thirty years later: lessons from the multics security evaluation

Thirty Years Later: Lessons from the Multics Security Evaluation Paul A. Karger & Roger R. Schell Presented by: Sulaiman Alkhezi


Post on 07-Jan-2016


Thirty Years Later: Lessons from the Multics Security Evaluation

Paul A. Karger & Roger R. Schell

Presented by: Sulaiman Alkhezi


Outline

+ About Multics

+ Multics security compared to now

+ Multics security evaluation

+ What happened next?

+ Thirty years later..

+ What are their conclusions?


About Multics

+ Multics (Multiplexed Information and Computing Service)

+ Timesharing OS begun in 1965 and used until 2000

+ Started as a joint project by MIT, Bell Labs, and General Electric Company (Bell Labs withdrew in 1969)

+ In 1970 GE sold its computer business to Honeywell, which offered Multics as a commercial product and sold a few dozen systems.


About Multics.. (Cont.)

+ What is special in Multics?

It was probably the first attempt to integrate so many ideas effectively into one OS:

- Virtual memory,

- A hierarchical file system,

- Shared memory multiprocessing,

- Online reconfiguration, and

- Security


Multics Security Compared to Now

Multics offered considerably stronger security than most systems commercially available today. What factors contributed to this?


Multics Security Compared to Now (Cont.)

1. Security as a Primary Original Goal

Multics had a primary goal of security from the very beginning of its design


Multics Security Compared to Now (Cont.)

2. Security as a Standard Product Feature

The US Air Force developed a set of security enhancements for Multics

+ Became a standard part of Multics

+ Shipped to ALL Multics users

+ Forced all application developers to follow those security rules.


Multics Security Compared to Now (Cont.)

3. No Buffer Overflows

- Programming in PL/I for Better Security

>> PL/I handles buffer overflows in a natural way, while a C programmer, for example, has to work very hard to avoid programming a buffer overflow error.
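The contrast on this slide, as an added C example (not from the slides or the paper): `struct vstr`, `vstr_assign` and `NAME_MAX_LEN` are hypothetical names that approximate a PL/I string whose declared maximum length travels with the data, so an oversize assignment is truncated instead of overrunning the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical C analogue of a PL/I "char(N) varying" string: the declared
   maximum is stored with the data, so every assignment can be checked. */
#define NAME_MAX_LEN 8

struct vstr {
    size_t max;                 /* declared maximum length */
    size_t len;                 /* current length, always <= max */
    char   data[NAME_MAX_LEN];  /* no NUL terminator needed */
};

/* The C habit the slide warns about: the callee cannot know how large dst
   is, so an over-long src writes past the end of the buffer.
   Shown for contrast only; it is never called. */
static void copy_unchecked(char *dst, const char *src) {
    strcpy(dst, src);
}

/* PL/I-style assignment: copy at most dst->max bytes and truncate the rest.
   Returns the number of bytes dropped (0 means the value fit). */
static size_t vstr_assign(struct vstr *dst, const char *src, size_t src_len) {
    size_t n = src_len < dst->max ? src_len : dst->max;
    memcpy(dst->data, src, n);
    dst->len = n;
    return src_len - n;
}

/* Constructed demo: a canary stored right after the string must survive
   an assignment three times larger than the declared maximum. */
static int demo_canary_intact(void) {
    struct { struct vstr name; unsigned canary; } rec;
    rec.name.max = NAME_MAX_LEN;
    rec.canary = 0xC0FFEEu;
    const char *input = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes, constructed */
    size_t dropped = vstr_assign(&rec.name, input, strlen(input));
    return rec.canary == 0xC0FFEEu && rec.name.len == 8 && dropped == 16;
}

int main(void) {
    (void)copy_unchecked;  /* referenced only to keep the contrast compiled */
    printf("canary intact after oversize assign: %d\n", demo_canary_intact());
    return 0;
}
```

The non-zero return from `vstr_assign` is the point a caller would log or reject the input, rather than silently accept a truncated value.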


Multics Security Compared to Now (Cont.)

4. Minimizing Complexity

Multics vs Security Enhanced Linux (SELinux)

628 KB < 1,767 KB


Multics Security Evaluation

One of the major themes of the Multics Security Evaluation was to demonstrate the feasibility of malicious software attacks.

>> sadly too successful !!!

Published by Paul A. Karger & Roger R. Schell, 1974


Multics Security Evaluation (Cont.)

Malicious Software:

+ Installed in 645 processors; none of them was discovered by either quality assurance or other testing

+ Failed to discover any kind of malicious software (e.g. trap doors during distribution, boot-sector viruses, compiler trap doors, etc.)


What Happened Next?

1. Multics Security Enhancements

By the US Air Force

2. Multics Kernel Design Project

A project started by Honeywell, MIT, MITRE Corporation and the US Air Force

3. Direction to stop the work

Despite the fact that the work was quite successful, DoD was commanded by US Air Force to stop the project due to project costs >> Too expensive!!


Thirty Years Later..

+ Security has gotten worse, not better

>> Weak Solutions in Open Environments !!

- Systems that are weaker than Multics are considered for use in environments in excess of what even Multics could deliver without working around a security kernel.

- Multics was designed to operate in closed environments.


Thirty Years Later.. (Cont.)

+ Either:

(1) today’s systems are really much more secure than we claim;

(2) today’s potential attackers are much less capable or motivated;

(3) the information being processed is much less valuable; or

(4) people are unwilling or unable to recognize the compelling need to employ much better technical solutions.


What They Concluded..

+ In the nearly thirty years since the report, it has been demonstrated that the new technology somehow provides an effective solution to many of today’s problems (e.g. malicious software)

>> Unfortunately, the mainstream products of major vendors largely ignore these demonstrated technologies!!


What They Concluded.. (Cont.)

+ Vendors would claim that the marketplace is not prepared to pay for a high assurance of security, while customers have said they have never been offered mainstream commercial products that give them such a choice.


What They Concluded.. (Cont.)

+ What about after another thirty years?

Either:

(1) there will be horrific cyber disasters that will deprive society of much of the value computers can provide, or

(2) the available technology will be delivered, and hopefully enhanced, in products that provide effective security.

>> We hope it will be the latter.


References

+ Paul A. Karger, Roger R. Schell, Thirty Years Later: Lessons from the Multics Security Evaluation. IBM 2002

+ http://en.wikipedia.org/wiki/Multics

+ http://www.multicians.org/

+ Jonathan S. Shapiro, Extracting The Lessons of Multics. USENIX Security Conference 2004