Multics Security Evaluation: Vulnerability Analysis*

Paul A. Karger, 2Lt, USAF
Roger R. Schell, Maj, USAF
Deputy for Command and Management Systems (MCI), HQ Electronic Systems Division, Hanscom AFB, MA 01730

* This article is a reprint of a technical report [19] published in June 1974. The program listings from the appendices have been omitted, due to space constraints. The text has been retyped and the figures redrawn, but with no substantive changes. The references have been updated, as some were not yet in final form in 1974.

ABSTRACT

A security evaluation of Multics for potential use as a two-level (Secret / Top Secret) system in the Air Force Data Services Center (AFDSC) is presented. An overview is provided of the present implementation of the Multics security controls. The report then details the results of a penetration exercise of Multics on the HIS 645 computer. In addition, preliminary results of a penetration exercise of Multics on the new HIS 6180 computer are presented. The report concludes that Multics as implemented today is not certifiably secure and cannot be used in an open use multi-level system. However, the Multics security design principles are significantly better than those of other contemporary systems. Thus, Multics as implemented today can be used in a benign Secret / Top Secret environment. In addition, Multics forms a base from which a certifiably secure open use multi-level system can be developed.

1 INTRODUCTION

1.1 Status of Multi-Level Security

A major problem with computing systems in the military today is the lack of effective multi-level security controls. The term multi-level security controls means, in the most general case, those controls needed to process several levels of classified material from unclassified through compartmented top secret in a multi-processing multi-user computer system with simultaneous access to the system by users with differing levels of clearances.

The lack of such effective controls in all of today's computer operating systems has led the military to operate computers in a closed environment in which systems are dedicated to the highest level of classified material and all users are required to be cleared to that level. Systems may be changed from level to level, but only after going through very time consuming clearing operations on all devices in the system. Such dedicated systems result in extremely inefficient equipment and manpower utilization and have often resulted in the acquisition of much more hardware than would otherwise be necessary. In addition, many operational requirements cannot be met by dedicated systems because of the lack of information sharing. It has been estimated by the Electronic Systems Division (ESD) sponsored Computer Security Technology Panel [10] that these additional costs may amount to $100,000,000 per year for the Air Force alone.

1.2 Requirement for Multics Security Evaluation

This evaluation of the security of the Multics system was performed under Project 6917, Program Element 64708F to meet requirements of the Air Force Data Services Center (AFDSC). AFDSC must provide responsive interactive time-shared computer services to users within the Pentagon at all classification levels from unclassified to top secret. AFDSC in particular did not wish to incur the expense of multiple computer systems nor the expense of encryption devices for remote terminals which would otherwise be processing only unclassified material. In a separate study completed in February 1972, the Information Systems Technology Applications Office, Electronic Systems Division (ESD/MCI) identified the Honeywell Multics system as a candidate to meet both AFDSC's multi-level security requirements and highly responsive advanced interactive time-sharing requirements.

1.3 Technical Requirements for Multi-Level Security

The ESD-sponsored Computer Security Technology Planning Study [10] outlined the security weaknesses of present day computer systems and proposed a development plan to provide solutions based on current technology. A brief summary of the findings of the panel follows.

1.3.1 Insecurity of Current Systems

The internal controls of current computers repeatedly have been shown insecure through numerous penetration exercises on such systems as GCOS [9], WWMCCS GCOS [8, 18], and IBM OS/360/370 [16]. This insecurity is a fundamental weakness of contemporary operating systems and cannot be corrected by "patches", "fix-ups", or "add-ons" to those systems. Rather, a fundamental re-implementation using an integrated hardware/software design which considers security as a fundamental requirement is necessary. In particular, steps must be taken to ensure the correctness of the security related portions of the operating system. It is not sufficient to use a team of experts to "test" the security controls of a system. Such a "tiger team" can only show the existence of vulnerabilities but cannot prove their non-existence.

Unfortunately, the managers of successfully penetrated computer systems are very reluctant to permit release of the details of the penetrations. Thus, most reports of penetrations have severe (and often unjustified) distribution restrictions, leaving very few documents in the public domain. Concealment of such penetrations does nothing to deter a sophisticated penetrator and can in fact impede technical interchange and delay the development of a proper solution. A system which contains vulnerabilities cannot be protected by keeping those vulnerabilities secret. It can only be protected by constraining physical access to the system.

1.3.2 Reference Monitor Concept

The ESD Computer Security Technology Panel introduced the concept of a reference monitor. This reference monitor is that hardware/software combination which must monitor all references by any program to any data anywhere in the system to ensure that the security rules are followed. Three conditions must be met to ensure the security of the system based on a reference monitor.

a. The monitor must be tamper proof.
b. The monitor must be invoked for
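The following is an added illustration, not code from the 1974 report: a minimal reference monitor that mediates every access request against the multi-level labels the introduction describes (hierarchical levels from unclassified through top secret, plus compartments). The dominance rule it applies (clearance level at least as high as the object's, and a superset of its compartments) and the read/write direction checks are assumptions of this example, not text from the report.

```python
"""Added example: a minimal reference monitor for multi-level labels.

Every reference to an object passes through ReferenceMonitor.check();
the monitor decides and records the decision. The lattice rule below
(level ordering plus compartment subset) is assumed for illustration.
"""
from dataclasses import dataclass, field

# Hierarchical levels, lowest to highest (names from the report's text).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """True if this label is at least as high as `other` and
        includes every compartment `other` carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class ReferenceMonitor:
    """Single choke point: all object references are mediated here."""

    def __init__(self):
        self.objects = {}   # object name -> classification Label
        self.audit = []     # (subject, object, mode, allowed) decisions

    def add_object(self, name, label):
        self.objects[name] = label

    def check(self, subject, clearance, obj, mode):
        """Mediate one reference. Unknown objects and modes are denied."""
        label = self.objects.get(obj)
        if label is None:
            allowed = False
        elif mode == "read":
            allowed = clearance.dominates(label)   # no reading above clearance
        elif mode == "write":
            allowed = label.dominates(clearance)   # no writing below clearance
        else:
            allowed = False
        self.audit.append((subject, obj, mode, allowed))
        return allowed
```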