MS5104 Computer Security

Download Report

Transcript MS5104 Computer Security

Security Mechanisms
• Last week’s lecture dealt with access control
policies at an abstract level.
• How can computer systems enforce such policies
in practice?
• You have to answer the following questions:
– Where should access control be located?
(Second Fundamental Design Decision)
– Are there any additional security requirements
your solution forces you to consider?
MT5104 - Computer Security Security Mechanisms
1
Agenda
•
•
•
•
•
•
•
Historic examples, to keep matters simple
Reference monitor, security kernel, and TCB
Status information & controlled invocation
Security features in microprocessors
Memory management and access control
The Multics interpretation of Bell-LaPadula
Wrappers, reflection, and in-line reference monitors
MT5104 - Computer Security Security Mechanisms
2
Important Concepts (TCSEC)
• Reference monitor: access control concept that
refers to an abstract machine that mediates all
accesses to objects by subjects.
• Security Kernel: The hardware firmware, and
software elements of a TCB that implement the
reference monitor concept. It must mediate all
accesses, be protected from modification, and be
verifiable as correct.
MT5104 - Computer Security Security Mechanisms
3
Important Concepts (TCSEC)
• Trusted Computing Base (TCB):
The totality of
protection mechanisms within a computer system including hardware, firmware, and software - the
combination of which is responsible for enforcing a
security policy. A TCB consists of one or more
components that together enforce a unified security policy
over a product or system. The ability of the TCB to
correctly enforce a security policy depends solely on the
mechanisms within the TCB and on the correct input by
system administrative personnel of parameters (e.g., a
user’s clearance) related to the security policy.
MT5104 - Computer Security Security Mechanisms
4
Operating System (O/S) Integrity
• Assume that your O/S prevents unauthorized access to
resources (as long as it works as intended).
• To bypass the protection mechanisms, an attacker may try to
disable the security controls by modifying the O/S. You now
face an integrity problem, even if your original concern was
confidentiality. The O/S is not only the arbitrator of access
requests, it is itself an object of access control.
• New security policy: Users must not be able to modify the
operating system.
• This is a generic security policy, needing strong and
efficient support.
MT5104 - Computer Security Security Mechanisms
5
Operating System Integrity
• To make life more complicated, you have to address two
competing requirements.
– Users should be able to use (invoke) the O/S.
– Users should not be able to misuse the O/S.
• Two important concepts commonly used to achieve these
goals are:
– status information
– controlled invocation, also called restricted privilege
• These concepts can be used in any layer of a computing
system, be it application software, operating system, or
hardware.
MT5104 - Computer Security Security Mechanisms
6
Modes of Operation
• To protect itself, an O/S must be able to distinguish
computations ‘on behalf’ of the O/S from computations
‘on behalf’ of a user.
• A status flag allows the system to work in different modes.
– Motorola 68000: one status bit to distinguish between
user mode and supervisor (system) mode
– Intel 80x86: two status bits and four modes
– Unix distinguishes between user and superuser (root)
• Why are such modes useful? For example, to stop users
from writing directly to memory and corrupting the logical
file structure, the O/S could grant write access to memory
locations only if the processor is in supervisor mode.
MT5104 - Computer Security Security Mechanisms
7
Controlled Invocation
• We continue our example. A user wants to execute an
operation requiring supervisor mode, e.g. write to memory.
• To deal with this request, the processor has to switch
between modes, but how should this switch be performed?
• Simply changing the status bit to supervisor mode would
give all privileges associated with this mode to the user
without any control on what the user actually does.
• Therefore, it is desirable that the system only performs a
predefined set of operations in supervisor mode and then
returns to user mode before handing control back to the
user. We refer to this process as controlled invocation.
MT5104 - Computer Security Security Mechanisms
8
Core Security Mechanisms
applications
services
operating system
OS kernel
hardware
MT5104 - Computer Security Security Mechanisms
9
Why Put Mechanisms at the Core?
• To facilitate security evaluation at a higher level of assurance.
A security mechanism in a given layer can be compromised from
a layer below. To evaluate security, you have to check that
security mechanisms cannot be bypassed. The more complex a
system is, the more difficult this check becomes. At the core of a
system you may find simple structures which are amenable to
thorough analysis.
• Putting security mechanisms into the core of the system can
reduce performance overheads caused by security.
Processor performance depends on the right choice and efficient
implementation of a generic set of operations that is most useful
to the majority of users. The same holds for security mechanisms.
• Note: Some sources assume that TCBs and security kernels must
enforce BLP-like policies.
MT5104 - Computer Security Security Mechanisms
10
Computer Architecture
• For our purpose, a simple schematic description of a
computer will do. We have
– a central processing unit (CPU)
– memory
– a bus connecting CPU and memory
CPU
Bus
MT5104 - Computer Security Security Mechanisms
Memory
11
CPU
• The core CPU components are:
• Registers: general purpose registers and dedicated registers
like
– program counter: points to the memory location
containing the next instruction to be executed
– stack pointer: points to the top of the system stack
– status register: allows the CPU to keep essential state
information
• Arithmetic Logic Unit (ALU): executes instructions given
in a machine language; executing an instruction may also
set bits in the status register.
MT5104 - Computer Security Security Mechanisms
12
Processes and Threads
• A process is a program in execution, consisting of
– executable code, data, and the execution context, e.g. the
contents of certain CPU registers.
• A process works in its own address space and communicates
with other processes only through O/S primitives. This logical
separation between processes is a useful basis for security.
However, a context switch between processes is expensive as
the O/S has to save the entire execution context on the stack.
• Threads are strands of execution within a process. Threads
share an address space to avoid the overheads of a full context
switch, but they also avoid potential security controls.
• Processes (and threads) are important units of control for the
O/S, and for security. They are the ‘subjects’ of access
control.
MT5104 - Computer Security Security Mechanisms
13
System Stack
• The system stack is a specially designated part of memory.
The stack can be accessed by pushing data on its top or by
popping data from its top.
• To switch between different processes, the CPU performs a
context switch saving the state of the current process, e.g.
program counter, status register, etc., on the stack before
giving control to the new process.
• Beware of the dangers of abstraction. In an abstract
discussion it is reasonable to pretend that the size of the
stack is unlimited. An actual implementation, however,
could well allocate a fixed memory section for the stack. If
the stack is allowed to grow beyond its maximal size,
security problems can occur, have occurred, and will occur.
MT5104 - Computer Security Security Mechanisms
14
Memory Structures
The security characteristics of different types of memory:
• RAM (random access memory): read/write memory; no
guarantees for integrity and confidentiality
• ROM (read-only memory): provides integrity, does not
guarantee confidentiality; ROM could store (part of) the O/S.
• EPROM (erasable and programmable read-only memory):
could store parts of the O/S or cryptographic keys; technologically more sophisticated attacks threaten security.
• WROM (write-once memory): memory contents are frozen
once and for all, e.g. by blowing a fuse placed on the write
line; WROM could hold cryptographic keys or audit logs.
MT5104 - Computer Security Security Mechanisms
15
Memory Structures
• Volatile memory loses its contents when power is switched
off. To be precise, memory contents degrade and may still be
present after a short power loss and can be constructed by
special electronic techniques if power has been switched off
for some time. To counter such attacks, memory has to be
overwritten repeatedly with suitable bit patterns.
• Non-volatile (permanent) memory keeps its content when
power is switched off. If attackers have direct access to
memory bypassing the CPU, cryptographic or physical
measures are needed to protect sensitive data.
• For example, a light sensor in a tamper resistant module may
detect an attempted manipulation and trigger the deletion of
the data kept in the module.
MT5104 - Computer Security Security Mechanisms
16
Traps - Interrupts
• The CPU deals with interruptions of executions, created by errors
in the program, user requests, hardware failure, etc., through
mechanisms called exceptions, interrupts, and traps. These terms
may refer to different types of events, but as ever there are
competing classifications. We use trap as the generic term.
• A trap is a special input to the CPU, which includes an address
(interrupt vector) in an interrupt vector table giving the location
of the program (interrupt handler) which deals with the condition
specified in the trap.
• When a trap occurs, the CPU saves its current state on the stack
and then executes the interrupt handler. In this way, control is
taken away from the user. The interrupt handler has to restore the
CPU to a proper state, e.g. by clearing the supervisor status bit,
before returning control to the user.
MT5104 - Computer Security Security Mechanisms
17
Interrupt Vectors
Interrupt
Interrupt vector table
Memory
TRAP #n
Interrupt vector
Interrupt handler
MT5104 - Computer Security Security Mechanisms
18
Interrupting Interrupts
• A further interrupt may arrive while the CPU deals with a
current interrupt. The CPU may then have to interrupt the
current interrupt handler.
• Improper handling of such a situation can lead to security
flaws. Consider a system where a user can interrupt the
execution of a program by typing CTRL-C so that the CPU
returns to the O/S prompt with the status bit of the current
process. A user could then enter supervisor mode by
interrupting the execution of an O/S call.
• The interrupt table is a particularly interesting point of
attack and has to be protected adequately. Redirecting
pointers is a very efficient way of compromising the
integrity of the O/S.
MT5104 - Computer Security Security Mechanisms
19
Example 1: Motorola 68000
• The Motorola 68000 has a 16-bit status register. The top
section of the status register, the system byte, contains bits
relevant for security controls.
– S: supervisor bit, two modes
– T: trace bit, exception raised after each instruction
– I2I1I0: interrupt level number
• After a reset, the 68000 always boots in supervisor mode.
Once the S bit has been set to 0, it can only be set to 1 by a
TRAP #n instruction. The operand #n gives the exception
(interrupt) vector. The S bit is reset by the RTE instruction.
• There are seven levels of interrupt priorities. Interrupts can be
masked: interrupts with a higher priority will not be
interrupted by a low priority interrupt.
MT5104 - Computer Security Security Mechanisms
20
Memory Management
• Memory mapped I/O treats memory and input/output devices
in a unified manner.
• The function codes FC2, FC1, FC0 indicate the processor
status so that the address decoder may select between user
and supervisor memory or between data and programs.
FC2 FC1 FC0
0 0 0
0 0 1
0 1 0
0 1 1
1 0 0
1 0 1
1 1 0
1 1 1
(undefined,reserved)
user data
user program
(undefined,reserved)
(undefined,reserved)
supervisor data
supervisor program
interrupt acknowledge
MT5104 - Computer Security Security Mechanisms
21
General Lessons
• The ability to distinguish between data and programs is a
useful security feature, providing a basis for protecting
programs from modification.
• From a more abstract point of view, memory has been
divided into different regions. Access control can then refer
to the location a data object or program comes from.
• This can serve as a first example for location based access
control. Distributed systems or computer networks may use
location based access control at the level of network nodes.
MT5104 - Computer Security Security Mechanisms
22
Example 2: Intel 80x86
• The Intel 80386/80486 is a 32-bit processor. Support for access
control at machine language level is based on protection rings.
• A two-bit field in the status register defines four privilege
levels. Unix and Windows NT use levels 0 (O/S) and 3 (user).
• Privilege levels can only be changed through the POPF
command.
• Processes can only access objects in their ring or in outer rings.
• Processes can invoke subroutines only within their ring.
• Processes need gates to execute procedures in an inner ring.
• Information about system objects like memory segments, access
control tables, or gates is stored in descriptors. The privilege
level of an object is stored in the DPL field of its descriptor.
MT5104 - Computer Security Security Mechanisms
23
Intel 80x86 - Access Control
• Descriptors are held in the descriptor table and are accessed via
selectors. A selector is a 16-bit field containing an index for the
object’s entry in the descriptor table and a requested privilege
level (RPL) field. Only the O/S has access to selectors.
INDEX
Descriptor
DPL
RPL
selector
Descriptor table
• Current privilege level (CPL): the code segment register stores
the selector of the current process. Access control decisions can
be made by comparing CPL (subject) and DPL (object).
MT5104 - Computer Security Security Mechanisms
24
Intel 80x86 - Controlled Invocation
• A gate is a system object that points to a procedure, where the
gate has a privilege level different from that of the procedure it
points to. A process can only use gates has in its own ring.
• Gates allow execute-only access to procedures in an inner ring.
• A subroutine call saves state information about the calling
process and the return address on the stack.
– Should this stack be in the inner ring? Violates the security
policy forbidding write to an inner ring.
– Should this stack be in the outer ring? The return address
could be manipulated from the outer ring.
• Therefore, part of the stack (how much is described in the gate’s
descriptor) is copied to a more privileged stack segment.
MT5104 - Computer Security Security Mechanisms
25
A Loophole?
• When invoking a subroutine through a gate, the CPL changes to
the level of the code the gate is pointing to. On returning from
the subroutine, the CPL is restored to that of the calling process.
• The outer-ring process may now ask the inner-ring procedure to
copy an object residing in the inner ring to the outer ring. This
will not be prevented by any of the mechanisms presented so
far, nor does it actually violate the stated security policy.
• To take into account the level of the calling process, use the
adjust privilege level (ARPL) instruction. This instruction
changes the RPL fields of all selectors to the CPL of the calling
process. The system then compares the RPL (in the selector)
and the DPL (in the descriptor) of an object when making
access control decisions.
MT5104 - Computer Security Security Mechanisms
26
Comparing RPL and DPL
Descriptor table
selector
INDEX
Descriptor
RPL
DPL
?
=
MT5104 - Computer Security Security Mechanisms
27
Security Mechanisms in O/S
• O/S manage access to data and resources. Multitasking O/S
interleave the execution of processes belonging to different
users. They have to
– separate user space from O/S space
– logically separate users
– restrict the memory objects a process can access
• Logical separation of users can take place at two levels:
– file management, deals with logical memory objects
– memory management, deals with physical memory
objects
• As far as security is concerned, this distinction is important.
MT5104 - Computer Security Security Mechanisms
28
Segments and Pages
• Segmentation divides memory into logical units of variable
lengths.
+ A division into logical units is a good basis for enforcing a
security policy.
– Units of variable length make memory management more
difficult.
• Paging divides memory into pages of equal length.
+ Fixed length units allow efficient memory management.
– Paging is not a good basis for access control as pages are
not logical units. One page may contain objects requiring
different protection. Page faults can create a covert
channel.
MT5104 - Computer Security Security Mechanisms
29
A Covert Channel
• When a process makes access to a logical object stored on
more than one page, a page fault occurs whenever a new page
is requested.
• A covert channel exists if page faults can be observed.
• Consider a password scheme where the password entered is
compared character by character with the reference password
stored in memory. Access is denied the moment an incorrect
match is found.
• If a password is stored across a page boundary, then observing a page fault indicates that the piece of the password
on the first page has been guessed correctly. If the attacker
can control where the password is stored on the page,
password guessing becomes rather easy.
MT5104 - Computer Security Security Mechanisms
30
Memory Protection
• The O/S has to control access to data objects in memory. A
data object is physically represented as a collection of bits
stored in certain memory locations. Access to a logical object
is ultimately translated into access operations at machine
language level. At this level, you can pursue three options for
controlling access to memory locations,
– the operating system modifies the addresses it receives
from user processes,
– the operating system constructs the effective addresses
from relative addresses it receives from user processes,
– the operating system checks whether the addresses it
receives from user processes are within given bounds.
MT5104 - Computer Security Security Mechanisms
31
Address Sandboxing (Modification)
• An address consists of a segment identifier and an offset.
When the operating system receives an address, it sets the
correct segment identifier as follows:
First, a bitwise AND of the address with mask_1 clears
the segment identifier. Then a bitwise OR with mask_2
sets the segment identifier to the intended value SEG_ID.
address
seg_id
offset
mask_1
0....0
1….1
0….0
offset
mask_2 SEG_ID
0….0
effective address SEG_ID
offset
MT5104 - Computer Security Security Mechanisms
} bitwise AND
} bitwise OR
32
Relative Addressing
• Clever use of addressing modes can keep processes out of
forbidden memory areas.
• Fence registers: base register addressing keeps users out of O/S
space.
memory
fence register
O/S space
base
top of user space
offset
+
• Bounds register define the bottom of the user space. Base and
bounds registers allow to separate program from data space.
• Tagged architectures indicate the type of each memory object.
MT5104 - Computer Security Security Mechanisms
33
Logical Protection in Multics
• We will examine logical protection in the historic example of
the Multics operating system and demonstrate how BellLaPadula is used in the design of a secure O/S.
• Multics was designed to be a secure, reliable, etc multi-user
O/S. Multics became too cumbersome for some project
members, who then created something much simpler, viz Unix.
• The history of the two systems is ample evidence for the
relation between commercial success and the balance between
usability and security.
• The inductive definition of security in BLP makes it relatively
easy to build a secure system. To show that Multics is secure,
one has to find a description of the O/S, which is consistent
with BLP and verify that all state transitions are secure.
MT5104 - Computer Security Security Mechanisms
34
The Multics Interpretation of BLP
• The subjects in Multics are processes. Each subject has a
descriptor segment that contains information about the process.
• For each object the process currently has access to, there is a
segment descriptor word (SDW) in the subject’s descriptor
segment. The SDW contains the name of the object, a pointer to
the object, and flags for read, execute, and write access.
segment
descriptor
word
Segment_id
r: on
e: off
pointer
w: on
• The security level of subjects are kept in a process level table
and a current-level table. The active segment table records all
active processes. Only active processes have access to an object.
MT5104 - Computer Security Security Mechanisms
35
Compatibility
• Objects are memory segments, I/O devices, ...
• Objects are organised hierarchically in a directory tree.
Directories are again segments. Information about an object, like
its security level or its access control list (ACL), are kept in the
object’s parent directory. To change an object’s access control
parameters and to create or delete an object requires write or
append access rights to the parent directory.
• To access an object, a process has to traverse the directory tree
from the root directory to the target object. If any directory in
this path is not accessible to the process, the target object is not
accessible either.
• Compatibility: The security level of an object must always
dominate the security level of its parent directory.
MT5104 - Computer Security Security Mechanisms
36
BLP State in Multics
Components of the BLP state in Multics:
• Current access b: stored in the SDWs in the descriptor segments
of the active processes; the active processes are found in the
active segment table. The descriptor segment base register
(DSBR) points to the descriptor segment of the current process.
• Access control matrix M: represented by the ACLs; for each
object, the ACL is stored in its parent directory; each ACL entry
specifies a process and the access rights the process has on that
object.
• Level function f: the security levels of the subjects are stored in
the process level table and the current-level table; the security
level of an object is stored in its parent directory.
MT5104 - Computer Security Security Mechanisms
37
descriptor segment
of current process
segment-id
DSBR
segment-id ptr
current process
r:off e:off w:on
subject
current proc. Lc
object
LC  LO?
current-level table
segment-id LO
parent directory
MT5104 - Computer Security Security Mechanisms
38
MAC in Multics
• Multics access attributes for data segments:
–
–
–
–
read
execute
read and write
write
r
e,r
w
a
• The -property for Multics: for any SDW in the descriptor
segment of an active process, the current level of the process
– dominates the level of the segment if the read or execute
flags are on and the write flag is off,
– Is dominated by the level of the segment if the read flag is off
and the write flag is on,
– is equal to the level of the segment if the read flag is on and
the write flag is on.
MT5104 - Computer Security Security Mechanisms
39
Kernel Primitives
• If the state transitions in an abstract model of the Multics kernel
preserve the BLP security policies, then the BLP Basic Security
Theorem proves the ‘security’ of Multics.
• Example: the get-read primitive takes as its parameters a
process-id and a segment-id. The O/S has to check whether
– the ACL of segment-id, stored in the segment's parent
directory, lists process-id with read permission,
– the security level of process-id dominates the security level
of segment-id,
– process-id is a trusted subject, or the current security level of
process-id dominates the security level of segment-id.
• If all three conditions are met, access is permitted and a SDW in
the descriptor segment of process-id is added/updated.
MT5104 - Computer Security Security Mechanisms
40
More Kernel Primitives
• release-read: release an object; the read flag in the corresponding
SDW is turned off; if thereafter no flag is on, the SDW is
removed from the descriptor segment.
• give-read: grant read access to another process (DAC).
• rescind-read: withdraw a read permission given to another
process.
• create-object: create an object; the O/S has to check that write
access on the object's directory segment is permitted and that the
security level of the segment dominates the security level of the
process.
• change-subject-current-security-level: the O/S has to check that
no security violations are created by the change; this kernel
primitive, as well as the primitive change-object-security-level
were not intended for implementation (tranquility).
MT5104 - Computer Security Security Mechanisms
41
Logical Protection in a ‘Real’ O/S
Covered by guest speakers. For each O/S, find out:
•
•
•
•
•
What are the principals?
What are the subjects?
What are the objects?
Which access control structures are used?
What are the rules for evaluating the access
control structures?
• What are the main issues when mapping an
organisational security policy into an automated
security policy?
MT5104 - Computer Security Security Mechanisms
42
Logical Protection at the
Application Level
• Protection at the application level can be implemented by
placing a reference monitor ‘in front of’ the component to be
protected. Instead of calling the component directly, other
components have to call the reference monitor (wrapper) first.
• Wrappers in Unix (more in a moment)
• Reflection in object-oriented systems: I.Welch, R.J.Stroud:
Using Reflection as a Mechanism for Enforcing Security
Policies in Mobile Code, ESORICS 2000, pages 309-322
• In-line Reference Monitors (IRMs): U.Erlingsson,
F.Schneider: IRM Enforcement of Java Stack Inspection, 2000
IEEE Symposium on Security and Privacy, pages 246-255
MT5104 - Computer Security Security Mechanisms
43
Example: Unix Telnet Wrapper
• A Unix network service like telnet work as follows. The inetd
daemon listens to incoming network connections. When a
connection is made, inetd starts the appropriate server
program and then returns to listening for further connections.
• The inetd daemon has a configuration file that maps services
(port numbers) to programs. Entries in this file have the format
service type protocol waitflag userid executable command-line
• The entry for telnet could be
telnet stream tcp nowait root /usr/bin/in.telnetd in.telnet
• When inetd receives a request for a service, it consults the
configuration file and creates a new process that runs the
program (executable) specified. The name of this new process
is the name given in the command-line field.
MT5104 - Computer Security Security Mechanisms
44
• Usually, the name of the executable and the command-line entry
are the same. In this case, point the inetd daemon to a wrapper
program instead of the original executable; use the name of the
process to remember the name of the original executable, which
is called after the wrapper has performed its security controls.
• In our example, change the configuration file entry for telnet to
telnet stream tcp nowait root /usr/bin/tcpd in.telnet
• The program executed is now /usr/bin/tcpd, the TCP wrapper
executable. The process executing the wrapper will still be
called in.telnet. Within this wrapper, you can perform all the
access control or logging you want to do.
• The wrapper knows the directory it is in, i.e. /usr/bin, and its
own name, in.telnet, so it can call the original server program
/usr/bin/in.telnet.
• Users see no difference and receive the same service as before.
• There is a nice trick and a fundamental design principle.
MT5104 - Computer Security Security Mechanisms
45
Exercises - 1
• If the trace bit in the Motorola 68000 is set, an exception is
created after each instruction that has been executed, allowing
the programmer to run an interrupt handler, e.g. to debug
programs. What are the security implications of setting the trace
bit? Why has the trace bit to be cleared when processing an
exception?
• Smart card processors used to have their entire card O/S in
ROM. Today, there are moves towards processors where part of
the O/S can be loaded into E2PROM. What are the advantages
and disadvantages of keeping the O/S in ROM? What are the
security implications of moving parts of the O/S into E2PROM?
• Justify the rephrasing of the - property for Multics. Why do we
have to consider just the three cases mentioned?
MT5104 - Computer Security Security Mechanisms
46
Exercises - 2
• Which level should be assigned to the root directory of a multilevel secure O/S?
• Analyse the security and usability implications of the following
options for storing the security level of a file in a multi-level
secure O/S:
– Store the security level of the file with the file name in the
directory.
– Store the security level of the file with the file itself, the
directory has only the file name.
– Divide the directory into partitions for each security level.
File names are put into the division corresponding to their
security level.
• For each of the talks on IBM products, Unix, and Windows,
write an essay answering the questions from slide 42.
MT5104 - Computer Security Security Mechanisms
47
Further reading
• Gasser, M.: Building a Secure Computer System, Van Nostrand Reinhold,
New York, 1988 (many useful pointers to technical reports on O/S security)
• Sibert, O., Porras, P.A. and Lindell, R.: An Analysis of the Intel 80x86
Processor Architecture and Implementation, IEEE Transaction on Software
Engineering, March 1995, pp.181-199 (building security kernels with Intel
80x86 processors)
• Wahbe, R., Lucco, S., Anderson, T.E. and Graham, S.L.: Efficient SoftwareBased Fault Isolation, Proceedings of the Symposium on Operating System
Principles, 1993 (address sandboxing and related techniques)
• http://www.qnx.com/literature/nto_sysarch/nto_sysarch.html (QNX web
page with practical material on memory management)
• Saltzer, J.H.: Protection and the Control of Information Sharing in Multics,
Communications of the ACM, 17, pp. 388-402, 1974
• Comments on Multics security also at http://www.lilli.com/multics.html
MT5104 - Computer Security Security Mechanisms
48