key was written by (then) Major Roger R. Schell (United States Air Force) in April 1973 and released as part of the source code for the Multics operating system. The design of the Multics encipher_ algorithm includes features such as variable data-dependent rotations that were not published until the 1990s - 20 years after the Multics cipher. This article describes the history and details of the Multics encipher_algorithm and how it was used for Key Generation, File Encryption, and Password Hashing. A cryptographic analysis of the algorithm has not been performed, although similarities are noted with algorithms such as XTEA, SEAL, and RC5.

308. Spafford, Eugene H., UNIX and Security: The Influences of History, Information Systems Security. Auerbach Publications. 4-3. 1995

     Unix has a reputation as an operating system that is difficult to secure. This reputation is largely unfounded. Instead, the blame lies partially with the traditional use of Unix and partially with the poor security consciousness of its users. Unix's reputation as a nonsecure operating system comes not from design flaws but from practice. For its first 15 years, Unix was used primarily in academic and computer industrial environments --- two places where computer security has not been a priority until recently. Users in these environments often configured their systems with lax security, and even developed philosophies that viewed security as something to avoid. Because they cater to this community, (and hire from it) many Unix vendors have been slow to incorporate stringent security mechanisms into their systems. This paper describes how the history and development of Unix can be viewed as the source of many serious problems. Some suggestions are made of approaches to help increase the security of your system, and of the Unix community.

309. Speckman, Wendy S., Multics STATPAC user handbook: Part 2, a guide with examples to basic statistical programs and more advanced general operation, U.S. Geological Survey, 1983
310. Spicer, Robert A., MAGIC, computer programs for paleontologists available on MULTICS, Reports-Open file series - United States Geological Survey, 1980
311. Spier, M. J., and E. I. Organick, The Multics inter-process communication facility, Proc ACM Second SOSP, 83-91, October 1969

     Essential to any multi-process computer system is some mechanism to enable coexisting processes to communicate with one another. The basic inter-process communication (IPC) mechanism is the exchange of messages among independent processes in a commonly accessible data base and in accordance with some pre-arranged convention.By introducing several system wide conventions for initiating communication, and by utilizing the Traffic Controller it is possible to expand the basic IPC mechanism into a general purpose IPC facility. The Multics IPC facility is an extension of the central supervisor which assumes the burden of managing the shared data base and of respecting the IPC conventions, thus providing a simple and easy way for the programmer to use the interface.

312. Spratt, Lindsey L., The transaction resolution journal: extending the before journal, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985
313. Stachour, Paul, and David Collier-Brown, You Don!t Know Jack About Software Maintenance, Communications of the ACM, Vol. 52 No. 11, Pages 54-58, Nov 2009

     Long considered an afterthought, software maintenance is easiest and most effective when built into a system from the ground up.

314. Stamen, Jeffrey P., and Robert M. Wallace, Janus: a data management and analysis system for the behavioral sciences, ACM CSC-ER, Proc 1973 national conference, 1973

     This paper describes the Janus data management and analysis system which has been designed at the Cambridge Project. A prototype of Janus is currently running on the Multics time-sharing system at M.I.T. The data model for the design of Janus is very general and should be usable as a model for data handling in general, as well as for Janus in particular. The Janus command language is an English-like language based on procedural functions - such as define, display, and delete - which act on logical objects from the data model, such as datasets, attributes and entities. For example, delete-attribute, define-attribute and define-dataset are all commands. The implementation of Janus is interesting for a number of reasons: it runs on the Multics system which has segmented and paged memory; it is based almost entirely on datasets (tables), which describe each other as well as themselves; and it is organized in a functionally modular way that is often talked about, but less often done.

315. Stanke, Edward C., II, An Associative Processor Study, The RADCAP Project, Rept. for 1 Sep 72-30 Nov 76, Rome Air Development Center, Griffiss AFB N Y, Feb 1978 DTIC ADA052717

     The underlying objective of the Rome Air Development Center Associative Processor (RADCAP) Project is to investigate solutions to data processing problems which strain conventional approaches due to high data rates and heavy processing requirements. One group of data processing functions, those inherent in the USAF Airborne Warning and Control System (AWACS, now called the E-3A), have been chosen as being representative of this class of problems. This report describes the results of a five-year project which involved the implementation of the AWACS functions on the RADCAP testbed system which consists of a STARAN S-1000P associative processor interfaced to a Honeywell Information Systems 645-MULTICS computer (later upgraded to a HIS 6180). Based on these results, the key characteristics of an associative processor to handle this type of problem are identified and some general conclusions as to the applicability of associative/parallel processing to real-world, real-time processing problems are drawn. The report also makes some general statements concerning the future of associative/parallel processing.

316. Stein, Arthur, Processor and memory allocation in multics and TSS, Thesis (M.B.A.)--Bernard M. Baruch College, 1977
317. Stern, J. A., Multics Security Kernel Top Level Specification, ESD-TR-76-368, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, November 1976 NTIS AD-A060 000/7

     Air Force Systems Command terminated the effort which this document describes before the effort reached its logical conclusion. This report is incomplete but was published in the interest of capturing and disseminating the computer security technology that was available at the time of the termination.

318. Stern, J. A., Discretionary Access Control, memo, 15 March 1976
319. Steuert, James, and Jay Goldman, The relational data management system: A perspective, SIGFIDET 1974: Proceedings of the 1974 ACM SIGFIDET (now SIGMOD) workshop on Data description, access and control

     In this paper, the functional capabilities and economic features of the Relational Data Management System (RDMS) are discussed. RDMS is a generalized on-line data management system written in PL/1 for the Multics operating system. The basic concepts of RDMS are introduced and the similarities between the conventional file concept and the relation concept are discussed. A data-base is shown to be a set of relations. By generalizing the concept of field to be a property of the data-base, and by labeling relations with the names of their columns (fields), relations of a data-base may be implicitly linked by virtue of having a common column or field name (the dataclass name). On-line commands for operations on two such relations which yield a third result relation are illustrated. Other facilities of RDMS, such as computational, report-generation, and query-report packages are discussed. In RDMS, the relation concept is implemented as a matrix of reference numbers which refer to character string datums which are stored elsewhere in distinct dataclass files. In addition to significant storage savings, this allows a single representation-independent logical interface to the storage and access of character string data. RDMS was developed from graduate work done at M.I.T. by L. A. Kraning and A. I. Fillat in 1970 and is now being used by the administrative departments at M.I.T.

320. Strachey, Christopher, Time-sharing in large fast computers, Proc Int. Conf on Info Processing, UNESCO, June, 1959, 336-341
321. Tagg, A. G., Speculations on the evolution of an architecture, ACM SIGARCH Computer Architecture News, Volume 13, Issue 2, June 1985
322. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part I. (Description) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 200 pages, F19628-76-C-0197, ESD TR-78-127-VOL-1 NTIS ADA054096

     This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). The purpose of the tool is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirements Analyzer (URA) which can operate in an interactive computer environment. This report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer.

323. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part II. (Reference) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 450 pages, F19628-76-C-0197 ESD TR-78-127-VOL-2

     This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). Its purpose is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirement Analyzer (URA) which can operate in an interactive computer environment. In parts I and II, this report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer. This manual describes the User Requirements Language (URL) to be used with Version 3.2 of the User Requirements Analyzer (URA). Part I gives a detailed description of the URL statements available and their use. Part II is a reference manual which gives the proper syntax for each statement.

324. Triantafyllopoulos, Spiros, A PERFORMANCE EVALUATION OF THE IBM 370/XT PERSONAL COMPUTER, Computer Science Department, University of Southwestern Louisiana, 1984
325. Turner, Richard, An interactive simulator for MATHILDA-RIKKE on multics: Concept, design and implementation, Computer Science Dept., University of Southwestern, Louisiana, 1977
326. US Deputy Assistant Secretary of Defense, Wartime Manpower Planning System ADP System Users Manual, DoD 1100-19-M, March 1987
327. US Department of Defense, Computer Security Evaluation Center, DoD Directive 5215.1, October 25, 1982

     This Directive establishes the DoD Computer Security Evaluation Center (CSEC), provides policy, and assigns responsibilities for the technical evaluation of computer system and network security, and related technical research.

328. Van Vleck, T. H., An example of industry-university cooperation: Multics, Proc IRIA Tenth Anniversary Conf, Paris, June 1978
329. Van Vleck, T. H., and C. T. Clingen, Implementation of security concepts in a large-scale operating system, Proc Honeywell Security Symposium, Monaco, December 1980
330. Van Vleck, T. H., and C. T. Clingen, The Multics system programming process, Proc IEEE COMPCON 78, Atlanta, May 1978

     Reprinted in IEEE Tutorial on Software Maintenance, 1981. Features of the Multics system programming process lead to high programmer productivity with a small programming staff and a finished system with high software reliability. Other workers' predictions of increasing difficulty of system maintenance with time have not been observed; reasons for this are suggested.

331. Van Vleck, T. H., Control of access to computer system resources, Proc IEEE COMPCON 74, San Francisco, February 1974
332. Van Vleck, T. H., The administration and management of Multics, Project MAC Multics Symposium, January 1971
333. Van Vleck, Tom, Electronic Mail and Text Messaging in CTSS, 1965-1973, IEEE Annals of the History of Computing Vol. 34, No. 1: January-March 2012, pp. 4-6 DOI 10.1109/MAHC.2012.6

     My colleague Noel Morris and I implemented both an electronic mail command and a text messaging facility for the Massachusetts Institute of Technology's Compatible Time-Sharing System (CTSS) in 1965.

334. Van Vleck, Tom, Celebrating the 50th Anniversary of MIT Project MAC, IEEE Annals of the History of Computing Vol. 36, No. 4: Oct-Dec 2014, pp. 3-5
335. Vestal, Stanley Curtis, Diane Anderson, and Henry Nirsberger, GCOS/Multics File Transfer Facility, Honeywell Information Systems Inc Minneapolis Minn, 440 pages, F30602-73-C-0327, RADC TR-75-137 NTIS ADA013109

     Rome Air Development Center currently operates two R and D computer facilities: an HIS GCOS system and an HIS Multics system. Another Air Force site also operates both a GCOS and a Multics installation. In both cases, the GCOS system has preceded the Multics system by several years. There is thus a large GCOS user applications and data files. Many of these users desire to transfer these programs, applications, and data files from the GCOS environment to the Multics environment in order to take advantage of the unique design features of the Multics system. To facilitate this transfer, and to make the process as simple and easy to use as possible, Rome Air Development Center contracted with Honeywell Information Systems to specify, design, and implement procedures and software to provide an integrated capability for the transfer of information, programs, and procedures from the GCOS to the Multics environment. This technical report describes the activities conducted in the performance of this contract.

336. Vestal, Stanley Curtis, and Henry Nirsberger, GCOS/Multics File Transfer Tool., Honeywell Information Systems Inc Minneapolis Minn, 157 pages, F30602-75-C-0162, RADC TR-75-312 NTIS ADA019748

     The effort described in this report consisted of enhancements to the GCOS/Multics File Transfer Facility which was developed under contract. The facility provides for the transfer of data files from the GCOS environment to the Multics environment. In particular, data base and file backup facilities, performance monitoring instrumentation, and Inner Ring Program/Data Protection have been added.

337. Vestal, S. C., T. Krocak, H. S. Schwenk, and A. Levy, Virtual Machine Monitor Performance Analysis, Honeywell Information Systems Inc Minneapolis Minn, 178 pages, F30602-77-C-0097, RADCTR-78-251 NTIS ADA065087

     This report describes the H6180 Virtual Machine Monitor Performance Analysis. Included as part of this report is a description of the Virtual Machine Monitor. This report also includes an approach for enhancing the baseline VMM functionality by use of a service machine to control peripheral sharing. The actual experimentation performed in this effort identifies the feasibility of a VMM in a Programming Environment and the performance tradeoffs required for its optimized utilization.

338. Vinograd, D. R., What's a system to do? -- Assuring system data integrity, Proc IEEE Conf, September 1971
339. Vyssotsky, V. A., F. J. Corbató, and R. M. Graham, Structure of the Multics Supervisor, AFIPS Conf Proc 27, 203-212, 1965

     This paper is a preliminary report on a system which has not yet been implemented. Of necessity, it therefore reports on status and objectives rather than on performance.

340. Wade, W., M. Mortara, P. Leong, and V. Frost, Interactive Communication Systems Simulation Model--ICSSM, IEEE Journal on Selected Areas in Communications 2, 1, Jan 1984, pp 102-128

     The design of ICSSM, a nonreal time computer-aided simulation and analysis tool for communications systems, is presented, ICSSM is capable of supporting modeling, simulation, and analysis of any system representable in terms of a network of multiport functional blocks. Its applicability is limited only by the modeler's ingenuity to decompose the system to functional blocks and to represent these functional blocks algorithmically. ICSSM has been constructed modularly, consisting of five subsystems to facilitate the tasks of formulating the model, exercising the model, evaluating and showing the simulation results, and storing and maintaining a library of modeling elements, analysis, and utility subroutines. It is written exclusively in ANSI Standard Fortran IV language, and is now operational in a Honeywell DPS 7/80 M computer under the MULTICS Operating System. Description of a recent simulation using ICSSM and some generic modules of general interest developed as a result of the modeling work are also presented.

341. Walden, David, and Tom Van Vleck, Compatible Time Sharing System (1961-1973) Fiftieth Anniversary Commemorative Overview, IEEE Computer Society, Washington DC, 2011 3MB

     The IEEE Computer Society History Committee prepared a document in June 2011 in honor of the 50th anniversary of CTSS, edited by Dave Walden and Tom Van Vleck. It contains an extensive bibliography and interviews with Corby, Marge Daggett, Bob Daley, Peter Denning, David Alan Grier, Dick Mills, Roger Roach, Allan Scherr, and Tom Van Vleck.

342. Waldrop, M. Mitchell, The Dream Machine: J. C. R. Licklider and the Revolution That Made Computing Personal, Viking Press, 2001

     The history of time-sharing and networks and ARPA's part in supporting the activities. It has one or two chapters which focus on CTSS and Multics. It also includes the saga of PARC.

343. Walter, K. G., J. M. Gilligan, S. I. Schaen, W. F. Ogden, W. C. Rounds, D. G. Shumway, D. D. Schaeffer, K. J. Biba, F. T. Bradshaw, and S. R. Ames, Structured specification of a Security Kernel, Proceedings of the SIGPLAN international conference on Reliable software, pp 285 - 293, Los Angeles, California, 1975

     Certifying an entire operating system to be reliable is too large a task to be practicable. Instead, we are designing a Security Kernel which will provide information security. The kernel's job is to monitor information flow in order to prevent compromise of security. Sound design is encouraged by using a technique called Structured Specification, in which successively more detailed models of the Security Kernel are developed. The initial model, M0, is an abstract description which formalizes governmental security applied to computer systems. Subsequent levels of modeling provide increasingly more detail, and gradually the models begin to resemble a particular system (Multics in this case). The second model, M1, defines a tree-structured file system, and an interagent communication system while M2 adds details concerning segmentation in a dynamic environment. It is intended that the final level of modeling will specify the primitive commands for the kernel of a Multics-like system and will enumerate precisely those assertions which must be proved about the implementation in order to establish correctness.

344. Walter, K. G., W. F. Ogden, W. C. Rounds, F. T. Bradshaw, S. R. Ames, and D. G. Shumway, Primitive Models for Computer Security, 23 January 1974, Case Western Reserve University, Cleveland, OH: HQ Electronic Systems Division, Hanscom AFB, MA. ESD-TR-74-117
345. Watson, R., Time-Sharing System Concepts, McGraw Hill, 1970
346. Weeldreyer, J. A., and O. D. Friesen, Multics Relational Data Store: An Implementation of a Relational Data Base Manager, Proc 11th Hawaii Intl Conf on System Sciences, Vol 1, pp. 52-66. 1978
347. Weizenbaum, Pm, Creating a campus on-line news system, Proceedings of the 4th annual international conference on Systems documentation

     Information Systems, MIT's campus-wide computing service organization, recently reorganized and strengthened its resources. Out of this recent effort came the decision to explore several ways of reporting on the expanded range of systems and services we offer. One service that central computing facilities must provide is timely notice of changes to the supported systems. This paper presents the design and implementation of Information Systems' "On-Line News System", which keeps users updated about changes in the wide variety of services offered by Information Systems.

348. Whiteside, Thomas, Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud, New York: Thomas Y. Crowell Co., NY, 1978 ISBN 0-690-01743-X
349. Whitmore, Jerold, André Bensoussan, Paul Green, Douglas Hunt, Andrew Kobziar, and Jerry Stern, Design for Multics security enhancements, ESD AFSC Hanscom AFB Mass, 1974 ESD-TR-74-176

     The results of a 1973 security study of the Multics Computer System are presented detailing requirements for a new access control mechanism that would allow two levels of classified data to be used simultaneously on a single Multics system. The access control policy was derived from the Department of Defense Information Security Program. The design decisions presented were the basis for subsequent security enhancements to the Multics system.

350. Whitmore, J., A. Bensoussan, P. Green, D. Hunt, and A. Kobziar, Design for Multics Security Enhancements, Honeywell Information Systems Inc., Cambridge Mass,, December 1973 NTIS AD-A030 801/5

     The results of a 1973 security study of the Multics computer system are presented detailing requirements for a new access control mechanism that would allow two levels of classified data to be used simultaneously on a single Multics system. The access control policy was derived from the Department of Defense Information Security Program. The design decisions presented were the basis for subsequent security enhancements to the Multics system.

351. Withington, P. T., Design and Abstract Specification of a Multics Security Kernel, Volume 2, MITRE Corp Bedford MA, March 1978 NTIS AD-A053 148/3
352. Withington, P. T., A Secure Flat File System for Multics, MITRE Corp Bedford MA. no date
353. Wolman, B. L., Debugging PL/I programs in the Multics environment, AFIPS Conf Proc 41, Part I, (1972 FJCC), 507-514, AFIPS Press, 1972

     One of the popular misconceptions concerning PL/I is that programs written in PL/I are necessarily inefficient and hard to debug. Several years experience with the Multics PL/I compiler running on the Honeywell 645 has shown that in spite of the apparent complexity of the PL/I language, PL/I programs are easily debugged in the Multics environment, even by novice users who are newcomers to PL/I and are unfamiliar with the Honeywell 645. In most cases the user can debug his program symbolically without having to refer to a listing of the generated instructions or add debugging output statements to the program. This is due to a number of factors: * the run-time environment provided by the system. * the implementation of PL/I. * the availability of a variety of powerful debugging facilities.

354. Woodward, J. P. L., Design and Abstract Specification of a Multics Security Kernel. Volume 3, MITRE Corp Bedford MA, March 1978 NTIS AD-A053 149/1
355. Yntema, Douwe B., Arthur P. Dempster, John P. Gilbert, John C. Klensin, Wren M. McMains, William Porter, Jeffrey P. Stamen, and Raymond A. Wiesen, The Cambridge Project's Consistent System, Proceedings of the ACM annual conference, August 1972

     One of the main goals of the Cambridge Project is a Consistent System of programs, data, and models for use in the behavioral sciences. A framework for the System has been constructed on the Multics time-sharing system at M.I.T., and a collection of programs has begun to accumulate within it. This session will be devoted to that framework and to three examples of subsystems that are being fitted into it. They will be described briefly, and the reasons why they are expected to be more useful when surrounded by the rest of the Consistent System will be discussed.

356. Yntema, Douwe B., The Cambridge Project: Computer Methods for Analysis and Modeling of Complex Systems, Massachusetts Institute of Technology, AD-783 626, pp. 1-29 , Feb. 1974 DTIC AD0783626

     The Cambridge Project is a cooperative effort by a number of scientists at M.I.T. and Harvard; its purpose is to make the digital computer more useful and usable by scientists in the basic and applied behavioral sciences, and in other sciences that have similar computing problems. The most notable single achievement of the half year covered in this report was the transfer of the entire Consistent System from the old Multics computer, which was a Honeywell 645, to a new Multics computer, a Honeywell 6180, and the subsequent transfer to another 6180 operated by the Air Force Data Services Center.

26 Interviews

1. Campbell-Kelly, Martin, Paul Ceruzzi, Daniel Bricklin, and Robert M. Frankston, Oral history interview with Dan Bricklin and Bob Frankston, Martin Campbell-Kelly and Paul Ceruzzi, 7 May 2004, Needham, Massachusetts.

   Dan Bricklin and Bob Frankston discuss the creation of VisiCalc, the pioneering spreadsheet application. Bricklin and Frankston begin by discussing their educational backgrounds and experiences in computing, especially with MIT's Multics system. Bricklin then worked for DEC on typesetting and word-processing computers and, after a short time with a small start-up company, went to Harvard Business School. After MIT Frankston worked for White Weld and Interactive Data. The interview examines many of the technical, design, and programming choices in creating VisiCalc as well as interactions with Dan Fylstra and several business advisors. Bricklin comments on entries from his dated notebooks about these interactions. The interview reviews the incorporation of Software Arts in 1979, then describes early marketing of VisiCalc and the value of product evangelizing.

2. Farrow, Rik, and Peter G. Neumann, An interview with Peter G. Neumann, ;login 42 No. 4, Winter 2017
3. Frenkel, K. A., and F. J. Corbató, An interview with Fernando Jose Corbató, Commun. ACM 34 No. 9, September 1991

   All systems will fail. The question is not whether some mishap will happen, but rather what to do when it does occur. In this Turing Award address, Corbató examines the problems associated with the development of ambitious or complex systems and identifies why they always fail. Sources of complexity that contribute to this failure include the number of personnel required, the levels of management, the lack of willingness to report bad news, and the inability of any one person to understand the complete system. He offers solutions to each of these problems, including simplicity in design, use of metaphors, constrained languages for design, anticipation of errors, design for modification, cross education of team members, and learning from past mistakes. Frenkel's interview, conducted after Corbató's Turing Award lecture, complements it. The questions and answers provide a comprehensive overview of the development of the time-sharing systems CTSS and Multics, and a good overview of some of the individuals involved in these efforts. One of the most interesting parts of this interview is the support (or lack of interest) of some of the major computer manufacturers in the 1960s, including GE, IBM, and DEC. The support of Bell Labs for Multics and its eventual disengagement are examined. The relationship between UNIX and Multics is discussed in some detail, as are the problems in the development of these systems. The discussion concludes with an examination of the transition from mainframes to workstations and PCs. (Thomas C. Richards)

4. Hendrie, Gardner, and Robert A. Freiburghouse, Oral history interview with Robert (Bob) Freiburghouse, conducted by Gardner Hendrie on 28 February 2011, Computer History Museum

   Bob Freiburghouse discusses his extensive career in computer science in this oral history. His interview begins with a description of his early life in Wisconsin and his initial interest in history and political science. He discusses his first step into computer science through the US Air Force as a punch card machine operator, displaying real aptitude in programming. Freiburghouse follows with the story of his career, starting with the Air Force Security Service and moving on to Honeywell and General Electric. He then started his own company, Translation Systems, before transitioning to Stratus Computer. He also describes teaching AP Computer Science in the Caribbean, and his ideas of using a communications mechanism to streamline the healthcare system and make healthcare delivery more efficient.

5. Hendrie, Gardner, and J. William Poduska, Oral history interview with John William (Bill) Poduska Sr., conducted by Gardner Hendrie on 09 October 2002, Computer History Museum

   John William "Bill" Poduska was interested in electronics from an early age. He received his Bachelor, Masters and doctorate in Electrical Engineering and Computer Science from MIT in seven years. He taught at MIT and served in the Army Signal Corps. He joined project MAC and later Honeywell Research where he became director of its Cambridge Research Center. He left the Center to co-found Prime Computer 1972. In 1979 He left Prime to found Apollo Computer, an early workstation manufacturer. In 1985 Poduska founded Stellar Computer Inc., a graphic supercomputer company which in 1989 merged with Ardent Computer Corp to become Stardent Computer Inc.

6. Hendrie, Gardner, and Richard Greenblatt, Oral history interview with Richard Greenblatt, conducted by Gardner Hendrie on 12 January 2005, Computer History Museum

   See Greenblatt's description of the AI Lab view of Multics about page 39.

7. Lee, J. A. N., Robert Rosin, F. J. Corbató, R. M. Fano, M. Greenberger, J. C. R. Licklider, D. T. Ross, and A. L. Scherr, The Project MAC Interviews, IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 14-35, Apr-Jun, 1992

   On the day following the Celebration of the 25th anniversary of Project MAC held in Cambridge on October 16 and 17, 1988, two small groups of participants in the developments of CTSS and Project MAC met to exchange recollections about their activities. These interviews are separated into two parts, concentrating on each of the two developmental stages of time-sharing, although it was impossible to strictly maintain the separation since the discussions naturally overlapped the time periods. By choice, the interviewers guided the discussion to concentrate on the more personal and background aspects of this history, since the technological history has been well documented in the open literature.

8. Morris, Errol, T. H. Van Vleck, F. J. Corbató, R. M. Fano, and J. H. Saltzer, Did My Brother Invent E-Mail With Tom Van Vleck?, conducted by Errol Morris in June 2011, New York Times Opinionator blog

   Interviews about the development of CTSS, electronic mail, and Multics with Van Vleck, Corbató, Fano, and Saltzer.

9. Muehlhauser, Luke, and Roger R. Schell, Roger Schell on long-term computer security research, conducted by Luke Muehlhauser on 23 June 2014 for the Machine Intelligence Research Institute
10. Norberg, Arthur L., and F. J. Corbató, An interview of Fernando Corbató, conducted by Arthur L. Norberg on 18 April 1989 and 14 November 1990, Charles Babbage Institute call number OH 162

    Corbató discusses computer science research, especially time-sharing, at the Massachusetts Institute of Technology (MIT). Topics in the first session include: Phil Morse and the establishment of the Computation Center, Corbató's management of the Computation Center, the development of the WHIRLWIND computer, John McCarthy and research on time-sharing, cooperation between International Business Machines (IBM) and MIT, and J. C. R. Licklider and the development of Project MAC. Topics in the second session include: time-sharing, the development of MULTICS by the General Electric (GE) Computer Division, IBM's reaction to MIT working with GE, the development of CTSS, the development of UNIX in cooperation with Bell Labs, interaction with the Information Processing Techniques Office of the Defense Advanced Research Projects Agency, interaction with Honeywell after they purchased GE's Computer Division, and the transformation of Project MAC into the Laboratory for Computer Science.

11. Norberg, Arthur L., and R. M. Fano, An interview of Robert M. Fano, conducted by Arthur L. Norberg on 20-21 April 1989, Charles Babbage Institute call number OH 165

    Fano discusses his move to computer science from information theory and his interaction with the Advanced Research Projects Agency (ARPA). Topics include: computing research at the Massachusetts Institute of Technology (MIT); the work of J. C. R. Licklider at the Information Processing Techniques Office of ARPA; time-sharing and computer networking research; Project MAC; computer science education; CTSS development; System Development Corporation (SDC); the development of ARPANET; and a comparison of ARPA, National Science Foundation, and Office of Naval Research computer science funding.

12. O'Neill, Judy E., and Jack B. Dennis, An Interview with Jack Dennis, Judy O'Neill and Jack Dennis, 31 Oct 1989, Cambridge, Massachusetts.

    Dennis describes his educational background and work in time-sharing computer systems at the Massachusetts Institute of Technology (MIT). The interview focuses on time-sharing. Dennis discusses the TX0 computer at MIT, the work of John McCarthy on time-sharing, and the influence of the Information Processing Techniques Office of the Advanced Research Projects Agency (later the Defense Advanced Research Projects Agency) on the development of time-sharing. Dennis also recalls the competition between various firms, including Digital Equipment Corporation, General Electric, Burroughs, and International Business Machines, to manufacture time-sharing systems. He describes the development of MULTICS at General Electric.

13. Pelkey, James, and Louis Pouzin, Oral history interview with Louis Pouzin, conducted by James Pelkey on 28 November 1988, Computer History Museum

    Louis Pouzin's contributions to the development of computer communications have been significant both as a research scientist and as a leader in the areas of network architecture and international protocol development. His achievements often placed him at odds with government and business entities vested in the technology of the day, but some of his key ideas have survived to become founding principles of today's Internet.

    Pouzin attended École Polytechnique and worked for the French computer company Bull, managing a team of software engineers, before traveling to the US to work at MIT on their first large scale time-sharing system (CTSS). For this system, he wrote a program for simplifying commands (RUNCOM) that he termed a 'shell' program, which became a forerunner of an entire class of command language programs. After returning to France, Pouzin was chosen to lead a government sponsored networking project to help promote the country's computer industry. Before starting the project, Pouzin traveled back to the US to meet with key developers of Arpanet who shared with him lessons they had learned building their newly operational network. Pouzin returned to France with ideas for improvements. Based on theoretical simulation studies by Donald Davies at NPL, and on his own predilection for simplicity, Pouzin designed the CYCLADES network, as it became known, without the need for IMP hardware over a subnet. He used a new idea of packet switching, a packet he coined a "Datagram", that could be sent over PTT provided telephone circuits.

    While the French government stopped funding the CYCLADES program in the late '70's, and the network went offline in 1981, the concepts Pouzin had implemented were heavily influential in the development of future Internet architecture, especially the TCP/IP protocols. While their decision to abandon CYCLADES left the French on the sidelines in the future development of the Internet, Pouzin's vision of a simplified method for connecting diversified networks together contributed greatly to its future design.

    I was able to meet with Pouzin at a busy restaurant in Ft. Lauderdale, FL. A gracious and polite man, Pouzin talked freely about his work and past. I enjoyed our brief time together and I hope I have asked questions that help clarify his considerable contributions.

14. Ranum, Marcus, and Roger R. Schell, Roger R. Schell on Trusted Computer Systems, Information Security, October 2017, Vol. 19, No. 8

    Roger R. Schell is an authority on high-assurance computing and has spent more than 20 years in the U. S. Air Force before working in private industry. As one of the lead authors of the U. S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), known as the Orange Book, Schell has first-hand knowledge of the standards required for classified computer systems. Published in 1983 by the National Computer Security Center, where he served as deputy director, the TCSEC was replaced in 2005 by an international standard, the Common Criteria for Information Technology Security Evaluation. The co-founder and vice president of Gemini Computers Inc., Schell led the development of the Gemini Multi-processing Secure Operating System, known as GEMSOS. In 2001, he founded Aesec Corp., which acquired Gemini Computers and its security kernel in 2003. He also served as the corporate security architect at Novell. Marcus Ranum spoke with Schell, now a professor of engineering at the University of Southern California Viterbi School of Engineering, about the security practices of the U.S. government, the National Security Agency's A1-class systems--Gemini was one--and the development of a secure operating system. Is it even feasible at this point?

15. Ranum, Marcus, and Tom Van Vleck, Tom Van Vleck on the Multics operating system, security decisions, Information Security, August 2018, Vol. 20, No. 4
16. Walden, David, and F. J. Corbató, Fernando Corbató, IEEE Annals of the History of Computing Vol. 34, No. 1: January-March 2012, pp. 83-87 DOI 10.1109/MAHC.2012.8

    An interview with Corby by Dave Walden, IEEE History Committee

17. Webber, Steven H., and F. J. Corbató, Oral History of Fernando Corbató conducted by Steven Webber on February 1, 2006, Computer History Museum reference number X3438.2006

    Fernando Corbató reviews his early educational and naval experiences in the Eddy program during World War II. Corbató attended Cal Tech and MIT, where he received his PhD under the tutelage of Professor Phil Morse and worked with Whirlwind. A detailed exploration of Corbató's time-sharing systems projects including the Compatible Time-Sharing System (CTSS), Project MAC, and Multics completes the oral history.

18. Yost, Jeffrey R., and Roger R. Schell, An interview with Roger R. Schell, Ph.D, conducted by Jeffrey R. Yost on 1 May 2012, Charles Babbage Institute call number OH 405 OH 405

    Dr. Roger R. Schell, a retired U.S. Air Force Colonel and current president of AEsec Corporation, is one of the foremost contributors to and authorities on "high assurance" computer security. In this oral history he discusses his formulation of the secure kernel and reference monitor concepts (in the early 1970s), his work that led to security enhancements to Honeywell-Multics (mid-1970s), his role as deputy director of the National Computer Security Center (including leadership on TCSEC or "The Orange Book" in the early to mid-1980s), and commercial (high assurance) computer security enterprises he's led since retiring from the Air Force.

19. Yost, Jeffrey R., and David Elliott Bell, Oral history interview with David Elliott Bell, Oral history interview by Jeffrey R. Yost, 24 September 2012, Reston, VA. Charles Babbage Institute, University of Minnesota call number OH411. OH 411

    David Elliott Bell is a mathematician and computer security pioneer who co-developed the highly influential Bell-LaPadula security model. This interview discusses the context of his pivotal computer security work at MITRE Corporation, and his later contributions at the National Security Agency and Trusted Information Systems (including his leadership on TIS's Trusted Xenix B2-rated system).

20. Yost, Jeffrey R., and Thomas H. Van Vleck, Oral history interview with Thomas Van Vleck, conducted by Jeffrey R. Yost on 24 October 2012, Charles Babbage Institute call number OH 408 OH 408

    Thomas Van Vleck is a time-sharing and computer security pioneer. As a user he worked with MIT's Compatible Time-Sharing System (CTSS) and MULTICS as a MIT student prior to helping to design enhancements (including security enhancements) to the MULTICS system first as a technical staff member at MIT and later on Honeywell-MULTICS as a technical staff member and manager at Honeywell. The interview discusses the security issues/risks on CTSS that resulted in modest changes (password protection) to CTSS and influenced the far more extensive security design elements of MULTICS. His long association w/ MULTICS in both the MIT and Honeywell setting provides unique perspective on the evolution of MULTICS security over the long term. He also briefly discusses his post-Honeywell career working on computer security as a manager at several other firms.

21. Yost, Jeffrey R., and Steven B. Lipner, Oral history interview with Steven B. Lipner, conducted by Jeffrey R. Yost on 15 August 2012, Charles Babbage Institute call number OH 406 OH 406

    Steven B. Lipner is a computer security pioneer with more than 40 years of experience as a researcher, development manager, and general manager in IT Security. He helped form and served on the Anderson Panel for the Air Force in the early 1970s (was MITRE's representative), oversaw path breaking computer security high assurance mathematical model work at MITRE later that decade, was a leader in Digital Equipment Corporation's (DEC) effort to build an A1 (TCSEC certification) system in the 1980s, and led the creation of Microsoft's Security Development Lifecycle in the 2000s. This interview focuses primarily on Lipner's involvement on the Anderson Panel, his work at MITRE, and his work at DEC.

22. Yost, Jeffrey R., and Peter G. Neumann, Oral history interview with Peter G. Neumann, conducted by Jeffrey R. Yost on 03 Jun 2013, Charles Babbage Institute call number OH 425 OH 425

    In this interview, computer security pioneer Peter G. Neumann relates his education at Harvard University (A.B. in Math, S.M. and Ph.D. in Applied Math), including an influential (to his perspective and career) two-hour long meeting/discussion as an undergraduate with Albert Einstein (discussing "complexity" and other topics). The vast majority of the interview addresses the many facets of his highly influential career in computer security research. With regard to the latter, this includes discussion of his work at Bell Labs and extensive involvement with MULTICS security, and his subsequent four-decade (and continuing) career as a research scientist at SRI International. He tells of his work and leadership with the Provably Secure Operating System (PSOS), research and writing on risks (including moderating the ACM Risks Forum), insider misuse and intrusion-detection systems (IDES, NIDES, EMERALD), and his current work on two DARPA-funded projects that builds on key lessons of the past to design and develop secure/trustworthy computer systems. He also relates the computer security research infrastructure and how it evolved, as well as comments on a number of other topics such as the major computer security conferences and the range of perspectives of researchers in the computer security research community.

23. Yost, Jeffrey R., and Daniel J. Edwards, Oral history interview with Daniel J. Edwards, conducted by Jeffrey R. Yost on 02 Jul 2013, Charles Babbage Institute call number OH 427 OH 427

    In this oral history, computer security pioneer Daniel Edwards discusses his long-term career as a computer security researcher at the National Security Agency (NSA). He discusses Trojan Horse attacks, a term he introduced in the computer security field to describe a particular type of computer security vulnerability of hidden malicious code within a seemingly harmless program. He provides perspective on the evolving relationship of communications security (COMSEC) and computer security (COMPUSEC) at the NSA. Edwards became part of the NSA's National Computer Security Center and was principally involved with the development of the NCSC's/DOD's Trusted Computer Security Evaluation Criteria (TCSEC) and elaborates on the processes and considerations in developing and refining this influential set of computer security standards.

24. Yost, Jeffrey R., and Peter J. Denning, Oral history interview with Peter J. Denning, conducted by Jeffrey R. Yost on 10 April 2013, Charles Babbage Institute call number OH 423 OH 423

    This interview focuses on Peter Denning's pioneering early contributions to computer security. This includes discussion of his perspective on CTSS and Multics as a graduate student at MIT, pioneering (with his student Scott Graham) the critical computer security concept of a reference monitor for each information object as a young faculty member at Princeton University, and his continuing contributions to the computer security field in his first years as a faculty member at Purdue University. Because of an extensive, career spanning oral history done with Denning as part of the ACM Oral History series (which includes his contributions as President of ACM, research on operating systems, and principles of computer science), this interview is primarily limited to Denning's early career when computer security was one of his fundamental research areas.

25. Yost, Jeffrey R., and Marvin Schaefer, Oral history interview with Marvin Schaefer, conducted by Jeffrey R. Yost on 20 November 2013, Charles Babbage Institute call number OH 435 OH 423

    This interview with computer security pioneer Marvin Schaefer discusses his roles and perspectives on computer security work at the System Development Corporation over many years (an organization he began working at in the summer of 1965), as well as his work at the National Computer Security Center in helping to create the Trusted Computer System Evaluation Criteria (TCSEC). With the latter he relates the challenges to writing the criteria, the debates over the structure and levels, and the involvement of criteria lawyers. He also summarizes his work at the company Trusted Information Systems. In addition to detailing his pivotal work in computer security, he offers insightful commentary on issues in the field such as the Bell-LaPadula Model, John McLean's System Z, and other topics.

26. Yost, Jeffrey R., and W. Earl Boebert, Oral history interview with W. Earl Boebert, conducted by Jeffrey R. Yost on 28 April 2015, Charles Babbage Institute call number OH 460 OH 460

    Computer security pioneer Earl Boebert discusses his education at Stanford University before the bulk of the interview focuses on his work within the Air Force and at Honeywell. Among the topics he discusses are the Air Force Undergraduate Navigator Training System, efforts to save and market Multics (and the inherent challenges given GE's existing systems and the economics of the mainframe business), PSOS, Sidewinder, the formation of Secure Computing Corporation. Also discussed is his role in the broader computer security research community including serving on many National Research Council committees, including the one producing the influential 1991 Computers at Risk.

22 Newspaper & magazine articles about Multics

1. anonymous, Bell Labs Backs Out of Multics, Datamation, 1969

   I also found the attached "Look Ahead" column, probably from a 1969 Datamation, but with no bibliographic info whatever.

2. anonymous, Research Notes: Twenty-Four Million Dollar Gamble Pays Off, Naval Research Reviews Vol. 24, No. 6, pp 28-29. June 1971
3. Smith, William D., Honeywell Offers Multics, The New York Times, January 18, 1973, Page 57
4. staff, Honeywell introduces commercial version of its large Multics computer system, Wall Street Journal, p 9, January 18, 1973
5. Smalheiser, Marvin, Honeywell Plans MOS Memories for 6000 Series, ComputerWorld, page 32, August 8, 1973

   Notwithstanding the headline, the article is actually about dedication of a new Honeywell Multics center in Phoenix.

6. Alexander, Tom, Waiting for the Great Computer Rip-Off, Fortune Vol XC, No 1, , pp 143-150, July 1974

   Opens with stories about Multics security and project ZARF.

7. Whiteside, Thomas, Dead Souls in the Computer, The New Yorker, 29 Aug 1977, pp 59-62
8. Schell, R. R., "Computer Security: The Achilles' Heel of the Electronic Air Force", Air University Review, January - February 1979, p. 16, 1979

   It is not easy to make a computer system secure, but neither is it impossible. The greatest error is to ignore the problem.

9. Kornel, Amiel, Honeywell decision puts Groupe Bull in sticky situation, Computerworld Vol. XX, No. 2, p 15, January 13, 1986
10. Korzeniowski, Paul, Honeywell phasing out Multics line, Computerworld, Vol. XX, No. 2, p 1, January 13, 1986
11. Hamilton, Rosemary, Honeywell Fails to Convince Multics Users, Computerworld, Vol XX no 15 p 4
12. Verity, John W., Multics users face their maker, Datamation, Vol. 32, No. 9, 102-112, May 1, 1986
13. staff, FORD WEIGHING HONEYWELL BOYCOTT?, Datamation, In the LOOK AHEAD column, p. 10., June 1, 1986
14. Hamilton, Rosemary, Multics Future Dim Despite Honewyell/Bull Merger, Computerworld, Vol XX no 51 p 7
15. Fano, Robert M., Excerpts from "The MAC System: A Progress Report", IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 10-11, Apr-Jun, 1992
16. Fano, Robert M., The Computer Utility and the Community, IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 39-41, Apr-Jun, 1992
17. Lee, J. A. N., Time-Sharing at MIT: Introduction, IEEE Annals of the History of Computing vol. 14, no. 1, pp. 13-15, Jan.-Mar. 1992

    Introduction to an issue describing the beginnings of time-sharing at MIT.

18. Frankston, Robert M., Nonhistory of IBM Time-Sharing, (letter), IEEE Annals of the History of Computing, vol. 18, no. 3, pp. 72-73, Fall, 1996

    Yes, Multics was a market failure but not because the market had changed. It was because Honeywell (which bought out the GE computer division) worked hard not to sell it. ...Did the world pass Multics by? As noted above, Honeywell wounded it and then eventually killed it. But Unix, though weak as an implementation of Multics, has achieved great success in the marketplace.

19. Metcalfe, Bob, Internet services moving us back toward Multics utility computing of old, InfoWorld, 18 Oct 1999
20. Gedda, Rodney, CIO Blast from the Past: 40 years of Multics, 1969-2009, CIO, 11 Nov 2009

    October 2009 marked an important milestone in the history of computing. It was exactly 40 years since the first Multics computer system was used for information management at the Massachusetts Institute of Technology.

21. Yadron, Danny, Man Behind the First Computer Password: It's Become a Nightmare, Digits: WSJ blog, 21 May 2014

    In the early 1960s, Fernando Corbató helped deploy the first known computer password.

22. Dixon, Gary, Multics Storage System

    How Multics programs access data files.

21 Videos

1. Corbató, Fernando J., Time-Sharing: A Solution to Computer Bottlenecks, John Fitch, MIT Science Reporter, May 16, 1963 (27:38 video)

   Aired on WGBH-TV Boston. The initial sequence shows the CTSS account of M1416 786 (Bob Daley) running a square root program.

2. Fano, Robert M., Prof. Fano explaining scientific computing, ARPA film (9:28 video)

   Short film from 1964 taken in Prof. Fano's Project MAC office. He uses CTSS from a Model 35 Teletype.

3. Corbató, Fernando J., Computer Networks - The Heralds Of Resource Sharing (Arpanet, 1972), ARPA film (30:22 video)

   ARPA film about the ARPANet. Starts with Corby and Lick.

4. Saltzer, Jerome H., David D. Clark, and Sze-Ping Kuo, A Demonstration of Multics 1972 pt. 1, MIT film (27:40 video)

   Introduction by Jerry Saltzer, Co-Head of the Computer Systems research division of Project MAC. Demonstration by David Clark and Sze-Ping Kuo, graduate students of the Computer Systems research division of Project MAC.

5. Clark, David D., and Sze-Ping Kuo, A Demonstration of Multics 1972 pt. 2, MIT film (27:16 video)

   Demonstration by David Clark and Sze-Ping Kuo, graduate students of the Computer Systems research division of Project MAC.

6. Corbató, Fernando J., Richard Jay Solomon, Philip M. Morse, John McCarthy, Robert M. Fano, Herbert M. Teager, and Ed Fredkin, Switched Output: Time-sharing at MIT, Oral history project produced by Richard Jay Solomon, May 14, 1983 (15:40 video)

   Multiple segments: this is the first. Includes Corbató, Fano, Morse, Teager, Fredkin, McCarthy

7. Webber, Steven H., Webber on Multics, Feb 04, 1986 (1:47:50 video)

   Lunchtime presentation at Stratus by Steve about Multics.

8. Gintell, John W., Multics ACM Lecture Nov 16, 1989, Greater Boston ACM chapter (1:49:07 video)

   John Gintell gave a lengthy talk about the history of Multics to a combined Greater Boston ACM chapter / IEEE computer society meeting in 1989. A number of Multicians were there and there is a long comment section at the end.

9. Dixon, Gary C., Multics Reunion Salutation from Gary Dixon, May 24, 2014 (2:59 video)

   Gary's experience with Multics development, training, and support.

10. Shrobe, Howard, and Daniela Rus, Multics Reunion: Welcoming Remarks, CSAIL video, May 29, 2014 (3:50 video)

    LCS 50th Anniversary

11. Neumann, Peter G., Multics Reunion: Introduction, CSAIL video, May 29, 2014 (5:09 video)

    Peter Neumann introduces Corby.

12. Corbató, Fernando J., Multics Reunion: Early Days, Project MAC, CTSS, and Multics, CSAIL video, May 29, 2014 (49:37 video)

    Abstract: The computing climate and facilities at MIT in the early 1950's and 1960's will be briefly described. This will be followed by a sketch of the events that led to the formation of Project MAC and the decision to embark on the Multics project.
    Bio: Fernando J. Corbató, Professor Emeritus in the Department of Electrical Engineering and Computer Science at M.I.T., has achieved wide recognition for his pioneering work on the design and development of multiple-access computer systems. He was associated with the M.I.T. Computation Center from its organization in 1956 until 1966. In 1963 he was a founding member of Project MAC, the antecedent of CSAIL. An early version of the Compatible Time-Sharing System (CTSS) was first demonstrated in November 1961, at the M.I.T. Computation Center. In the fall of 1963, after further development, the system began daily operation at Project MAC.

13. DeHon, Andre, Multics Reunion: SAFE: A New Foundation for Computer Safety and Security, CSAIL video, May 29, 2014 (48:36 video)

    Abstract: At a time when computers are increasingly involved in all aspects of our lives, our computer systems are too easily broken or subverted. The current state of affairs is, no doubt, unsurprising to Multicians who are painfully aware of the design and security compromises that went into the base design of today's mainstream systems. The past 30 years has also brought vast changes in the availability and costs of computer hardware as well as significant advances in formal methods. How do we exploit these advances to make computer systems worthy of the trust we are now placing in them? We specifically take a clean-slate approach to computer architectures and system designs based on modern costs and threats. We spend now cheap hardware to reduce or eliminate traditional security-performance tradeoffs and to provide stronger hardware safety and security interlocks that prevent gross security and safety violations even when there are bugs in the code. We embrace well-known security principles of least and separate privileges and complete mediation of operations. Our system revisits many pioneering Multics concepts including gates between software components with different-privileges, small and verified system components, and formal information flow properties and guarantees.
    Project paper: http://www.crash-safe.org
    Bio: Andre DeHon received S.B., S.M., and Ph.D. degrees in Electrical Engineering and Computer Science from the Massachusetts Institute of Technology in 1990, 1993, and 1996 respectively. From 1996 to 1999, Andre co-ran the BRASS group in the Computer Science Department at the University of California at Berkeley. From 1999 to 2006, he was an Assistant Professor of Computer Science at the California Institute of Technology. In 2006 he joined the Electrical and Systems Engineering Department at the University of Pennsylvania, where he is now a Full Professor. He is broadly interested in how we physically implement computations from substrates, including VLSI and molecular electronics, up through architecture, CAD, and programming models. He places special emphasis on spatial programmable architectures (e.g. FPGAs) and interconnect design and optimization.
    Multics BIO: Andre DeHon is a bastard child of the tail end of LISP Machine and Multics eras, having been a research assistant for Knight and a teaching assistant for Saltzer. As a member of MIT's Student Information Processing Board (SIPB), he was part of the group that pushed Multics access to MIT students and was logged in during the decommissioning of MIT-Multics. So, while he never contributed to Multics, he was around in time to learn that there were computer systems that predated Unix and Windows and that did have a principled way to address safety and security. He hopes the world is now ready for many of the Multics and LISPM ideas that were ahead of their time and have mostly been forgotten during the dark ages of mainstream Internet growth.

14. Pandolfo, Michael A., Multics Reunion: Multics, The First 50 Years, CSAIL video, May 29, 2014 (18:16 video)

    Abstract: November 2015 marks the fiftieth anniversary of the 1965 Fall Joint Computer Conference at which the description of Multics was presented to the computer community. To mark this anniversary I have set for myself three initiatives to mark the event. They are:
    1. Write a follow-on book to Organick's text which will describe the second generation of Multics hardware and software;
    2. Lobby to get a technical society to sponsor a Multics fifty year anniversary conference centered on the pioneering role Multics has vis-a-vis today's commercial operating systems;
    3. Champion the completion of a Multics VM based on the current efforts to emulate the 6180/DPS-8/M. I will be describing my approaches to and current status of these three initiatives.
    Bio: After working on the data management and B2 certification projects at CISL, Michael moved to Stratus Computer where he designed and prototyped several PCBs in addition to writing firmware for other boards. At Banyan Systems Michael maintained their Unix System V kernel and implemented Intel APIC mediated multiprocessing on PC platforms. Most recently at EMC Michael supported tape library robotics and designed Linux drivers. Currently Michael has taken early retirement from EMC and is engaged in processor design utilizing FPGAs.

15. Gintell, John W., Fernando J. Corbató, Jerome H. Saltzer, Peter G. Neumann, and Robert A. Freiburghouse, Multics Reunion: Panel Discussion, CSAIL video, May 29, 2014 (1:05:14 video)
16. Green, Paul A., Multics Reunion: Closing Remarks, CSAIL video, May 29, 2014 (12:40 video)

    LCS 50th Anniversary

17. Corbató, Fernando J., Fernando J Corbató, The Heidelberg Laureate Forum Foundation presents the HLF Portraits, Oct 6, 2017 (1:05:23 video)

    Interviewed by Marc Pachter, Director Emeitus, National Portrait Gallery, Smithsonian Institution.

18. Corbató, Fernando J., and Steven H. Webber, Fernando J (Corby) Corbató, 1990 ACM Turing Award Recipient, ACM Turing Award video, April 6, 2018 (1:24:14 video)

    Interviewed by Steven H. Webber.

19. Anthony, Charles, The DPS8:M Emulator: A Personal History, VCF Pacific Northwest (60:00 video)

    I gave an hour long talk about my history with the DPS8/M emulator at the Vintage Computer Festival Pacific Northwest 2018; VCF taped the talk and have put it online. Links to slides and notes at simulator.html.

20. Jones, Stephen, Video of 6180 maintenance panel booting Multics, Living Computer Museum, Seattle (30:22 video)

    booting MR12.6e on a simulated 6180 under Linux. The system boots up to idle in just under 2 minutes, which, from what I understand, is blazingly fast.

21. Zanarotti, Stan, SIPB 50: See Multics Run, Streamed live on Sep 29, 2019 (37:40 video)

    Stan demonstrates Multics in 26-100

74 MIT Project MAC TRs and TMs

Source: LCS document handed out at the Project MAC 25th reunion, updated by Jerry Saltzer 5/8/98. The Library 2000 project at MIT scanned many old MAC TRs and the images were available on a server provided by the MIT libraries.

See also the LCS on-line list of publications.

1. Bawden, Alan, Glenn S. Burke, and Carl W. Hoffman, MacLisp Extensions, MAC-TM-203, July 1981
2. Benedict, Gordon, An Enciphering Module for Multics, (Lucifer for Multics), LCS-TM-50, July 1974
3. Benjamin, Arthur, Improving Information Storage Reliability Using a Data Network, LCS-TM-078, S. M. thesis, October 1976
4. Bratt, R. G., Minimizing the naming facilities requiring protection in a computer utility, LCS-TR-156 (S.M. thesis), September 1975 6.5M

   This thesis examines the various mechanisms for naming the information objects stored in a general-purpose computing utility, and isolates a basic set of naming facilities that must be protected to assure complete control over user interaction and that allow desired interactions among users to occur in a natural way. Minimizing the protected naming facilities consistent with the functional objective of controlled, but natural, user interaction contributes to defining a security kernel for a general-purpose computing utility. The security kernel is that complex of programs that must be correct if control on user interaction is to be assured. The Multics system is used as a test case, and its segment naming mechanisms are redesigned to reduce the part that must be protected as part of the supervisor. To show that this smaller protected naming facility can still support the complete functionality of Multics, a test implementation of the design is performed. The new design is shown to have a significant impact on the size and complexity of the Multics supervisor.

5. Clark, D. D., R. M. Graham, J. H. Saltzer, and M. D. Schroeder, The classroom information and computing service, MAC-TR-80, January 1971

   This report describes the Classroom Information and Computing Service (Clics), a pedagogical computer-based information system that is used as a case study in the subject "Information Systems" in the Department of Electrical Engineering at M.I.T. Clics is an abstraction of the Multiplexed Information and Computing Service (Multics) that is being implemented by Project MAC at M.I.T. As such, it is an example of a computer utility. Clics is derived from Multics by a combination of simplifying the mechanisms of Multics and removing some of its more exotic features; and embodies research into ways to simplify the mechanisms of Multics without sacrificing service objectives. This report is a specification of the hardware, control programs, and system implementation language of the Clics system, as developed to date. The system is specified in sufficient detail for students to develop a structural as well as a functional understanding of its operation and mechanisms. As the primary case study for an undergraduate subject, Clics provides specific examples of the complexities in a general purpose information system, and methods of coping with them.

6. Clark, D. D., An input-output architecture for virtual memory computer systems, LCS-TR-117 (Ph.D. thesis), January 1974 7.2M

   In many large systems today, input/output is not performed directly by the user, but is done interpretively by the system for him, which causes additional overhead and also restricts the user to whatever algorithms the system has implemented. Many causes contribute to this involvement of the system in user input/output, including the need to enforce protection requirements, the inability to provide adequate response to control signals from devices, and the difficulty of running devices in a virtual environment, especially a virtual memory. The goal of this thesis was the creation of an input/output system which allows the user the freedom of direct access to the device, and which allows the user to build input/output control programs in a simple and understandable manner. This thesis presents a design for an input/output subsystem architecture which, in the context of a segmented, paged, time-shared computer system, allows the user direct access to input/output devices. This thesis proposes a particular architecture, to be used as an example of a class of suitable designs, with the intention that this example serve as a tool in understanding the large number preferable form.

7. Clark, D. D., Ancillary reports: kernel design project, LCS-TM-87, June 1977

   contents:

   1. Repaired Security Bugs in Multics (2/7/73) by J. H. Saltzer. (reprint of CSR-RFC-5)
   2. A Census of Ring 0 (9/5/73) by V. L. Voydock (reprint of CSR-RFC-37)
   3. Some Multics Security Holes which were Closed by 6180 Hardware (1/28/74) by J. H. Saltzer, P. A. Janson, D. H. Hunt (reprint of CSR-RFC-46)
   4. Some Recently Repaired Security Holes of Multics (1/28/74) by J. H. Saltzer, D. H. Hunt (reprint of CSR-RFC-47)
   5. Patterns of Security Violations: Multiple References to Arguments (11/8/74) by H. C. Forsdick, D. P. Reed (reprint of CSR-RFC-59)
   6. A Two-Level Implementation of Processes for Multics (9/8/76) by R. M. Frankston (reprint of CSR-RFC-123)
   7. Further Results with Multi-Process Page Control (2/9/77) by R. F. Mabee (reprint of CSR-RFC-135)

   See individual entries for the RFCs.

8. Corbató, F. J., System requirements for multiple-access, time-shared computers, MAC-TR-3, May 1964 907K

   It is now clear that it is possible to create a general-purpose time-shared multiple access system on most contemporary computers. However, it is equally clear that none of the existent computers are well designed for multiple access systems. At present, good service to a few dozen simultaneous users is considered state-of-the-art. Discussions include: clocks, memory protection and supervisor mode, program relocation and common subroutines which expose the reader to the difficulties encountered with contemporary machines when multiple user multiple-processor systems are considered.

9. Deitel, H. M., Absentee computations in a multiple-access computer system, MAC-TR-52 (S.M. thesis), August 1968 4.0M
10. Denning, P. J., Resource allocation in multiprocess computer systems, MAC-TR-50 (Ph.D. Thesis), May 1968 6.1M
11. Denning, P. J., Queueing models for file memory operations, MAC-TR-21 (S.M. Thesis), May 1965 2.3M

    A model for the auxiliary memory function of a segmented, multiprocessor, time-shared computer system is set up. A drum system in particular is discussed, although no loss of generality is implied by limiting the discussion to drums. Particular attention is given to the queue of requests waiting for drum use. It is shown that a shortest access time first queue discipline is the most efficient, with the access time being defined as the time required for the drum to be positioned, and is measured from the finish of service of the last request to the beginning of the data transfer for the present request. A detailed study of the shortest access time queue is made, giving the minimum access time probability distribution, equations for the number in the queue, and equations for the wait in the queue. Simulations were used to verify these equations; the results are discussed. Finally, a general Markov Model for Queues is discussed in an Appendix.

12. Dennis, J. B., and E. C. Van Horn, Programming semantics for multiprogrammed computations, MAC-TR-21, 1966 2.3M
13. Dennis, J. B., Program structure in a multi-access computer, MAC-TR-11, May 1964 1.3M
14. Fillat, A. I., and A. L. Kraning, Generalized organization of large data-bases: a set-theoretic approach to relations, MAC-TR-70 (S.M. and S.B. thesis), June 1970 5.5M
15. Forsdick, H. C., and D. P. Reed, Patterns of Security Violations: Multiple References to Arguments, CSR-RFC-59, Nov 8 1974

    part 5 of LCS-TM-87

16. Frankston, R. M., A Two-Level Implementation of Processes for Multics, CSR-RFC-123, Sep 8 1976

    part 6 of LCS-TM-87

17. Frankston, R. M., The computer utility as a marketplace for computer services, LCS-TR-128 (S.M. & E.E. thesis), May 1974 5.8M
18. Gifford, D., Hardware estimation of a process's primary memory requirements, LCS-TM-81 (S.B. Thesis), May, 1976 2.3M
19. Graham, R. M., File management and related topics, LCS-TM-12, September 1970 2.3M
20. Graham, R. M., Use of high level language for systems programming, LCS-TM-13, September 1970 938K
21. Greenbaum, H. J., A simulator of multiple interactive users to drive a time-shared computer system, MAC-TR-58 (S.M. Thesis), October 1968 3.5M
22. Greenberg, B. S., An experimental analysis of program reference patterns in the Multics virtual memory, MAC-TR-127 (S.M. thesis), May 1974 8.4M

    This thesis reports the design, conducting, and results of an experiment intended to measure the paging rate of a virtual memory computer system as a function of paging memory size. This experiment, conducted on the Multics computer system at MIT, a large interactive computer utility serving an academic community, sought to predict paging rates for paging memory sizes larger than the existent memory at the time. A trace of all secondary memory references for two days was accumulated, and simulation techniques applicable to "stack" type page algorithms (of which the least-recently-used discipline used by Multics is one) were applied to it. A technique for interfacing such an experiment to an operative computer utility in such a way that adequate data can be gathered reliably and without degrading system performance is described. Issues of dynamic page deletion and creation are dealt with, apparently for the first reported time. The successful performance of this experiment asserts the viability of performing this type of measurement on this type of system. The results of the experiment are given, which suggest models of demand paging behavior.

23. Grochow, J. M., The graphic display as an aid in the monitoring of a time-shared computer system, MAC-TR-54 (S.M. thesis), November 1968 2.3M

    The problem of dynamic observation of the state of a time-shared computer system is investigated. The Graphical Display Monitoring System was developed as a medium for this experimental work. It is an integrated system for creating graphic displays, dynamically retrieving data from Multics Time-Sharing System supervisor data bases, and on-line viewing of this data via the graphic displays. On-line and simulated experiments were performed with various members of the Multics staff at Project MAC in an effort to determine what data is most relevant for dynamic monitoring, what display formats are most meaningful, and what sampling rates are most desirable. The particular relevance of using a graphic display as an output medium for the monitoring system is noted. As a guide to other designers, a generalized description of the principles involved in the design of this on-line, dynamic monitoring device includes special mention of those areas of particular hardware or software system dependence. Several as yet unsolved problems relating to time-sharing system monitoring, including those of security and data base protection, are discussed.

24. Huber, A. R., A multi-process design of a paging system, LCS-TR-171 (S.M. thesis), December 1976 5.7M

    This thesis presents a design for a paging system that may be used to implement a virtual memory on a large scale, demand paged computer utility. A model for such a computer system with a multi-level, hierarchical memory system is presented. The functional requirements of a paging system for such a model are discussed, with emphasis on the parallelism inherent in the algorithms used to implement the memory management functions. A complete, multi-process design is presented for the model system. The design incorporates two system processes, each of which manages one level of the multi-level memory, being responsible for the paging system functions for that memory. These processes may execute in parallel with each other and with user processes. The multi-process design is shown to have significant advantages over conventional designs in terms of simplicity, modularity, system security, and system growth and adaptability. An actual test implementation on the Multics system was carried out to validate the proposed design.

25. Hunt, D. H., A case study of intermodule dependencies in a virtual memory, system, LCS-TR-174 (S.M. thesis), December 1976 5.5M

    A problem currently confronting computer scientists is to develop a method for the production of large software systems that are easy to understand and certify. The most promising methods involve decomposing a system into small modules in such a way that there are few intermodule dependencies. In contrast to previous research, this thesis focuses on the nature of the intermediate module dependencies, with the goal of identifying and eliminating those that are found to be unnecessary. Using a virtual memory subsystem as a case study, the thesis describes a structure in which apparent dependencies can be eliminated. Owing to the nature of virtual memory subsystems, many higher level functions can be performed by lower level modules that exhibit minimal interaction. The structuring methods used in this thesis, inspired by the structure of the LISP world of atomic objects, depend on the observation that a subsystem can maintain a copy of the name of an object without being dependent upon the object manager. Since the case study virtual memory subsystem is similar to that of the Multics system, the results reported here should aid in the design of similar sophisticated virtual memory subsystems in the future.

26. Janson, P. A., Removing the dynamic linker from the security kernel of a computing utility, MAC-TR-132 (S.M. thesis), June 1974 6.8M
27. Janson, P. A., Using type extension to organize virtual memory mechanisms, LCS-TR-167 (Ph.D. thesis), September 1976 9.1M
28. Jones, Malcolm, Incremental Simulation on a Time-Shared Computer, MAC-TR-48 (OPS/3 language), 1-1-1968 7.5M
29. Karger, P. A., Non-discretionary access control for decentralized computing systems, LCS-TR-179 (S.M. thesis), May 1977 3.8M

    (Also available as NTIS AD-A040 808/8)

30. Kent, Steve, Encryption-Based Protection Protocols For Interactive User-Computer Communication, LCS-TR-162, 6-1-1976 5.9M

    This thesis develops a complete set of protocols, which utilize a block cipher, e.g., the NBS data encryption standard, for protection interactive user-computer communication over physically unsecured channels. The use of the block cipher protects against disclosure of message contents to an intruder, and the protocols provide for the detection of message stream modification and denial of message service by an intruder. The protocols include facilities for key distribution, two-way login authentication, resynchronization following channel disruption, and expedition of high priority messages. The thesis presents designs for modules to implement the protocols, both in the terminal and in a host computer system, and discusses the results of a test implementation of the modules on Multics.

31. Luniewski, A. W., A simple and flexible system initialization mechanism, LCS-TR-180 (S.M. thesis), May 1977 3.8M
32. Mabee, R. F., Further Results with Multi-Process Page Control, CSR-RFC-135, Feb 9 1977

    part 7 of LCS-TM-87

33. Project MAC, Project MAC Progress Report I, July 1963 - July 1964, Massachusetts Institute of Technology, Cambridge MA, July 1964 DTIC AD-465088
34. Project MAC, Project MAC Progress Report X, July 1972 - July 1973, Massachusetts Institute of Technology, Cambridge MA, July 1973 DTIC AD-0771428
35. Project MAC, Project MAC Progress Report XI, July 1973 - July 1974, Massachusetts Institute of Technology, Cambridge MA, July 1974 DTIC AD-A004966
36. Project MAC, Project MAC Progress Report II, July 1964 - July 1965, Massachusetts Institute of Technology, Cambridge MA, July 1965 DTIC AD-629494
37. Project MAC, Project MAC Progress Report III, July 1965 - July 1966, Massachusetts Institute of Technology, Cambridge MA, July 1966 DTIC AD-648346
38. Project MAC, Project MAC Progress Report IV, July 1966 - July 1967, Massachusetts Institute of Technology, Cambridge MA, July 1967 DTIC AD-681342
39. Project MAC, Project MAC Progress Report V, July 1967 - July 1968, Massachusetts Institute of Technology, Cambridge MA, July 1968 DTIC AD-687770
40. Project MAC, Project MAC Progress Report VI, July 1968 - July 1969, Massachusetts Institute of Technology, Cambridge MA, July 1969 DTIC AD-705534
41. Project MAC, Project MAC Progress Report VII, July 1969 - July 1970, Massachusetts Institute of Technology, Cambridge MA, July 1970 DTIC AD-732767
42. Project MAC, Project MAC Progress Report VIII, July 1970 - July 1971, Massachusetts Institute of Technology, Cambridge MA, July 1971 DTIC AD-735148
43. Project MAC, Project MAC Progress Report IX, July 1971 - July 1972, Massachusetts Institute of Technology, Cambridge MA, July 1972 DTIC AD-756689
44. Mason, A. H., A layered virtual memory manager, LCS-TR-177 (S.M. & E.E. thesis), May 1977 4.4M
45. Montgomery, W. A., A secure and flexible model of process initiation for a computer utility, LCS-TR-163 (S.M. & E.E. thesis), June 1976 6.4M

    This thesis demonstrates that the amount of protected, privileged code related to process initiation in a computer utility can be greatly reduced by making process creation unprivileged. The creation of processes can be controlled by the standard mechanism for controlling entry to a domain, which forces a new process to begin execution at a controlled location. Login of users can thus be accomplished by an unprivileged creation of a process in the potential user's domain, followed by authentication of the user by an unprivileged initial procedure in that domain. The thesis divides the security constraints provided by a computer utility into three classes: Access control, prevention unauthorized denial of service, and confinement. We develop a model that divides process changing, resource control, authentication, and environment initialization. We show which classes of security constraints depend on each of these functions and show how to implement the functions such that these are the only dependencies present. The thesis discusses an implementation of process initiation for the Multics computer utility based on the model. The major problems encountered in this implementation are presented and discussed. We show that this implementation is substantially simpler and more flexible than that used in the current Multics system.

46. Pitman, K. M., The Revised MacLisp Manual, LCS-TR-295, 1 Jun 1983

    MACLISP is a dialect of Lisp developed at M.I.T.'s Project MAC (now the MIT Laboratory for Computer Science) and the MIT Artificial Intelligence Laboratory for use in artificial intelligence research and related fields. Maclisp is descended from Lisp 1.5, and many recent important dialects (for example Lisp Machine Lisp and NIL) have evolved from Maclisp. David Moon's original document on Maclisp, The Maclisp Reference Manual (alias the Moonual ) provided in-depth coverage of a number of areas of the Maclisp world. Some parts of that document, however, were never completed (most notably a description of Maclisp's I/O system); other parts are no longer accurate due to changes that have occurred in the language over time. This manual includes some introductory information about Lisp, but is not intended as tutorial. It is intended primarily as a reference manual; particularly, it comes in response to user's please for more up-to-date documentation. Much text has been borrowed directly from the Moonual, but there has been a shift in emphasis. While the Moonual went into greater depth on some issues, this manual attempts to offer more in the way of examples and style notes. Also, since Moon had worked on the Multics implementation, the Moonual offered more detail about compatibility between ITS and Multics Maclisp. While it is hoped that Multics users will still find the information contained herein to be useful, this manual focuses more on the ITS and TOPS-20 implementations since those were the implementations most familiar to the author.

47. Rappaport, R. L., Implementing multi-process primitives in a multiplexed computer system, LCS-TR-55 (S.M. thesis), November 1968 3.6M

    In any computer system primitive functions are needed to control the actions of processes in the system. This thesis discusses a set of six such process control primitives which are sufficient to solve many of the problems involved in parallel processing as well as in the efficient multiplexing of system resources among the many processes in a system. In particular, the thesis documents the work performed in implementing these primitives in a computer system, the Multics system, which is being developed at Project MAC of M.I.T. During the course of work that went into the implementation of these primitives, design problems were encountered which caused the overall design of the programs involved to go through two iterations before the performance of these programs was deemed acceptable. The thesis discusses the way design of these program evolved over the course of work.

48. Reed, D. P., Processor multiplexing in a layered operating system, LCS-TR-164 (S.M. thesis), July 1976 7.1M

    This thesis presents a simply structured design for the implementation of process in a kernel-structured operating system. The design provides a minimal mechanism for the support of two distinct classes of processes found in the computer system - those which are part of the kernel operating system itself, and those used to execute user-specified computations. The design is broken down into two levels, one which implements a fixed number of virtual processors, which are then used to run kernel processes, and are multiplexed to provide processes for user computation. Eventcount primitives are provided, in order to provide a simple unified interprocess control communication mechanism. The design is intended to be used in the creation of a secure kernel for the Multics Operating System.

49. Richards, M., A. Evans, and R. Mabee, The BCPL reference manual, MAC-TR-141, December 1974 https://apps.dtic.mil/sti/citations/ADA003599

    BCPL is a language which is readable and easy to learn, as well as admitting of an efficient compiler capable of generating efficient code. It is made self consistent and easy to define accurately by an underlying structure based on a simple idealized object machine. The treatment of data types is unusual and it allows the power and convenience of a language with dynamically varying types and yet the efficiency of FORTRAN. BCPL has been used successfully to implement a number of languages and has proved to be a useful tool for compiler writing. The BCPL compiler itself is written in BCPL and has been designed to be easy to transfer to other machines; it has already been transferred to more than ten different systems.

50. Rodriguez Jr, H., Measuring user characteristics on the Multics system, LCS-TM-89 (S. B. Thesis), August 1977
51. Rotenberg, Leo J., Making Computers Keep Secrets, MAC TR-115, PH.D. thesis, 1 February 1974
52. Saltzer, J. H., Traffic control in a multiplexed computer system, MAC-TR-30 (Sc.D. Thesis), July, 1966 3.3M
53. Saltzer, J. H., Introduction to Multics, MAC-TR-123, February 1974 14.2M

    The Multics project was begun in 1964 by the Computer Systems Research group of M.I.T. Project MAC. The goal was to create a prototype of a computer utility. This technical report represents the Introduction to the users manual for the Multics System. It is published in this form as a convenient method of communications with researchers and students of computer system design. It is divided into three major parts: 1) Introduction to Multics, 2) Reference Guide to Multics and 3) Subsystems Writers' Guide to Multics.

54. Saltzer, J. H., Repaired Security Bugs in Multics, CSR-RFC-5, Feb 27 1973

    part 1 of LCS-TM-87

55. Saltzer, J. H., P. A. Janson, and D. H. Hunt, Some Multics Security Holes which were Closed by 6180 Hardware, CSR-RFC-46, Jan 28 1974

    part 3 of LCS-TM-87

56. Saltzer, J. H., and D. H. Hunt, Some Recently Repaired Security Holes of Multics, CSR-RFC-47, Jan 28 1974

    part 4 of LCS-TM-87

57. Saltzer, J. H., Measurements of Hardware Speed of the 6180, CSR-RFC-19, May 4, 1973
58. Saltzer, J. H., 645/6180 Performance Comparison Tests, CSR-RFC-20, May 17, 1973
59. Saltzer, J. H., Some System Certification Tasks, CSR-RFC-34, Sep 5, 1973
60. Saltzer, J. H., The "Principle of Least Privilege" and Multics, CSR-RFC-35, Feb 14, 1973
61. Saltzer, J. H., A CPU Speed Measurement Tool, CSR-RFC-39, Oct 9, 1973
62. Saltzer, J. H., Measurements of USL Multics, CSR-RFC-103, Dec 1, 1975
63. Saltzer, J. H., On the Modeling of Paging Algorithms, CSR-RFC-106, Feb 13, 1976
64. Saltzer, J. H., Problems of Office Automation, or Why We Don't Use Multics for Typing Important Documents, CSR-RFC-121, Jul 12, 1976
65. Schell, R. R., Dynamic reconfiguration in a modular computer system, MAC TR-86, 1971 5.9M

    This thesis presents an orderly design approach for dynamically changing the configuration of constituent physical units in a modular computer system. Dynamic reconfiguration contributes to high system availability by allowing preventative maintenance, development of new operating systems, and changes in system capacity on a non-interference basis. The design presented includes the operating system primitives and hardware architecture for adding and removing any (Primary or secondary) storage module and associated processing modules while the system is running. Reconfiguration is externally initiated by a simple request from a human operator and is accomplished automatically without disruption to users of the system. This design allows the modules in an installation to be partitioned into separate non-interfering systems. The viability of the design approach has been demonstrated by employing it for a practical implementation of processor and primary memory dynamic reconfiguration in the Multics system at M.I.T.

66. Schroeder, M. D., Cooperation of mutually suspicious subsystems in a computer utility, MAC-TR-104 (Ph.D. Thesis), September 1972 4.9M
67. Schroeder, M. D., D. D. Clark, J. H. Saltzer, and D. M. Wells, Final report of the Multics kernel design project, LCS-TR-196, March 1978 3.7M
68. Sekino, A., Performance evaluation of multiprogrammed time-shared computer systems, MAC-TR-103 (Ph.D. thesis), September 1972

    This thesis presents a comprehensive set of hierarchically organized modular analytical models developed for the performance evaluation of multiprogrammed virtual-memory time-shared computer systems using demand paging. The hierarchy of models contains a user behavior model, a secondary memory model, a program behavior model, a processor model, and a total system model. This thesis is particularly concerned with the last three models. The program behavior model developed in this thesis allows us to estimate the frequency of paging expected on a given processing system. The processor model allows us to evaluate the throughput of a given multi-processor multi-memory processing system under multiprogramming. Finally, the total system model allows us to derive the response time distribution of an entire computer system under study. Since all major factors (such as various system overhead times and idle times) which may decrease a system's computational capacity available for users' useful work are explicitly considered in the analyses using the above models, the performance predicted by these analyses is very realistic. A comparison of the performance of an actual system, the Multics system of M.I.T., and the corresponding performance predicted by these analyses confirms the accuracy of performance prediction by these models. Then, these analyses are applied to the optimization of computer systems and to the selection of the best performing system for a given budget. The framework of a performance evaluation using these hierarchically organized analytical models guides human intuition in understanding the actual performance problems and provides us with reliable answers to most of the basic quantitative performance questions concerning throughput and response time of actual modern large-scale time-shared computer systems.

69. Smith, A. A., Input-output in time-shared, segmented multiprocessor systems, MAC-TR-28 (S.M. thesis), June 1966 1.5M
70. Stern, J. A., Backup and recovery of on-line information in a computer utility, MAC-TR-116 (S.M. & E.E. thesis), January 1974 4.2M

    This thesis describes a design for an automatic backup mechanism to be incorporated in a computer utility for the protection of on-line information against accidental or malicious destruction. This protection is achieved by preserving on magnetic tape recent copies of all items of information known to the on-line file system. In the event of a system failure, file system damage is automatically assessed and missing information is recovered from backup storage. For isolated mishaps, users may directly request the retrieval of selected items of information. The design of the backup mechanism presented in this thesis is based upon existing backup mechanism contained in the Multics system. As compared to the present Multics backup system, the new design lessens overhead, drastically reduces recovery time from system failures, eliminates the need to interrupt system operation for backup purposes, and scales up significantly better with on-line storage growth.

71. Strnad, A. L., The Relational Approach to the Management of Data Bases, LCS-TM-23, April 1971
72. Van Horn, E. C., Computer design for asynchronously reproducible multiprocessing, MAC-TR-34 (Ph.D. thesis), November 1966 7.3M
73. Vogt, C. M., Suspension of processes in a multiplexed computer system, LCS-TM-14, September 1970
74. Voydock, V. L., A Census of Ring 0, CSR-RFC-37, Sep 5 1973

    part 2 of LCS-TM-87

140 Multics Manuals

Published by GE/Honeywell.

Al Kossow at bitsavers.org has scanned many GE and Honeywell Multics manuals and placed them online.

1. 43A239851 DSS181-DSS190 Specification, May 1974 (5.5 MB pdf)
2. 43A239854 600B IOM Specification, Jul 1975 (6.2 MB pdf)
3. 58009906 DPS8 System Manual, Freestanding DPS8 Multics, Aug 1982 This manual is intended as a general system review and maintenance aid for TAC personnel in analyzing and diagnosing system problems beyond level 1 procedure. (4.4 MB pdf)
4. 58009917 DPS8 CPU Installation Instructions, Aug 1984 Installation instructions for a DPS8 CPU. Unpacking, inspection, cable routing, and power-up. (1.5 MB pdf)
5. 60132445 FEP Coupler Specification, Nov 1977 (3.7 MB pdf)
6. AG90 Multics Programmer's Manual: Introduction to Programming on Multics, Dec 1981 (7 MB pdf)
7. AG91 Multics Programmer's manual: Reference Guide, Dec 1975 (11 MB pdf)
8. AG91 Multics Programmer's manual: Reference Guide, Jan 1987 (36 MB pdf)
9. AG92 Multics Programmer's manual: Commands and Active Functions, Nov 1987 (60 MB pdf)
10. AG92 Multics Programmer's manual: Commands and Active Functions, Feb 1980 861 pages. (39 MB pdf)
11. AG93 Multics Programmer's manual: Subroutines and I/O Modules, Nov 1986 (64 MB pdf)
12. AG94 Multics PL/I Language Specification, Mar 1981 (14 MB pdf)
13. AG95 The Multics Virtual Memory, Jun 1972 (reprint of Bensoussan, Clingen, and Daley paper; "Access Control to the Multics Virtual Memory"; and "Series 6000 Features for the Multics Virtual Memory") (11 MB pdf)
14. AK15 The Multics System Summary Description, (brochure), 1974
15. AK24 Multics Software Overview Product Brief, 1973
16. AK26 Multics Model 6180 Hardware Product Brief, 1973
17. AK27 The Multics System, (brochure), 1973
18. AK27-2 The Multics System, (brochure), 1975
19. AK27-3 The Multics System, (brochure), 1977
20. AK50 Multics System Administration Procedures, Dec 1987 The Trusted Facilities Manual required for B2 certification is contained in Part VI "Assuring System Security" and Appendix B "Audit Tables and Include Files" of AK50-03 (Renamed the "Multics System Administration Procedures Manual", May 1985). Part VI consists of Chapters 18 through 26 of the manual and provides guidelines for the system administrator on how to manage Multics as a secure system. [info from Ed Ranzenbach] (21 MB pdf)
21. AK50 Multics System Administrators' Manual, Feb 1973 An early version of the MSAM. (4 MB pdf)
22. AK51 Multics Project Administrators' Guide, Feb 1985 (4 MB pdf)
23. AK52 Multics Administrative Functions Product Brief, 1973
24. AK92 Multics Programmer's manual: Subsystem Writer's Guide, Mar 1979 (20 MB pdf)
25. AK95 Multics APL Users' Guide, Dec 1985 (11 MB pdf)
26. AK96 Multics Programmer's manual: System Programmer's Supplement, no date
27. AL39 Multics Processor Manual, Nov 1985 461 pages. (18 MB pdf)
28. AL39-01C Multics Processor Manual, Nov 1985 358 pages. (1.5 MB searchable pdf thanks to Bob Mabee)
29. AM81 Multics Operator's Handbook, Nov 1986 (29 MB pdf)
30. AM82 Multics BASIC, Feb 1981 (29 MB pdf)
31. AM82 Multics BASIC Update, Dec 1984 (2 MB pdf)
32. AM83 Multics PL/I Reference Manual, Sep 1978 (31 MB pdf)
33. AN05 GCOS Environment Simulator, Dec 1985 (6 MB pdf)
34. AN50 Guide to Multics Manuals, July 1985 Description of the Contents of All Multics Manuals Including Lists Showing Where Individual Modules are Documented
35. AN51 System Tools PLM, 1979 This Program Logic Manual (PLM) is not structured in the same manner as most others in this series. The System Tools PLM consists only of a number of command and subroutine descriptions with no design motivation, implementation description, or data structure description except what is needed to describe the use of the command or subroutine as a tool. (source at web.mit.edu)
36. AN52 Multics System Metering, Feb 1979 (5 MB pdf)
37. AN53 Multics System Dump Analysis, June 1975 (5 MB pdf) (source at web.mit.edu)
38. AN54 PL/I Compiler PLM, Aug 1974 The PL/1 compiler translates a source program written in the PL/1 language into an equivalent Multics standard object segment. This compiler represents an implementation of the PL/1 language as defined in the PL/1 Language Manual (Order No. AG94). The entire compiler is written in the same language, and therefore, is self reproducible. (compiled from runoff source at https://web.mit.edu/multics-history/source/Multics/doc/PLM/archives)
39. AN57 Multics User Ring Input/Output System PLM, May 1977 (13 MB pdf) (source at web.mit.edu)
40. AN61 Multics Storage System: Program Logic Manual, Sep 1978 Internal logic of the Multics Storage System. (23 MB pdf) (source at web.mit.edu)
41. AN63 Multics ALM Assembler SDN, February 1975 (1 MB pdf)
42. AN69 Multics Message Segment Facility SDN, Oct 1979 (3 MB pdf) (source at web.mit.edu)
43. AN70 System Initialization Program Logic Manual, May 1984 (8 MB pdf) (source at web.mit.edu)
44. AN70 System Initialization Program Logic Manual, Feb 1975 (8 MB pdf)
45. AN71 Reconfiguration Program Logic Manual, Apr 1977 (2 MB pdf) This document describes the implementation and design of the Multics dynamic reconfiguration software for the major hardware modules of the system. This document is limited to processor, system controller and bulk store memory reconfiguration although there are many more hardware and software switchable modules in the system. (source at web.mit.edu)
46. AN71 Reconfiguration Program Logic Manual, June 1974 (2 MB pdf)
47. AN76 Multics Carry Facility, Feb 1981 (1 MB pdf)
48. AN77 Multics GCOS Environment Simulator, Apr 1977 (source at web.mit.edu)
49. AN80 Level 68 & DPS8/M Library Maintenance SDN, May 1979 (6 MB pdf) (source at web.mit.edu)
50. AN82 Multics Standards SDN, June 1980 (3 MB pdf) Description of the Standards, Conventions, and Guidelines Used in the Software and Documentation of the Multics Operating System. (source at web.mit.edu)
51. AN83 FORTRAN Compiler PLM, Mar 1979 The FORTRAN Program Logic Manual (PLM) deals solely with the parse and semantic translation phases of the Multics FORTRAN Compiler. (source at web.mit.edu)
52. AN85 Multics Communication System SDN, Oct 1979 (14 MB pdf)
53. AN87 Multics Hardware and Software Formats PLM, March 1980 (7 MB pdf) (source at web.mit.edu)
54. AR97 Multics System Diagnostic Aids, Dec 1983 (7 MB pdf)
55. AS40 Multics Graphics System, Aug 1981 (12 MB pdf)
56. AS43 Multics COBOL Users' Guide, Jul 1981 (12 MB pdf)
57. AS44 Multics COBOL Reference Manual, Jul 1981 (20 MB pdf)
58. AS68 Multics Administrator's Manual - Registration and Accounting, Jul 1982
59. AT58 Multics FORTRAN, Dec 1983 (8 MB pdf)
60. AT59 Multics DFAST Subsystem Users' Guide, Mar 1976 (3 MB pdf)
61. AT71 MSU0402 Manual, Oct 1983 (1 MB pdf)
62. AU25 Multics FAST Subsystem Reference Guide, Sep 1979 (5 MB pdf)
63. AU77 Multics Online Test and Diagnostics Reference Manual, Mar 1984 (7 MB pdf)
64. AW17 Multics Pocket Guide: Commands and Active Functions, Apr 1976 (2 MB pdf)
65. AW32 Multics SORT/MERGE, Jul 1976 (2 MB pdf)
66. AW53 Multics Relational Data Store (MRDS) -- Reference Manual, Mar 1984 (15 MB pdf)
67. AX31 VIP 72xx Operator Manual, May 1981 (3 MB pdf)
68. AX49 Multics Peripheral Input/Output, Jul 1982 (10 MB pdf)
69. AY03 MSU0500 Manual, Dec 1979 (1 MB pdf)
70. AY34 Datanet Operator Manual, May 1980 (7 MB pdf)
71. AZ03 System Programming Tools, (includes TECO), Jul 1982 (16 MB pdf)
72. AZ49 Logical Inquiry and Update System (LINUS), Aug 1986 (7 MB pdf)
73. AZ98 Multics WORDPRO Reference Guide, Jul 1983 (13 MB pdf)
74. CC34 Multics Bulk Input/Output, Jul 1982
75. CC69 Multics Report Program Generator (MRPG) Reference Manual, Nov 1982 (7 MB pdf)
76. CC70 FORTRAN Users' Guide, Dec 1983 (9 MB pdf)
77. CC74 Multics Administrator's Manual - Resource Control, Feb 1983
78. CC75 Multics Administrator's Manual - Communications Administration, Feb 1985 (6 MB pdf)
79. CC75 Multics Administrator's Manual - Communications Administration, Dec 1983 (6 MB pdf)
80. CC92 Multics Communications Input/Output, Jul 1982 (8 MB pdf)
81. CC96 Multics Transaction Processing Reference Manual, Jun 1979 (3 MB pdf)
82. CG18 Multics Remote Batch Facility (Level 68 to Level 6), Jul 1979 (2 MB pdf)
83. CG40 QEDX Text Editor User's Guide, Feb 1983 (6 MB pdf)
84. CH23 Multics Extended Mail System User's Guide, Feb 1982 (8 MB pdf)
85. CH24 New Users' -- Part I, Nov 1979 (4 MB pdf)
86. CH25 New Users' Introduction to Multics -- Part II, Nov 1979 (4 MB pdf)
87. CH26 Multics Error Messages: Primer and Reference Manual, Sep 1980 ( MB pdf)
88. CH27 Emacs Manual, December 1979 (14 MB pdf)
89. CJ27 Emacs Text Editor User's Guide, December 1979 (7.6 MB pdf)
90. CJ52 Emacs Extension Writer's Guide, January 1980 (3.5 MB pdf)
91. CJ52 Emacs Extension Writer's Guide, Jul 1982 (9.4 MB pdf)
92. CJ97 Multics Page Processing System Utility Manual, May 1980 (1 MB pdf)
93. CP31 Level 68 Introduction to Emacs, no date
94. CP50 Multics Text Editor (TED) Reference Manual, Oct 1985 (7 MB pdf)
95. CP51 Multics Menu Creation Facilities, Feb 1985 (8 MB pdf)
96. CP92 VIP7201 Reference Manual, Jul 1983 (6 MB pdf)
97. CT38 Resource Control User Guide, Jun 1981 (3 MB pdf)
98. CW99 PRU901 Manual, May 1982 (4 MB pdf)
99. CX20 Fundamentals of Multics Executive Mail, no date
100. CX72 Executive Facilities Editing Operations Ref Card, no date
101. CY73 Inter-Multics File Transfer Facility Ref Manual, Dec 1983 (3 MB pdf)
102. CY74 Multics Forum Interactive Meeting System Users' Guide, Feb 1985 (10 MB pdf)
103. CY93 PRU7070 Handbook, Dec 1982 (5 MB pdf)
104. DB37 DSS190 Reference, May 1974 (2.6 MB pdf)
105. DF48 Series 60 Level 68 DPS Pocket Guide, June 1978 (1.7 MB pdf)
106. DJ18 Guide to Multics Wordpro for New Users, no date
107. DL92 Honeywell Multics Distributed Processing System, Summary Overview, 1982
108. DL92 Multics brochure, 1982 (21.5 MB pdf)
109. DOD 1100.19-M Wartime Manpower Planning System (WARMAPS), ADP System Users Manual, Mar 1987 1 MB PDF, 60 pages
110. DS44 Honeywell Multics, (brochure), 1983
111. DS45 Honeywell DPS8/Multics, (brochure), 1983
112. DU06 Fundamentals of Multics Forum Interactive Meeting System, no date
113. DU34 DPS8 Site Preparation Manual, Jan 1986 (5 MB pdf)
114. DV74 Texto Reference Manual, no date
115. DW19 Multics MegaCalc User's Guide, no date
116. DX71 Fundamentals of Multics Executive Forum, no date
117. F01 Introduction to Multics Course Notes, Oct 1978 (20 MB pdf)
118. F15C Multics Course Notes F15C, Sep 1983 (7 MB pdf)
119. F15D Multics Course Notes F15D, May 1981 (15 MB pdf)
120. F21 Multics Course Notes F21, Jul 1981 (11 MB pdf)
121. F80 Multics Course Notes F80, Mar 1983 (18 MB pdf)
122. F86 Multics Course Notes F86, no date (7 MB pdf)
123. F88 Multics Course Notes F88, no date (10 MB pdf)
124. GA01 Multics Data Security, (brochure), 1983 Based on Dave Jordan's article in Scientific Honeyweller, June 1981
125. GB58 Multics Common Commands Manual, (GB18?), Feb 1983 (10 MB pdf)
126. GB59 DPS 6/Multics Satellite 6M Reference Manual, no date
127. GB60 Multics HASP Service and Utility, Oct 1983
128. GB61 Operator's Guide to Multics, Dec 1987 (13 MB pdf)
129. GB62 Multics Pascal User's Guide, Mar 1984
130. GB63 Multics Report Writer Reference Manual, Jan 1985 (5 MB pdf)
131. GB64 Administration, Maintenance, and Operations Commands, Nov 1986 (26 MB pdf)
132. GB65 Multics/Personal Computer File Transmission Facility, no date
133. GB66 Multics On-Line Work Station Environment User's Guide, no date
134. GL71 Multics Simplified Computing and Filing Facility, Feb 1984
135. GN08 Multics Emacs Reference Card, no date
136. HH07 Multics C User's Guide, Nov 1987 (7 MB pdf)
137. HM28 MOWSE Application Programmer's Manual, (online only in >udd>Doc>userd), 02/87
138. LSB 0468 System Manual GE-645, Jan 1968 (14 MB pdf)
139. Vform Multics Virtual Forms Reference Guide, Oct 1985 9.4 MB PDF
140. YL77 Multics Cray Station Users' Guide, no date

130 Multics Repository Documents

Internal design documents used by the development team in the 1960s. Three series, M, G, and B, for MIT, GE, and Bell Labs. This table is derived from TOC memos M0116, M0117, M0118, and M0119.

1. B0005 EPL Design Journal #4, 1965-08-09, McIlroy, M. D.
2. B0008 FJCC: Structure of Multics Supervisor, 1965-09-16, Vyssotsky, V. A., F. J. Corbató, and R. M. Graham
3. B0009 FJCC: General Purpose File System, 1965-09-16, Daley, R. C., and P. G. Neumann
4. B0010 FJCC: Communication in I/O Switching, 1965-09-17, Ossanna, J. F., L. Mikus, and S. D. Dunten
5. B0015 Multics Personnel and Work Assignments at BTL, 1965-12-29, B. A. Tague
6. B0021 Debugging and Multics (supersedes M0039), 1965-11-09, Brown, W. S.
7. B0039 Software Tools for Monitoring and Tracing in Multics, 1966-02-15, Gimpel, J. F.
8. B0043 Big Computing and Multics, 1966-03-30, McIlroy, M. D.
9. B0044 EPL Manual -Reprint IBM Operating System/360 PL/I: Language Specifications, 1966-04-01, IBM
10. B0045 A Proposed Outerview of Performance Monitoring in Multics, 1966-04-13, Gimpel, J. F.
11. B0057 Character Conversion for PRT-202 Line Printer, 1966-05-10, Vyssotsky, V. A.
12. B0057 Character Conversion for PRT-202 Line Printer, 1966-05-10, V. A. Vyssotsky
13. B0060 Fault Tags and the IT modifier in the 645 Processor, 1966-06-03, Tague, B. A.
14. B0066 Proposed Context Editor Edit(Audit), 1966-07-22, Kaiman, A.
15. B0067 Some Thoughts and Ideas Pertaining to Tasking, 1968-01-08, Farber, D. J., and R. L. Wexelblat
16. B0081 Service Routines for Debugging Multics - Case 27131-41, 1967-03-02, L. D. Whitehead
17. B0086 Compendium of PL/I (EPL) Run-Time Library, 1967-06-15, Hyde, J. P.
18. B0088 QED Text EdItor, 1967-08-05, Thompson, K. L.
19. B0092 Manually Aborting an IMCV Job, 1967-03-02, R. K. Rathbun
20. B0093 645 Standard Multics Checksum, 1967-11-02, R. K. Rathbun
21. B0095 Current History Permuted Index BTL/GE/MIT, 1966-08-01, Serido, J.
22. B0097 CURRENT BTL, GE, MIT MULTICS PERMUTED INDEX, 1968-05-17, Serido, J.
23. B0099 BTL, GE, MIT MULTICS PERMUTED INDEX -- LISTING OBSOLETE DOCUMENTS ONLY , 1968-05-17, Serido, J.
24. B0100 The Multics Device Utility Package (DUP), OS/27/68, Jones, S. W.
25. G0004 636 Simulation Package, 1965-08-30, Ziegler, G. G.
26. G0006 Free Standing GECOS - GIOC Version, nd, McGee, R. C.
27. G0007 Proposal for Developing Multics Documentation, 1965-10-11, Haig, H. C., B. A. Tague, and R. C. McGee
28. G0012 GE-645 Bootstrap Assembler(BSA), 1966-01-01, anonymous
29. G0013 Peripheral T and D Interface with 645 Software, 1966-02-03, Matthews, H. D.
30. G0015 On-Line Testing in a 636 Time-Sharing System, 1965-10-21, Mikus, L. E.
31. G0016 Memo on 645 Mnemonics, 1966-01-18, McGee, R. C.
32. G0029 Design Notebook Appendix C.Rev., 1965-03-11, Oliver, G. A.
33. G0030 Memo on Las Vegas Changes, 1966-04-19, McGee, R. C.
34. G0031 Definition of Inactive Mode in the GIOC, 1966-04-20, McGee, R. C.
35. G0034 645 Utility Program, 1966-05-12, Hobbs, R. J., and R. M. Foster
36. G0035 Initial Utilization of the GE-645 at Project MAC, 1966-05-20, McGee, R. C., V. B. Nguyen, D. H. Slosberg, and D. E. Joel
37. G0036 M50EB00131 -Performance Specification -Multics Assembler, 1966-06-15, McGee, R. C.
38. G0037 SPS-B-645 Simulator, 1966-08-09, McGee, R. C.
39. G0038 SPS-B Multics Assembler (M50EB00131), 1966-08-22, McGee, R. C.
40. G0039 SPSB 645 Free-Standing Simulator (M50EB00171), 1966-08-22, McGee, R. C.
41. G0040 EPS MTH211 and MTH311 Magnetic Tape Units, 1966-08-22, McGee, R. C.
42. G0041 SPS GE-645 Gecos-IOC Version (M50EB00006), 1966-08-22, McGee, R. C.
43. G0042 SCU Instruction Format, 1966-11-22, Stoller, G. S.
44. G0043 SPS-C Multics/Gecos Monitor (M50EB00188), 1966-09-01, McGee, R. C.
45. G0044 SPS-B GE-645 PL/I Compiler (M50EB00175), 1966-09-01, McGee, R. C.
46. G0045 EPS Extended Character Set Printer Subsystem (PRT202) (M50EB00070), 1966-09-01, McGee, R. C.
47. G0046 Errata G0042, 1966-12-05, Stoller, G. S.
48. G0047 600 Series GE Specifications, 1966-12-08, Bash, J. L.
49. G0048 Distribution of Specifications, 1966-12-12, Bash, J. L.
50. G0049 Fortran IV Language Manual, 1967-01-12, Bash, J. L.
51. G0050 GIOC Manual, 1967-01-12, Bash, J. L.
52. G0051 Correction to G0049, 1967-01-12, Bash, J. L.
53. G0053 Renumbering of Repository Document, INDEX, 1967-05-11, Bash, J. L.
54. G0054 Revised INDEX, 1967-06-16, Bash, J. L.
55. G0055 Compendium of PL/I (EPL) Run-Time Mathematics Library, 1967-09-01, Goldberg, I. B.
56. G0056 Current INDEX Revision, 1967-09-13, Bash, J. L.
57. G0057 Current VOCAB Revision, 1967-09-25, Bash, J. L.
58. G0058 Phase I Test Experiment, 1967-10-02, Shy, I.
59. G0059 The Multics Operating System, 1967-05-01, CISL
60. G0060 EPL User's Reference Manual, 1967-12-01, CISL
61. G0061 CISL User Manuals on MULTICS (memo), no date, Bash, J. L.
62. G0062 Current INDEX Revision, 1968-01-26, Bash, J. L.
63. G0063 CTSS Console User's Manual, 1968-01-01, CISL
64. G0065 Errata to EPL User's Reference Manual, 1968-02-05, Benjafield, G.
65. G0066 Memo Re: G0067, 1968-02-12, CISL
66. G0067 Handbook of Operating Information, Configuration A/Multics, 1968-11-01, CISL
67. G0068 Current Revision of VOCAB, 1968-02-15, Bash, J. L.
68. G0069 Intermediate Update of INDEX and VOCAB, 1968-03-08, Bash, J. L.
69. G0070 EPL User's Reference Manual, Revision 1, 1968-04-01, CISL
70. G0071 Multics PL/I Language Reference Manual Questionnaire, 1969-05-09, Bash, J. L.
71. G0072 EPLBSA Manual, 1968-04-01, CISL
72. G0073 Initial Multics Console User's Manual, 1968-07-01, CISL
73. G0074 EPL Glossary of Terms, 1968-08-01, Hart, J. E.
74. G0075 GE-645 Address Modification, 1968-09-01, Riesenberg, D. J.
75. G0076 Updates to the Glossary of Multics Terms (Vocabulary), 1968-09-04, Bash, J. L.
76. G0077 Interim FL Reference Manual, 1968-10-29, Riesenberg, D. J.
77. G0078 Interim I/O Document, 1968-12-20, Goudy, M. L.
78. G0080 Significant Features of Multics PL/I, 1969-01-21, Freiburghouse, R. A.
79. G0081 Compatibility Consideration of the PL/I Implementation, 1969-01-21, Freiburghouse, R. A.
80. G0082 Update to EPL Manual G0070, 1969-01-22, Bash, J. L.
81. G0084 MULTICS Condensed Guide, 1969-06-01, CISL
82. G0085 Chapter I of MULTICS User Procedures (Calls to the File System), 1969-07-01, Hart, J. E.
83. G0086 Multics User Procedures Update (Chapter 1), 1969-07-28, Hart, J. E.
84. G0087 Chapter II of MULTICS User Procedures (Interim Document on I/O Calls), 1969-08-06, Bash, J. L.
85. G0088 Multics User Procedures Update (Chapter I), 1969-08-15, Hart, J. E.
86. G0089 Update to G0087, Interim Document on I/O Calls, no date, Bash, J. L.
87. G0090 Working paper on Program Naming Problems in a Shared Tree Structured Hierarchy, 1969-08-22, Clingen, C. T.
88. G0091 A User's Guide to the MULTICS Fortran Implementation, 1969-10-01, Freiburghouse, R. A.
89. G0092 A User's Guide to the MULTICS PL/I Implementation, 1969-10-01, Freiburghouse, R. A.
90. M0047 FJCC: Intro. & Overview of Multics, 1965-09-17, Corbató, F. J., and V. A. Vyssotsky
91. M0048 FJCC: System Design of a Computer for Time Sharing Applications, 1965-09-17, Glaser, E. L., J. F. Couleur, and G. A. Oliver
92. M0049 FJCC: Some Thoughts about the Social Implications of Accessible Computing, 1965-09-17, David, E. E.
93. M0052 Debugging Aids for the Multics System (Revised), 1965-11-09, Wagner, D. B.
94. M0054 Proposal for a System of Clocks for Multics, 1965-11-16, Saltzer, J. H.
95. M0058 Outline of Proposed Interactive Debugging Aids for Multics, 1966-01-19, Wagner, D. B.
96. M0060 Thoughts About Operating Multics, 1965-12-17, Oppert, D. E.
97. M0062 System Metering, 1966-03-17, Widrig, D. R.
98. M0063 Conversion of Typset Files to Flexowriter Tapes, 1966-03-11, Magnuski, H. S.
99. M0065 Operational Description of the EPLBSA Assembler, 1966-05-26, Poduska, J. W.
100. M0066 Resource Management and Accounting for Multics, 1966-06-26, Van Vleck, T. H.
101. M0070 Character Handling and PL/I, 1966-06-30, Saltzer, J. H.
102. M0071 ASCII Graphics on Multics, 1966-06-30, Saltzer, J. H.
103. M0076 Operating Procedures for the Model 2201 Flexowriter to Prepare Documents for Multics, 1966-08-25, Selwyn, L. L.
104. M0077 Traffic Control in a Multiplexed Computer System, 1966-00-22, Saltzer, J. H.
105. M0082 Examples of PL/I Subroutines, 1966-11-22, Corbató, F. J., and A. Evans
106. M0085 Use of QED and ROFF, 1967-01-19, Graham, R. M.
107. M0086 A Guide to Multics for Subsystem Writers-I, 3/67, Organick, E. I.
108. M0087 A Guide to Multics for Subsystem Writers-II, 4/67, Organick, E. I.
109. M0089 Error in hash-coding algorithm, 1967-04-10, Corbató, F. J., and A. Evans
110. M0090 A Guide to Multics for Subsystem Writers Chapter III, 8/67, Organick, E. I.
111. M0094 Virtual Memory, Processes, and Sharing in Multics, 1967-10-14, Daley, R. C., and J. B. Dennis
112. M0095 Protection in an Information Processing Utility, 1967-10-14, Graham, R. M.
113. M0103 PL/I As a Tool for System Programming, 1968-07-02, Corbató, F. J.
114. M0104 A Paging Experiment with the Multics System, 1968-07-01, Corbató, F. J.
115. M0105 Sensitive Issues in the Design of Multi-Use Systems, 1968-11-12, Corbató, F. J.
116. M0106 A Guide to Multics for Subsystem Writers Chapter IV, 1969-01-01, Organick, E. I.
117. M0107 A Guide to Multics for Subsystem Writers -Chapter V, 1969-02-01, Organick, E. I.
118. M0108 A Guide to Multics for Subsystem Writers -Chapter VI, 1969-03-01, Organick, E. I.
119. M0109 Annotated Bibliography of Multics, 1969-04-16, Saltzer, J. H., and R. M. Graham
120. M0110 BCPL Manual for Multics, 1969-07-30, Evans, A.
121. M0111 The Multics Virtual Memory, 1969-10-01, Bensoussan, A., C. T. Clingen, and R. C. Daley
122. M0112 The Instrumentation of Multics, 1969-10-01, Saltzer, J. H., and J. W. Gintell
123. M0113 The Role of Motherhood in the Pop Art of System Programming, 1969-08-21, Neumann, P. G.
124. M0114 The Multics Interprocess Communication Facility, 1969-07-29, Spier, M. J., and E. I. Organick
125. M0115 System performance effects of the new PL/I compiler, 1969-10-14, Corbató, F. J.
126. M0116 MAC Repository list, 1969-12-01, Gardner, R.
127. M0117 GE Repository List, 1969-07-19, Gardner, R.
128. M0118 GE Repository list, 1969-12-01, Gardner, R.
129. M0119 BTL Repository list, 1969-12-01, Gardner, R.
130. M0132 A Multics Process (System 17.11a), 1972-12-08, Greenberg, B., and M. Miyazaki

29 Multics Design Document Series

The Multics Design Document series, specifically produced by Honeywell for the B2 evaluation effort, includes some documents written for the project. Others were existing manuals that were found to be adequate for the evaluation but were to eventually be re-written for consistency. [info from Ed Ranzenbach]

1. MDD-001 Overview and Index of Multics Design Documents (Margulies, B.) Introduction to Multics Design Documents. The index of all Multics Design Documents.
2. MDD-002-01 Multics Security Model -- Bell and La Padula (Tague, R. Michael) The Multics system enforces a security policy that is an implementation of the security model described by Bell and La Padula. This Multics Design Document (MDD) presents the relationship between the actual implementation in Multics and the model.
3. MDD-003 Overview of the Multics TCB (Sibert, W. Olin) Overview of the Multics Virtual Memory System, Metering, and the Supervisor.
4. MDD-004-01 Multics Functional Testing (Dickson, Paul) This MDD contains documentation on the Multics Functional Testing Suite.
5. MDD-005-02 System Initialization (Farley, Paul) The internal organization of Multics System Initialization.
6. MDD-006-01 Directory Control (Dixon, Gary C.) Internal Organization of the Directory Control and the Address and Name Space Management functions within the Multics system.
7. MDD-007-01 VTOCE File System (Margulies, Benson I., and Ed Sharpe) The management and internal organization of storage system physical disk volumes on Multics.
8. MDD-008 Online Storage Volume Management (Sharpe, Ed) This MDD describes the management of Online Storage Volumes.
9. MDD-009 Resource Control Package (Pozzo, Maria M.) This MDD covers the management and internal organization of resources (devices and volumes) on Multics.
10. MDD-010-01 System / User Control (Swenson, E., and Jim Lippard) The management and internal description of the system/user control subsystem on Multics.
11. MDD-011 Page Control (Honeywell) unpublished
12. MDD-012-01 I/O Interfacer (IOI) (Jones, Chris) This MDD describes the features and operations of the I/O interfacer (IOI), as well as those hardware features which make its operation possible.
13. MDD-013 Multics Message Segment Facility (Pandolf, Michael A.) Description and documentation of the internal and user interfaces of the Multics Message Segment Facility.
14. MDD-014 Hierarchy Backup Dumper (Honeywell) unpublished
15. MDD-015 Interprocess Communication (Honeywell) unpublished
16. MDD-016 Volume Backup Dumper (Honeywell) unpublished
17. MDD-017 Multics I/O SysDaemon (Gilcrease, George) An overview of the operation of the I/O SysDaemon. The scope of this document is a synopsis of the I/O SysDaemon software: a description of the primary associated databases, and a narrative of the order of events and communication between the I/O SysDaemon coordinator process and a representative driver process.
18. MDD-018 Reconfiguration (Honeywell) unpublished
19. MDD-019 Traffic Control (Coren, Robert S.) This document describes the policies and algorithms of Multics Traffic Control, which is that part of the supervisor that manages the allocation of processors among processes.
20. MDD-020 Multics Runtime Environment (Weaver, Melanie) Explanation of the runtime environment, including process structure and initialization, ring crossing mechanisms, object format and dynamic linking, area management, and condition signalling and handling.
21. MDD-021 Fault and Interrupt Handling (Honeywell) unpublished
22. MDD-022 System Administration (Honeywell) unpublished
23. MDD-023 Online T&D (Honeywell) unpublished
24. MDD-024 System Logging (Sharpe, Ed) Describes the system logging mechanisms. This document also provides a foundation for MDD-029 "Security Auditing".
25. MDD-025 Hardcore I/O (Honeywell) unpublished
26. MDD-026 Salvaging and Scavenging (Honeywell) unpublished
27. MDD-027 MCS (Honeywell) unpublished
28. MDD-028 SysDaemons (Honeywell) unpublished
29. MDD-029 Security Auditing (Sharpe, Ed) Describes the system security audit trail. Some descriptions in this document are dependent upon the contents of MDD-024 "System Logging".

27 Multics Design Notebook Sections

Documents produced by Project MAC and BTL people at the beginning of Multics design.

1. MDN cover Multics Design Notebook - cover (Corbato, F. J.)
2. MDN 1 Multics Design Notebook - Introduction (Corbato, F. J.)
3. MDN 2 A Proposal for GE 636 Segment Conventions (Corbato, F. J.)
4. MDN 4 The Shell: A Global Tool for Calling and Chaining Procedures in the System (Pouzin, Louis)
5. MDN 4 A Proposal for a Minimal Assembler, GAP, for the GE 636 (Graham, R. M.)
6. MDN 5 RUNCOM - A Macro-Procedure Processor for the 636 System (Pouzin, Louis)
7. MDN 6 General Comments on Scheduling, Resource Allocation, and Storage Management (Corbato, F. J., and J. H. Saltzer)
8. MDN 7 A Proposal for the GE 636 File System (Daley, R. C.)
9. MDN appA, MAC-M-182 Preliminary Notes on the Hard Matter for the MAC 635 (Glaser, E. L.)
10. MDN appB MAC System Proposal Installation Summary (Corbato, F. J.)
11. MDN appC Segmentation in the 636 (Couleur, J. F.)
12. MDN appD, CC-241 A Generalized File Structure and Input/Output System (Daley, R. C., R. J. Creasy, and R. M. Graham)
13. MDN appE, PSN-32 A CTSS Secondary Storage Back-up and File Retrieval Scheme (Bailey, M. J., and R. C. Daley)
14. MDN appF Library Subroutines, Commands, File Organization (Pouzin, Louis)
15. MDN appG User Interrupts, Commands, Console I/O, and User Option Switches (Saltzer, J. H.)
16. MDN appH On the Format of Files Containing Programs (Saltzer, J. H.)
17. MDN appI A Proposed Character Set for the GE 636 (Corbato, F. J., and R. Morris)
18. MDN appJ Assembly Programs in a Time-Sharing System (Graham, R. M.)
19. MDN appK On Providing a Keypunch Facility for the 636 (Saltzer, J. H.)
20. MDN appL, MAC-M-229 Proposed Datanet-30 Program (Dunten, S. D.)
21. MDN appM Allocation of Time-Sharing System Resource (Saltzer, J. H.)
22. MDN appN Notes on 636 Simulation (Ziegler, G. G., and J. Myers)
23. MDN appO Plan for Using the 6.36 (Ziegler, G. G., and J. Myers)
24. MDN B.1 Early NPL Subset (Morris, R., and M. D. McIlroy)
25. MDN B.2 A Survey of the Software for the GE636 (Neumann, P. G., and V. A. Vyssotsky)
26. MDN B.3 Data Layouts in ENPL for the GE636 (McIlroy, M. D.)
27. MDN G.1 Thoughts on Paging (Joel, D. E.)

61 Multics Planning Notebook Sections

A multi-section management document describing Multics production milestones and tasks in 1967-69.

1. MPN-Benchmarks-1 Initial Multics: Major Demonstratable Benchmarks (GE Staff)
2. MPN-Benchmarks-2 Initial Multics: Major Demonstratable Benchmarks (GE Staff)
3. MPN-coding-1 Initial Multics: Coding Status (GE Staff)
4. MPN-coding-2 Initial Multics: Coding Status (GE Staff)
5. MPN-coding-3 Initial Multics: Coding Status (GE Staff)
6. MPN-coding-4 Initial Multics: Coding Status (GE Staff)
7. MPN-coding-5 Initial Multics: Coding Status (GE Staff)
8. MPN-coding-6 Initial Multics (including Phase I) Coding Status (GE Staff)
9. MPN-coding-7 Initial Multics (including Phase I) Coding Status (GE Staff)
10. MPN-intro Status of Multics Tasks (Bennett, G. D.)
11. MPN-IS-01 Initial Multics: Integration Strategy (GE Staff)
12. MPN-IS-02 Initial Multics: Integration Strategy (GE Staff)
13. MPN-IS-03 Initial Multics: Integration Strategy (GE Staff)
14. MPN-IS-04 Initial Multics: Integration Strategy (GE Staff)
15. MPN-IS-05 Initial Multics: Integration Strategy (GE Staff)
16. MPN-IS-06 Initial Multics: Integration Strategy (GE Staff)
17. MPN-IS-07 Initial Multics: Integration Strategy (GE Staff)
18. MPN-IS-08 Initial Multics: Integration Strategy (GE Staff)
19. MPN-IS-09 Initial Multics: Integration Strategy (GE Staff)
20. MPN-IS-10 Initial Multics: Integration Strategy (GE Staff)
21. MPN-Minutes-01 Weekly Planning Meeting (January 22, 1968) (Bennett, G. D.)
22. MPN-Minutes-02 Multics Planning Meeting Held January 29, 1968 (Bennett, G. D.)
23. MPN-Minutes-03 Multics Planning Meeting Held 2/5/68 (Bennett, G. D.)
24. MPN-Minutes-04 Weekly Planning Meeting 2/12/68 (Bennett, G. D.)
25. MPN-Minutes-05 Multics Planning Meeting - February 19, 1968 (Bennett, G. D.)
26. MPN-Minutes-06 Multics Planning Meeting - February 26, 1968 (Bennett, G. D.)
27. MPN-Minutes-07 Multics Planning Meeting - March 4, 1968 (Bennett, G. D.)
28. MPN-Minutes-08 Multics Planning Meeting - March 11, 1968 (Bennett, G. D.)
29. MPN-Minutes-09 Multics Planning Meeting - March 18, 1968 (Bennett, G. D.)
30. MPN-Minutes-10 Multics Planning Meeting - March 25, 1968 (Bennett, G. D.)
31. MPN-Minutes-11 Multics Planning Meeting - April 1, 1968 (Bennett, G. D.)
32. MPN-Minutes-12 MPN Updating (Bennett, G. D.)
33. MPN-Minutes-13 Multics Planning Meeting - April 8, 1968 (Bennett, G. D.)
34. MPN-Minutes-14 Multics Planning Meeting - April 15, 1968 (Bennett, G. D.)
35. MPN-Minutes-15 Updating - MPN (Bennett, G. D.)
36. MPN-Minutes-16 Multics Planning Meeting - April 22, 1968 (Bennett, G. D.)
37. MPN-Minutes-17 Multics Planning Meeting - 4/29/68 (Bennett, G. D.)
38. MPN-Minutes-18 Multics Planning Meeting - May 6, 1968 (Bennett, G. D.)
39. MPN-Minutes-19 Status of Multics Tasks (Bennett, G. D.)
40. MPN-Minutes-20 Multics Tasks - May 27, 1968 0 June 1, 1968 (Bennett, G. D.)
41. MPN-Misc-1 System Schedule for the Week: Wed 6 thru Tue 12/March 1968 (GE Staff)
42. MPN-Misc-2 Hardware on Site as of 1967-12-04 (MIT) (GE Staff)
43. MPN-Misc-3 Hardware on Site as of 1967-12-14 (BTL) (GE Staff)
44. MPN-Misc-4 Checkout and Consolidation (GE Staff)
45. MPN-SI-1 Segment Inventory Initial Multics (GE Staff)
46. MPN-SI-2 Segment Inventory Initial Multics (GE Staff)
47. MPN-SI-3 Segment Inventory Initial Multics (GE Staff)
48. MPN-SI-P1-1 Segment Inventory Phase I (GE Staff)
49. MPN-SI-P1-2 Segment Inventory Phase I (GE Staff)
50. MPN-Tasks-01 Multics Tasks (GE Staff)
51. MPN-Tasks-02 Multics Tasks (GE Staff)
52. MPN-Tasks-03 Multics Tasks (GE Staff)
53. MPN-Tasks-04 Multics Tasks (GE Staff)
54. MPN-Tasks-05 Multics Tasks (GE Staff)
55. MPN-Tasks-06 Multics Tasks (GE Staff)
56. MPN-Tasks-07 Multics Tasks (GE Staff)
57. MPN-Tasks-08 Multics Tasks (GE Staff)
58. MPN-Tasks-09 Multics Task Area Reports (Bennett, G. D.)
59. MPN-Tasks-10 Multics Tasks (GE Staff)
60. MPN-Tasks-11 Multics Tasks (GE Staff)
61. MPN-toc Multics Planning Notebook - Table of Contents (GE Staff)

88 Multics Operating Staff Notes

Documents given to machine operators at the MIT and GE/Honeywell development sites. Later incorporated into Honeywell manuals.

1. MOSN-1.0 Target Table of Contents for Model 6180 MOSNs (Goudy, Maxon L.)
2. MOSN-10.1.2 Memory read Procedures for Memory Parity Errors (Fakoury, Richard E.)
3. MOSN-10.1.5 Problems Returning to BOS (Morris, Noel I.)
4. MOSN-10.1.7 How to Dump Bos (Waclawski, John W., and Noel I. Morris)
5. MOSN-10.3.2 New Tape Drive Recovery Procedure (Grady, Michael J.)
6. MOSN-11.1 Answerback Coding Requirements for Multics I/O Terminals (Vinograd, David R.)
7. MOSN-11.2 Interface Requirement for Low Speed Data Access to Multics (Vinograd, David R.)
8. MOSN-11.3 Changes to the Operation of the Operator's Console (Silver, Bill)
9. MOSN-111 Memory read procedure for parity errors (Waclawski, John W.)
10. MOSN-118 Tours of GE 645 Machine Room (Ryan, Leo J.)
11. MOSN-132 Operation With Varying Multics Configurations (Schell, Roger R.)
12. MOSN-149 Dump w*, Save and Restor Deaths (Waclawski, John W.)
13. MOSN-156 Complete Dumps (Waclawski, John W.)
14. MOSN-157 Incremental Backup (Waclawski, John W.)
15. MOSN-160 Revision of MOSN-141 (Use of Dynamic Reconfiguration on Multics) (Schell, Roger R.)
16. MOSN-169 New command "set_timax" (Roach, Roger A.)
17. MOSN-171 2 Channel Operation of the DSU-270 (Morris, Noel I.)
18. MOSN-190 Static File Migration (Roach, Roger A.)
19. MOSN-207 On-line Process of Multics "FDUMPS"s (Jordan, David M.)
20. MOSN-209 Instructions for operating the initializer and answering service (Van Vleck, Thomas H.)
21. MOSN-210 Non Obvious Multics Switch Settings (Vinograd, David R.)
22. MOSN-216 Operation of the IOM (Morris, Noel I.)
23. MOSN-219 Retrievals (Tilden, Richard A.)
24. MOSN-222 Instructions for operating the DATANET 355 (Snyder, Richard B.)
25. MOSN-224 Interrupt Cell Assignments (Ohlin, James R.)
26. MOSN-225 Procedure for Performing SAVE of DSU-270 on the Development Machine (Effective with the installation of system 16.0) (Morris, Noel I.)
27. MOSN-229 Drum/Disk Error and Status Codes (Goudy, Maxon L.)
28. MOSN-230 BOS Configuration Deck (Goudy, Maxon L.)
29. MOSN-231 Operator's Guide to BOS (Morris, Noel I.)
30. MOSN-232 New 355 Dumper (Snyder, Richard B.)
31. MOSN-233 Instructions for operating the Multics ARPA Network Software (Wells, Douglas M.)
32. MOSN-234 IMP Configuration Cards (Wells, Douglas M.)
33. MOSN-235 Additions to BOS Configuration Deck for Tapes (Weaver, Melanie B.)
34. MOSN-236 New Tape Drive Recovery Procedure (Weaver, Melanie B.)
35. MOSN-239 New Drum DIM (Morris, Noel I.)
36. MOSN-240 Processor Data Switches used by Multics, et. al. (Roach, Roger A.)
37. MOSN-241 BOS Runcom Files (Roach, Roger A.)
38. MOSN-242 Problems Returning to BOS (Morris, Noel I.)
39. MOSN-245 Simulating BOS PATCH for PML Systems (Webber, Steven H.)
40. MOSN-246 Operation of the Multics Salvager (Morris, Noel I., and D. R. Vinograd)
41. MOSN-247 The DEBG Configuration Card (Vinograd, David R.)
42. MOSN-248 Changes to BOS Toehold (Morris, Noel I.)
43. MOSN-250 New PRPH Card for Printer (Meer, Moseley A.)
44. MOSN-251 355 Dumper/Patcher (Snyder, Richard B.)
45. MOSN-253 New DSU-170 DIM (Scheffler, Lee J.)
46. MOSN-255 Current Channel Assignments for Peripheral Devices (Goudy, Maxon L.)
47. MOSN-256 Device Identification Used on Configuration Cards (Goudy, Maxon L.)
48. MOSN-261 Service System "lines" File (Jordan, David M.)
49. MOSN-263 I/O Daemon Operations (Garman, Charles C., and Maxon L. Goudy)
50. MOSN-266 Operation of the Carry Tape Facility (Jordan, David M.)
51. MOSN-267 MOSN Index for February (Jones, Dorothy L.)
52. MOSN-268 Revised config cards for tapes (Grady, Michael J.)
53. MOSN-269 Multics Configuration Dependence (Gintell, John W.)
54. MOSN-270 Changes to Initializer for Message Coordinator (Van Vleck, Thomas H., and Dennis Capps)
55. MOSN-271 Instructions for operating the initializer and answering service (Van Vleck, Thomas H.)
56. MOSN-272 Initializer Messages (Van Vleck, Thomas H.)
57. MOSN-273 Special I/O Daemon Operations (Coren, Robert S.)
58. MOSN-4.1.1 Multics Configuration Dependence (Gintell, John W.)
59. MOSN-4.1.3 Adding more disks to Multics via Salvager (Kobziar, Andrew M.)
60. MOSN-4.2.2 Interrupt Cell Assignments (Ohlin, James R.)
61. MOSN-4.2.3 Use of the Bulk Store (Snyder, Richard B.)
62. MOSN-4.3 BOS Configuration Deck (Goudy, Maxon L.)
63. MOSN-4.3.1 New Configuration Cards (Silver, Bill)
64. MOSN-4.3.1t New configuration cards for tape (Morris, Noel I.)
65. MOSN-4.3.2 Change to PRPH cards (Morris, Noel I.)
66. MOSN-4.4.1 Operation of the IOM (Morris, Noel I.)
67. MOSN-4.4.2 Instructions for operating the DATANET 355 (Snyder, Richard B.)
68. MOSN-4.4.3 Use of the Bulk Store (Snyder, Richard B.)
69. MOSN-4.4.4 Reconfiguration of the Bulk Store (Webber, Steven H.)
70. MOSN-4.5 Setting the Calendar Clock (Morris, Noel I.)
71. MOSN-5 Operator's Guide to BOS (Morris, Noel I.)
72. MOSN-5.1 New BOS 5-card loader (Morris, Noel I.)
73. MOSN-6.2.2 Instructions for operating the initializer and answering service (Van Vleck, Thomas H.)
74. MOSN-6.4.3 Operation of the IO Daemon (Coren, Robert S.)
75. MOSN-6.4.3.2 Maintenance of the I/O Daemon and Associated Data Bases (Coren, Robert S.)
76. MOSN-6.4.4 Operating Instructions for the Network Daemon (Van Vleck, Thomas H., and Edwin W. Meyer)
77. MOSN-6.6 Reconfiguration of Memories, Processors and Bulk Store (Webber, Steven H.)
78. MOSN-6.7 Helpful Hints for Multics System Operators (Goudy, Maxon L., and Roger A. Roach)
79. MOSN-8.2.1 VFU Printer Tape (Goudy, Maxon L.)
80. MOSN-9.2 Operation of the Multics Salvager (Goudy, Maxon L.)
81. MOSN-99-4 Changes to BOS (Morris, Noel I.)
82. MOSN-99.1 Changes to operator command interface (Van Vleck, Thomas H.)
83. MOSN-99.2 METR configuration card (Scheffler, Lee J.)
84. MOSN-99.3 PRPH card for the IMP (Kanodia, R. K.)
85. MOSN-99.5 Use of dual DSU-190 Subsystem on Multics (Morris, Noel I.)
86. MOSN-99.6 MIT IPC-specific ARPA Network Information (Van Vleck, Thomas H., and Michael A. Padlipsky)
87. MOSN-99.7 Tape DCM Changes (Morris, Noel I.)
88. MOSN-A001 Operational Changes for MR4.0 (Van Vleck, T. H.) Initial operator documents for NSS, describing BOS changes and operator command changes. (2.0M pdf)

27 Multics Alternative Documents

Here is a list, thanks to Bruce Sanderson, of documents produced by Warren Johnson and Jim Homan, describing operational lore useful to site analysts and operators.

1. MAD-001 Multics Alternative Documentation, 1980-10-29, Johnson, W.
2. MAD-001.A Multics Alternative Documentation, 1981-02-20, Johnson, W.
3. MAD-001.B Multics Alternative Documentation, 1981-03-03, Johnson, W.
4. MAD-002 Reading Processor Lights, 1980-10-29, Johnson, W.
5. MAD-003 Multics Metering and Tuning, 1980-10-30, Johnson, W.
6. MAD-003.A Multics Metering and Tuning, 1981-02-24, Johnson, W.
7. MAD-004 Channel Master File, 1980-11-05, Johnson, W.
8. MAD-004.A Channel Master File, 1981-04-17, Johnson, W.
9. MAD-005 Disk Space Monitoring, 1980-11-10, Homan, J.
10. MAD-005.A Disk Space Monitoring, 1981-07-07, Homan, J.
11. MAD-006 So you're going to 6250 bpi..., 1980-11-13, Homan, J.
12. MAD-007 Operator Message Facility, 1980-11-18, Homan, J.
13. MAD-008 Recovery from ESD Failure, 1980-11-18, Homan, J.
14. MAD-009 Knocking the Initializer out of a loop, 1980-11-19, Johnson, W.
15. MAD-010 Sending Interrupt from IOM to System Console, 1981-02-25, Johnson, W.
16. MAD-011 Fac_Totum.SysDaemon, 1981-04-22, Johnson, W., and J. Homan
17. MAD-011.A Factotum.SysDaemon, 1981-07-07, Johnson, W., and J. Homan
18. MAD-011.B Factotum.SysDaemon, 1981-07-21, Johnson, W., and J. Homan
19. MAD-012 Multics Failure Analysis, 1981-05-21, Johnson, W.
20. MAD-013 RCPRM For Tape Library Management, 1981-06-01, Homan, J.
21. MAD-014 Setting SAT Bit Count, 1981-08-03, Johnson, W.
22. MAD-015 Site Library Maintenance, 1982-05-10, Johnson, W., and J. Homan
23. MAD-016 Auto-Reboot Redone, 1982-07-30, Homan, J.
24. MAD-017 Yet Another start_up.ec Spiel, 1983-03-29, Homan, J.
25. MAD-018 Tools For Maintaining System Tables And Exec_coms, 1983-03-29, Homan, J.
26. MAD-019 Installing A New Multics Site, 1983-05-31, Homan, J.
27. MAD-020 Survey of Privileged Accesses, 1983-03-28, Homan, J.

6 Local Site Memos

Memos local to particular sites.

1. University of Calgary, Computing Facilities Requirements and Evaluations, University of Calgary internal document
2. University of Calgary, Multics Computer Manual: Introductory Guide, University of Calgary internal document MG-030

   Designed for Chemical and Petroleum Engineering students.

3. University of Calgary, Multics Computer Manual: Introductory to Advanced, University of Calgary internal document MG-031-C
4. Lee, J. A. N., so! you want to use Multics, Virginia Tech internal document

   Introductory document for Virginia Tech students

5. MIT IPC, MIT Author Maintained Library, April 1975

   Documentation for 34 commands, 7 active functions, and 25 subroutines contributed by the MIT user community, including XPL, TECO and BCPL. (5.6M pdf)

6. MIT IPC, MIT Installation Maintained Library, July 1974

   Documentation for 5 commands and 2 subroutines installed locally at the MIT site, including Multics versions of BMD and SSP. (1.8M pdf)

8 Simulator Memos

Documentation of the Multics Simulator.

1. Changing Multics for the Simulator, 2023-08-29, Swenson, Eric How to propose and make a Multics change
2. Multics Simulator Frequently Asked Questions, 2023-08-29, Swenson, Eric
3. Getting Started, 2023-08-29, Swenson, Eric Multics Simulator usage
4. DPS8M home page, 2023-08-29, Swenson, Eric Multics Simulator introduction
5. Multics Simulator 12.8 How-To, 2023-08-29, Swenson, Eric latest release usage instructions
6. Multics simulator overview, 2023-08-29, Swenson, Eric
7. Multics release info, 2023-08-29, Swenson, Eric Releases for the simulator
8. Using Multics, 2023-08-29, Swenson, Eric Simulator usage