The Protection of Information in Computer Systems

Proceedings of the IEEE

Volumn 63, Issue 9, 1975, Pages 1278-1308

  Saltzer, Jerome H ^a   Schroeder, Michael D ^a  

^a MASSACHUSETTS INSTITUTE OF TECHNOLOGY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER ARCHITECTURE;

DATA PROCESSING;

COMPUTER ANALYSIS; CRIME; DIGITAL COMPUTER; INFORMATION RETRIEVAL;

EID: 0016555241     PISSN: 00189219     EISSN: 15582256     Source Type: Journal    
DOI: 10.1109/PROC.1975.9939     Document Type: Article

References (100)

1. A. Westin, Privacy and Freedom. New York: Atheneum, 1967. (I-A1, SFR)
2. A. Miller, The Assault on Privacy. Ann Arbor, Mich.: Univ. of Mich. Press, 1971; also New York: Signet, 1972, Paperback W4934. (I-A1, SFR)
3. Dept. of Health, Education, and Welfare, Records, Computers, and the Rights of Citizens. Cambridge, Mass.: M.I.T. Press, 1973. (I-A1, SFR)
4. R. Turn and W. Ware, “Privacy and security in computer systems,” Amer. Scientist, vol. 63, pp. 196–203, Mar.–Apr. 1975. (I-A1)
5. W. Ware, “Security and privacy in computer systems,” in 1967 SJCC, AFIPS Conf. Proc., vol. 30, pp. 287–290. (I-A1)
6. J. Anderson, “Information security in a multi-user computer environment,” in Advances in Computers, vol. 12. New York: Academic Press, 1973, pp. 1–35. (I-A1, SFR)
7. J. Martin, Security, Accuracy, and Privacy in Computer Systems. Englewood Cliffs, N.J.: Prentice-Hall, 1973. (I-A1, SFR)
8. R. Patrick, Security Systems Review Manual. Montvale, N.J.: AFIPS Press, 1974. (I-A1, SFR)
9. G. Bender, D. Freeman, and J. Smith “Function and design of DOS/360 and TOS/360,” IBM Syst. J., vol. 6, pp. 2–21, 1967. (I-A2)
10. R. Hargraves and A. Stephenson, “Design considerations for an educational time-sharing system,” in 1969 SJCC, AFIPS Conf. Proc., vol. 34, pp. 657–664. (I-A2)
11. R. Meyer and L. Seawright “A virtual machine time-sharing system,” IBM Syst. J., vol. 9, pp. 199–218, 1970. (I-A2, I-B3, III-A)
12. M.I.T. Computation Center, CTSS Programmer's Guide, 2nd ed. Cambridge, Mass.: M.I.T. Press, 1965. (I-A2, III-A)
13. D. Stone, “PDP-10 system concepts and capabilities,” in PDP-10 Applications in Science, vol. II. Maynard, Mass: Digital Equipment Corp., undated (ca. 1970), pp. 32–55. (I-A2)
14. C. Weissman, “Security controls in the ADEPT-50 time-sharing system,” in 1969 FJCC, AFIPS Conf. Proc., vol. 35, pp. 119–133. (I-A2, II-C5, III-A, III-B, SFR)
15. D. Bobrow et al. “TENEX, a paged time sharing system for the PDP-10,” Commun. ACM, vol. 15, pp. 135–143, Mar. 1972. (I-A2, II-C3)
16. F. Corbató, J. Saltzer, and C. Clingen, “Multics-The first seven years,” in 1972 SJCC, AFIPS Conf. Proc., vol. 40, pp. 571–583. (I-A2)
17. H. Sturgis, “A postmortem for a time sharing system,” Ph.D. dissertation, Univ. of Calif., Berkeley, 1973. (Also available as Xerox Palo Alto Res. Center Tech. Rep. CSL74-1.) (I-A2, II-C2, II-E, III-A, SFR)
18. D. Ritchie and K. Thompson “The UNIX time-sharing system,” Commun. ACM, vol. 17, pp. 365–375, July 1974. (I-A2, II-C3)
19. B. Lampson, “Dynamic protection structures,” in 1969 FJCC, AFIPS Conf. Proc., vol. 35, pp. 27–38. (I-A2, II-E, III-A)
20. R. Needham, “Protection systems and protection implementations,” in 1972 FJCC, AFIPS Conf. Proc., vol. 41, part. I, pp. 571–578. (I-A2, II-B3, II-E, III-A, SFR)
21. W. Wulf et al. “HYDRA: The kernel of a multiprocessor operating system,” Commun. ACM, vol. 17, pp. 337–345, June 1974. (I-A2, II-B3, III-A)
22. R. Conway, W. Maxwell, and H. Morgan “On the implementation of security measures in information systems,” Commun. ACM, vol. 15, pp. 211–220, Apr. 1972. (I-A2)
23. I. Reed, “The application of information theory to privacy in data banks,” Rand Corp., Tech. Rep. R-1282-NSF, 1973. (I-A2)
24. D. Hsiao, D. Kerr, and F. Stahl, “Research on data secure systems,” in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 994–996. (I-A2)
25. L. Hoffman and W. Miller “Getting a personal dossier from a statistical data bank,” Datamation, vol. 16, pp. 74–75, May 1970. (I-A2)
26. J. Saltzer “Protection and the control of information sharing in Multics,” Commun. ACM, vol. 17, pp. 388–402, July 1974. (I-A3, I-B4, III-A, SFR)
27. P. Baran, “Security, secrecy, and tamper-free considerations,” on Distributed Communications, no. 9, Rand Corp. Tech. Rep. RM-3765-PR, 1964. (I-A3, III-B)
28. G. Popek, “A principle of kernel design,” in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 977–978. (I-A3)
29. D. Hollingsworth, “Enhancing computer system security,” Rand Corp. Paper P-5064, 1973. (I-A3)
30. B. Lampson “Protection,” in Proc. 5th Princeton Symp. Information Science and Systems (Mar. 1971), pp. 437–443. (Reprinted in ACM Operating Syst. Rev., vol. 8, pp. 18–24, Jan. 1974.) (I-B1, II-B2, II-E, SFR)
31. E. Codd et al. “Multiprogramming Stretch: Feasibility considerations,” Commun. ACM, vol. 2, pp. 13–17, Nov. 1959. (I-B3)
32. W. Lonergan and P. King “Design of the B5000 system,” Datamation, vol. 7, pp. 28–32, May 1961. (I-B3, I-B5)
33. G. Popek and R. Goldberg “Formal requirements for virtualizable third generation architectures,” Commun. ACM, vol. 17, pp. 412–421, July 1974. (I-B3)
34. R. Goldberg, “Architecture of virtual machines,” in 1973 NCC, AFIPS Conf. Proc., vol. 42, pp. 309–318. (I-B3)
35. G. Purdy “A high security log-in procedure,” Commun. ACM, vol. 17, pp. 442–445, Aug. 1974. (I-B4)
36. A. Evans, W. Kantrowitz, and E. Weiss “A user authentication scheme not requiring secrecy in the computer,” Commun. ACM, vol. 17, pp. 437–442, Aug. 1974. (I-B4)
37. M. Wilkes, Time-Sharing Computer Systems, 2nd ed. New York: American-Elsevier, 1972. (I-B4, I-B5, II-A)
38. J. Smith, W. Notz, and P. Osseck, “An experimental application of cryptography to a remotely accessed data system,” in Proc. ACM 25th Nat. Conf., pp. 282–298, 1972. (I-B4, III-B, SFR)
39. H. Feistel, “Cryptographic coding for data bank privacy,” IBM Corp. Res. Rep. RC 2827, Mar. 1970. (I-B4, III-B, SFR)
40. D. Branstad, “Security aspects of computer networks,” in AIAA Computer Network Systems Conf. (Apr. 1973), Paper 73-427. (I-B4, I-B5, III-B, SFR)
41. J. Dennis and E. Van Horn “Programming semantics for multiprogrammed computations,” Commun. ACM, vol. 9, pp. 143–155, Mar. 1966. (I-B5, II-B1, II-E)
42. J. Dennis “Segmentation and the design of multiprogrammed computer systems,” J ACM, vol. 12, pp. 589–602, Oct. 1965. (I-B5, II-A)
43. R. Daley and J. Dennis “Virtual memory, processes, and sharing in Multics,” Commun. ACM, vol. 11, pp. 306–312, May 1968. (I-B5)
44. R. Watson, Timesharing System Design Concepts. New York: McGraw-Hill, 1970. (II-A)
45. R. Fabry “Capability-based addressing,” Commun. ACM, vol. 17, pp. 403–412, July 1974. (II-A, SFR)
46. E. Organick, The Multics System: An Examination of its Structure. Cambridge, Mass.: M.I.T. Press, 1971. (II-A)
47. E. Organick —, Computer System Organization: The B5700/B6700 Series. New York: Academic Press, 1973. (II-A, II-B3)
48. W. Ackerman and W. Hummer, “An implementation of a multiprocessing computer system,” in Proc. ACM Symp. Operating System Principles (Oct. 1967), Paper D-3. (II-B1)
49. R. Fabry, “Preliminary description of a supervisor for a machine oriented around capabilities,” Inst. Comput. Res. Quart. Rep., vol. 18, sec. IB, Univ. of Chicago, Aug. 1968. (II-B1)
50. J. Iliffe and J. Jodeit, “A dynamic storage allocation scheme,” Comput. J., vol. 5, pp. 200–209, Oct. 1962. (II-B1)
51. E. A. Feustel “On the advantages of tagged architecture,” IEEE Trans. Comput., vol. C-22, pp. 644–656, July 1973. (II-B1)
52. L. Robinson et al., “On attaining reliable software for a secure operating system,” in Int. Conf. Reliable Software (Apr. 1975), pp. 267–284. (II-B3, III-B)
53. D. England, “Capability concept mechanism and structure in system 250,” in IRIA Int. Workshop Protection in Operating Systems (Aug. 1974), pp. 63–82. (II-B3, III-A)
54. D. Redell, “Naming and protection in extendible operating systems,” Ph.D. dissertation, Univ. of Calif., Berkeley, 1974. (Available as M.I.T. Proj. MAC Tech. Rep. TR-140.) (II-B3, III-A, SFR)
55. A. Bensoussan, C. Clingen, and R. Daley “The Multics virtual memory: Concepts and design,” Commun. ACM, vol. 15, pp. 308–318, May 1972. (II-B3, II-C3)
56. B. W. Lampson, W. W. Lichtenberger, and M. W. Pirtle “A user machine in a time-sharing system,” Proc. IEEE, vol. 54, pp. 1766–1774, Dec. 1966. (II-C3)
57. H. Bingham, “Access controls in Burroughs large systems,” Privacy and Security in Computer Systems, Nat. Bur. Stand. Special Pub. 404, pp. 42–45, Sept. 1974. (II-C3)
58. R. Daley and P. Neumann, “A general-purpose file system for secondary storage,” in 1965 FJCC, AFIPS Conf. Proc., vol. 27, part. I, pp. 213–229. (II-C4)
59. L. Rotenberg, “Making computers keep secrets,” Ph.D. dissertation, M.I.T., Cambridge, Mass., 1973. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-115.) (II-C4, II-C5, II-E, III-A, III-B, SFR)
60. K. Walters et al., “Structured specification of a security kernel,” in Int. Conf. Reliable Software, Los Angeles, Calif., pp. 285–293, Apr. 1975. (II-C5)
61. B. Lampson “A note on the confinement problem,” Commun. ACM, vol. 16, pp. 613–615, Oct. 1973. (II-C5)
62. D. Bell and L. LaPadula, “Secure computer systems,” Air Force Elec. Syst. Div. Rep. ESD-TR-73-278, vols. I, II, and III, Nov. 1973. (II-C5, III-B)
63. M. Schroeder and J. Saltzer “A hardware architecture for implementing protection rings,” Commun. ACM, vol. 15, pp. 157–170, Mar. 1972. (II-C5, III-A, SFR)
64. J. Fenton, “Memoryless subsystems,” Comput. J., vol. 17, pp. 143–147, May 1974. (II-C5)
65. O. Dahl and C. Hoare, “Hierarchical program structures,” in Structured Programming. New York: Academic Press, 1972, pp. 175–220. (II-E)
66. D. Branstad “Privacy and protection in operating systems,” Computer, vol. 6, pp. 43–46, Jan. 1973. (II-E)
67. P. Brinch-Hansen “The nucleus of a multiprogramming system,” Commun. ACM, vol. 13, pp. 238–250, Apr. 1970. (II-E)
68. J. LeClerc, “Memory structures for interactive computers,” Ph.D. dissertation, Univ. of Calif., Berkeley, May 1966. (II-E)
69. D. Evans and J. LeClerc, “Address mapping and the control of access in an interactive computer,” in 1967 SJCC, AFIPS Conf. Proc., vol. 30, pp. 23–30. (II-E)
70. M. Schroeder, “Cooperation of mutually suspicious subsystems in a computer utility,” Ph.D. dissertation, M.I.T., Cambridge, Mass., 1972. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-104.) (II-E, III-A, SFR)
71. A. Jones, “Protection in programmed systems,” Ph.D. dissertation, Carnegie-Mellon Univ., Pittsburgh, Pa., 1973. (II-E, SFR)
72. J. Morris “Protection in programming languages,” Commun. ACM, vol. 16, pp. 15–21, Jan. 1973. (II-E, SFR)
73. G. Amdahl, G. Blaauw, and F. Brooks “Architecture of the IBM System/360,” IBM J. Res. Develop., vol. 8, pp. 87–101, Apr. 1964. (III-A)
74. IBM Corp., “System 370/Principles of operation,” IBM Corp. Syst. Ref. Lib. GA22-7000-3, 1973. (III-A)
75. R. Bisbey, II, and G. Popek, “Encapsulation: An approach to operating system security,” in Proc. ACM 1974 Annu. Conf., pp. 666-675. (III-A)
76. Dept. of Defense, Manual of Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluating Secure Resource-Sharing ADP Systems, DOD5200.28-M, Aug. 1972. (III-A)
77. R. Graham “Protection in an information processing utility,” Commun. ACM, vol. 11, pp. 365–369, May 1968. (III-A)
78. S. Motobayashi, T. Masuda, and N. Takahashi, “The Hitac 5020 time-sharing system,” in Proc. ACM 24th Nat. Conf., pp. 419–429, 1969. (III-A)
79. M. Spier, T. Hastings, and D. Cutler “An experimental implementation of the kernel/domain architecture,” ACM Operating Syst. Rev., vol. 7, pp. 8–21, Oct. 1973. (III-A)
80. M.I.T. Proj. MAC, “Computer systems research,” in Project MAC Progress Report XI: July 1973 to June 1974, pp. 155-183. (III-B)
81. E. Burke, “Synthesis of a software security system,” in Proc. ACM 1974 Annu. Conf., pp. 648-650. (III-B)
82. W. Schiller, “Design of a security kernel for the PDP-11/45,” Air Force Elec. Syst. Div. Rep. ESD-TR-73-294, Dec. 1973. (III-B, SFR)
83. L. Molho, “Hardware aspects of secure computing,” in 1970 SJCC, AFIPS Conf. Proc., vol. 36, pp. 135–141. (III-B, SFR)
84. R. Fabry “Dynamic verification of operating system decisions,” Commun. ACM, vol. 16, pp. 659–668, Nov. 1973. (III-B, SFR)
85. C. Shannon “Communication theory of secrecy systems,” Bell Syst. Tech. J., vol. 28, pp. 656–715, Oct. 1949. (III-B)
86. S. Lipner, Chm., “A panel session-Security kernels,” in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 973–980. (III-B, SFR)
87. R. Mathis, Chm., “A panel session-Research in data security-Policies and projects,” in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 993–999. (III-B, SFR)
88. Institut de Recherche d'Informatique et d'Automatique (IRIA), Int. Workshop Protection in Operating Systems. Rocquencourt, France: IRIA, Aug. 1974. (III-B, SFR)
89. J. Saltzer “Ongoing research and development on information protection,” ACM Operating Syst. Rev., vol. 8, pp. 8–24, July 1974. (III-B, SFR)
90. L. Hoffman, Ed., Security and Privacy in Computer Systems. Los Angeles, Calif.: Melville Pub. Co., 1973. (SFR)
91. C. W. Beardsley “Is your computer insecure?” IEEE Spectrum, vol. 9, pp. 67–78, Jan. 1972. (SFR)
92. D. Parker, S. Nycom, and S. Oura, “Computer abuse,” Stanford Res. Inst., Proj. ISU 2501, Nov. 1973. (SFR)
93. D. Kahn, The Codebreakers. New York: Macmillan, 1967. (SFR)
94. G. Mellen, “Cryptology, computers, and common sense,” in 1973 NCC, AFIPS Conf. Proc., vol. 42, pp. 569–579. (SFR)
95. J. Anderson, “Computer security technology planning study,” Air Force Elec. Syst. Div. Rep. ESD-TR-73-51, Oct. 1972. (SFR)
96. W. Ware et al., “Security controls for computer systems,” Rand Corp. Tech. Rep. R-609, 1970. (Classified confidential.) (SFR)
97. R. Anderson and E. Fagerlund “Privacy and the computer: An annotated bibliography,” ACM Comput. Rev., vol. 13, pp. 551–559, Nov. 1972. (SFR)
98. J. Bergart, M. Denicoff, and D. Hsiao, “An annotated and cross-referenced bibliography on computer security and access control in computer systems,” Ohio State Univ., Computer and Information Science Res. Center Rep. OSU-CISRC-T072-12, 1972. (SFR)
99. S. Reed and M. Gray, “Controlled accessibility bibliography,” Nat. Bur. Stand. Tech. Note 780, June 1973. (SFR)
100. J. Scherf, “Computer and data base security: A comprehensive annotated bibliography,” M.I.T. Proj. MAC Tech. Rep. TR-122, Jan. 1974. (SFR)