Thirty Years Later: Lessons from the Multics Security Evaluation (2002) [pdf] (acsac.org)
52 points by zdw 10 months ago | 3 comments



Written by two of the people who helped develop the INFOSEC field and early secure systems. Schell was an acquisitions guy who worked with Paul in early pentests, pushed "COMPUSEC" when few believed in it, pushed for security certifications, was sneaking funding into secure systems like SCOMP, and spent the rest of his career pushing solutions based on the GEMSOS security kernel.

Paul Karger was an engineer who worked with him early on doing pentests that were quite embarrassing to the military and commercial sector. Paul designed and built a number of highly-secure systems at a time when it was little understood. Here's his publication list and an obituary summarizing some of his work.

https://dblp.uni-trier.de/pers/hd/k/Karger:Paul_A=

https://www.ieee-security.org/Cipher/Newsbriefs/2010/karger....

My favorite was the VAX Security Kernel, whose design is still stronger than most modern VMMs. It was also the project where the application of covert-channel analysis discovered cache-based timing channels in processors. The high-assurance security field started freaking out about how insecure CPU hardware was around that point. Both problems were ignored by other groups in security, much like the results and advice from the MULTICS evaluation. His last project was a secure smartcard OS for IBM designed for EAL7 evaluation. He and/or his team wisely split it up into intermediate deliverables that had independent value and potential sales to keep the long-term project funded despite the effects of management impatience or changes.


The Multics simulator is finally running![1] Old Multics people talked about that for decades, and now it is available.

The public access machine at NSA, DOCKMASTER, ran Multics until 1998.

[1] http://multicians.org/simulator.html


User trn on Lobste.rs has a public one here:

https://ban.ai/multics/

I haven't tried to use it or anything. Just posting it for others.



