
Multics

Context


Goal


Implementation

Principles

  • Least privilege: run every program with the lowest privilege it can get by with
  • Design not secret: we don't base security on keeping the design secret
  • Usability: protection should be easy for users to use
  • Check every access → how can we do this efficiently?

Note

If you make protection hard to use, people are less likely to use it at all, and they make mistakes when they do.

Info

Actually, Unix has a much simpler protection mechanism: only owner/group/other permission bits on each file (a fixed, three-entry list rather than an arbitrary one). Windows, on the other hand, has a full-scale access control list on every object.

Segmented Memory Model

Each segment is an independent unit with its own purpose (a procedure's code, its data, a stack, ...), which makes it easy to manage and protect the different parts of a program separately. Segments are represented by descriptors, so a virtual address takes the form: Segment Number + Offset.

Segment Number

Index into the descriptor table; it selects the descriptor of the segment we are going to access.

Offset

How many bytes from the base of this segment. The descriptor's limit bounds the offset, so every access is checked against the segment's length.

x86 Implements Segmented Memory Model

32-bit x86 implements a segmented memory model; 64-bit mode largely drops it (the CS, DS, ES and SS bases are treated as 0, and only FS and GS keep a usable base). Operating systems today don't use segments for protection, but since 32-bit x86 always translates through a segment, they set up a single giant segment covering the whole address space (base 0, limit 4 GiB) for code and data, the so-called flat model, and rely on paging instead.

x86 segment registers

  • CS: Code Segment (its low two bits also hold the current privilege level, i.e. the ring the CPU is running in)
  • DS: Data Segment
  • SS: Stack Segment
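The Segment Number + Offset lookup above, written out as a toy address translator (an added example, not Multics or Intel code; the descriptor layout, the four-entry table and the ring rule "lower number = more privilege" are this example's own simplification). It shows what "check every access" costs: every translation consults the descriptor for a bounds check, a ring check and a permission check before producing an address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy descriptor: base, limit, most permissive ring allowed, and access bits.
   Field names are this example's own, not Multics' or Intel's. */
struct descriptor {
    uint32_t base;       /* where the segment starts in physical memory */
    uint32_t limit;      /* segment length in bytes; a valid offset is < limit */
    uint8_t  max_ring;   /* highest (least privileged) ring number allowed to touch this segment */
    bool     readable, writable, executable;
};

enum access_kind { ACC_READ, ACC_WRITE, ACC_EXEC };

enum translate_status {
    T_OK, T_BAD_SEGMENT, T_RING_VIOLATION, T_OUT_OF_BOUNDS, T_NO_PERMISSION
};

/* Constructed descriptor table: 0 = kernel code, 1 = kernel data, 2 = user code, 3 = user data. */
static const struct descriptor table[] = {
    { 0x00100000, 0x4000, 0, true, false, true  },
    { 0x00200000, 0x8000, 0, true, true,  false },
    { 0x08000000, 0x1000, 3, true, false, true  },
    { 0x08010000, 0x2000, 3, true, true,  false },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

/* Translate (segment number, offset) for an access of the given kind made from cur_ring.
   On success *phys receives base + offset. Every access goes through every check. */
enum translate_status translate(uint16_t seg, uint32_t offset, uint8_t cur_ring,
                                enum access_kind kind, uint32_t *phys)
{
    if (seg >= TABLE_LEN)
        return T_BAD_SEGMENT;                 /* no such descriptor */
    const struct descriptor *d = &table[seg];
    if (cur_ring > d->max_ring)
        return T_RING_VIOLATION;              /* caller is less privileged than the segment demands */
    if (offset >= d->limit)
        return T_OUT_OF_BOUNDS;               /* offset past the end of the segment */
    if ((kind == ACC_READ  && !d->readable) ||
        (kind == ACC_WRITE && !d->writable) ||
        (kind == ACC_EXEC  && !d->executable))
        return T_NO_PERMISSION;               /* right kind of access not granted */
    *phys = d->base + offset;
    return T_OK;
}

int main(void)
{
    static const char *names[] = { "ok", "bad segment", "ring violation", "out of bounds", "no permission" };
    uint32_t phys = 0;
    /* user ring writing its own data segment: allowed */
    printf("ring 3 write seg 3 +0x10 : %s (0x%08x)\n", names[translate(3, 0x10, 3, ACC_WRITE, &phys)], phys);
    /* user ring reading kernel data: refused by the ring check */
    printf("ring 3 read  seg 1 +0    : %s\n", names[translate(1, 0, 3, ACC_READ, &phys)]);
    /* user ring writing its code segment: refused by the permission bits */
    printf("ring 3 write seg 2 +0    : %s\n", names[translate(2, 0, 3, ACC_WRITE, &phys)]);
    /* offset equal to the limit is one past the end */
    printf("ring 3 read  seg 3 +0x2000: %s\n", names[translate(3, 0x2000, 3, ACC_READ, &phys)]);
    return 0;
}
```

The check order (descriptor exists, ring, bounds, permission) is a design choice; real hardware folds these into the descriptor load and the per-access limit compare, which is exactly why keeping segments (and descriptors) small and few matters for efficiency.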

Efficient Checking Mechanism

Capability vs. Access Control List (ACL)

Capability
  • Advantage: faster to check (the holder presents the capability; no list has to be searched on each access)
  • Advantage: more flexible (a capability can be passed between processes)
  • Disadvantage: once handed out, the object's list is no longer consulted, so revoking access is hard

Access Control List
  • Advantage: easier to specify and more intuitive (the list of who may access an object lives with the object)
  • Disadvantage: the list has to be checked on every single access

Note

  • Each open() creates a new descriptor, so a single process can hold several descriptors for the same file
  • Each process has its own file descriptor table; a file descriptor is an index into that table
  • read("file") vs. read(fd)

    read("file") would have to check the file's ACL on every single call → ACL
    read(fd) indexes the file descriptor table, whose entry holds the set of capabilities granted when the file was opened → capability

    As a result, we need an extra step, fd = open("file"), to obtain the file descriptor: the ACL is checked once at open() time and the result is kept as a capability.
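The open()/read(fd) split described above can be observed directly on Unix. The following is an added example (not code from the page or from Multics) that opens a scratch file, strips every permission bit from it, and shows that read(fd) still works while a fresh open() is refused: the descriptor is a capability bootstrapped from the ACL at open() time, and the ACL is not consulted again. It assumes a writable /tmp or working directory; the file content is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of the experiment, returned rather than only printed so it can be checked. */
struct acl_vs_cap_result {
    ssize_t read_after_revoke;  /* bytes that read(fd) returned after the mode bits were cleared */
    int     reopen_errno;       /* errno from a fresh open() after the mode bits were cleared (0 = it succeeded) */
};

/* Constructed file content; any bytes would do. */
static const char SAMPLE[] = "capability bootstrapped from ACL\n";

/* Create a scratch file, trying /tmp first and then the working directory
   (assumption: one of them is writable). */
static int make_scratch(char *path, size_t len)
{
    const char *templates[] = { "/tmp/cap-demo-XXXXXX", "./cap-demo-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        snprintf(path, len, "%s", templates[i]);
        int fd = mkstemp(path);
        if (fd >= 0)
            return fd;
    }
    return -1;
}

struct acl_vs_cap_result acl_vs_capability_demo(void)
{
    struct acl_vs_cap_result r = { -1, 0 };
    char path[64];
    char buf[sizeof SAMPLE];
    int fd, fd2;

    /* 1. open(): the ACL (here, Unix mode bits) is consulted once; the result is a descriptor, i.e. a capability */
    fd = make_scratch(path, sizeof path);
    if (fd < 0)
        return r;
    if (write(fd, SAMPLE, sizeof SAMPLE - 1) != (ssize_t)(sizeof SAMPLE - 1))
        goto out;
    lseek(fd, 0, SEEK_SET);

    /* 2. Revoke every permission on the object: the ACL now admits nobody */
    if (fchmod(fd, 0) != 0)
        goto out;

    /* 3. read(fd): only the capability in this process's fd table is consulted, so it still succeeds */
    r.read_after_revoke = read(fd, buf, sizeof buf - 1);

    /* 4. A fresh open() goes back through the ACL, which now refuses (EACCES, unless the uid bypasses DAC) */
    fd2 = open(path, O_RDONLY);
    if (fd2 < 0)
        r.reopen_errno = errno;
    else
        close(fd2);

out:
    close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    struct acl_vs_cap_result r = acl_vs_capability_demo();
    printf("read(fd) after chmod 0: %zd bytes\n", r.read_after_revoke);
    printf("open()   after chmod 0: %s\n",
           r.reopen_errno ? strerror(r.reopen_errno) : "succeeded (running with a DAC-bypassing uid?)");
    return 0;
}
```

Run it as an ordinary user: the read returns the full content and the reopen fails with EACCES. As root (or with CAP_DAC_OVERRIDE) the reopen succeeds too, which is the same lesson from the other side: the ACL check happens at open(), and privilege is evaluated there, not per read().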

Protected Subsystems

  • Defined entry points for every subsystem
  • Essentially, this lets every subsystem define its own "system calls": callers can enter it only at those points

To achieve protected subsystems, Multics needs gates and rings.

Gate

Entry point into the subsystem; the only place a less privileged caller may transfer control to.

Ring

Specifies privilege: a lower ring number means more privilege.

Note

Unix only has two privilege levels (on x86 these map to ring 3 and ring 0):
1. User level: the less privileged ring
2. Kernel level: ring 0
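What two rings and one gate look like from the user ring on Linux, as an added example (not code from the page or from Multics). The program tries two things the kernel ring forbids, a privileged instruction and a load from a kernel-half address, catches the resulting fault, and then enters the kernel the sanctioned way: the system-call instruction, whose target the kernel chooses from the call number, is the gate. The x86 `hlt` probe is this example's choice; on other architectures the probe falls back to raising SIGILL itself, which is labelled as an assumption in the code.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static sigjmp_buf trap_env;

/* Fault handler: unwind back into run_trapped() carrying the signal number. */
static void on_fault(int sig)
{
    siglongjmp(trap_env, sig);
}

/* Run probe() with SIGSEGV/SIGILL/SIGBUS caught; return the signal that fired, 0 if none. */
static int run_trapped(void (*probe)(void))
{
    static const int sigs[] = { SIGSEGV, SIGILL, SIGBUS };
    struct sigaction sa, old[3];
    int i, sig;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    for (i = 0; i < 3; i++)
        sigaction(sigs[i], &sa, &old[i]);

    sig = sigsetjmp(trap_env, 1);   /* 1: save the signal mask so the fault can be re-taken later */
    if (sig == 0)
        probe();                    /* either returns normally (sig stays 0) or faults into on_fault */

    for (i = 0; i < 3; i++)
        sigaction(sigs[i], &old[i], NULL);
    return sig;
}

/* Probe 1: an instruction reserved for ring 0. */
static void probe_privileged_instruction(void)
{
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile ("hlt");   /* #GP in ring 3; Linux reports it to the process as SIGSEGV */
#else
    raise(SIGILL);              /* assumption: no privileged instruction chosen for this arch, so mimic the trap */
#endif
}

/* Probe 2: a load from the top page of the address space, which belongs to the kernel ring. */
static void probe_kernel_address(void)
{
    volatile const char *p = (volatile const char *)(uintptr_t)-4096;
    (void)*p;                   /* the user ring has no mapping here: SIGSEGV */
}

int privileged_instruction_trapped(void) { return run_trapped(probe_privileged_instruction); }
int kernel_address_trapped(void)         { return run_trapped(probe_kernel_address); }

/* The gate: the kernel, not the caller, decides what code runs for call number SYS_getpid. */
long enter_through_gate(void)
{
    return syscall(SYS_getpid);
}

int main(void)
{
    printf("privileged instruction from user ring -> signal %d\n", privileged_instruction_trapped());
    printf("kernel address from user ring         -> signal %d\n", kernel_address_trapped());
    printf("through the syscall gate              -> pid %ld (getpid() says %ld)\n",
           enter_through_gate(), (long)getpid());
    return 0;
}
```

The two probes fail for different reasons but land in the same place: the CPU refuses the ring transition and the kernel converts the fault into a signal. Only the gate performs the transition, and it enters at an address the kernel fixed in advance, which is the Multics gate idea with a single subsystem (the kernel) and two rings.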


Takeaway

  • Multics is the blueprint for the protection mechanisms of most modern operating systems
  • When executing at a higher privilege level (lower ring number), Multics skips checks to improve efficiency
  • Capabilities are bootstrapped from ACLs: the ACL is checked once when the capability is created, not on every use

My Question
