Secure Operating Systems Lesson 9: Multics Where are we? We now know all the background… so it’s time to figure out why Dr. Ford likes Multics so very much Multics is pretty much the poster child for “proper” system design And we did it years ago A Little History: 1963 Cuba transactions made illegal Debut of Iron Man!!! Beatles release their first album… First James Bond movie UCF founded ZIP codes introduced IEEE founded, ASCII introduced Kevin Mitnick born ;) In the Midst… The Multics project begins The move from batch systems to timesharing Released as a commercial project in 1973… that’s a 10 year development cycle Processes We’re very comfortable with this idea, but it was newer then Processes are the things that execute stuff in Multics All the things the process accesses are stored as “segments” The “protection domain” determines the segments a process can access Segments These are created hierarchically This became the roadmap to things like the Unix file system The process has a descriptor segment which contains a set of segment descriptor words (SDWs) that refer to all the segments the process can access directly Security Three primary parts: the supervisor, protection rings, and SDWs The supervisor is the ultimate arbiter – it decides if a process can have a SDW This is isolated from other processes by protection rings (64 possible) The basic idea was to protect the supervisor from unauthorized changes Segment Access Control Simple ACL Segments: read, write, execute Directories: status, modify, append However. The SDW also includes rings and brackets – this can be a little tricky To grant access, the ACL and Access brackets must both allow… Rings/Brackets Imagine we have code running in Ring r. Access brackets define access – range of rings is r1, r2 where r1 < r2 If r < r1, the process has full access (r/w) If r1 ≤ r ≤ r2, the process can read the segment only If r2 < r, then the process has no access Call Brackets Imagine we have code running in Ring r, trying to invoke a code segment Call brackets define access – range of rings is (r2, r3) where r2 ≤ r3 If r < r1, the process can execute, but there is a loss of privilege, where r changes to r_prime If r1 ≤ r ≤ r2, the process executes with its current privilege If r2 ≤ r ≤ r3, the process executes with higher privilege IF the location is authorized by the gates If r3 < r, then the process has no access MLS Multilevel Security was pioneered by Multics – the policy prevents a subject from reading data that is “more secret” than itself, or writing to objects that are “less secret” This is part and parcel of the way the Multics protection system worked MLS is MAC, ACL and Ring Brackets are DAC Think about performance for a minute… The Gatekeeper Multics tries hard to prevent the confused deputy problem… The gatekeeper carefully (!) checks the parameters passed when privilege increases The gatekeeper sometimes copies code to avoid giving a whole segment of the caller to the callee The kernel is split between Ring 0 and 1 – the gatekeeper is Ring 0 Security Eval Need: complete mediation, tamper proofing, and verifiability How does Multics do? Discussion How does the reference monitor interface ensure that all security-sensitive operations are mediated correctly? Does the reference monitor interface mediate security-sensitive operations on all system resources? How do we verify that the reference monitor interface provides complete mediation? Discussion How does the system protect the reference monitor from modification? Does the protection system protect all of the TCB? What is the basis for the correctness of the system’s TCB? Does the protection system enforce the system’s goals? Multics Vulnerabilities Karger and Schell’s analysis is very interesting Primarily looks at implementation errors in the system Actually included a hardware error that allowed instructions to bypass the SDW Master Mode To me, this is a classic For performance, it’s ugly to have all traps dealt with by Ring 0 However, to handle that, we need a user level trap handler… which requires access to some privileged instructions And the trap handler used a register to determine where to go… and thus, disaster Lots to do! 2 weeks, large project Write an essay that compares Multics with the modern OS of your choice: Linux, Windows or iOS. Look at the trajectory of your chosen OS, not just how it is today, but how it was How does the modern OS handle the things that Multics already had? You’re aiming at 10-20 pages Resources You should read “Protection and the Control of Information Sharing in Multics” and “Thirty Years Later: Lessons from the Multics Security Evaluation” Resource (long): Final Report of the Multics Kernel Design Project We will discuss these papers a week Thursday, be ready to share your ideas Questions & Comments What do you want to know?