
Thirty Years Later: Lessons from the Multics Security Evaluation (2002) [pdf] - zdw
https://www.acsac.org/2002/papers/classic-multics.pdf
======
nickpsecurity
Written by two of the people who helped develop the INFOSEC field and early secure
systems. Schell was an acquisitions guy who worked with Paul in early
pentests, pushed "COMPUSEC" when few believed in it, pushed for security
certifications, was sneaking funding into secure systems like SCOMP, and spent
the rest of his career pushing solutions based on the GEMSOS security kernel.

Paul Karger was an engineer who worked with him early on doing pentests
that were quite embarrassing to the military and commercial sector. Paul designed
and built a number of highly-secure systems at a time when it was little
understood. Here's his publication list and an obituary summarizing some of
his work.

[https://dblp.uni-trier.de/pers/hd/k/Karger:Paul_A=](https://dblp.uni-trier.de/pers/hd/k/Karger:Paul_A=)

[https://www.ieee-security.org/Cipher/Newsbriefs/2010/karger....](https://www.ieee-security.org/Cipher/Newsbriefs/2010/karger.html)

My favorite was the VAX Security Kernel, whose design is still stronger than most
modern VMMs. It was also the project where the application of covert-channel
analysis discovered cache-based timing channels in processors. The
high-assurance security field started freaking out about how insecure CPU hardware
was around that point. Both problems were ignored by other groups in security, much
like the results and advice from the MULTICS evaluation. His last project was a
secure smartcard OS for IBM designed for EAL7 evaluation. He and/or his team
wisely split it up into intermediate deliverables that had independent value
and potential sales to keep the long-term project funded despite the effects of
management impatience or changes.

------
Animats
The Multics simulator is finally running![1] Old Multics people talked about
that for decades, and now it is available.

The public access machine at NSA, DOCKMASTER, ran Multics until 1998.

[1] [http://multicians.org/simulator.html](http://multicians.org/simulator.html)

~~~
nickpsecurity
User trn on Lobste.rs has a public one here:

[https://ban.ai/multics/](https://ban.ai/multics/)

I haven't tried to use it or anything. Just posting it for others.

