A brief description of privacy measures in the Multics operating system

Edward L. Glaser
Massachusetts Institute of Technology
Cambridge, Massachusetts

INTRODUCTION

The problem of maintaining information privacy in a multi-user, remote-access system is quite complex. Hopefully, without going into detail, some idea can be given of the mechanisms that have been used in the Multics operating system at MIT.

The heart and soul of any on-line system is the file subsystem, which is charged with the maintenance of all on-line data bases and with their safekeeping from accidental or malicious damage. The salient features of the Multics file system* are: (1) all references to data are by symbolic name and never by physical address; (2) associated with each file or substructure within the system is an access-control list that defines each authorized user and how he may gain access to the substructure or file. (User class identifiers may be employed as well as individual user names.) Because this file-system mechanism also safeguards much of the operating system itself, substructures of directories and files are used to store the system and the state of individual user programs during execution. There is no other special "swapping" on-line file structure.

In order to make the file system effective, each user must carry an identification. This identification is made when he logs into the system, and is held as part of the user data base during the logged time period. Determining that a user is who he says. is accomplished by means of a log-in routine which may include passwords, special log-in algorithms, etc.

Even with the protection supplied by the file system, a central portion of the supervisor must be protected against accidental or overt tampering. A combination of hardware and software means to prevent gaining an unusual privilege is employed. In part, these safeguards include hardware locks that prevent execution, reading, or modification of certain key portions of the supervisor except when responding to a generated interrupt. (Locks that are more complex than can be explained in this short account are also employed.) Two basic principles are applied within this part of the supervisor:

  1. Compartmentalization -- functionally separating the various activities of the supervisor into program modules. Since it is assumed that there will be accidents, or that individuals may on occasion be able to thwart the supervisor, compartmentalization insures a minimum amount of damage or a minimum loss of privileged information.
  2. Auditability --By properly identifying each module of the operating system, so that it is possible at any time to determine that the system currently running is the intended one.

It is also possible to include the ability to determine whether a user has violated the system, and if he has, to observe his malpractice by means of a special high-privilege system function. The latter mechanism includes an additional set of safeguards that provide an audit trail indicating the observer, who was observed, and the date of observation. This auditing information is recorded in such a way as to make it extremely difficult for one or two individuals to destroy it without being observed.

The maintenance of privacy and informational integrity within systems that are still not fully comprehended is a large and intricate problem. The present discussion suggests only some key considerations.


* Work reported herein was supported (in part) by Project MAC, an M.I.T. research program sponsored by the Advanced Research Projects Agency, Department of Defense, under Office of Naval Research Contract Number Nonr-4102(01).
* The Multics file system is described by R. C. Daley and P. G. Neumann in "A General-Purpose File System for Secondary Storage," presented at the 1965 Fall Joint Computer Conference (AFIPS Conf. Proc., Vol.27, Part I).

1967 Spring Joint Computer Conference