ProtectionOfInformationInComputerSystems1975s1ProtectionOfInformationInComputerSystems1975s2ProtectionOfInformationInComputerSystems1975s3ProtectionOfInformationInComputerSystems1975s4ProtectionOfInformationInComputerSystems1975s5ProtectionOfInformationInComputerSystems1975f1ProtectionOfInformationInComputerSystems1975f2ProtectionOfInformationInComputerSystems1975f3ProtectionOfInformationInComputerSystems1975f4ProtectionOfInformationInComputerSystems1975f5ProtectionOfInformationInComputerSystems1975f6ProtectionOfInformationInComputerSystems1975f7ProtectionOfInformationInComputerSystems1975f8ProtectionOfInformationInComputerSystems1975f9ProtectionOfInformationInComputerSystems1975f10ProtectionOfInformationInComputerSystems1975f11ProtectionOfInformationInComputerSystems1975f12ProtectionOfInformationInComputerSystems1975f13ProtectionOfInformationInComputerSystems1975f14About this paperThe Protection of Information in ComputerSystemsJEROME H. SALTZER, SENIOR MEMBER, IEEE, AND MICHAEL D. SCHROEDER, MEMBER, IEEEInvited PaperAbstract - This tutorial paper explores the mechanics of protecting computer-stored information fromunauthorized use or modification. It concentrates on those architectural structures--whether hardware orsoftware--that are necessary to support information protection. The paper develops in three mainsections. Section I describes desired functions, design principles, and examples of elementary protectionand authentication mechanisms. Any reader familiar with computers should find the first section to bereasonably accessible. Section II requires some familiarity with descriptor-based computer architecture.It examines in depth the principles of modern protection architectures and the relation betweencapability systems and access control list systems, and ends with a brief analysis of protected subsystemsand protected objects. The reader who is dismayed by either the prerequisites or the level of detail in thesecond section may wish to skip to Section III, which reviews the state of the art and current researchprojects and provides suggestions for further reading.GlossaryThe following glossary provides, for reference, brief definitions for several terms as used in this paper in thecontext of protecting information in computers.AccessThe ability to make use of information stored in a computer system. Used frequently as a verb, to thehorror of grammarians.Access control listA list of principals that are authorized to have access to some object.AuthenticateTo verify the identity of a person (or other agent external to the protection system) making a request.AuthorizeTo grant a principal access to certain information.CapabilityIn a computer system, an unforgeable ticket, which when presented can be taken as incontestable proofthat the presenter is authorized to have access to the object named in the ticket.CertifyTo check the accuracy, correctness, and completeness of a security or protection mechanism.Complete isolationA protection system that separates principals into compartments between which no flow of information orcontrol is possible.ConfinementAllowing a borrowed program to have access to data, while ensuring that the program cannot release theinformation.DescriptorA protected value which is (or leads to) the physical address of some protected object.Discretionary(In contrast with nondiscretionary.) Controls on access to an object that may be changed by the creatorof the object.DomainThe set of objects that currently may be directly accessed by a principal.EnciphermentThe (usually) reversible scrambling of data according to a secret transformation key, so as to make it safefor transmission or storage in a physically unprotected environment.GrantTo authorize (q. v.).Hierarchical controlReferring to ability to change authorization, a scheme in which the record of each authorization iscontrolled by another authorization, resulting in a hierarchical tree of authorizations.List-orientedUsed to describe a protection system in which each protected object has a list of authorized principals.PasswordA secret character string used to authenticate the claimed identity of an individual.PermissionA particular form of allowed access, e.g., permission to READ as contrasted with permission to WRITE.PrescriptA rule that must be followed before access to an object is permitted, thereby introducing an opportunityfor human judgment about the need for access, so that abuse of the access is discouraged.PrincipalThe entity in a computer system to which authorizations are granted; thus the unit of accountability in acomputer system.PrivacyThe ability of an individual (or organization) to decide whether, when, and to whom personal (ororganizational) information is released.PropagationWhen a principal, having been authorized access to some object, in turn authorizes access to anotherprincipal.Protected objectA data structure whose existence is known, but whose internal organization is not accessible, except byinvoking the protected subsystem (q.v.) that manages it.Protected subsystemA collection of procedures and data objects that is encapsulated in a domain of its own so that the internalstructure of a data object is accessible only to the procedures of the protected subsystem and theprocedures may be called only at designated domain entry points.Protection1) Security (q.v.).2) Used more narrowly to denote mechanisms and techniques that control the access of executingprograms to stored information.Protection groupA principal that may be used by several different individuals.RevokeTo take away previously authorized access from some principal.SecurityWith respect to information processing systems, used to denote mechanisms and techniques that controlwho may use or modify the computer or the information stored in it.Self controlReferring to ability to change authorization, a scheme in which each authorization contains within it thespecification of which principals may change it.Ticket-orientedUsed to describe a protection system in which each principal maintains a list of unforgeable bit patterns,called tickets, one for each object the principal is authorized to have access.UserUsed imprecisely to refer to the individual who is accountable for some identifiable set of activities in acomputer system.1. Basic Principles Of Information Protection2. Descriptor-Based Protection Systems3. The State of the Art4. References5. Figures: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14I. BASIC