At the 2014 Annual Computer Security Applications Conference (ACSAC) in New Orleans, LA, on Wednesday, Dec 10, there was a Distinguished Practitioner Keynote Panel titled "Multics: Before, During, After". Olin Sibert was the moderator: Roger Schell, Tom Van Vleck, and Steve Lipner were panelists.
We talked about the 50-year influence (or not) of Multics on computer science and on subsequent systems. An audience of about 400, ranging from respected long-term contributors to students, heard about Multics' contributions to computer security.
Olin Sibert: Introduction and demonstration of Multics on a simulated 6180
Olin Sibert has been an independent consultant focused on information security since founding Oxford Systems, Inc., in 1982. Prior to that, he worked for MIT and later for Honeywell as part of the joint Multics Development Project, responsible for developing diverse aspects of the Multics system ranging from kernel support for next-generation hardware to the mail reader client. As a consultant, much of his work involved -- and still does today -- bringing the "lessons of Multics" to a wide variety of clients in industry and government.
[WOS] Few systems have had as much influence on information security, computer architecture, and academic computer science as the Multics system did. From the project's inception in 1964, through to significant use as a computer utility in government, academic, and commercial settings in the 1970s and 1980s, to its influence on many systems and technologies that came afterward, Multics has delivered lasting value for half a century. The panel celebrated its 50th anniversary and focused particularly on the Multics influence on information security: the state of the world before Multics, how Multics defined, refined, utilized information security principles in its development, and how the world has -- and has not -- made effective use of those principles in the decades that followed.
[WOS] Many people, even in the security world, have never heard of Multics, or haven't thought about it in decades. In one sense, this counts as success: features like the hierarchical file system, the process model, access control lists, and Mandatory Access Control are just part of the landscape today -- it's hard to imagine how to make a computer system that doesn't work the way Multics did. But it's also unfortunate that many of the Multics security lessons are still as valid today and are still as little-heeded. I'd initially thought about structuring the panel around the Saltzer/Schroeder principles, and I think that would make a good retrospective paper, but ultimately it didn't fit the format for this year.
[WOS] I ran the demo of the simulator for the Multics CPU interactively: booted the system, wrote a little PL/I program, compiled it (comic relief: four-line program, one extraneous character, six PL/I compiler error messages), and ran it. It generated a linkage error because it called -- by design -- a program that didn't exist, so at level 2, I wrote that second little program, compiled it, typed "start", and everything ran to completion. That's my favorite Multics demo, showing how dynamic linking works as a structuring principle rather than a bolt-on feature.
test: proc(); declare hello entry(); call hello(); end;
hello: proc(); declare ioa_ entry options(variable); call ioa_("Hello ACSAC ^d", 2014); end;
[WOS] My fingers remembered PL/I syntax and Multics commands pretty well, but gosh, it was tough getting used to @-sign and #-sign typing again. The simulator performed without a hitch!
[WOS] Quite a few people talked to me afterward and asked how to get access to the simulator. I referred them to https://multicians.org, where I hope we will soon have some more detailed instructions. Congratulations to Harry Reed and Charles Anthony, without whom none of this would have happened!
Roger R. Schell: Before Multics
Roger R. Schell is a Professor of Engineering Practice at the University Of Southern California Viterbi School Of Engineering, and a member of the founding faculty for their Masters of Cyber Security degree program. He holds patents in cryptography, authentication and trusted workstation. For more than decade he has been co-founder and an executive of Aesec Corporation, a start-up company providing verifiably secure platforms on an OEM basis. Previously Prof. Schell was the Corporate Security Architect for Novell, and co-founder and vice president for Gemini Computers, Inc., where he directed development of their "Class A1" commercial GEMSOS based heavily on Multics security concepts. He was also the founding Deputy Director of NSA's National Computer Security Center where they employed Multics as the primary network-accessible computer services. Earlier as program manager he had the USAF join with DARPA and General Motors to have Honeywell enhance Multics with mandatory access controls. Prof. Schell is a retired USAF Colonel. He received a Ph.D. in Computer Science from the MIT, where as part of his research he designed and implement what has been described as "extremely aggressive on-line reconfiguration" of hardware for the commercial Multics product.
Roger's talk described the evolution of people's understanding of computer security: "there is no problem," "there is no solution," "there is no free lunch," and how the Multics design influenced this evolution.
Tom Van Vleck: Multics Development
Tom Van Vleck is a security consultant. He worked on many parts of Multics, beginning in 1966, including leading the design and implementation of the Multics New Storage System, and contributing to Multics login, account management and security software. After leaving the Multics project in 1981, he had senior engineer positions on security projects at several companies. He has edited the Multics website at www.multicians.org since 1994.
Tom's talk described the history of Multics security, starting with the influence of CTSS, through the initial Multics design, the importance of US government security requirements and Roger Schell's clarification of the problem and its solution, the Multics development team's response to the Orange Book, and finally the award of the B2 rating in 1986.
Steven B. Lipner: Influence after Multics
Steven B. Lipner is Partner Director of Program Management in Trustworthy Computing Security at Microsoft. Lipner is the creator and long-time leader of Microsoft's Security Development Lifecycle (SDL) team that defines the SDL, develops associated tools and processes, and executes Microsoft's internal SDL process company-wide. Lipner also leads Microsoft's initiatives to make the SDL available to organizations beyond Microsoft. Lipner has worked for over forty years as a researcher, development manager, and business manager in computer and network security. While at the MITRE Corporation early in his career, he led MITRE's work specifying security enhancements to Multics for the Air Force Data Services Center and for Project Guardian. He is a director and board chair of SAFECode, a non-profit industry association dedicated to improving the security and integrity of software. Lipner holds S.B. and S.M. degrees in Civil Engineering from the Massachusetts Institute of Technology and attended the Harvard Business School's Program for Management Development.
Steve has written a very fine article, "The Birth and Death of the Orange Book," in the IEEE Annals of the History of Computing, Vol. 37, No. 2: April-June 2015, pp. 19-31, which describes the history of evaluation criteria with special attention to Multics.
Earl Boebert made a cameo appearance to talk about his successful efforts to rescue Multics from one of its many near-death experiences. Peter Neumann described the early days of the Multics design.