This planning document is concerned with a loop-hole in the planned software for System 1. The problem is described in section 1 and a solution is proposed in section 2.
The now established mechanisms for file protection rely upon the existence of some check against one user masquerading as another. Provision for such a check was included in the log-in procedure proposed in Planning Document 15. Unfortunately, however, the plans for System 1 do not include any log-in procedure for off-line jobs and it seems impractical to do this in any short time scale.
It is not expected that the off-line use of the filing system will escalate rapidly beyond the use of the library. However, some off-line activity is essential, e.g:
A mechanism must therefore be found but it need not be compatible with any existing system with one exception: access to the library should not require the user to depart significantly from the currently available methods of program assembly.
Introduce the concepts of a "proven title" and "unproven title". Whenever a user title is used as the basis for decision arrange that the outcome is not in favour of the user unless his title is proven.
Users of the on-line system will be required to prove their identity when they log in. For the off-line user this check will be entirely voluntary and anyone will be permitted to submit proof of title simply by using a standard system program.
As an expedient I propose to write the minimum acceptable routine that will perform the function of proving the title of an off-line user. Ultimately this will have to be integrated into the log-in mechanism used for on-line work and it must be recognised that the proposed procedure is an interim measure. Users must be prepared for a change when System 2 comes into operation.
I also propose that the distinction between proven and unproven titles is installed as a permanent feature of the system, that a suitable marker digit is included in the object program dump blocklet and that all protection mechanisms that use job titles are written to use this marker.
There is an essential problem of security for the off-line user which can only be resolved by conventional administrative methods. This arises from the fact that an off-line job, packed in a plastic bag must contain all the information necessary to gain access to the system in the name of job owner. Pass-word security is thereby reduced simply to the security of information held in a plastic bag and passed through a publicly available postal system.
As a contribution to attaining a long-term solution to this problem I suggest that the casual user should be given just the security provided by the use of paper tape (as opposed to a system which requires him to include a printout with his job) and that extra security can be obtained by any user who is prepared to take the trouble to acquire it (e.g. frequent changes of password and personal submission and collection of his work). It has already been suggested that operators and others with access to the computer room should be regarded as "trustworthy" and that protection arrangements should not go beyond the malicious activities of those not so regarded.
AGF
16.11.66
Copyright © 1966 University of Cambridge Computer Laboratory. Distributed by permission. Thanks to Barry Landy, Roger Needham and David Hartley for giving permission to distribute these documents. Thanks to Barry Landy for lending me the paper document from which this was scanned. Any typographical errors probably arose in the course of OCR.
Previous Planning Document: 22. Job Scheduling,
BL, 21.11.66
Next Planning Document: 24. File Master Dump System
- Weekly Activity, (unknown author), 31.3.67
Return to Cambridge Supervisor Planning Documents
Return to CUCPS TITAN page
Return to CUCPS home page
Return to University of Cambridge home page