Contents

• Papers and Books (237, 67 online)
• Articles (8, 2 online)
• Project MAC TRs and TMs (52, 40 online)
• Honeywell Manuals (136, 101 online)
• BTL, GE, MIT Repository (124)
• Honeywell Multics Design Documents (B2 certification) (29, 17 online)
• Multics Operating Staff Notes (1, 1 online)
• Multics Alternative Documents (27)
• Local Site Memos (2, 2 online)

Listed on separate pages:

• Multics System Programmer's Manual (839 sections, 7 online)
• Multics Technical Bulletins Index (719, 58 online)

The globe icon is used before materials available from other sites.

Items provided by the ACM Digital Library require a subscription or ACM membership in order to access them.

For more information on an author, see the list of Multicians.
For explanations of Multics terms, see the Multics Glossary.
For links to other sites of interest, see the Multics Links Page.

Papers and books

1. Adleman, N., Effects of Producing a Multics Security Kernel, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, October 1975. NTIS AD-A031 220/7
2. Adleman, N., Engineering Investigations in Support of Multics Security Kernel Software Development, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations. October 19, 1976. NTIS AD-A040 329/5
3. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Security Kernel Evaluation for Multics and Secure Multics Design, Development and Certification, Semi-annual progress rept. 1 Jan-30 June 76, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, August 1976. NTIS AD-A038 261/4
4. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Semi-Annual Progress Report July 1975 to December 1975, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976. NTIS AD-A037 501/4
5. Adleman, N., R. J. Ziller, and J. C. Whitmore, Multics Security Integration Requirements, 1 January 1976-31 December 1980, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, March 1976. NTIS AD-A041 514/1
6. Ames, S. R., File Attributes and Their Relationship to Computer Security, S.M. thesis, June 1974, Case Western Reserve University, Cleveland, OH: HQ Electronic Systems Division, Hanscom AFB, MA.. ESD-TR-74-191
7. Ames Jr., Stanley R., and D. K. Kallman, Multics Security Kernel Validation: Proof Description, Volume I, MITRE Corp Bedford MA, July 1978. NTIS AD-A056 901/2
8. Ames Jr., Stanley R., and J. G. Keeton-Williams, Demonstrating security for trusted applications on a security kernel base, IEEE Comp. Soc. Proc 1980 Symposium on Security and Privacy, April 1980.
9. Ames Jr., Stanley R., and Jonathan K. Millen, Interface Verification for a Security Kernel, System Reliability and Integrity, Vol 2, Infotech State of the Art report pp.1-21 1978.
10. Ames Jr., Stanley R., and Peter G. Neumann, Computer Security Technology: Introduction, IEEE Computer 16(7) p.11, July 1983.
11. Anderson, James P., Multics Evaluation, James P. Anderson and Co., Fort Washington Pa, October 1973. NTIS AD-777 593/5

    Details of a planning study for USAF computer security requirements are presented. An Advanced development and Engineering program to obtain an open-use, multilevel secure computing capability is described. Plans are also presented for the related developments of communications security products and the interim solution to present secure computing problems. Finally a Exploratory development plan complementary to the recommended Advanced and Engineering development plans is also included.

12. Banh, T., and H. Tran, Test program set/document management system, AUTOTESTCON '96, 'Test Technology and Commercialization' Conference Record, pp 369-374, Sep 1996.

    The legacy C-17 Support Equipment Data Acquisition and Control System (SEDACS) was initially designed as a test requirement document (TRD) and test program set (TPS) development system. Its applications have expanded to include word processing for a majority of the C-17 support equipment (SE) deliverable documentation, project management functions, and line-replaceable-unit (LRU) and shop-replaceable-unit (SRU) tracking. While the SEDACS system enabled MDA to support C-17 test and early operation, this legacy SEDACS has some drawbacks. Recently, the SEDACS was upgraded from a host-based Honeywell/Multics mainframe to a new client/server system. The TPS document management system (DMS) was designed to provide the environment to create and edit documents as well as to control their configurations, and it is the first step toward becoming an electronic document management system. The system has increased efficiency and productivity, improved and safeguarded file sharing, and provides better management of document revisions. This TPS DMS was developed using an integrated application software package that runs on IBM PCs. This paper describes how the integrated application software was developed and how the deliverable documents were transferred from the existing mainframe system to the client/server system. The software products identified in this paper were chosen to meet our particular applications requirements and are provided only as examples.

13. Banâtre, Jean-Pierre, Michel Banâtre, Guy Lapalme, and Florimond Ployette, The design and building of Enchère, a distributed electronic marketing system, Commun. ACM 29, 1, 19-29. Jan. 1986.

    Building and prototyping an agricultural electronic marketing system involved experimenting with distributed synchronization, atomic activity, and commit protocols and recovery algorithms.

14. Bell, D. E., and L. J. LaPadula, Computer Security Model: Unified Exposition and Multics Interpretation, Hanscom AFB, MA, 1975. ESD-TR-75-306

    (also available as DTIC AD-A023588)

15. Bell, D. E., and L. J. LaPadula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Mitre Technical Report MTR-2997, rev 2, March 1976. NTIS AD-A023 588/7

    For the past several years ESD has been involved in various projects relating to secure computer systems design and operation. One of the continuing efforts, started in 1972 at MITRE, has been secure computer system modeling. The effort initially produced a mathematical framework and a model [1, 2] and subsequently developed refinements and extensions to the model [3] which reflected a computer system architecture similar to that of Multics [4]. Recently a large effort has been proceeding to produce a design for a secure Multics based on the mathematical model given in [l, 2, 3].

16. Bell, D. E., and L. J. LaPadula, Secure Computer Systems: Mathematical foundations, MITRE tech report, 1 Mar 1973. MTR-2547 vol I
17. LaPadula, L. J., and D. E. Bell, Secure Computer System: A Mathematical Model, MITRE tech report, 31 May 1973. MTR-2547 vol III
18. Bell, D. E., Secure Computer System: A Refinement of the Mathematical Model, MITRE tech report, 28 Dec 1973. MTR-2547 vol II
19. Benedict, G. G., An Enciphering Module for Multics, 1974 Jul. NTIS AD-782 658/9
20. Bensoussan, A., C. T. Clingen, and R. C. Daley, The Multics virtual memory: concepts and design, Proc Second ACM SOSP, Princeton NJ, October 1969.

    Commun. ACM 15, 5, pp 308-318, May 1972. As experience with use of on-line operating systems has grown, the need to share information among system users has become increasingly apparent. Many contemporary systems permit some degree of sharing. Usually, sharing is accomplished by allowing several users to share data via input and output of information stored in files kept in secondary storage. Through the use of segmentation, however, Multics provides direct hardware addressing by user and system programs of all information, ...

21. Berstel, J., and J.-F. Perrot, MULTICS: guide de l'usager, Manuels informatiques Masson, Paris [etc.]: Masson, 1986.
22. Biba, K. J., S. R. Ames Jr., E. L. Burke, P. A. Karger, W. R. Price, R. R. Schell, and W. L. Schiller, The top level specification of a Multics security kernel, MITRE Corp, Bedford MA, August 1975. WP-20377
23. Birnbaum, D., J. J. Cupak, J. D. Dyar, and R. Jackson, MULTICS Remote Data Entry System. Volume I, Source: Pattern Analysis and Recognition Corp., Rome, NY., Rome Air Development Center, Griffiss AFB, NY, Oct 1979, RADC TR-79-265-VOL-1. NTIS ADA080625

    This report contains the user's manuals and software documentation for the Remote Data Entry System which is the front-end to the MULTICS Pattern Recognition Facility and the Cluster Analysis package which was added to MULTICS OLPARS. The Remote Data Entry System was designed to allow users of the MULTICS Pattern Recognition Facility the ability to input their data over the ARPANENT from a Tektronix remote storage device. Once the data is input into the MULTICS System, routines are provided so that the user can easily restructure or cluster his database to perform different classification experiments.

24. Bisbey II, Richard L., Jim Carlstedt, Dale M. Chase, and Dennis Hollingworth, Data Dependency Analysis, ISI-RR-76-45, USC Information Sciences Institute, February 1976. NTIS: ADA 022017
25. Bisbey II, Richard L., and Dennis Hollingworth, Protection Analysis: Final Report, ISI-SR-78-13, USC Information Sciences Institute, July 1978. NTIS: ADA 056816

    The Protection Analysis project was initiated at ISI by ARPA IPTO to further understand operating system security vulnerabilities and, where possible, identify automatable techniques for detecting such vulnerabilities in existing system software. The primary goal of the project was to make protection evaluation both more effective and more economical by decomposing it into more manageable and methodical subtasks so as to drastically reduce the requirement for protection expertise and make it as independent as possible of the skills and motivation of the actual individuals involved. The project focused on near-term solutions to the problem of improving the security of existing and future operating systems in an attempt to have some impact on the security of the systems which would be in use over the next ten years. A general strategy was identified, referred to as "pattern-directed protection evaluation" and tailored to the problem of evaluating existing systems. The approach provided a basis for categorizing protection errors according to their security-relevant properties; it was successfully applied for one such category to the MULTICS operating system, resulting in the detection of previously unknown security vulnerabilities.

26. Boyd, Donald L., and Antonio Pizzarello, Introduction to the WELLMADE design methodology, Proc. 3d Int. Conf. on Software Engineering, 1978.
27. Bull HN Information Systems Inc., Multics Data Security and Data Privacy, USA: Bull HN Information Systems. no date.
28. Burke, Edmund L. et al., Emulating a Honeywell 6180 Computer System, Mitre Corporation, pp. 1-73. June 1974. NTIS AD 787 218
29. Burke, Edmund L., Concept of Operation for Handling I/O in a Secure Computer at the Air Force Data Services Center (AFDSC), Mitre Corporation. Apr 1974. DTIC AD0780529

    The operation of a computer system in a secure fashion requires the control of access to all parts of the system. One part of the system which is often neglected when access and security controls are developed is the input/output (I/O) subsystem. This paper develops a general Concept of Operations for I/O in a secure computer system. This concept is then applied to the proposed two-level, Secret-Top Secret, MULTICS System at the Air Force Data Services Center (AFDSC). The most unusual operational feature recommended for the AFDSC MULTICS is the use of autonomous processes to perform all I/O, preventing any user from directly accessing any I/O device. Procedures are described to provide the necessary controls for operation in the Data Services Center environment.

30. Burrus, Phillip F., SEDACS-a client/server approach to TPS development, AUTOTESTCON '95. Systems Readiness: Test Technology for the 21st Century. Conference Record, Aug 1995.

    The C-17 Support Equipment Data Acquisition and Control System (SEDACS) Test Program Set/Test Requirements Document (TPS/TRD) development system was upgraded from a host-based Honeywell/Multics mainframe system to a new client/server system with Internet connectivity. Reliability, flexibility, and supportability were the requirements for the new system. The combination of the client/server model and commercial software met these requirements by exploiting fast and inexpensive hardware and commercial off-the-shelf (COTS) software such as word processing and project and circuit analysis software. Greater efficiencies were realized by reducing the required time needed to train users, develop TPSs, and prepare supporting documentation. Quality was improved by incorporating configuration management tools and integrated spell checking into the applications suite and by designing around a centralized database. This paper briefly describes how we developed our new system and how we migrated from our existing mainframe (or legacy) system to a client/server system.

31. Clingen, C. T., Program naming problems in a shared tree-structured hierarchy, Proc Conf on Techniques in Software Engineering, October 1969.
32. Colijn, A. W., A note on the Multics command language, Software -- Practice and Experience 11, 6, pp 741-744, Jul 1981.

    Some aspects of the Multics operating system are critically examined. In particular, the properties of the command and language are noted as allowing considerable general purpose programming power. The strength and weaknesses are discussed and a quantitative evaluation of speed is attempted based on a comparison of programming the "Towers of Hanoi" and Ackermann's function in both Multics command language and pll. The programs also serve to exemplify the use of the command language.

33. Connell, David B., Kermit N. Klingbail, and Richard A. Jackson, MULTICS OLPARS Operating System. Volume I., Pattern Analysis and Recognition Corp Rome N Y, 219 pages, PAR-74-25-A, F30602-75-C-0226, F30602-73-C-0352, RADC TR-76-271-Vol-1. NTIS ADA034393

    The development of interactive graphics computer systems for use in detection, identification, and transformation of patterns contained in high- dimensional data has been a continuing program at the Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS (the On-Line Pattern Analysis and Recognition System), IFES (the Image Feature Extraction System), and WPS (the Waveform Processing System). This report contains detailed design and user-oriented information related to MOOS (the MULTICS OLPARS Operating System), and advanced version of OLPARS currently resident upon the Honeywell 6180 MULTICS computer system. The currently operational system represents an implemented version of the operations described in a previous report (RADC-TR-73-241); appropriate selections of that report are retained within this document. This report contains brief descriptions of the MOOS system and the mathematics underlying the system algorithms. A major portion of this document is reserved for a user's manual (providing detailed information relating to the operation of all system options) and for MOOS program documentation.

34. Corbató, F. J., A paging experiment with the Multics system, In Honor of P. M. Morse, M. I. T. Press, Cambridge MA, 217-228, 1969.

    (36 MB pdf)

35. Corbató, F. J., and C. T. Clingen, A Managerial View of the Multics System Development, in Research Directions in Software Technology edited by P. Wegner, M.I.T. Press, 1979.

    (Also published in Tutorial: Software Management, Reifer, Donald J. (ed), IEEE Computer Society Press, l979; Second Edition l981; Third Edition, 1986.) A reasonable question of a software manager might be "What possible insight can I gain from the agonies of someone else's project?"

36. Corbató, F. J., and J. H. Saltzer, Some considerations of supervisor program design for multiplexed computer systems, Proc IFIP 4th Global Conf, Edinburgh, August 1968.
37. Corbató, F. J., and V. A. Vyssotsky, Introduction and overview of the Multics system, AFIPS Conf Proc 27, 185-196, 1965.

    Multics (Multiplexed Information and Computing Service) is a comprehensive, general-purpose programming system which is being developed as a research project. The initial Multics system will be implemented on the GE 645 computer. One of the overall design goals is to create a computing system which is capable of meeting almost all of the present and near-future requirements of a large computer utility.

38. Corbató, F. J., C. T. Clingen, and J. H. Saltzer, Multics -- the first seven years, Proc SJCC, 571-583, May 1972.
39. Corbató, F. J., M. M. Daggett, and R. C. Daley, An experimental time-sharing system, AFIPS Conf Proc 21, 335-344, 1962.

    It is the purpose of this paper to discuss briefly the need for time-sharing, some of the implementation problems, an experimental time-sharing system which has been developed for the contemporary IBM 7090, and finally a scheduling algorithm of one of us (FJC) that illustrates some of the techniques which may be employed to enhance and be analyzed for the performance limits of such a time-sharing system.

40. Corbató, F. J., PL/I as a Tool for System Programming, Datamation 15, 5, 68-76, May, 1969.
41. Corbató, F. J., Sensitive issues in the design of multi-use systems, M. I. T. Project MAC, December 1968. MAC-M-383
42. Corbató, F. J., On building systems that will fail, (A. M. Turing Award lecture), Commun. ACM 34 No. 9, September 1991.
43. Corbató, F. J., M. M. Daggett, R. C. Daley, R. J. Creasy, J. D. Hellwig, R. H. Orenstein, and L. K. Korn, The compatible time-sharing system: a programmer's guide, 1st ed, M. I. T. Press, June 1963.

    The "candy stripe" manual.

44. Couleur, J. F., and E. L. Glaser, Shared-access data processing sytstem, filed November 26, 1965, awarded November 19, 1968. US Patent no 3,412,382
45. Couleur, J. F., and R. F. Montee, Method and means for storing and accessing information in a shared access multiprogrammed data processing system, ("New System Architecture" patent) filed November 14, 1978, awarded November 10, 1981. US Patent no 4,300,192

    Partitioning, paging, and segmentation techniques are employed with virtual memory to provide more secure and efficient storage and transfer of information. The virtual memory is divided into a plurality of partitions with real memory storage provided by paging the plurality of partitions. User programs are segmented into logical units and stored in assigned partitions thereby isolating user programs and data. Unsegmented programs may be run by storage in a partition with direct addressing. Segment descriptors including partition, base, and bound are utilized in accessing memory. User domains are expandable by temporarily passing descriptor parameters from one routine to another with access flags limiting access thereto. By shrinking passed descriptors the receiving routine can be restricted to only a portion of the information defined by the descriptor.

46. Couleur, John F., The Core of the Black Canyon Computer Corporation, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 56-60.
47. Crisman, P. A., Ed., The compatible time-sharing system: a programmer's guide, 2nd ed, M. I. T. Press, 1965.

    Looseleaf.

48. Daley, R. C., and J. B. Dennis, Virtual memory, processes, and sharing in Multics, Commun. ACM 11, 306-312, May 1968.

    The value of a computer system to its users is greatly enhanced if a user can, in a simple and general way, build his work upon procedures developed by others. The attainment of this essential generality requires that a computer system possess the features of equipment-independent addressing, an effectively infinite virtual memory, and provision for the dynamic linking of shared procedure and data objects. The paper explains how these features are realized in the Multics system.

49. Daley, R. C., and P. G. Neumann, A general-purpose file system for secondary storage, AFIPS Conf Proc 27, 212-230, 1965.

    The need for a versatile on-line secondary storage complex in a multiprogramming environment is immense.

50. Datapro, An Overview of Operating Systems Security, Datapro Reports on Information Security, June 1986. Datapro IS56-001
51. Datapro, Bull HN Information Systems Inc: Security Capabilities of Multics, Datapro Reports on Information Security; Vol 3, USA: Datapro Research. April 1989. IS56-115-101
52. David Jr., E. E., and R. M. Fano, Some thoughts about the social implications of accessible computing, AFIPS Conf Proc 27, 243-248, 1965.
53. Davids, Noah S., Experiences with an Interactive Electronic Meeting Facility, Proc Second Annual Phoenix Conference on Computers and Communications, 563-567, Mar 1983.

    The introduction of an interactive electronic meeting facility, called Forum, within Honeywell's Large Information Systems Division (LISD), a large multi-national organization, has had profound effets. The environment set up by Forum closely mimics that of a face-to-face meeting. The user interface, based on a TTY-style terminal, allows the users to concentrate on the content of the meeting instead of on the interface or the computer. Forum is briefly described, and LISD's experiences, both good and bad, are discussed.

54. Davis, R. C., A Security Compliance Study of the Air Force Data Services Center Multics System, Mitre Corp., Bedford, Mass, NTIS, December 1976.

    Do the hardware and software security features of the Air Force Data Services Center (AFDSC) Multics system comply with the Department of Defense security requirements. To answer this question AFDSC commissioned MITRE to undertake a study to compare intrinsic features of the AFDSC Multics system with the applicable requirements set forth in DoD Requirement 5200.28 and expanded upon in DoD Manual 5200.28-M. (also available as DTIC AD-A034985)

55. Denning, P. J., The working set model for program behavior, Commun. ACM 11, 5, 323-333, May 1968.
56. Denning, P. J., Virtual memory, ACM Computing Surveys 2, 3, 153-189, September 1970.
57. Denning, P. J., Effects of scheduling on file memory operations, Proc 1967 SJCC, 1967.
58. Denning, P. J., A statistical model for console behavior in multiuser computers, Commun. ACM, Sep 1968.
59. Denning, P. J., Thrashing: its causes and prevention, Proc 1968 FJCC, 1968.
60. Denning, P. J., Equipment configuration in balanced computer systems, IEEE Trans on Computers, Nov 1969.
61. Denning, P. J., Comments on a linear paging model, Proceedings of the 1974 ACM SIGMETRICS conference on Measurement and evaluation, Jan 1974.

    The linear approximation relating mean time between page transfers between levels of memory, as reported by Saltzer for Multics, is examined. It is tentatively concluded that this approximation is untenable for main memory, especially under working set policies; and that the linearity of the data for the drum reflects the behavior of the Multics scheduler for background jobs, not the behavior of programs.

62. Dennis, J. B., A multiuser computation facility for education and research, Commun. ACM 7, 521-529, September 1964.
63. Dennis, J. B., Segmentation and the design of multiprogrammed computer systems, IEEE Intl Convention Rec 3, 214-225, 1965.
64. Deutsch, L. P., and B. W. Lampson, An online editor, (qed), Commun. ACM 10, 12, pp 793-799, December 1967.
65. Diamond, D. S., and L. L. Selwyn, Considerations for computer utility pricing policies, Proc ACM 23d Natl Conf, 189-200, 1968.
66. Dominick, W. D., and S. K. Agarwal, MADAM: Multics Approach to Data Access and Management Users Guide, Computer Science Department, University of Southwestern Louisiana, 1977. Technical Report CMPS-77-6-1
67. Donovan, J. J., Tools and philosophy for software education, Commun. ACM, 19, Issue 8, August 1976.
68. Downey, P. J., MULTICS Security Evaluation: Password and File Encryption Techniques, US Air Force, Electronic Systems Div, Hanscom AFB Mass,, Jun 1977. NTIS AD-A045 279/7
69. Dyar, J. D., Multics Remote Data Entry System. Volume II. Clustering Additions to MOOS, PATTERN ANALYSIS AND RECOGNITION CORP ROME N Y, Oct 1979. DTIC ADA080626

    This report describes the clustering algorithms added to the MULTICS OLPARS Operating System under this effort.

70. Elspas, B., R. E. Shostak, and J. M. Sptizen, A Verification System for JOCIT/J3 Programs (Rugged Programming Environment - RPE/2)., Stanford Research Inst Menlo Park Calif. DTIC ADA042670

    This report describes work done during the second year of a research and development program aimed ultimately at a Rugged Programming Environment for JOVIAL. The RPE/1 verification system designed and built during the first year has been greatly extended and improved in several ways. The basic method of verification remains the same--that of inductive assertions. The input processor has been modified to handle virtually of all JOCIT instead of the small subset covered by the RPE/1 system. The overall speed of verification has been increased by a factor of over 25. Ease of user interaction with the system has been greatly enhanced by adding facilities for carrying out and saving partial proofs of programs, for extending the assertion language, and for enabling top-down and bottom-up proofs for well-structured programs. Moreover, the entire system has been translated into MACLISP, the system files have been transferred to the RADC-MULTICS Honeywell 6180 computer, and a sample verification (shown in the report) has been carried out entirely on the RADC computer.

71. Enslow, Philip H., 6180 Multics Systems and 6000 Series, Appendix C (pages 219-228) of Philip H. Enslow, editor, Multiprocessors and Parallel Processing, John Wiley & Sons, New York, 1974..
72. Fano, R. M., and P. Elias, Project MAC 25th Anniversary, M. I. T. Laboratory for Computer Science, 1989.
73. Fano, R. M., The computer utility and the community, IEEE Int Convention Record 12, 30-37, 1967.
74. Fano, R. M., The MAC system: The computer utility approach, IEEE Spectrum 2, 56-64, January 1965.
75. Fano, R. M., and F. J. Corbató, Time-sharing on computers, Scientific American 215, 3, September, 1966, pp. 129-140.

    also in Information, A Scientific American Book, W. H. Freeman & Co., pp. 76-95, 1966

76. Fano, R. M., Project MAC, Encyclopedia of Computer Science and Technology, Vol 12, Marcel Dekker, Inc. New York and Basel, 1979.
77. Feiertag, R. J., and E. I. Organick, The Multics input/output system, Proc ACM Third SOSP, 35-41, October 1971.

    An I/0 system has been implemented in the Multics system that facilitates dynamic switching of I/0 devices. This switching is accomplished by providing a general interface for all I/O devices that allows all equivalent operations on different devices to be expressed in the same way. Also particular devices are referenced by symbolic names and the binding of names to devices can be dynamically modified. Available I/0 operations range from a set of basic I/0 calls that require almost no knowledge ...

78. Feiertag, R. J., Karl N. Levitt, and Lawrence Robinson, Proving Multilevel Security of a System Design, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977.
79. Feingold, Richard, Electronic Resources for Security Related Information, US Department of Energy, Lawrence Livermore National Laboratory, Computer Incident Advisory Capability, December 1994. CIAC-2307 R.1
80. Fenichel, R. R., and J. C. Yochelson, A LISP garbage collector for virtual memory computer systems, Commun. ACM 12, 611-612, 1969.
81. Flamm, Kenneth, Targeting the Computer: Government Support and International Competition, Washington, DC; Brookings Institution, 1987, pp. 42-92..
82. Frankston, Robert M., A Limited Service System on Multics, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, June 1970.
83. Frankston, Robert M., Nonhistory of IBM Time-Sharing, (letter), IEEE Annals of the History of Computing Vol. 18, No. 3: FALL 1996, pp. 72-73. 1996.
84. Frankston, Robert M., Multics: Lightweight Processes, Unpublished memorandum, MIT Project MAC, March 1974.

    This is a pair of memos I wrote in 1974 when I was a graduate student working on the Multics project. (precursors of MIT CSR-RFC-123)

85. Freiburghouse, R. A., A user's guide to the Multics FORTRAN compiler implementation, CISL, October 1969.
86. Freiburghouse, R. A., The Multics PL/1 compiler, Proc 1969 FJCC, 187-199, 1969.

    Description of the Multics version 1 PL/I compiler implementation.

87. Freiburghouse, R. A., Register allocation via usage counts, Commun. ACM 17, Issue 11, November 1974.

    This paper introduces the notion of usage counts, shows how usage counts can be developed by algorithms that eliminate redundant computations, and describes how usage counts can provide the basis for register allocation. The paper compares register allocation based on usage counts to other commonly used register allocation techniques, and presents evidence which shows that the usage count technique is significantly better than these other techniques.

88. Frenkel, K. A., An interview with Fernando Jose Corbató, Commun. ACM 34 No. 9, September 1991.
89. Friesen, O. D., and J. A. Weeldreyer, Multics Integrated Data Store: An Implementation of a Network Data Base Manager Utilizing Relational Data Base Methodology, Proc 11th Hawaii Intl Conf on System Sciences, Vol 1, pp. 67-84, 1978.
90. Friesen, O. D., N.S. Davids, and R. E. Brinegar, MRDS/LINUS: System Evaluation, in Relational Database Systems: Analysis and Comparison, J. W. Schmidt and M. L. Brodie, eds., Berlin, Springer-Verlag, 1983.
91. Gasser, M., A Random Word Generator for Pronouncable Passwords, MTR-3006, The Mitre Corporation, Bedford, MA 01730, ESD-TR-75-97, HQ Electronic Systems Division, Hanscom AFB, MA 01731. 1975. NTIS AD A 017676
92. Gasser, M., S. R. Ames, and L. J. Chmura, Test Procedures for Multics Security Enhancements, Mitre Corp., Bedford, Mass., NTIS, December 1976.

    (also available as DTIC AD-A034986)

93. Gasser, M., Top Level Specification of a Security Kernel for Multics Front-End Processor, MTR-3269, Mitre Corp., Bedford, Mass., November 1977.
94. Gifford, D., Hardware Estimation of a Process's Primary Memory Requirements, Commun. ACM 20, 9, September 1977.

    A minor hardware extension to the Honeywell 6180 processor is demonstrated to allow the primary memory requirements of a process in Multics to be approximated. The additional hardware required for this estimate to be computed consists of a program accessible register containing the miss rate of the associative memory used for page table words. This primary memory requirement estimate was employed in an experimental version of Multics to control the level of multiprogramming in the system and ...

95. Gilson, J. R., Security and Integrity Procedures., Honeywell Information Systems Inc, Mclean Va, Federal Systems Operations, 21 pages, F19628-74-C-0193, ESD TR-76-294. NTIS ADA040328

    This report covers the procedures required to protect critical phases of the design, development, and certification of a secure Multics. Involved is protection of the security kernel software from unauthorized alteration or sabotage. The facilities of the Government Information Security Program are applied. The program includes protection of a security kernel for Multics and a security kernel for the Secure Communications Processor.

96. Glaser, Edward L., A brief description of privacy measures in the Multics operating system, Proc AFIPS 1967 SJCC, pp 303-304. 1967.
97. Glaser, E. L., J. F. Couleur, and G. A. Oliver, System design of a computer for time-sharing applications, AFIPS Conf Proc 27, 197-202, 1965.

    In the late spring and early summer of 1964 it became obvious that greater facility in the computing system was required if time-sharing techniques were to move from the state of an interesting pilot experiment into that of a useful prototype for remote access computer systems. Investigation proved computers that were immediately available could not be adapted readily to meet the difficult set of requirements time-sharing places on any machine. However, there was one system that appeared to be extendible into what was desired. This machine was the General Electric 635.

98. Gligor, Virgil D., Some thoughts on denial-of-service problems, University of Maryland, College Park, MD, 16 Sept. 1982.
99. Goldstein, R. C., and A. L. Strnad, The MacAIMS Data Management System, ACM SIGFIDET, Houston TX, 1970. 963K
100. Graham, R. M., Protection in an information processing utility, Commun. ACM 11, 5, 365-369, May 1968.
101. Graham, Robert M., Gerald J. Clancy, and David B. DeVaney, A software design and evaluation system, Commun. ACM 16, 2, 110,116, Feb 1973.
102. Green, Paul, An implementation of SEAL on Multics., S. B. Thesis, Department of Electrical Engineering, M. I. T., Cambridge, May, 1973.
103. Greenberg, B. S., Multics Emacs: an experiment in computer interaction, Proc Fourth Honeywell Software Conf, March 1980.
104. Greenberg, B. S., Prose and CONS (Multics Emacs: production text-processing in Lisp), Report on the 1980 LISP Conference, August 1980.

     This paper addresses the choice of Lisp as the implementation language, and its consequences, including some of the implementation issues. The detailed history of Multics Emacs, its system-level design considerations, and its impact on Multics and its user community are discussed in [Greenberg]. One of the immediate and profound consequences of this choice has been to assert Lisp's adequacy, indeed, superiority, as a full-fledged systems and applications programming language. Multics Emacs ...

105. Greenberg, B. S., "Multics Emacs: The History, Design and Implementation", 1979.

     Multics Emacs is a video-oriented text preparation and editing system running on Honeywell's Multics system, being distributed as an experimental offering in Multics Release 7.0. From the viewpoint of Multics, it represents the first video-management software to be implemented, the first time character-at-a-time-interaction has been used, and a radical and complete departure from other editing and text preparation tools and techniques prevalent on Multics.

106. Greenberg, B. S., The Multics MACLISP Compiler. The Basic Hackery. A tutorial, 1977.

     If you are not already familiar with LISP, in some detail, including the traditional implementations and value/object issues, you probably should not be reading this.

107. Greenberg, B. S., and S. H. Webber, The Multics Multilevel Paging Hierarchy, Proc 1975 IEEE Intercon, 1975.
108. Greenberger, Martin, The Computers of Tomorrow, Atlantic Monthly, May 1964.

     In the past two decades, thousands of computers have been applied successfully in various industries. How much more widespread will their use become? Martin Greenberger, who is associate professor at the School of Industrial Management of M.I.T., has been working with computers for fourteen years.

109. Grochow, J. M., MOO in Multics, Software -- Practice and Experience 2, 303-308, 1972. 179K

      PL/I source is online.

110. Grochow, J. M., Real-time graphic display of time-sharing system operating characteristics, AFIPS Conf Proc 35 (1969 FJCC), AFIPS Press, pp. 379-385, 1969.
111. Gumpertz, Richard Henry, The Design and Fabrication of an ARPA Network Interface, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, July 1973.
112. Haggett, Allan G., John R. McFadden, and Peter R. Newsted, Naive user behavior in a restricted interactive command environment, ACM SIGSOC Bulletin, Volume 13, Issue 2-3, p 139 1982. ISBN:0-89791-064-8

     Results are reported showing the changing pattern of command use by introductory business data processing students. Using the ability of the University of Calgary's Honeywell Multics Operating System to tailor a command and response environment, a subset of commands and responses (called GENIE) was set up in a user-friendly environment to facilitate novice students programming at CRT terminals. Frequency and time of usage of all commands was metered and changing patterns of usage emerged as the semester progressed. For example, "help" usage -- which was originally quite extensive and broad -- limited itself over time to questions only about specific topics. Reluctance to use an "audit" facility to capture an interactive session disappeared as the commands for such usage were likened to a movie camera taking pictures over a student's shoulder. It is further noted that specific emphasis was placed on simplifying commands and reducing options.The whole idea of a restricted command environment is compared to the "abstract machine" concept of Hopper, Kugler, and Unger who are building a universal command and response language (NICOLA, a NIce Standard COmmand LAnguage). GENIE is seen as an example of what such an abstract machine could be if the Multics operating system were viewed as a basic or "parent" abstract machine. Interactive environments such as Multics provides are viewed as essential to providing a satisfactory timesharing system for the various, but frequently intermittent uses, in the social sciences.

113. Henderson, H., and Elliott I. Organick, Considerations in the Design of an XDS Sigma 7 Multics, University of Texas, Department of Computer Science, September, 1969. NTIS AD0713477
114. Henningan, K. B., Hardware Subverter for the Honeywell 6180, MTR-3280, Dec. 1976, pp. 1-222. 1976. ESD-TR-76-352

     (also available as DTIC AD-A034221)

115. Hinke, Thomas H., and Marvin Schaefer, Secure Data Management System., System Development Corp, Santa Monica Calif, 197 pages, SDC-TM-(L)-5407/007/00, F30602-74-C-0258, RADC TR-75-266. NTIS ADA019201

     This report describes the design of a Secure Data Management System (DMS) that is to operate on a Secure MULTICS Operating System Kernel. The DMS achieves its security by mapping its data base into the security structure provided by the operating system, with the result that the DMS need contain no security enforcement code. The logical view chosen for the DMS is the relational view of data.

116. Honeywell, Prototype Secure MULTICS Specification, Preliminary draft, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976. NTIS AD-A055 166/3
117. Honeywell, Multics Security Kernel Certification Plan, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, July 1976. NTIS AD-A055 171/3
118. Ikeda, Katsuo, Structure of a computer utility: anatomy of Multics, (in Japanese), 2nd ed, Shokoda Co Ltd, Tokyo, Japan, 1976.
119. Iuorno, Normand, Rzepka, Kobziar, LaMonica, Douglas White, and McCauley, RADC/MULTICS evaluation, May 1971. RADC-TR-71-121
120. Janson, Phillippe A., Dynamic linking and environment initialization in a multi-domain process, ACM 5th Symposium on Operating System Principles, 1975.

     As part of an effort to engineer a security kernel for Multics, the dynamic linker has been removed from the domain of the security kernel. The resulting implementation of the dynamic linking function requires minimal security kernel support and is consistent with the principle of least privilege. In the course of the project, the dynamic linker was found to implement not only a linking function, but also an environment initialization function for executing procedures. This report presents ...

121. Janson, P. A., Using Type-Extension to Organize Virtual-Memory Mechanisms, Operating Systems Review, Vol 15 #4 (October 1981) pages 6-38.
122. Jarvis, J. E., The many faces of Multics, 1973.
123. Jones, Malcolm M. et al., The SIMPL Primer, Oct 1971.
124. Jones, Malcolm M., On-line simulation, ACM CSC-ER, Proc 22d National Conference, 1967.

     An on-line simulation system allows both the user and the computer to cooperate and share the task of performing the simulation. It does this by providing facilities for the user to interact with the computer so that they may both play active roles in the simulation process as it is occurring. Thus, the user may perform some of the simulation functions himself and the computer performs the remaining ones. Alternately, the user may act only as a monitor and observe, verify and record data or modify and redirect the simulation when it strays erroneously from the desired path. A second feature of an on-line simulation system is that it may allow the actual phenomenon being simulated to become a part of the simulation.

125. Jordan, D. M., Multics Data Security, Scientific Honeyweller 2, 2, June 1981.
126. Kanodia, R. K., Performance improvement in ARPANET file transfers from Multics, Nov 1974. RFC 662
127. Kaplow, Roy, David Schneider, Franklin C. Smith, and William R. Stensrud, Computer assistance for writing interactive programs, Proceedings of the 1973 annual ACM conference, August 1973.

     In this paper, we describe an on-line and interactive programming system, TICS(1) (for Teacher-Interactive Computer System), which is aimed at facilitating the authoring of interactive computer programs. The system includes particular features for creating instructional software, and in that application it is intended for direct use by teachers or other persons whose expertise lies in the subject matter being addressed, but not necessarily in computer programming. ...

128. Karger, Paul A., The Lattice Security Model In A Public Computing Network, ACM CSC-ER, Proc 1987 National Conference, December 1978.

     This paper defines the lattice security model and shows it to be useful in private sector applications of decentralized computer networks. It examines discretionary security models and shows them to be inadequate to protect against 'Trojan Horse' attacks. It examines the management of large security lattices and proposes solutions to the proliferation of categories problem.

129. Karger, Paul A., and Roger R. Schell, Multics security evaluation: vulnerability anaysis, ESD-TR-74-193, Vol 2, Electronic Systems Division, USAF, June 1974. NTIS AD-A001 120/5

     A security evaluation of Multics for potential use as a two-level (Secret/Top Secret) system in the Air Force Data Services Center (AFDSC) is presented. An overview is provided of the present implementation of the Multics Security controls. The reports then details the results of a penetration exercise of Multics on the HIS 645 computer. In addition, preliminary results of a penetration excise of Multics on the new HIS 6180 computer are presented. The report concludes that Multics as implemented today is not certifiably secure and cannot be used in an open use multi-level system. However, the Multics security design principles are significantly better than other contemporary systems. Thus, Multics as implemented today, can be used in a benign Secret/Top Secret environment. In addition, Multics forms a base from which a certifiably secure open use multi-level system can be developed.

130. Karger, Paul A., New Methods for Immediate Revocation, in: Proc 1989 IEEE Symposium on Security and Privacy, Oakland, California, USA: IEEE Computer Society, pp 48-55, May, 1989.
131. Karger, Paul A., An Implementation of XPL for Multics, SB thesis, June 1972, Massachusetts Institute of Technology: Cambridge, MA..
132. Karger, Paul A., and Roger R. Schell, Thirty Years Later: Lessons from the Multics Security Evaluation, Proc ACSAC 2002. IBM Research Report RC22534.

     Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included addition of "Mandatory Access Controls" and these enhancements were greatly enabled by the fact the Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with well-motivated professional attacks employing subversion. The lessons learned from the vulnerability assessment are highly applicable today as governments and industry strive (unsuccessfully) to "secure" today's weaker operating systems through add-ons, "hardening", and intrusion detection schemes.

133. King, Jane, and William A. Shelly, A Family History of Honeywell's Large-Scale Computer Systems, IEEE Annals of the History of Computing Vol. 19, No. 4, October/ December 1997. Dec 1997.
134. Klensin, John Conrad, The Consistent System, Multics version: Handbook of programs and data, Massachusetts Institute of Technology, Laboratory of Architecture and Planning, 1978.
135. Lackey, R. D., Penetration of Computer Systems, an Overview, Honeywell Computer Journal 8, 2, 1974.
136. Lahr, J. C., HYPOELLIPSE/MULTICS: A computer program for determining local earthquake hypocentral parameters, magnitude, and first-motion pattern, U.S. Geological Survey Open-File Report 80-59, 59 p..
137. Landwehr, Carl E., The Best Available Technologies for Computer Security, IEEE Computer 16(7) pp.86-100, July 1983.
138. Landwehr, Carl E., Alan R. Bull, John P. McDermott, and William S. Choi, A taxonomy of computer program security flaws, ACM Computing Surveys 26, 3, 211-254. Sept. 1994.

     An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they ...

139. Lee, J. A. N., The Rise and Fall of the General Electric Corporation Computer Department, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 24-45. 1995.
140. Lipner, S. B., Computer security research and development requirements, MITRE Corp, Bedford MA, February 1973. MTP-142
141. Lipner, Steven B., A comment on the confinement problem, Proc 5th symposium on Operating systems principles, November 1975.
142. Loepere, Keith, Resolving covert channels within a B2 class secure system, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985.

     For a secure computer system in the B2, B3 and A1 classes (as defined by the DoD Trusted Computer System Evaluation Criteria), the problem of confining a process such that it may not transmit information in violation of the *-property is an analyzable and solvable problem.This paper examines the problem of covert channels and attempts to analyze and resolve them relative to satisfying the B2 security requirements. A novel solution developed for the Multics computer system for a class of covert channels is presented.

143. Loepere, Keith, The covert channel limiter revisited, ACM SIGOPS Operating Systems Review, Volume 23 Issue 2, April 1989.

     In a previous article, I introduced the idea of a mechanism (the covert channel limiter) that would watch for the potential uses of covert channels and affect the responsible process (or process group) only when such potential uses exceeded the allowable bandwidth for covert channels. Recent work involving the design of the Opus operating system (target class B3) has refined and extended this idea. This paper extends the informal basis for the covert channel limiter and extends its possible utility.

144. Lorho, Bernard, Semantic attributes processing in the system DELTA, Lecture Notes In Computer Science; Vol. 47, Symposium on Methods of Algorithmic Language Implementation, Springer-Verlag, London, UK, 1975. ISBN:3-540-08065-1
145. Mackenzie, Donald, and Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing Vol. 19, No. 3: JULY-SEPTEMBER 1997, pp. 41-59. Sept 1997.
146. Mainnikko, Sirkku, Multics in the computer world, Master's thesis in social anthropology.
147. Margulies, Benson I., Security in a Multics environment, USA: Auerbach Publishers Inc. Honeywell Information Systems, 1985.
148. Margulies, B I, An overview of Multics security, Proc 2nd IFIP international conference on Computer security, Dec 1984.
149. McCarthy, J., A time-sharing operator program for our projected IBM 709, M. I. T. Computation Center memo, 1959.
150. McClure, R. M., TMG -- a syntax directed compiler, Proc 20th ACM National Conf, 262-274, 1965.
151. McGee, R. C., My Adventures with Dwarfs: A Personal History in Mainframe Computers, unpublished manuscript.

     The book is a slice through the history of those mainframe machines as experienced by the author.

152. McGibbon, Thomas L., MULTICS Long Waveform Analysis System., Pattern Analysis and Recognition Corp Rome N Y, 551 pages, PAR-78-28, F30602-77-C-0090, RADC TR-78-218. NTIS ADA062111

     The objective of the research described in this report was the development and software implementation of a Long Waveform Analysis System (WAVES) on the Honeywell 6180 Computer System running under the MULTICS operating System. The currently operational WAVES System is an open-ended and flexible system for primary use in feature definition and extraction and, as such, serves as a front-end to the MULTICS version of OLPARS (On-Line Pattern Analysis and Recognition System). The development of computer-based interactive feature definition and pattern classification systems has been a continuing program at Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS, IFES (the Image Feature Extraction System), IDRS (the Interactive Digital Receiver Simulator System), and WPS (the Waveform Processing System). WAVES represents a furtherance of this continuing effort and a logical expansion and improvement of currently available waveform analysis and feature definition systems.

153. Michelsen, Christie D., Wayne D. Dominick, and Joseph E. Urban, A methodology for the objective evaluation of the user/system interfaces of the MADAM system using software engineering principles, Proceedings of the 18th annual Southeast regional conference, Tallahassee, Florida, pp 103 - 109. ISBN:0-89791-014-1
154. Montgomery, W. A., Measurements of Sharing in Multics, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977.

     There are many good arguments for implementing information systems as distributed systems. These arguments depend on the extent to which interactions between machines in the distributed implementation can be minimized. Sharing among users of a computer utility is a type of interaction that may be difficult to provide in a distributed system. This paper defines a number of parameters that can be used to characterize such sharing. This paper reports measurements that were made on ...

155. Morgan, D., The Multics System, IEEE Trans on Communications 21 10, Oct 1973, pp 1166-1167.

     (A book review of Organick's book.) "The miracle is that it works and provides a level of service sufficient for customers of Honeywell to buy it and M.I.I users to use it. Nevertheless, there must be a better way to achieve an information utility than such a complex system as Multics."

156. Mullen, R. E., Automated merging of software modifications, Proc Honeywell Software Productivity Symposium, April 1977.

     Parallel modification of software modules by different programming teams is an inherent problem of large scale system software efforts. In the Multics Project experiment and analysis have lead to the development of an interactive program, merge_ascii, which competently merges related texts.

157. NCSC staff, Department of Defense Trusted Computer System Evaluation Criteria, the "Orange Book", December 1985. DOD 5200.28-STD

     The trusted computer system evaluation criteria defined in this document classify systems into four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind: (a) to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information; (b) to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and (c) to provide a basis for specifying security requirements in acquisition specifications. Two types of requirements are delineated for secure processing: (a) specific security feature requirements and (b) assurance requirements. Some of the latter requirements enable evaluation personnel to determine if the required features are present and functioning as intended. The scope of these criteria is to be applied to the set of components comprising a trusted system, and is not necessarily to be applied to each system component individually. Hence, some components of a system may be completely untrusted, while others may be individually evaluated to a lower or higher evaluation class than the trusted product considered as a whole system. In trusted products at the high end of the range, the strength of the reference monitor is such that most of the components can be completely untrusted. Though the criteria are intended to be application-independent, the specific security feature requirements may have to be interpreted when applying the criteria to specific systems with their own functional requirements, applications or special environments (e.g., communications processors, process control computers, and embedded systems in general). The underlying assurance requirements can be applied across the entire spectrum of ADP system or application processing environments without special interpretation.

158. Neumann, P. G., The role of motherhood in the pop art of system programming, Proc Second ACM SOSP, October 1969.

     Numerous papers and conference talks have recently been devoted to the affirmation or reaffirmation of various common-sense principles of computer program design and implementation, particularly with respect to operating systems ad to large subsystems such as language translators. These principles are nevertheless little observed in practice, often to the detriment of the resulting systems. This paper attempts to summarize the most significant principles, to evaluate their applicability in the real world of large multi-access systems, and to assess how they can be used more effectively.

159. Oke, Tom, Multics Through the Looking Glass, HLSUA Formu XXXI, October 1980.

     This paper deals with some of the problems encountered at The University of Calgary during the tuning and optimization of system performance. It presents some of the characteristics to be found in both the scheduling system and the virtual memory environment of Multics, and attempts to put forward a heuristic model of system action to permit a tuner to improve performance.

160. Oldfield, Homer R., King of the Seven Dwarfs: General Electric's Ambiguous Challenge to the Computer Industry, IEEE Computer Society, May 1996. ISBN 0818673834
161. O'Neill, Judy E., 'Prestige Luster' and 'Snow-Balling Effects': IBM's Development of Computer Time-Sharing, IEEE Annals of the History of Computing Vol. 17, No. 2: Summer 1995, pp. 50-54. 1995.

     In the middle 1960s IBM responded to pressure from its most prestigious customers to hasten the development and availability of computer time-sharing systems. When MIT and Bell Laboratories chose General Electric computers for their new time-sharing system, IBM management feared that the ?prestige luster? of these customers would lead other customers to demand the same capabilities and that there would be a ?snow-balling? effect as more customers rejected IBM computers. IBM worked on a time-sharing product and brought it to market by the end of the decade despite greater-than-expected costs. Meanwhile MIT, Bell Laboratories, and GE worked together on a new time-sharing system known as Multics. By examining IBM?s role in and response to the development of time-sharing, this article illustrates the nontechnological criteria that even high-technology companies use to decide what products to develop and market.

162. Organick, E. I., The Multics System: An Examination of its Structure, M. I. T. Press, Cambridge MA, 1972. ISBN 0-262-15012-3

     Multics as it was in the 60s. Reprint available from M. I. T. Press.

163. Ossanna, J. F., and J. H. Saltzer, Technical and human engineering problems in connecting terminals to a time-sharing system, AFIPS Conf Proc 37 (1970 FJCC), 355-362, 1970.
164. Ossanna, J. F., L. Mikus, and S. D. Dunten, Communications and input-output switching in a multiplexed computing system, AFIPS Conf Proc 27, 231-242, 1965.

     This paper discusses the general communications and input/output switching problems in a large-scale multiplexed computing system.

165. Padlipsky, M. A., New Multics network software features, Nov 1972. RFC 411
166. Padlipsky, M. A., Multics sampling timeout change, Feb 1973. RFC 450
167. Padlipsky, M. A., Multics address change, Nov 1973. RFC 590
168. Pandolf, MA, Implementing Forth for the multics operating system, Journal of FORTH Application and Research archive Volume 3 , Issue 2 1986.
169. Podlaska-Lando, S., Implementation and evaluation of interval arithmetic software: Report 2: The Honeywell MULTICS System, Technical report - U.S. Army Engineer Waterways Experiment Station, 1979. NTIS B0006X47Z0

     This is Report 2 of a series entitled Implementation and Evaluation of Interval Arithmetic Software. Interval arithmetic can be used to determine the precision of the arithmetic required to guarantee a given precision in the results of an algorithm. In general, whether using interval or regular arithmetic, the greater the precision the longer the run time required for a given algorithm. A 56 decimal digit version of the original MULTICS interval package was implemented on the MULTICS system. It is concluded that the use of single precision and 56 decimal digit extended precision interval arithmetic can, at times, be extremely useful. The testing showed that, when using the 56 decimal digit data type, much better bounds were obtained for the results than when using the single precision interval data type.

170. Pozzo, M. M., Life Cycle Assurance for Trusted Computer Systems: a Configuration Management Strategy for Multics, 7th DOD/NBS Computer Security Conf, September 1984.
171. Pugh, Emerson et al., IBMs 360 and early 370 systems, no date.
172. Reynolds, G. E., Multics Security Evaluation. Volume IV. Exemplary Performance Under Demanding Workload, Electronic Systems Div Hanscom AFB Mass November, 1976. NTIS AD-A038 231/7
173. Ritchie, D. M., The evolution of the UNIX time-sharing system, Bell System Technical Journal 63, 8, Oct 1984.

     This paper presents a brief history of the early development of the Unix operating system. It concentrates on the evolution of the file system, the process-control mechanism, and the idea of pipelined commands. Some attention is paid to social conditions during the development of the system.

174. Ritchie, D. M., The development of the C language, ACM SIGPLAN Notices 28, 3, 201-208 (ACM HOPL-II Conf), March 1993.

     The C programming language was devised in the early 1970s as a system implementation language for the nascent Unix operating system. Derived from the typeless language BCPL, it evolved a type structure; created on a tiny machine as a tool to improve a meager programming environment, it has become one of the dominant languages of today. This paper studies its evolution.

175. Rus, T., Data Structures and Operating Systems, John Wiley & Sons, Chichester, 1979.
176. Sabonnadiere, J., G. Meunier, and B. Morel, FLUX: A general interactive finite elements package for 2D electromagnetic fields, IEEE Trans on Magnetics 18, 2, Mar 1982, pp 624-626.

     Achievement of finite element methods leads nowadays to the development of general purpose packages. FLUX, developed by the Laboratoire d'Electrotechnique de l'Institut National Polytechnique de Grenoble is an interactive system in which graphic facilities are combined with a convenient command language to allow a high level of conversationnal use. FLUX is made of three independant programs : a pre-precessor : ENTREE for geometrical, physical and finite element descriptions of the model, the computation processor RESOL in which equations occuring from finite elements are solved, and, finally EXPLOI, the post-processor for flux plots, field visualisation, forces and torques. FLUX is implemented under the conversationnal system MULTICS on the HB68 computer of the Centre Inter-universitaire de Calcul de Grenoble. It is available in France through TRANSRAC, the french computer network, and in all western EUROPE through EURONET.

177. Saltzer, J. H., A simple linear model of demand paging performance, Commun. ACM 17, 4, April, 1974.. Project MAC memo M0131, November 1972

     Predicting the performance of a proposed automatically managed multilevel memory system requires a model of the patterns by which programs refer to the information stored in the memory. Some recent experimental measurements on the Multics virtual memory suggest that, for rough approximations, a remarkably simple program reference model will suffice. The simple model combines the effect of the information reference pattern with the effect of the automatic management algorithm to produce a ...

178. Saltzer, J. H., and J. F. Ossanna, Remote terminal character stream processing in Multics, AFIPS Conf Proc 36 (1970 SJCC), 621-627, 1970.
179. Saltzer, J. H., and J. W. Gintell, The instrumentation of Multics, Commun. ACM 13, No. 8, 495-500, August 1970.

     An array of measuring tools devised to aid in the implementation of a prototype computer utility is discussed. These tools include special hardware clocks and data channels, general purpose programmed probing and recording tools, and specialized measurement facilities. Some particular measurements of interest in a system which combines demand paging with multiprogamming are described in detail. Where appropriate, insight into effectiveness (or lack thereof) of individual tools is provided.

180. Saltzer, J. H., Protection and the control of information sharing in the Multics system, Commun. ACM 17, 7, July 1974.

     The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.

181. Saltzer, J. H., and M. D. Schroeder, The protection of information in computer systems, Proceedings of the IEEE. Vol. 63, No. 9 (September 1975), pp. 1278-1308.

     (Also at Mike Schroeder's website)

     This seminal paper collected and established many the of the fundamental principles and terms used in computer security over the last three decades. In addition to the eight "Saltzer/Schroeder Design Principles" and other basic principles of information protection in section 1, it provides an overview of descriptor-based protection systems in section 2, and surveys the state of the art in section 3. Although the paper dates from 1974, most of it is still highly relevant to systems being designed today.

     ABSTRACT: This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures--whether hardware or software--that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysis of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading.

182. Saltzer, J. H., Ongoing research and development on information protection, ACM Operating Systems Review 8, 3, pp. 8-24, July, 1974.
183. Saltzer, J. H., Naming and binding of objects, in R. Bayer, R. M. Graham, and G. Seegmuller (eds.), Operating Systems: An Advanced Course, Springer Verlag, New York, 1979, pp. 99-208. [Appendix A: Case Study of Naming in Multics, pp. 193-208.] 1979.
184. Saltzer, J. H., On the modeling of paging algorithms, ACM Forum, Commun. ACM 19, 5, May 1976.
185. Saltzer, J. H., Technical possibilities and problems in protecting data in computer systems, in Dierstein et al., eds, Datenschutz und Datensicherung, J. P. Bachem Verlag, Cologne, 1976.
186. Salus, Peter H., A Quarter Century of UNIX, Addison Wesley, 1994.
187. Sawatzky, Don L., REMAPP Multics programmer's guide, Open-file report / U.S. Department of the Interior, Geological Survey, 1980.
188. Scheffler, Lee J., Optimal folding of a paging drum in a three level memory system, Proceedings of the fourth symposium on Operating system principles, January 1973.

     This paper describes a drum space allocation and accessing strategy called "folding", whereby effective drum storage capacity can be traded off for reduced drum page fetch time. A model for the "folded drum" is developed and an expression is derived for the mean page fetch time of the drum as a function of the degree of folding. In a hypothetical three-level memory system of primary (directly addressable), drum, and tertiary (usually disk) memories, the tradeoffs among drum storage capacity, drum page fetch time, and page fetch traffic to tertiary memory are explored. An expression is derived for the mean page fetch time of the combined drum-tertiary memory system as a function of the degree of folding. Measurements of the MULTICS three-level memory system are presented as examples of improving multi-level memory performance through drum folding. A methodology is suggested for choosing the degree of folding most appropriate to a particular memory configuration.

189. Schell, R. R., Effectiveness -- the Reason for a Security Kernel, Proceedings of the National Computer Conference, 1974, pp. 975-976. 1974.
190. Schell, Roger R., Peter J. Downey, and Gerald J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, The MITRE Corporation, Bedford, MA 01730 (Jan. 1973). MCI-73-1

     The military has a heavy responsibility for protection of information in its shared computer systems. The military must insure the security of its computer systems before they are put into operational use. That is, the security must be "certified", since once military information is lost it is irretrievable and there are no legal remedies for redress. Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware. We primarily need an effective means for enforcing very simple protection relationships, (e.g., user clearance level must be greater than or equal to the classification level of accessed information); however, we do not require solutions to some of the more complex protection problems such as mutually suspicious processes. Based on the work of people like Butler Lampson we have espoused three design principles as a basis for adequate security controls:

     1. Complete Mediation -- The system must provide complete mediation of information references, i.e., must interpose itself between any reference to sensitive data and accession of that data. All references must be validated by those portions of the system hardware and software responsible for security.
     2. Isolation -- These valid operators, a "security kernel," must be an isolated, tamper-proof component of the system. This kernel must provide a unique, protected identity for each user who generates references, and must protect the reference-validating algorithms.
     3. Simplicity -- The security kernel must be simple enough for effective certification. The demonstrably complete logical design should be implemented as a small set of simple primitive operations and system database structures that can be shown to be correct.

     These three principles are central to the understanding of the deficiencies of present systems and provide a basis for critical examination of protection mechanisms and a method for insuring a system is secure. It is our firm belief that by applying these principles we can have secure shared systems in the next few years.

191. Schiller, W. L., K. J. Biba, and E. L. Burke, A preliminary specification of a Multics security kernel, MITRE Corp, Bedford MA, April 1975. WP-20119
192. Schiller, W. L., Design and Abstract Specification of a Multics Security Kernel, MITRE Corp Bedford MA, 1977. NTIS AD-048 576
193. Schiller, W. L. et al., Top level specification of a Multics security kernel, MITRE Corp, Bedford MA, July 1976. WP-20810
194. Schiller, W. L., Preliminary Specification of the Answering Service, Multics design note 33, MITRE Corp, Bedford MA, 1976.
195. Schroeder, M. D., and J. H. Saltzer, A hardware architecture for implementing protection rings, Proc ACM Third SOSP, 42-54, October 1971. Commun. ACM 15, 3, pp.157-170, March 1972.

     Protection of computations and information is an important aspect of a computer utility. In a system which uses segmentation as a memory addressing scheme, protection can be achieved in part by associating concentric rings of decreasing access privilege with a computation. This paper describes hardware processor mechanisms for implementing these rings of protection. The mechanisms allow cross-ring calls and subsequent returns to occur without trapping to the supervisor. Automatic hardware ...

196. Schroeder, M. D., Engineering a security kernel for Multics, ACM Operating Systems Review 9, 5, pp. 25-32, Proc ACM 5th SOSP, November, 1975.

     This paper describes a research project to engineer a security kernel for Multics, a general-purpose, remotely accessed, multiuser computer system. The goals are to identify the minimum mechanism that must be correct to guarantee computer enforcement of desired constraints on information access, to simplify the structure of that minimum mechanism to make verification of correctness by auditing possible, and to demonstrate by test implementation that the security kernel so developed is ...

197. Schroeder, M. D., Performance of the GE-645 associative memory while Multics is in operation, Proc ACM SIGOPS Workshop on System Performance Evaluation, Harvard, April 1971.
198. Schroeder, M. D., D. D. Clark, and J. H. Saltzer, The Multics kernel design project, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977.

     We describe a plan to create an auditable version of Multics. The engineering experiments of that plan are now complete. Type extension as a design discipline has been demonstrated feasible, even for the internal workings of an operating system, where many subtle intermodule dependencies were discovered and controlled. Insight was gained into several tradeoffs between kernel complexity and user semantics. The performance and size effects of this work are encouraging. We conclude that ...

199. Sebring, Michael M., Eric W. Shellhouse, Mary E. Hanna, and R. Alan Whitehurst, Expert Systems in Intrusion Detection: A Case Study, Proc 11th NCSC, Baltimore, USA: NBS/NCSC: pp.74-81, October 17, 1988.

     Describes MIDAS (Multics Intrusion Detection and Alerting System).

200. Sekino, A., Response time distribution of multiprogrammed time-shared computing systems, Sixth Annual Princeton Conf on Information Sciences and Systems, Princeton, March 1972.
201. Shafer, Fred J., Multilevel Computer Security Requirements of the World Wide Military Command and Control System (WWMCCS), LCD-78-106, April 5, 1978.

     The World Wide Military Command and Control System (WWMCCS) is a composite of military command facilities, communications, warning systems, and computers located throughout the world to support military command and control activities. A followup review was conducted to determine whether the multilevel computer security requirements of WWMCCS were being properly provided for by the Department of Defense (DOD) and if Air Force efforts to solve this problem had been properly considered by DOD. At the time of the review, WWMCCS officials had not endorsed or supported Air Force efforts on multilevel computer security even though the Air Force had demonstrated a potential for resolving the shortcomings of WWMCCS software. However, the Air Force terminated its efforts to develop multilevel computer security because of insufficient financing. The Departments of the Army and Navy also have a need for multilevel security in their computerized systems and had been waiting for the developed capability by the Air Force. The apparent need for a multilevel security system and the lack of a concentrated effort to meet it, as well as cancellation of the Air Force program which showed promise of meeting this need, resulted from a lack of centralized responsibility and authority for development of a multilevel system. An office within the Office of the Secretary of Defense should be given budget authority and responsibility for: control of all computer security research and development in DOD; review and approval of computer security requirements for all three services; review and approval of all computer security specifications, methodologies, and procurements; and review and approval of all long-range plans for WWMCCS and the services.

202. Sibert, Olin, mxload - Read Multics Backup Tapes, HLSUA FORUM, 1988.
203. Spicer, Robert A., MAGIC, computer programs for paleontologists available on MULTICS, Reports-Open file series - United States Geological Survey, 1980.
204. Spier, M. J., and E. I. Organick, The Multics inter-process communication facility, Proc ACM Second SOSP, 83-91, October 1969.
205. Spratt, Lindsey L., The transaction resolution journal: extending the before journal, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985.
206. Stamen, Jeffrey P., and Robert M. Wallace, Janus: a data management and analysis system for the behavioral sciences, ACM CSC-ER, Proc 1973 national conference, 1973.

     This paper describes the Janus data management and analysis system which has been designed at the Cambridge Project. A prototype of Janus is currently running on the Multics time-sharing system at M.I.T. The data model for the design of Janus is very general and should be usable as a model for data handling in general, as well as for Janus in particular. The Janus command language is an English-like language based on procedural functions - such as define, display, and delete - which act on ...

207. Stanke, Edward C., II, An Associative Processor Study, The RADCAP Project, Rept. for 1 Sep 72-30 Nov 76, Rome Air Development Center, Griffiss AFB N Y, Feb 1978. DTIC ADA052717

     The underlying objective of the Rome Air Development Center Associative Processor (RADCAP) Project is to investigate solutions to data processing problems which strain conventional approaches due to high data rates and heavy processing requirements. One group of data processing functions, those inherent in the USAF Airborne Warning and Control System (AWACS, now called the E-3A), have been chosen as being representative of this class of problems. This report describes the results of a five-year project which involved the implementation of the AWACS functions on the RADCAP testbed system which consists of a STARAN S-1000P associative processor interfaced to a Honeywell Information Systems 645-MULTICS computer (later upgraded to a HIS 6180). Based on these results, the key characteristics of an associative processor to handle this type of problem are identified and some general conclusions as to the applicability of associative/parallel processing to real-world, real-time processing problems are drawn. The report also makes some general statements concerning the future of associative/parallel processing.

208. Stern, J. A., Multics Security Kernel Top Level Specification, ESD-TR-76-368, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, November 1976. NTIS AD-A060 000/7

     Air Force Systems Command terminated the effort which this document describes before the effort reached its logical conclusion. This report is incomplete but was published in the interest of capturing and disseminating the computer security technology that was available at the time of the termination.

209. Stern, J. A., Discretionary Access Control, memo, 15 March 1976.
210. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part I. (Description) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 200 pages, F19628-76-C-0197, ESD TR-78-127-VOL-1. NTIS ADA054096

     This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). The purpose of the tool is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirements Analyzer (URA) which can operate in an interactive computer environment. This report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer.

211. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part II. (Reference) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 450 pages, F19628-76-C-0197. ESD TR-78-127-VOL-2

     This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). Its purpose is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirement Analyzer (URA) which can operate in an interactive computer environment. In parts I and II, this report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer. This manual describes the User Requirements Language (URL) to be used with Version 3.2 of the User Requirements Analyzer (URA). Part I gives a detailed description of the URL statements available and their use. Part II is a reference manual which gives the proper syntax for each statement.

212. Van Vleck, T. H., An example of industry-university cooperation: Multics, Proc IRIA Tenth Anniversary Conf, Paris, June 1978.
213. Van Vleck, T. H., and C. T. Clingen, Implementation of security concepts in a large-scale operating system, Proc Honeywell Security Symposium, Monaco, December 1980.
214. Van Vleck, T. H., and C. T. Clingen, The Multics system programming process, Proc IEEE COMPCON 78, Atlanta, May 1978.

     Reprinted in IEEE Tutorial on Software Maintenance, 1981. Features of the Multics system programming process lead to high programmer productivity with a small programming staff and a finished system with high software reliability. Other workers' predictions of increasing difficulty of system maintenance with time have not been observed; reasons for this are suggested.

215. Van Vleck, T. H., Control of access to computer system resources, Proc IEEE COMPCON 74, San Francisco, February 1974.
216. Van Vleck, T. H., The administration and management of Multics, Project MAC Multics Symposium, January 1971.
217. Vestal, Stanley Curtis, Diane Anderson, and Henry Nirsberger, GCOS/Multics File Transfer Facility, Honeywell Information Systems Inc Minneapolis Minn, 440 pages, F30602-73-C-0327, RADC TR-75-137. NTIS ADA013109

     Rome Air Development Center currently operates two R and D computer facilities: an HIS GCOS system and an HIS Multics system. Another Air Force site also operates both a GCOS and a Multics installation. In both cases, the GCOS system has preceded the Multics system by several years. There is thus a large GCOS user applications and data files. Many of these users desire to transfer these programs, applications, and data files from the GCOS environment to the Multics environment in order to take advantage of the unique design features of the Multics system. To facilitate this transfer, and to make the process as simple and easy to use as possible, Rome Air Development Center contracted with Honeywell Information Systems to specify, design, and implement procedures and software to provide an integrated capability for the transfer of information, programs, and procedures from the GCOS to the Multics environment. This technical report describes the activities conducted in the performance of this contract.

218. Vestal, Stanley Curtis, and Henry Nirsberger, GCOS/Multics File Transfer Tool., Honeywell Information Systems Inc Minneapolis Minn, 157 pages, F30602-75-C-0162, RADC TR-75-312. NTIS ADA019748

     The effort described in this report consisted of enhancements to the GCOS/Multics File Transfer Facility which was developed under contract. The facility provides for the transfer of data files from the GCOS environment to the Multics environment. In particular, data base and file backup facilities, performance monitoring instrumentation, and Inner Ring Program/Data Protection have been added.

219. Vestal, S. C., T. Krocak, H. S. Schwenk, and A. Levy, Virtual Machine Monitor Performance Analysis, Honeywell Information Systems Inc Minneapolis Minn, 178 pages, F30602-77-C-0097, RADCTR-78-251. NTIS ADA065087

     This report describes the H6180 Virtual Machine Monitor Performance Analysis. Included as part of this report is a description of the Virtual Machine Monitor. This report also includes an approach for enhancing the baseline VMM functionality by use of a service machine to control peripheral sharing. The actual experimentation performed in this effort identifies the feasibility of a VMM in a Programming Environment and the performance tradeoffs required for its optimized utilization.

220. Vinograd, D. R., What's a system to do? -- Assuring system data integrity, Proc IEEE Conf, September 1971.
221. Vyssotsky, V. A., F. J. Corbató, and R. M. Graham, Structure of the Multics Supervisor, AFIPS Conf Proc 27, 203-212, 1965.

     This paper is a preliminary report on a system which has not yet been implemented. Of necessity, it therefore reports on status and objectives rather than on performance.

222. Wade, W., M. Mortara, P. Leong, and V. Frost, Interactive Communication Systems Simulation Model--ICSSM, IEEE Journal on Selected Areas in Communications 2, 1, Jan 1984, pp 102-128.

     The design of ICSSM, a nonreal time computer-aided simulation and analysis tool for communications systems, is presented, ICSSM is capable of supporting modeling, simulation, and analysis of any system representable in terms of a network of multiport functional blocks. Its applicability is limited only by the modeler's ingenuity to decompose the system to functional blocks and to represent these functional blocks algorithmically. ICSSM has been constructed modularly, consisting of five subsystems to facilitate the tasks of formulating the model, exercising the model, evaluating and showing the simulation results, and storing and maintaining a library of modeling elements, analysis, and utility subroutines. It is written exclusively in ANSI Standard Fortran IV language, and is now operational in a Honeywell DPS 7/80 M computer under the MULTICS Operating System. Description of a recent simulation using ICSSM and some generic moduels of general interest developed as a result of the modeling work are also presented.

223. Waldrop, M. Mitchell, The Dream Machine: J. C. R. Licklider and the Revolution That Made Computing Personal, Viking Press, 2001.

     The history of time-sharing and networks and ARPA's part in supporting the activities. It has one or two chapters which focus on CTSS and Multics. It also includes the saga of PARC.

224. Walter, K. G., J. M. Gilligan, S. I. Schaen, W. F. Ogden, W. C. Rounds, D. G. Shumway, D. D. Schaeffer, K. J. Biba, F. T. Bradshaw, and S. R. Ames, Structured specification of a Security Kernel, Proceedings of the SIGPLAN international conference on Reliable software, pp 285 - 293, Los Angeles,