04 - Protection: Multics & Singularity

Protection and the Control of Information Sharing in Multics

Goals

  • a unified protection model
  • file-system-based plus runtime protection

Principles

  • check every access (be careful with caching, since rights may change over time)
  • least privilege principle
  • permission-based rather than exclusion-based rules (the default should be rejection)
  • usability (so users are willing to use the protection mechanism instead of bypassing it)

Multics Virtual Memory

Instead of using paged virtual memory, Multics uses a segmented virtual memory model.
The virtual address space is divided into several segments, each associated with a segment descriptor.
Below is a picture showing how segmented virtual memory works.

Protection in Multics

An important question is how to make the protection mechanism efficient, so that it does not slow down normal program execution.
  • Login: establishes the principal identifier (user id)
  • File System:
    • an access control list (ACL) is associated with each file; the ACL is static.
    • a capability list is derived at runtime from the ACL, which makes runtime checks fast. (A Unix file descriptor is an example of a capability.)
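The ACL-to-capability derivation above, together with the caching caveat from the Principles, as an added toy model (not Multics code; the FileSystem class, the stale_capability_demo function and the "alice"/"notes" sample are assumed here): the capability is a rights snapshot taken once at open time, so if later accesses trust it without re-consulting the ACL, a principal whose entry was revoked keeps reading.

```python
from dataclasses import dataclass

READ = "r"

@dataclass(frozen=True)
class Capability:
    """Rights snapshot derived from the ACL at open time (like a Unix fd)."""
    principal: str
    fname: str
    rights: frozenset

class FileSystem:
    def __init__(self, recheck_on_access: bool):
        self.files = {}  # name -> {"acl": {principal: set(rights)}, "data": str}
        # True: consult the ACL on every access; False: trust the capability
        self.recheck_on_access = recheck_on_access

    def create(self, name, acl, data=""):
        self.files[name] = {"acl": {p: set(r) for p, r in acl.items()}, "data": data}

    def allowed(self, principal, name, right):
        # permission-based rule: anything not explicitly granted is rejected
        return right in self.files[name]["acl"].get(principal, set())

    def open(self, principal, name, right):
        if not self.allowed(principal, name, right):
            raise PermissionError(f"{principal}: no {right!r} right on {name}")
        return Capability(principal, name, frozenset({right}))

    def read(self, cap):
        if READ not in cap.rights:
            raise PermissionError("capability does not carry the read right")
        if self.recheck_on_access and not self.allowed(cap.principal, cap.fname, READ):
            raise PermissionError("read right revoked after open")
        return self.files[cap.fname]["data"]

    def revoke(self, name, principal):
        self.files[name]["acl"].pop(principal, None)

def stale_capability_demo(recheck_on_access):
    """True if alice can still read after her ACL entry is removed (constructed scenario)."""
    fs = FileSystem(recheck_on_access)
    fs.create("notes", {"alice": {READ}}, data="constructed sample content")
    cap = fs.open("alice", "notes", READ)  # the ACL is checked once, here
    fs.revoke("notes", "alice")            # rights change over time
    try:
        fs.read(cap)
        return True
    except PermissionError:
        return False
```

With recheck_on_access=False the cached capability outlives the revocation; with True every access goes back to the ACL, at the cost of the lookup the capability list was meant to avoid.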

Memory Protection

Memory protection is based on descriptors, which are shown in the picture below.

Protected Subsystem

  • Gates: entry point of subsystem
  • Ring: privilege level, execution domain

Summary & take-away

  • Protection in file system based on ACL
  • Protection of memory based on capability list.

Singularity: Rethinking the Software Stack

Goals

  • build dependable, trustworthy software
  • consider security & vulnerability problems

Approach

  • leverage language features (e.g. bounds checking, garbage collection …)
  • leverage program verification tools
Both are used to ensure program correctness as far as possible.

Design

  • Software Isolated Process:
  • Contract-based Channel:
  • Manifest-based Program:
Below is an overview picture of the Singularity system.

Summary & take-away

  • Software-based isolation via programming-language features and verification