Multics 707 entries, 321 online
13 Jul 2014

Bibliography

Contents

Listed on separate pages:

The globe icon is used before materials available from other sites.

Items provided by the ACM Digital Library require a subscription or ACM membership in order to access them.

For more information on an author, see the list of Multicians.
For explanations of Multics terms, see the Multics Glossary.
For links to other sites of interest, see the Multics Links Page.

Papers and books

  1. Adleman, N., Effects of Producing a Multics Security Kernel, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, October 1975. NTIS AD-A031 220/7

    This report summarizes the effects of reducing the current Multics hardcore supervisor (Ring 0), even as the entire Multics system is undergoing continuous development and enhancement. An evolutionary engineering discipline, rather than a structured, formal approach has been used to either modify or recommend changes to the system. Many of the proposed major changes have been demonstrated as being sound and useful. These system changes are documented in this report. For the purposes of this report, the security kernel is that part of the system which implements a reference monitor that enforces a specified protection policy. That is, a security kernel is a subset of the current Multics supervisor. This report will show that the engineering approach of undertaking trial designs and that the engineering approach of undertaking trial designs and implementation is indeed a major contribution to the eventual analytical development and certification of a Multics supervisor which can then be viewed as the Multics security kernel.

  2. Adleman, N., Engineering Investigations in Support of Multics Security Kernel Software Development, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations. October 19, 1976. NTIS AD-A040 329/5

    This report provides the status of certain engineering efforts to support the development of a secure general purpose computer.

  3. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Security Kernel Evaluation for Multics and Secure Multics Design, Development and Certification, Semi-annual progress rept. 1 Jan-30 June 76, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, August 1976. NTIS AD-A038 261/4
  4. Adleman, N., J. R. Gilson, R. J. Sestak, and R. J. Ziller, Semi-Annual Progress Report July 1975 to December 1975, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976. NTIS AD-A037 501/4
  5. Adleman, N., R. J. Ziller, and J. C. Whitmore, Multics Security Integration Requirements, 1 January 1976-31 December 1980, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, March 1976. NTIS AD-A041 514/1
  6. Ames, S. R., File Attributes and Their Relationship to Computer Security, S.M. thesis, June 1974, Case Western Reserve University, Cleveland, OH: HQ Electronic Systems Division, Hanscom AFB, MA.. ESD-TR-74-191
  7. Ames Jr., Stanley R., and D. K. Kallman, Multics Security Kernel Validation: Proof Description, Volume I, MITRE Corp Bedford MA, July 1978. NTIS AD-A056 901/2
  8. Ames Jr., Stanley R., and J. G. Keeton-Williams, Demonstrating security for trusted applications on a security kernel base, IEEE Comp. Soc. Proc 1980 Symposium on Security and Privacy, April 1980.
  9. Ames Jr., Stanley R., and Jonathan K. Millen, Interface Verification for a Security Kernel, System Reliability and Integrity, Vol 2, Infotech State of the Art report pp.1-21 1978.
  10. Ames Jr., Stanley R., and Peter G. Neumann, Computer Security Technology: Introduction, IEEE Computer 16(7) p.11, July 1983.
  11. Anderson, James P., Multics Evaluation, James P. Anderson and Co., Fort Washington Pa, October 1973. NTIS AD-777 593/5

    Details of a planning study for USAF computer security requirements are presented. An Advanced development and Engineering program to obtain an open-use, multilevel secure computing capability is described. Plans are also presented for the related developments of communications security products and the interim solution to present secure computing problems. Finally a Exploratory development plan complementary to the recommended Advanced and Engineering development plans is also included.

  12. Anderson, James P., Accelerating Computer Security Innovation, IEEE Symposium on Security and Privacy, 1982.

    This note is prompted by a number of observations. - After nearly twelve years of serious work on computer security, all that can be shown is two one-shot ?brassboard? systems and one commercially supported product that integrates the DoD security policy into the operating system. - The first round of research results on computer security were useful and by 1975 the principles of secure computers were well enough understood that the first demonstration models of security kernels had been completed. [SCHI 73] - In spite of hopes to the contrary, it has been amply demonstrated that the civil sector of government and virtually all of the private sector can satisfy their information protection needs with simple physical and procedural methods, coupled with using systems with "improved integrity". - In spite of the tiresomeness of its repetition, the fact is that the need for secure systems for important national defense applications has not been diminished in the slightest by any work that has gone on over the past twelve years.

  13. Banh, T., and H. Tran, Test program set/document management system, AUTOTESTCON '96, 'Test Technology and Commercialization' Conference Record, pp 369-374, Sep 1996.

    The legacy C-17 Support Equipment Data Acquisition and Control System (SEDACS) was initially designed as a test requirement document (TRD) and test program set (TPS) development system. Its applications have expanded to include word processing for a majority of the C-17 support equipment (SE) deliverable documentation, project management functions, and line-replaceable-unit (LRU) and shop-replaceable-unit (SRU) tracking. While the SEDACS system enabled MDA to support C-17 test and early operation, this legacy SEDACS has some drawbacks. Recently, the SEDACS was upgraded from a host-based Honeywell/Multics mainframe to a new client/server system. The TPS document management system (DMS) was designed to provide the environment to create and edit documents as well as to control their configurations, and it is the first step toward becoming an electronic document management system. The system has increased efficiency and productivity, improved and safeguarded file sharing, and provides better management of document revisions. This TPS DMS was developed using an integrated application software package that runs on IBM PCs. This paper describes how the integrated application software was developed and how the deliverable documents were transferred from the existing mainframe system to the client/server system. The software products identified in this paper were chosen to meet our particular applications requirements and are provided only as examples.

  14. Banâtre, Jean-Pierre, Michel Banâtre, Guy Lapalme, and Florimond Ployette, The design and building of Enchère, a distributed electronic marketing system, Commun. ACM 29, 1, 19-29. Jan. 1986.

    Building and prototyping an agricultural electronic marketing system involved experimenting with distributed synchronization, atomic activity, and commit protocols and recovery algorithms.

  15. Bell, D. E., and L. J. La Padula, Secure Computer Systems: Unified Exposition and Multics Interpretation, Mitre Technical Report MTR-2997, rev 2, March 1976. NTIS AD-A023 588/7

    For the past several years ESD has been involved in various projects relating to secure computer systems design and operation. One of the continuing efforts, started in 1972 at MITRE, has been secure computer system modeling. The effort initially produced a mathematical framework and a model [1, 2] and subsequently developed refinements and extensions to the model [3] which reflected a computer system architecture similar to that of Multics [4]. Recently a large effort has been proceeding to produce a design for a secure Multics based on the mathematical model given in [l, 2, 3]. Same as ESD-TR-75-306, DTIC AD-A023588

  16. Bell, D. E., and L. J. La Padula, Secure Computer Systems: Mathematical foundations, MITRE tech report, 1 Mar 1973. MTR-2547 vol I
  17. La Padula, L. J., and D. E. Bell, Secure Computer System: A Mathematical Model, MITRE tech report, 31 May 1973. MTR-2547 vol III
  18. Bell, D. E., Secure Computer System: A Refinement of the Mathematical Model, MITRE tech report, 28 Dec 1973. MTR-2547 vol II
  19. Benedict, G. G., An Enciphering Module for Multics, 1974 Jul. NTIS AD-782 658/9
  20. Bennett, D. A., and C. A. Landauer, An application of simulation to tracking, In: Winter Simulation Conference, San Diego, CA, December 3-5, 1979, Proceedings. Volume 1. New York, IEEE, p. 83-90..

    AIMER (Automatic Integration of Multiple Element Radars) is an emulated model of a loosely coupled distributed radar tracking processor. The design goal of the model is to provide a reliable processing system whose computational bandwidth can be dynamically altered in response to changing ground scenario and availability of hardware. A large number of minicomputers connected with multiple packet networks was chosen as the framework for the design. This paper describes the current status of AIMER.

  21. Bensoussan, A., C. T. Clingen, and R. C. Daley, The Multics virtual memory: concepts and design, Proc Second ACM SOSP, Princeton NJ, October 1969.

    Commun. ACM 15, 5, pp 308-318, May 1972. As experience with use of on-line operating systems has grown, the need to share information among system users has become increasingly apparent. Many contemporary systems permit some degree of sharing. Usually, sharing is accomplished by allowing several users to share data via input and output of information stored in files kept in secondary storage. Through the use of segmentation, however, Multics provides direct hardware addressing by user and system programs of all information, independent of its physical storage location. Information is stored in segments each of which is potentially sharable and carries its own independent attributes of size and access privilege. Here, the design and implementation considerations of segmentation and sharing in Multics are first discussed under the assumption that all information resides in a large, segmented main memory. Since the size of main memory on contemporary systems is rather limited, it is then shown how the Multics software achieves the effect of a large segmented main memory through the use of the Honeywell 645 segmentation and paging hardware.

  22. Bensoussan, André, Honeywell, Inc., MULTICS records, 1965-1982. Finding Aid, University of Minnesota, Charles Babbage Institute.

    In the late 1980s, when André Bensoussan was about to retire from Honeywell (or perhaps he was retiring as a Bull employee working at Honeywell) I was also working at Honeywell and arranged to send two boxes of what he considered the historically most valuable Multics material with which he was willing to part to the Charles Babbage Institute (CBI) at the University of Minnesota.

  23. Berstel, J., and J.-F. Perrot, MULTICS: guide de l'usager, Manuels informatiques Masson, Paris [etc.]: Masson, 1986.
  24. Biba, K. J., S. R. Ames Jr., E. L. Burke, P. A. Karger, W. R. Price, R. R. Schell, and W. L. Schiller, The top level specification of a Multics security kernel, MITRE Corp, Bedford MA, August 1975. WP-20377
  25. Birnbaum, D., J. J. Cupak, J. D. Dyar, and R. Jackson, MULTICS Remote Data Entry System. Volume I, Source: Pattern Analysis and Recognition Corp., Rome, NY., Rome Air Development Center, Griffiss AFB, NY, Oct 1979, RADC TR-79-265-VOL-1. NTIS ADA080625

    This report contains the user's manuals and software documentation for the Remote Data Entry System which is the front-end to the MULTICS Pattern Recognition Facility and the Cluster Analysis package which was added to MULTICS OLPARS. The Remote Data Entry System was designed to allow users of the MULTICS Pattern Recognition Facility the ability to input their data over the ARPANET from a Tektronix remote storage device. Once the data is input into the MULTICS System, routines are provided so that the user can easily restructure or cluster his database to perform different classification experiments.

  26. Bisbey II, Richard L., Jim Carlstedt, Dale M. Chase, and Dennis Hollingworth, Data Dependency Analysis, ISI-RR-76-45, USC Information Sciences Institute, February 1976. NTIS: ADA 022017
  27. Bisbey II, Richard L., and Dennis Hollingworth, Protection Analysis: Final Report, ISI-SR-78-13, USC Information Sciences Institute, July 1978. NTIS: ADA 056816

    The Protection Analysis project was initiated at ISI by ARPA IPTO to further understand operating system security vulnerabilities and, where possible, identify automatable techniques for detecting such vulnerabilities in existing system software. The primary goal of the project was to make protection evaluation both more effective and more economical by decomposing it into more manageable and methodical subtasks so as to drastically reduce the requirement for protection expertise and make it as independent as possible of the skills and motivation of the actual individuals involved. The project focused on near-term solutions to the problem of improving the security of existing and future operating systems in an attempt to have some impact on the security of the systems which would be in use over the next ten years. A general strategy was identified, referred to as "pattern-directed protection evaluation" and tailored to the problem of evaluating existing systems. The approach provided a basis for categorizing protection errors according to their security-relevant properties; it was successfully applied for one such category to the MULTICS operating system, resulting in the detection of previously unknown security vulnerabilities.

  28. Boebert, Earl, The Fox Herder's Guide: How to Lead Teams That Motivate and Inform Organizational Change, Bitsmasher Press, 2001.

    180 pages.

  29. Bosworth, Bruce, A user's guide to statistics programs on the MULTICS timesharing system, Avery Publishing Group, Inc. (1982).

    64 pages.

  30. Boyd, Donald L., and Antonio Pizzarello, Introduction to the WELLMADE design methodology, Proc. 3d Int. Conf. on Software Engineering, 1978.
  31. Bull HN Information Systems Inc., Multics Data Security and Data Privacy, USA: Bull HN Information Systems. no date.
  32. Burke, Edmund L. et al., Emulating a Honeywell 6180 Computer System, Mitre Corporation, pp. 1-73. June 1974. NTIS AD 787 218

    he Honeywell 6180 is a new, large-scale computer for the MULTICS time-sharing system. This report describes the 6180, and examines the feasibility of emulating it with each of three microprogrammable processors: the Burroughs D-Machine, the Nanodata QM-1, and the Burroughs B1700. Benchmark emulations are presented for each of these machines.

  33. Burke, Edmund L., Concept of Operation for Handling I/O in a Secure Computer at the Air Force Data Services Center (AFDSC), Mitre Corporation. Apr 1974. DTIC AD0780529

    The operation of a computer system in a secure fashion requires the control of access to all parts of the system. One part of the system which is often neglected when access and security controls are developed is the input/output (I/O) subsystem. This paper develops a general Concept of Operations for I/O in a secure computer system. This concept is then applied to the proposed two-level, Secret-Top Secret, MULTICS System at the Air Force Data Services Center (AFDSC). The most unusual operational feature recommended for the AFDSC MULTICS is the use of autonomous processes to perform all I/O, preventing any user from directly accessing any I/O device. Procedures are described to provide the necessary controls for operation in the Data Services Center environment.

  34. Burrus, Phillip F., SEDACS-a client/server approach to TPS development, AUTOTESTCON '95. Systems Readiness: Test Technology for the 21st Century. Conference Record, Aug 1995.

    The C-17 Support Equipment Data Acquisition and Control System (SEDACS) Test Program Set/Test Requirements Document (TPS/TRD) development system was upgraded from a host-based Honeywell/Multics mainframe system to a new client/server system with Internet connectivity. Reliability, flexibility, and supportability were the requirements for the new system. The combination of the client/server model and commercial software met these requirements by exploiting fast and inexpensive hardware and commercial off-the-shelf (COTS) software such as word processing and project and circuit analysis software. Greater efficiencies were realized by reducing the required time needed to train users, develop TPSs, and prepare supporting documentation. Quality was improved by incorporating configuration management tools and integrated spell checking into the applications suite and by designing around a centralized database. This paper briefly describes how we developed our new system and how we migrated from our existing mainframe (or legacy) system to a client/server system.

  35. Caruso, Michael Joseph, A graphics systems for RDMS, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1975. B.S., 1975.

    82 pages

  36. Clingen, C. T., Program naming problems in a shared tree-structured hierarchy, Proc Conf on Techniques in Software Engineering, October 1969.
  37. Clisham, Tom J., Source RX: A Multics-Fortran program for stratigraphic and petroleum geochemical data, U.S. Geological Survey, 1979.
  38. Colijn, A. W., A note on the Multics command language, Software -- Practice and Experience 11, 6, pp 741-744, Jul 1981.

    Some aspects of the Multics operating system are critically examined. In particular, the properties of the command and language are noted as allowing considerable general purpose programming power. The strength and weaknesses are discussed and a quantitative evaluation of speed is attempted based on a comparison of programming the "Towers of Hanoi" and Ackermann's function in both Multics command language and pll. The programs also serve to exemplify the use of the command language.

  39. Colman, S. M., CHEMANAL: A MULTICS Fortran program to calculate chemical weathering data, U.S. Geological Survey, 1980.
  40. Connell, David B., Kermit N. Klingbail, and Richard A. Jackson, MULTICS OLPARS Operating System. Volume I., Pattern Analysis and Recognition Corp Rome N Y, 219 pages, PAR-74-25-A, F30602-75-C-0226, F30602-73-C-0352, RADC TR-76-271-Vol-1. NTIS ADA034393

    The development of interactive graphics computer systems for use in detection, identification, and transformation of patterns contained in high- dimensional data has been a continuing program at the Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS (the On-Line Pattern Analysis and Recognition System), IFES (the Image Feature Extraction System), and WPS (the Waveform Processing System). This report contains detailed design and user-oriented information related to MOOS (the MULTICS OLPARS Operating System), and advanced version of OLPARS currently resident upon the Honeywell 6180 MULTICS computer system. The currently operational system represents an implemented version of the operations described in a previous report (RADC-TR-73-241); appropriate selections of that report are retained within this document. This report contains brief descriptions of the MOOS system and the mathematics underlying the system algorithms. A major portion of this document is reserved for a user's manual (providing detailed information relating to the operation of all system options) and for MOOS program documentation.

  41. Corbató, F. J., A paging experiment with the Multics system, Chapter 19 of In Honor of Philip M. Morse, edited by Herman Feshbach and K. Uno Ingard, M. I. T. Press, Cambridge MA, 217-228, 1969. Available from MIT Press print-on-demand.

    A key strategic question that a paging algorithm must answer whenever a new page is needed is: "Which page should be removed from core memory?" (1.9MB PDF )

  42. Corbató, F. J., and C. T. Clingen, A Managerial View of the Multics System Development, in Research Directions in Software Technology edited by P. Wegner, M.I.T. Press, 1979.

    (Also published in Tutorial: Software Management, Reifer, Donald J. (ed), IEEE Computer Society Press, l979; Second Edition l981; Third Edition, 1986.) A reasonable question of a software manager might be "What possible insight can I gain from the agonies of someone else's project?"

  43. Corbató, F. J., and J. H. Saltzer, Some considerations of supervisor program design for multiplexed computer systems, Proc IFIP 4th Global Conf, Edinburgh, August 1968. Project MAC memo MAC-M-372, May 1968

    One of the principal hurdles in developing multiplexed computer systems is acquiring sufficient insight into the apparently complex problems encountered. This paper isolates two system objectives by distinguishing between problems related to multiplexing and those arising from sharing of information. In both cases, latent problems of noninteractive systems are shown to be aggravated by interacting people. Viewpoints such as reversibility of binding, and mechanisms such as segmentation, are suggested as approaches to acquiring insight. It is argued that only such analysis and functional understanding can lead to simplifications needed to allow design of more sophisticated systems.

  44. Corbató, F. J., and V. A. Vyssotsky, Introduction and overview of the Multics system, AFIPS Conf Proc 27, 185-196, 1965.

    Multics (Multiplexed Information and Computing Service) is a comprehensive, general-purpose programming system which is being developed as a research project. The initial Multics system will be implemented on the GE 645 computer. One of the overall design goals is to create a computing system which is capable of meeting almost all of the present and near-future requirements of a large computer utility.

  45. Corbató, F. J., C. T. Clingen, and J. H. Saltzer, Multics -- the first seven years, Proc SJCC, 571-583, May 1972.

    First we review the goals, history and current status of the Multics project. This review is followed by a brief description of the appearance of the Multics system to its various classes of users. Finally several topics are given which represent some of the research insights which have come out of the development activities.

  46. Corbató, F. J., M. M. Daggett, and R. C. Daley, An experimental time-sharing system, AFIPS Conf Proc 21, 335-344, 1962.

    It is the purpose of this paper to discuss briefly the need for time-sharing, some of the implementation problems, an experimental time-sharing system which has been developed for the contemporary IBM 7090, and finally a scheduling algorithm of one of us (FJC) that illustrates some of the techniques which may be employed to enhance and be analyzed for the performance limits of such a time-sharing system.

  47. Corbató, F. J., PL/I as a Tool for System Programming, Datamation 15, 5, 68-76, May, 1969.
  48. Corbató, F. J., Sensitive issues in the design of multi-use systems, M. I. T. Project MAC, December 1968. MAC-M-383
  49. Corbató, F. J., On building systems that will fail, (A. M. Turing Award lecture), Commun. ACM 34 No. 9, September 1991.

    What I am really trying to address is the class of systems that for want of a better phrase, I will call "ambitious systems." It almost goes without saying that ambitious systems never quite work as expected. Things usually go wrong and sometimes in dramatic ways. And this leads me to my main thesis, namely, that the question to ask when designing such systems is not: "if something will go wrong, but when will it?"

  50. Corbató, F. J., M. M. Daggett, R. C. Daley, R. J. Creasy, J. D. Hellwig, R. H. Orenstein, and L. K. Korn, The compatible time-sharing system: a programmer's guide, 1st ed, M. I. T. Press, June 1963.

    The "candy stripe" manual describing early versions of CTSS.

  51. Couleur, J. F., and E. L. Glaser, Shared-access data processing system, filed November 26, 1965, awarded November 19, 1968. US Patent no 3,412,382
  52. Couleur, J. F., and R. F. Montee, Method and means for storing and accessing information in a shared access multiprogrammed data processing system, ("New System Architecture" patent) filed November 14, 1978, awarded November 10, 1981. US Patent no 4,300,192

    Partitioning, paging, and segmentation techniques are employed with virtual memory to provide more secure and efficient storage and transfer of information. The virtual memory is divided into a plurality of partitions with real memory storage provided by paging the plurality of partitions. User programs are segmented into logical units and stored in assigned partitions thereby isolating user programs and data. Unsegmented programs may be run by storage in a partition with direct addressing. Segment descriptors including partition, base, and bound are utilized in accessing memory. User domains are expandable by temporarily passing descriptor parameters from one routine to another with access flags limiting access thereto. By shrinking passed descriptors the receiving routine can be restricted to only a portion of the information defined by the descriptor.

  53. Couleur, John F., The Core of the Black Canyon Computer Corporation, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 56-60.
  54. Crisman, P. A., Ed., The compatible time-sharing system: a programmer's guide, 2nd ed, M. I. T. Press, 1965.

    Looseleaf.

  55. Daley, R. C., and J. B. Dennis, Virtual memory, processes, and sharing in Multics, Commun. ACM 11, 306-312, May 1968.

    The value of a computer system to its users is greatly enhanced if a user can, in a simple and general way, build his work upon procedures developed by others. The attainment of this essential generality requires that a computer system possess the features of equipment-independent addressing, an effectively infinite virtual memory, and provision for the dynamic linking of shared procedure and data objects. The paper explains how these features are realized in the Multics system.

  56. Daley, R. C., and P. G. Neumann, A general-purpose file system for secondary storage, AFIPS Conf Proc 27, 212-230, 1965.

    The need for a versatile on-line secondary storage complex in a multiprogramming environment is immense.

  57. Datapro, An Overview of Operating Systems Security, Datapro Reports on Information Security, June 1986. Datapro IS56-001
  58. Datapro, Bull HN Information Systems Inc: Security Capabilities of Multics, Datapro Reports on Information Security; Vol 3, USA: Datapro Research. April 1989. IS56-115-101
  59. David Jr., E. E., and R. M. Fano, Some thoughts about the social implications of accessible computing, AFIPS Conf Proc 27, 243-248, 1965.
  60. Davids, Noah S., Experiences with an Interactive Electronic Meeting Facility, Proc Second Annual Phoenix Conference on Computers and Communications, 563-567, Mar 1983.

    The introduction of an interactive electronic meeting facility, called Forum, within Honeywell's Large Information Systems Division (LISD), a large multi-national organization, has had profound effets. The environment set up by Forum closely mimics that of a face-to-face meeting. The user interface, based on a TTY-style terminal, allows the users to concentrate on the content of the meeting instead of on the interface or the computer. Forum is briefly described, and LISD's experiences, both good and bad, are discussed.

  61. Davis, R. C., A Security Compliance Study of the Air Force Data Services Center Multics System, Mitre Corp., Bedford, Mass, NTIS, December 1976.

    Do the hardware and software security features of the Air Force Data Services Center (AFDSC) Multics system comply with the Department of Defense security requirements. To answer this question AFDSC commissioned MITRE to undertake a study to compare intrinsic features of the AFDSC Multics system with the applicable requirements set forth in DoD Requirement 5200.28 and expanded upon in DoD Manual 5200.28-M. (also available as DTIC AD-A034985)

  62. Davis, Edward W., STARAN parallel processor system software, Proc AFIPS 74.

    This paper is concerned with the features and concepts of system software for a parallel associative array processor---STARAN. Definitions of parallel processors have appeared often. Essentially they are machines with a large number of processing elements. They have the capability to operate on multiple data streams with a single instruction stream. STARAN is a line of parallel processors with a variable number of processing elements.

  63. Denning, P. J., The working set model for program behavior, Commun. ACM 11, 5, 323-333, May 1968.
  64. Denning, P. J., Virtual memory, ACM Computing Surveys 2, 3, 153-189, September 1970.
  65. Denning, P. J., Effects of scheduling on file memory operations, Proc 1967 SJCC, 1967.
  66. Denning, P. J., A statistical model for console behavior in multiuser computers, Commun. ACM, Sep 1968.
  67. Denning, P. J., Thrashing: its causes and prevention, Proc 1968 FJCC, 1968.

    A particularly troublesome phenomenon, thrashing, may seriously interfere with the performance of paged memory systems, reducing computing giants (Multics, IBM System 360, and others not necessarily excepted) to computing dwarfs. The term thrashing denotes excessive overhead and severe performance degradation or collapse caused by too much paging. Thrashing inevitably turns a shortage of memory space into a surplus of processor time.

  68. Denning, P. J., Equipment configuration in balanced computer systems, IEEE Trans on Computers, Nov 1969.
  69. Denning, P. J., Comments on a linear paging model, Proceedings of the 1974 ACM SIGMETRICS conference on Measurement and evaluation, Jan 1974.

    The linear approximation relating mean time between page transfers between levels of memory, as reported by Saltzer for Multics, is examined. It is tentatively concluded that this approximation is untenable for main memory, especially under working set policies; and that the linearity of the data for the drum reflects the behavior of the Multics scheduler for background jobs, not the behavior of programs.

  70. Dennis, J. B., A multiuser computation facility for education and research, Commun. ACM 7, 521-529, September 1964.
  71. Dennis, J. B., Segmentation and the design of multiprogrammed computer systems, IEEE Intl Convention Rec 3, 214-225, 1965.
  72. Deutsch, L. P., and B. W. Lampson, An online editor, (qed), Commun. ACM 10, 12, pp 793-799, December 1967.
  73. Diamond, D. S., and L. L. Selwyn, Considerations for computer utility pricing policies, Proc ACM 23d Natl Conf, 189-200, 1968.

    There are a number of different philosophies concerning the problems of pricing the resources of a multi-access computer utility. Although some have been proposed only academically, others have actually been implemented by the various fledgling systems that have come into existence during the past few years.

  74. Dominick, W. D., and S. K. Agarwal, MADAM: Multics Approach to Data Access and Management Users Guide, Computer Science Department, University of Southwestern Louisiana, 1977. Technical Report CMPS-77-6-1

    The MADAM system was developed to provide the framework for conducting information system research, design, implementation, measurement and evaluation experiments within the context of the Multics operating system. This paper overviews some of the more important aspects of the design philosophy of MADAM.

  75. Donovan, J. J., Tools and philosophy for software education, Commun. ACM, 19, Issue 8, August 1976.
  76. Downey, P. J., MULTICS Security Evaluation: Password and File Encryption Techniques, US Air Force, Electronic Systems Div, Hanscom AFB Mass,, Jun 1977. NTIS AD-A045 279/7
  77. Dyar, J. D., Multics Remote Data Entry System. Volume II. Clustering Additions to MOOS, PATTERN ANALYSIS AND RECOGNITION CORP ROME N Y, Oct 1979. DTIC ADA080626

    This report describes the clustering algorithms added to the MULTICS OLPARS Operating System under this effort.

  78. Elefante, Donald M., Unattended Testing Sessions on the Honeywell Multics Computer, Rome Air Development Center Griffiss AFB N Y (MAR 1977).. NTIS ADA041824

    This report discusses the procedure used to run a series of machine-dedicated performance evaluation tests without any machine operator intervention, either before or after the tests, and with minimum disruption to normal time-sharing service. The procedure involves, among other things, setting up a control program to execute at some optimum time in the future, whereupon MULTICS is automatically induced to remove itself from its normal user support status, log in a predetermined set of artificial users for the duration of the test, and following this, restore itself to its normal user (timesharing) status. 43 pages.

  79. Elspas, B., R. E. Shostak, and J. M. Sptizen, A Verification System for JOCIT/J3 Programs (Rugged Programming Environment - RPE/2)., Stanford Research Inst Menlo Park Calif. DTIC ADA042670

    This report describes work done during the second year of a research and development program aimed ultimately at a Rugged Programming Environment for JOVIAL. The RPE/1 verification system designed and built during the first year has been greatly extended and improved in several ways. The basic method of verification remains the same--that of inductive assertions. The input processor has been modified to handle virtually of all JOCIT instead of the small subset covered by the RPE/1 system. The overall speed of verification has been increased by a factor of over 25. Ease of user interaction with the system has been greatly enhanced by adding facilities for carrying out and saving partial proofs of programs, for extending the assertion language, and for enabling top-down and bottom-up proofs for well-structured programs. Moreover, the entire system has been translated into MACLISP, the system files have been transferred to the RADC-MULTICS Honeywell 6180 computer, and a sample verification (shown in the report) has been carried out entirely on the RADC computer.

  80. Enslow, Philip H., 6180 Multics Systems and 6000 Series, Appendix C (pages 219-228) of Philip H. Enslow, editor, Multiprocessors and Parallel Processing, John Wiley & Sons, New York, 1974..
  81. Fano, R. M., and P. Elias, Project MAC 25th Anniversary, M. I. T. Laboratory for Computer Science, 1989.
  82. Fano, R. M., The computer utility and the community, IEEE Int Convention Record 12, 30-37, 1967.
  83. Fano, R. M., The MAC system: The computer utility approach, IEEE Spectrum 2, 56-64, January 1965.
  84. Fano, R. M., and F. J. Corbató, Time-sharing on computers, Scientific American 215, 3, September, 1966, pp. 129-140.

    also in Information, A Scientific American Book, W. H. Freeman & Co., pp. 76-95, 1966

  85. Fano, R. M., Project MAC, Encyclopedia of Computer Science and Technology, Vol 12, Marcel Dekker, Inc. New York and Basel, 1979.
  86. Feiertag, R. J., and E. I. Organick, The Multics input/output system, Proc ACM Third SOSP, 35-41, October 1971.

    An I/0 system has been implemented in the Multics system that facilitates dynamic switching of I/0 devices. This switching is accomplished by providing a general interface for all I/O devices that allows all equivalent operations on different devices to be expressed in the same way. Also particular devices are referenced by symbolic names and the binding of names to devices can be dynamically modified. Available I/0 operations range from a set of basic I/0 calls that require almost no knowledge ...

  87. Feiertag, R. J., Karl N. Levitt, and Lawrence Robinson, Proving Multilevel Security of a System Design, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977.
  88. Feingold, Richard, Electronic Resources for Security Related Information, US Department of Energy, Lawrence Livermore National Laboratory, Computer Incident Advisory Capability, December 1994. CIAC-2307 R.1
  89. Yochelson, J. C., A LISP garbage collector for virtual memory computer systems, Commun. ACM 12, 611-612, 1969.
  90. Fenichel, Robert R., Joseph Weizenbaum, and Jerome C. Yochelson, A program to teach programming, Commun. ACM 13, 1970.

    The TEACH system was developed at MIT to ease the cost and improve the results of elementary instruction in programming. To the student, TEACH offers loosely guided experience with a conversational language which was designed with teaching in mind. Faculty involvement is minimal. A term of experience with TEACH is discussed. Pedagogically, the system appears to be successful; straighforward reimplementation will make it economically successful as well. Similar programs of profound tutorial skill will appear only as the results of extended research. The outlines of this research are beginning to become clear.

  91. Finfer, M., J. Fellows, and D. Casey, Software debugging methodology. Volume II: Handbook for debugging in the MULTICS/GCOS/RTM environments, System Development Corp, Santa Monica, Calif, Apr 1979.

    A debugging study was conducted which surveyed current research being performed in the area of software debugging during integration level testing. Particular emphasis was placed on assessing debugging tools and techniques which were applicable to embedded software developments. The purpose of the debugging study was to define a software debugging methodology applicable to diverse environments to be utilized during integration testing of system software. The results of the study are contained in three volumes. This volume presents the application of the debugging methodology to three specific environments. 122 pages.

  92. Flamm, Kenneth, Targeting the Computer: Government Support and International Competition, Washington, DC; Brookings Institution, 1987, pp. 42-92..
  93. Frankston, Robert M., A Limited Service System on Multics, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, June 1970.
  94. Frankston, Robert M., Multics: Lightweight Processes, Unpublished memorandum, MIT Project MAC, March 1974.

    This is a pair of memos I wrote in 1974 when I was a graduate student working on the Multics project. (precursors of MIT CSR-RFC-123)

  95. Freiburghouse, R. A., A user's guide to the Multics FORTRAN compiler implementation, CISL, October 1969.

    A document that provides the prospective Multics FORTRAN user with sufficient information to enable him to create and execute FORTRAN programs on Multics. It contains a complete definition of the Multics FORTRAN language as well as a description of the FORTRAN command and error messages. It also describes how to communicate with non-FORTRAN programs and discusses some of the fundamental characteristics of Multics that affect the FORTRAN user. 68 pages. -- Organick

  96. Freiburghouse, R. A., The Multics PL/1 compiler, Proc 1969 FJCC, 187-199, 1969.

    Description of the Multics version 1 PL/I compiler implementation.

  97. Freiburghouse, R. A., Register allocation via usage counts, Commun. ACM 17, Issue 11, November 1974.

    This paper introduces the notion of usage counts, shows how usage counts can be developed by algorithms that eliminate redundant computations, and describes how usage counts can provide the basis for register allocation. The paper compares register allocation based on usage counts to other commonly used register allocation techniques, and presents evidence which shows that the usage count technique is significantly better than these other techniques.

  98. Friesen, O. D., and J. A. Weeldreyer, Multics Integrated Data Store: An Implementation of a Network Data Base Manager Utilizing Relational Data Base Methodology, Proc 11th Hawaii Intl Conf on System Sciences, Vol 1, pp. 67-84, 1978.
  99. Friesen, O. D., N.S. Davids, and R. E. Brinegar, MRDS/LINUS: System Evaluation, in Relational Database Systems: Analysis and Comparison, J. W. Schmidt and M. L. Brodie, eds., Berlin, Springer-Verlag, 1983.
  100. Gasser, M., A Random Word Generator for Pronouncable Passwords, MTR-3006, The Mitre Corporation, Bedford, MA 01730, ESD-TR-75-97, HQ Electronic Systems Division, Hanscom AFB, MA 01731. 1975. NTIS AD A 017676
  101. Gasser, M., S. R. Ames, and L. J. Chmura, Test Procedures for Multics Security Enhancements, Mitre Corp., Bedford, Mass., NTIS, December 1976.

    (also available as DTIC AD-A034986)

  102. Gasser, M., Top Level Specification of a Security Kernel for Multics Front-End Processor, MTR-3269, Mitre Corp., Bedford, Mass., November 1977.
  103. Gifford, D., Hardware Estimation of a Process's Primary Memory Requirements, Commun. ACM 20, 9, September 1977.

    A minor hardware extension the Honeywell 6180 processor is demonstrated to allow the primary memory requirements of a process in Multics to be approximated. The additional hardware required for this estimate to be computed consists of a program accessible register containing the miss rate of the associative memory used for page table words. This primary memory requirement estimate was employed in an experimental version of Multics to control the level of multiprogramming in the system and to bill for memory usage. The resulting system's tuning parameters display configuration insensitivity, and it is conjectured that the system would also track shifts in the referencing characteristics of its workload and keep the system in tune.

  104. Gilson, J. R., Security and Integrity Procedures., Honeywell Information Systems Inc, Mclean Va, Federal Systems Operations, 21 pages, F19628-74-C-0193, ESD TR-76-294. NTIS ADA040328

    This report covers the procedures required to protect critical phases of the design, development, and certification of a secure Multics. Involved is protection of the security kernel software from unauthorized alteration or sabotage. The facilities of the Government Information Security Program are applied. The program includes protection of a security kernel for Multics and a security kernel for the Secure Communications Processor.

  105. Glaser, Edward L., A brief description of privacy measures in the Multics operating system, Proc AFIPS 1967 SJCC, pp 303-304. 1967.

    The problem of maintaining information privacy in a multi-user, remote-access system is quite complex. Hopefully, without going into detail, some idea can be given of the mechanisms that have been used in the Multics operating system at MIT.

  106. Glaser, E. L., J. F. Couleur, and G. A. Oliver, System design of a computer for time-sharing applications, AFIPS Conf Proc 27, 197-202, 1965.

    In the late spring and early summer of 1964 it became obvious that greater facility in the computing system was required if time-sharing techniques were to move from the state of an interesting pilot experiment into that of a useful prototype for remote access computer systems. Investigation proved computers that were immediately available could not be adapted readily to meet the difficult set of requirements time-sharing places on any machine. However, there was one system that appeared to be extendible into what was desired. This machine was the General Electric 635.

  107. Gligor, Virgil D., Some thoughts on denial-of-service problems, University of Maryland, College Park, MD, 16 Sept. 1982.
  108. Goldstein, R. C., and A. L. Strnad, The MacAIMS Data Management System, ACM SIGFIDET, Houston TX, 1970. 963K
  109. Graham, R. M., Protection in an information processing utility, Commun. ACM 11, 5, 365-369, May 1968. also http://portal.acm.org/citation.cfm?doid=363095.363146

    In this paper we will define and discuss a solution to some of the problems concerned with protection and security in an information processing utility. This paper is not intended to be an exhaustive study of all aspects of protection in such a system. Instead, we concentrate our attention on the problems of protecting both user and system information (procedures and data) during the execution of a process. We will give special attention to this problem when shared procedures and data are permitted.

  110. Graham, Robert M., Gerald J. Clancy, and David B. DeVaney, A software design and evaluation system, Commun. ACM 16, 2, 110,116, Feb 1973.
  111. Gray, Terence E., and Maria M. Pozzo, An Approach to Containing Computer Viruses, Computers & Security, volume 6, issue 4, pp. 321-331. $35.95

    This paper presents a mechanism for containing the spread of computer viruses by detecting at run-time whether or not an executable has been modified since its installation. The detection strategy uses encryption and is held to be better for virus containment than conventional computer security mechanisms which are based on the incorrect assumption that preventing modification of executables by unauthorized users is sufficient. Although this detection mechanism is most effective when all executables in a system are encrypted, a scheme is presented that shows the usefulness of the encryption approach when this is not the case. The detection approach is also better suited for use in untrusted computer systems. The protection of this mechanism in untrusted computing environments is addressed.

  112. Green, Paul, An implementation of SEAL on Multics., S. B. Thesis, Department of Electrical Engineering, M. I. T., Cambridge, May, 1973.
  113. Greenberg, B. S., Multics Emacs: an experiment in computer interaction, Proc Fourth Honeywell Software Conf, March 1980.
  114. Greenberg, B. S., Prose and CONS (Multics Emacs: production text-processing in Lisp), Report on the 1980 LISP Conference, August 1980.

    This paper addresses the choice of Lisp as the implementation language, and its consequences, including some of the implementation issues. The detailed history of Multics Emacs, its system-level design considerations, and its impact on Multics and its user community are discussed in [Greenberg]. One of the immediate and profound consequences of this choice has been to assert Lisp's adequacy, indeed, superiority, as a full-fledged systems and applications programming language. Multics Emacs ...

  115. Greenberg, B. S., "Multics Emacs: The History, Design and Implementation", 1979.

    Multics Emacs is a video-oriented text preparation and editing system running on Honeywell's Multics system, being distributed as an experimental offering in Multics Release 7.0. From the viewpoint of Multics, it represents the first video-management software to be implemented, the first time character-at-a-time-interaction has been used, and a radical and complete departure from other editing and text preparation tools and techniques prevalent on Multics.

  116. Greenberg, B. S., The Multics MACLISP Compiler. The Basic Hackery. A tutorial, 1977.

    If you are not already familiar with LISP, in some detail, including the traditional implementations and value/object issues, you probably should not be reading this.

  117. Greenberg, B. S., and S. H. Webber, The Multics Multilevel Paging Hierarchy, Proc 1975 IEEE Intercon, 1975.

    This paper describes the Multics multilevel paging system, the Page Multilevel algorithm or PML for short, with particular emphasis on the algorithms used to move pages from one level of the storage hierarchy to another. The paper also discusses some of the history and background of the development in particular where it relates to changes in the algorithms. Although Multics has been in working existence for many years, many of its features are still novel and implemented on few if any other operating systems. For this reason, a discussion of some of the terminology as it relates to Multics is also included as background for the reader. Finally, a discussion is presented which predicts probable future developments both on Multics and other systems with respect to hierarchically organized memories (storage hierarchies) in light of what we have learned from Multics.

  118. Greenberger, Martin, The Computers of Tomorrow, Atlantic Monthly, May 1964.

    In the past two decades, thousands of computers have been applied successfully in various industries. How much more widespread will their use become? Martin Greenberger, who is associate professor at the School of Industrial Management of M.I.T., has been working with computers for fourteen years.

  119. Grochow, J. M., MOO in Multics, Software -- Practice and Experience 2, 303-308, 1972. 179K

    PL/I source is online.

  120. Grochow, J. M., Real-time graphic display of time-sharing system operating characteristics, AFIPS Conf Proc 35 (1969 FJCC), AFIPS Press, pp. 379-385, 1969.

    The Graphic Display Monitoring System (GDM) is an experimental monitoring facility for Multics, a general purpose time-sharing system implemented at Project MAC cooperatively with General Electric and the Bell Telephone Laboratories. GDM allows design, systems programming, and operating staff to graphically view the dynamically changing properties of the timesharing system. It was designed and implemented by the author to provide a medium for experimentation with the real-time observation of time-sharing system behavior. GDM has proven to be very useful both as a measuring instrument and a debugging tool and as such finds very general use.

  121. Gumpertz, Richard Henry, The Design and Fabrication of an ARPA Network Interface, Bachelor of Science thesis, M. I. T. Department of Electrical Engineering, July 1973.
  122. Gunson, Alison, Directory of library software for microcomputers: Design and implementation of a STATUS database, and hardcopy output using the Multics Wordpro system, ASIN: B0000CHIWC.
  123. Haggett, Allan G., John R. McFadden, and Peter R. Newsted, Naive user behavior in a restricted interactive command environment, ACM SIGSOC Bulletin, Volume 13, Issue 2-3, p 139 1982. ISBN:0-89791-064-8

    Results are reported showing the changing pattern of command use by introductory business data processing students. Using the ability of the University of Calgary's Honeywell Multics Operating System to tailor a command and response environment, a subset of commands and responses (called GENIE) was set up in a user-friendly environment to facilitate novice students programming at CRT terminals. Frequency and time of usage of all commands was metered and changing patterns of usage emerged as the semester progressed. For example, "help" usage -- which was originally quite extensive and broad -- limited itself over time to questions only about specific topics. Reluctance to use an "audit" facility to capture an interactive session disappeared as the commands for such usage were likened to a movie camera taking pictures over a student's shoulder. It is further noted that specific emphasis was placed on simplifying commands and reducing options.The whole idea of a restricted command environment is compared to the "abstract machine" concept of Hopper, Kugler, and Unger who are building a universal command and response language (NICOLA, a NIce Standard COmmand LAnguage). GENIE is seen as an example of what such an abstract machine could be if the Multics operating system were viewed as a basic or "parent" abstract machine. Interactive environments such as Multics provides are viewed as essential to providing a satisfactory timesharing system for the various, but frequently intermittent uses, in the social sciences.

  124. Hauben, Michael, and Ronda Hauben, Cybernetics, Time-Sharing, Human-computer Symbiosis and Online Communities: Creating a Supercommunity of Online Communities, First Monday, Volume 3, Number 8 - 3 August 1998.
  125. Hebalkar, Prakash Gurunath, Asynchronous cooperative multiprocessing within MULTICS, S.M. Thesis, Department of Electrical Engineering, M.I.T., June 1968.
  126. Henderson, H., and Elliott I. Organick, Considerations in the Design of an XDS Sigma 7 Multics, University of Texas, Department of Computer Science, September, 1969. NTIS AD0713477
  127. Henningan, K. B., Hardware Subverter for the Honeywell 6180, MTR-3280, Dec. 1976, pp. 1-222. 1976. ESD-TR-76-352

    (also available as DTIC AD-A034221)

  128. Hilton, Jarvis Gene, Instructional data base development using MULTICS relational data store, Thesis (M.B.A.)--San Diego State University, 1978..
  129. Hinke, Thomas H., and Marvin Schaefer, Secure Data Management System., System Development Corp, Santa Monica Calif, 197 pages, SDC-TM-(L)-5407/007/00, F30602-74-C-0258, RADC TR-75-266. NTIS ADA019201

    This report describes the design of a Secure Data Management System (DMS) that is to operate on a Secure MULTICS Operating System Kernel. The DMS achieves its security by mapping its data base into the security structure provided by the operating system, with the result that the DMS need contain no security enforcement code. The logical view chosen for the DMS is the relational view of data.

  130. Honeywell, Prototype Secure MULTICS Specification, Preliminary draft, Honeywell Information Systems Inc., Mclean Va Federal Systems Operations, January 1976. NTIS AD-A055 166/3

    The goal of Project Guardian is to design, develop and certify a secure Multics to provide a certified secure multilevel computer utility. This report covers preliminary work in development of a specification describing the characteristics of the secure system.

  131. Honeywell, Multics Security Kernel Certification Plan, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, July 1976. NTIS AD-A055 171/3
  132. Honeywell, Project Guardian (Final Report), ESD-TR-78-115, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, September 1977.
  133. Ikeda, Katsuo, Structure of a computer utility: anatomy of Multics, (in Japanese), 2nd ed, Shokoda Co Ltd, Tokyo, Japan, 1976.
  134. Iuorno, Normand, Rzepka, Kobziar, LaMonica, Douglas White, and McCauley, RADC/MULTICS evaluation, May 1971. RADC-TR-71-121
  135. Janson, Phillippe A., Dynamic linking and environment initialization in a multi-domain process, ACM 5th Symposium on Operating System Principles, 1975.

    As part of an effort to engineer a security kernel for Multics, the dynamic linker has been removed from the domain of the security kernel. The resulting implementation of the dynamic linking function requires minimal security kernel support and is consistent with the principle of least privilege. In the course of the project, the dynamic linker was found to implement not only a linking function, but also an environment initialization function for executing procedures. This report presents an analysis of dynamic linking and environment initialization in a multi-domain process, isolating three sets of functions requiring different sets of access privileges. A design based on this decomposition of the dynamic linking and environment initialization functions is presented.

  136. Janson, P. A., Using Type-Extension to Organize Virtual-Memory Mechanisms, Operating Systems Review, Vol 15 #4 (October 1981) pages 6-38.

    As part of an effort to engineer a security kernel for Multics, the dynamic linker has been removed from the domain of the security kernel. The resulting implementation of the dynamic linking function requires minimal security kernel support and is consistent with the principle of least privilege. In the course of the project, the dynamic linker was found to implement not only a linking function, but also an environment initialization function for executing procedures. This report presents an analysis of dynamic linking and environment initialization in a multi-domain process, isolating three sets of functions requiring different sets of access privileges. A design based on this decomposition of the dynamic linking and environment initialization functions is presented.

  137. Jarvis, J. E., The many faces of Multics, The Computer Journal, 1975; 18: 2-6.
  138. Jones, Malcolm M. et al., The SIMPL Primer, Oct 1971.
  139. Jones, Malcolm M., On-line simulation, ACM CSC-ER, Proc 22d National Conference, 1967.

    An on-line simulation system allows both the user and the computer to cooperate and share the task of performing the simulation. It does this by providing facilities for the user to interact with the computer so that they may both play active roles in the simulation process as it is occurring. Thus, the user may perform some of the simulation functions himself and the computer performs the remaining ones. Alternately, the user may act only as a monitor and observe, verify and record data or modify and redirect the simulation when it strays erroneously from the desired path. A second feature of an on-line simulation system is that it may allow the actual phenomenon being simulated to become a part of the simulation.

  140. Jordan, D. M., Multics Data Security, Scientific Honeyweller 2, 2, June 1981.

    Later published as Honeywell GA01

  141. Kanodia, R. K., Performance improvement in ARPANET file transfers from Multics, Nov 1974. RFC 662
  142. Kaplow, Roy, David Schneider, Franklin C. Smith, and William R. Stensrud, Computer assistance for writing interactive programs: TICS, Proceedings of the 1973 annual ACM conference, August 1973.

    In this paper, we describe an on-line and interactive programming system, TICS(1) (for Teacher-Interactive Computer System), which is aimed at facilitating the authoring of interactive computer programs. The system includes particular features for creating instructional software, and in that application it is intended for direct use by teachers or other persons whose expertise lies in the subject matter being addressed, but not necessarily in computer programming. To that purpose, the system provides a greater degree of computer-assistance for the authoring process itself than has been afforded in earlier languages and programming systems of similar orientation(2-5). TICS is implemented within the M. I. T. Multics time-sharing system (6) in two components: an author system and a delivery system. The former provides the tools for writing, investigating, editing, and trying out programs. The latter provides a special environment for student use of the programs.

  143. Karger, Paul A., The Lattice Security Model In A Public Computing Network, ACM CSC-ER, Proc 1987 National Conference, December 1978.

    This paper defines the lattice security model and shows it to be useful in private sector applications of decentralized computer networks. It examines discretionary security models and shows them to be inadequate to protect against 'Trojan Horse' attacks. It examines the management of large security lattices and proposes solutions to the proliferation of categories problem.

  144. Karger, Paul A., and Roger R. Schell, Multics Security Evaluation: Vulnerability Analysis, ESD-TR-74-193, Vol 2, Electronic Systems Division, USAF, June 1974. NTIS AD-A001 120/5

    A security evaluation of Multics for potential use as a two-level (Secret/Top Secret) system in the Air Force Data Services Center (AFDSC) is presented. An overview is provided of the present implementation of the Multics Security controls. The reports then details the results of a penetration exercise of Multics on the HIS 645 computer. In addition, preliminary results of a penetration excise of Multics on the new HIS 6180 computer are presented. The report concludes that Multics as implemented today is not certifiably secure and cannot be used in an open use multi-level system. However, the Multics security design principles are significantly better than other contemporary systems. Thus, Multics as implemented today, can be used in a benign Secret/Top Secret environment. In addition, Multics forms a base from which a certifiably secure open use multi-level system can be developed.

  145. Karger, Paul A., New Methods for Immediate Revocation, in: Proc 1989 IEEE Symposium on Security and Privacy, Oakland, California, USA: IEEE Computer Society, pp 48-55, May, 1989.
  146. Karger, Paul A., An Implementation of XPL for Multics, SB thesis, June 1972, Massachusetts Institute of Technology: Cambridge, MA.
  147. Karger, Paul A., and Roger R. Schell, Thirty Years Later: Lessons from the Multics Security Evaluation, Proc ACSAC 2002. IBM Research Report RC22534.

    Almost thirty years ago a vulnerability assessment of Multics identified significant vulnerabilities, despite the fact that Multics was more secure than other contemporary (and current) computer systems. Considerably more important than any of the individual design and implementation flaws was the demonstration of subversion of the protection mechanism using malicious software (e.g., trap doors and Trojan horses). A series of enhancements were suggested that enabled Multics to serve in a relatively benign environment. These included addition of "Mandatory Access Controls" and these enhancements were greatly enabled by the fact the Multics was designed from the start for security. However, the bottom-line conclusion was that "restructuring is essential" around a verifiable "security kernel" before using Multics (or any other system) in an open environment (as in today's Internet) with well-motivated professional attacks employing subversion. The lessons learned from the vulnerability assessment are highly applicable today as governments and industry strive (unsuccessfully) to "secure" today's weaker operating systems through add-ons, "hardening", and intrusion detection schemes.

  148. Karger, P. A., D. C. Toll, E. R. Palmer, S. K. McIntosh, S. M. Weber, and J. Edwards, Implementing a High-Assurance Smart-Card OS, Proc Financial Cryptography and Data Security 10. Lecture Notes in Computer Science Vol. 6052, Springer. p. 51-65.

    Building a high-assurance, secure operating system for memory constrained systems, such as smart cards, introduces many challenges. The increasing power of smart cards has made their use feasible in applications such as electronic passports, military and public sector identification cards, and cell-phone based financial and entertainment applications. Such applications require a secure environment, which can only be provided with sufficient hardware and a secure operating system. We argue that smart cards pose additional security challenges when compared to traditional computer platforms. We discuss our design for a secure smart card operating system, named Caernarvon, and show that it addresses these challenges, which include secure application download, protection of cryptographic functions from malicious applications, resolution of covert channels, and assurance of both security and data integrity in the face of arbitrary power losses. The paper is of interest to Multicians, because the Caernarvon operating system uses a clone of the Multics quota mechanism to control usage of the very limited amount of persistent memory on the smart card.

  149. Karger, Paul Ashley, Improving Security and Performance for Capability Systems, PhD thesis, March 1988, Cambridge University.

    This dissertation examines two major limitations of capability systems: an inability to support security policies that enforce confinement and a reputation for relatively poor performance when compared with non-capability systems.

  150. King, Jane, and William A. Shelly, A Family History of Honeywell's Large-Scale Computer Systems, IEEE Annals of the History of Computing Vol. 19, No. 4, October/ December 1997..
  151. Klensin, John Conrad, The Consistent System, Multics version: Handbook of programs and data, Massachusetts Institute of Technology, Laboratory of Architecture and Planning, 1978.
  152. Koch, R. D., TMPLOT -- Transverse Mercator Plot Program for Multics, U.S. Geological Survey (1980).
  153. Kork, John O., Modifications of the IBM Personal Computer Asynchronous Communications Support programs for use with the Multics, U.S. Geological Survey, 1983.
  154. Lackey, R. D., Penetration of Computer Systems, an Overview, Honeywell Computer Journal 8, 2, 1974.
  155. Lahr, J. C., HYPOELLIPSE/MULTICS: A computer program for determining local earthquake hypocentral parameters, magnitude, and first-motion pattern, U.S. Geological Survey Open-File Report 80-59, 59 p..
  156. Lahr, John C., SQUASH/MULTICS: A computer program to be used in conjunction with HYPOELLIPSE to generate an augmented phase data archive, U.S. Geological Survey, 1980.
  157. Landwehr, Carl E., The Best Available Technologies for Computer Security, IEEE Computer 16(7) pp.86-100, July 1983.
  158. Landwehr, Carl E., Alan R. Bull, John P. McDermott, and William S. Choi, A taxonomy of computer program security flaws, ACM Computing Surveys 26, 3, 211-254. Sept. 1994.

    An organized record of actual flaws can be useful to computer system designers, programmers, analysts, administrators, and users. This survey provides a taxonomy for computer program security flaws, with an Appendix that documents 50 actual security flaws. These flaws have all been described previously in the open literature, but in widely separated places. For those new to the field of computer security, they provide a good introduction to the characteristics of security flaws and how they ...

  159. Lee, J. A. N., The Rise and Fall of the General Electric Corporation Computer Department, IEEE Annals of the History of Computing Vol. 17, No. 4: Winter 1995, pp. 24-45. 1995.

    The computer department of the General Electric Corporation began with the winning of a single contract to provide a special purpose computer system to the Bank of America, and expanded to the development of a line of upward compatible machines in advance of the IBM System/360 and whose descendants still exist in 1995, to a highly successful time-sharing service, and to a process control business. Over the objections of the executive officers of the Company the computer department strived to become the number two in the industry, but after fifteen years, to the surprise of many in the industry, GE sold the operation and got out of the competition to concentrate on other products that had a faster turn around on investment and a well established first or second place in their industry. This paper looks at the history of the GE computer department and attempts to draw some conclusions regarding the reasons why this fifteen year venture was not more successful, while recognizing that there were successful aspects of the operation that could have balanced the books and provided necessary capital for a continued business.

  160. Lee, J. A. N., and George E. Snively, The Rise and Sale of the General Electric Corporation Computer Department, IEEE Annals of the History of Computing April-June 2000 (vol. 22 no. 2) pp. 53-60..

    This article is a follow-up and extension of the first author's 1995 Annals article entitled, "The Rise and Fall of the General Electric Corporation Computer Department." It is divided into three parts: a study of the financial implications of rental versus sales in the larger GE environment, a collection of differing views with respect to the GE management paradigm and its effect on the Computer Department, and a set of corrections to the original article.

  161. Lipari, Charles A., An intelligent temperature monitor-control system for the University of Southwestern Louisiana Multics machine room, Thesis USL, 1978.
  162. Lipner, S. B., Computer security research and development requirements, MITRE Corp, Bedford MA, February 1973. MTP-142
  163. Lipner, Steven B., A comment on the confinement problem, Proc 5th symposium on Operating systems principles, November 1975.
  164. Lively, Mark Beirne, Time aspects of paging on MULTICS., MIT thesis, 1971.

    52 pages

  165. Loepere, Keith, Resolving covert channels within a B2 class secure system, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985.

    For a secure computer system in the B2, B3 and A1 classes (as defined by the DoD Trusted Computer System Evaluation Criteria), the problem of confining a process such that it may not transmit information in violation of the *-property is an analyzable and solvable problem.This paper examines the problem of covert channels and attempts to analyze and resolve them relative to satisfying the B2 security requirements. A novel solution developed for the Multics computer system for a class of covert channels is presented.

  166. Loepere, Keith, The covert channel limiter revisited, ACM SIGOPS Operating Systems Review, Volume 23 Issue 2, April 1989.

    In a previous article, I introduced the idea of a mechanism (the covert channel limiter) that would watch for the potential uses of covert channels and affect the responsible process (or process group) only when such potential uses exceeded the allowable bandwidth for covert channels. Recent work involving the design of the Opus operating system (target class B3) has refined and extended this idea. This paper extends the informal basis for the covert channel limiter and extends its possible utility.

  167. Loome, James R., Mark L. Langberg, and Albert J. Thurmond, Wartime Manpower Programing System: Final Report, Management Systems Division, General Research Corporation, 1980. 1063-03-80-CR
  168. Lorho, Bernard, Semantic attributes processing in the system DELTA, Lecture Notes In Computer Science; Vol. 47, Symposium on Methods of Algorithmic Language Implementation, Springer-Verlag, London, UK, 1975. ISBN:3-540-08065-1
  169. Lucas, Henry C., An on-line user information facility for the Multics-time-sharing system (Project MAC), Massachusetts Institute of Technology Project MAC (1967).

    textbookland.com lists the price for this report as 10 trillion dollars.

  170. Mackenzie, Donald, and Garrel Pottinger, Mathematics, Technology, and Trust: Formal Verification, Computer Security, and the U.S. Military, IEEE Annals of the History of Computing Vol. 19, No. 3: JULY-SEPTEMBER 1997, pp. 41-59. Sept 1997.

    A distinctive concern in the U.S. military for computer security dates from the emergence of time-sharing systems in the 1960s. This paper traces the subsequent development of the idea of a "security kernel" and of the mathematical modeling of security, focusing in particular on the paradigmatic Bell-La Padula model. The paper examines the connections between computer security and formal, deductive verification of the properties of computer systems. It goes on to discuss differences between the cultures of communications security and computer security, the bureaucratic turf war over security, and the emergence and impact of the Department of Defense's Trusted Computer System Evaluation Criteria (the so-called Orange Book), which effectively took its final form in 1983. The paper ends by outlining the fragmentation of computer security since the Orange Book was written.

  171. Mainnikko, Sirkku, Multics in the computer world, Master's thesis in social anthropology.
  172. Margulies, Benson I., Security in a Multics environment, USA: Auerbach Publishers Inc. Honeywell Information Systems, 1985.
  173. Margulies, B I, An overview of Multics security, Proc 2nd IFIP international conference on Computer security, Dec 1984.
  174. Mark, Robert K., User oriented, interactive Multics computer programs to create grid cell, contour, and perspective maps using Surface Display Library, U.S. Geological Survey, 1981.
  175. Martin, Thomas Joseph, A performance analysis of the relational data management system, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1976. B.S., 1976.
  176. McCarthy, J., A time-sharing operator program for our projected IBM 709, M. I. T. Computation Center memo, 1959.
  177. McClure, R. M., TMG -- a syntax directed compiler, Proc 20th ACM National Conf, 262-274, 1965.
  178. McGee, R. C., My Adventures with Dwarfs: A Personal History in Mainframe Computers, unpublished manuscript.

    The book is a slice through the history of those mainframe machines as experienced by the author.

  179. McGibbon, Thomas L., MULTICS Long Waveform Analysis System., Pattern Analysis and Recognition Corp Rome N Y, 551 pages, PAR-78-28, F30602-77-C-0090, RADC TR-78-218. NTIS ADA062111

    The objective of the research described in this report was the development and software implementation of a Long Waveform Analysis System (WAVES) on the Honeywell 6180 Computer System running under the MULTICS operating System. The currently operational WAVES System is an open-ended and flexible system for primary use in feature definition and extraction and, as such, serves as a front-end to the MULTICS version of OLPARS (On-Line Pattern Analysis and Recognition System). The development of computer-based interactive feature definition and pattern classification systems has been a continuing program at Rome Air Development Center since 1968. This long standing effort has resulted in the implementation of OLPARS, IFES (the Image Feature Extraction System), IDRS (the Interactive Digital Receiver Simulator System), and WPS (the Waveform Processing System). WAVES represents a furtherance of this continuing effort and a logical expansion and improvement of currently available waveform analysis and feature definition systems.

  180. McRae, J. R., and W. Y. Svrcek, Honeywell Multics: an approach to simplify use of an interactive simulation language, Proc. 1983 Summer Comp. Simul. Conf., 1983, vol. 1, pp. 31-39.

    The simulation of continuous systems, simulation languages in general and CSSLIV in particular are discussed briefly, followed by a description of the attempts made to create a more user friendly environment for the CSSLIV implementation on the Honeywell Multics system at the University of Calgary.

  181. MacLaren, M. Donald, Exception handling in PL/I, ACM SIGOPS Operating Systems Review, 11, 2, April 1977 .

    The PL/I language's facilities for handling exceptional conditions are analyzed. The description is based on the new PL/I standard. Special attention is given to fine points which are not well known. The analysis is generally critical. It emphasizes problems in regards to implementation and structured programming. A few suggestions for future language design are offered.

  182. Michelsen, Christie D., Wayne D. Dominick, and Joseph E. Urban, A methodology for the objective evaluation of the user/system interfaces of the MADAM system using software engineering principles, Proceedings of the 18th annual Southeast regional conference, Tallahassee, Florida, pp 103 - 109. ISBN:0-89791-014-1
  183. Montgomery, W. A., Measurements of Sharing in Multics, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977.

    There are many good arguments for implementing information systems as distributed systems. These arguments depend on the extent to which interactions between machines in the distributed implementation can be minimized. Sharing among users of a computer utility is a type of interaction that may be difficult to provide in a distributed system. This paper defines a number of parameters that can be used to characterize such sharing. This paper reports measurements that were made on the M.I.T. Multics system in order to obtain estimates of the values of these parameters for that system. These estimates are upper bounds on the amount of sharing and show that although Multics was designed to provide active sharing among its users, very little sharing actually takes place. Most of the sharing that does take place is sharing of system programs, such as the compilers and editors.

  184. Moon, David A., MacLISP Reference Manual, Revision 0, Project MAC, Massachusetts Institute of Technology, April 8, 1974.

    From Herbert Stoyan Collection on LISP Programming, Lot Number X5687.2010

  185. Morgan, D., The Multics System, IEEE Trans on Communications 21 10, Oct 1973, pp 1166-1167.

    (A book review of Organick's book.) "The miracle is that it works and provides a level of service sufficient for customers of Honeywell to buy it and M.I.I users to use it. Nevertheless, there must be a better way to achieve an information utility than such a complex system as Multics."

  186. Mullen, R. E., Automated merging of software modifications, Proc Honeywell Software Productivity Symposium, April 1977.

    Parallel modification of software modules by different programming teams is an inherent problem of large scale system software efforts. In the Multics Project experiment and analysis have lead to the development of an interactive program, merge_ascii, which competently merges related texts.

  187. Nandigam, Jagadeesh, EMT : an interactive expert system for Multics tuning, Thesis USL, 1987.
  188. NCSC staff, Department of Defense Trusted Computer System Evaluation Criteria, the "Orange Book", December 1983. DOD 5200.28-STD

    The trusted computer system evaluation criteria defined in this document classify systems into four broad hierarchical divisions of enhanced security protection. They provide a basis for the evaluation of effectiveness of security controls built into automatic data processing system products. The criteria were developed with three objectives in mind: (a) to provide users with a yardstick with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information; (b) to provide guidance to manufacturers as to what to build into their new, widely-available trusted commercial products in order to satisfy trust requirements for sensitive applications; and (c) to provide a basis for specifying security requirements in acquisition specifications. Two types of requirements are delineated for secure processing: (a) specific security feature requirements and (b) assurance requirements. Some of the latter requirements enable evaluation personnel to determine if the required features are present and functioning as intended. The scope of these criteria is to be applied to the set of components comprising a trusted system, and is not necessarily to be applied to each system component individually. Hence, some components of a system may be completely untrusted, while others may be individually evaluated to a lower or higher evaluation class than the trusted product considered as a whole system. In trusted products at the high end of the range, the strength of the reference monitor is such that most of the components can be completely untrusted. Though the criteria are intended to be application-independent, the specific security feature requirements may have to be interpreted when applying the criteria to specific systems with their own functional requirements, applications or special environments (e.g., communications processors, process control computers, and embedded systems in general). The underlying assurance requirements can be applied across the entire spectrum of ADP system or application processing environments without special interpretation.

  189. NCSC staff, Final Evaluation Report for Multics, Evaluated Product Report, August 1985. CSC-EPL-85003

    This report's distribution is still restricted, because NSA used to use Multics in-house. I have written to NSA's Public Affairs Office requesting official permission to obtain it and post it online.

  190. Neumann, P. G., The role of motherhood in the pop art of system programming, Proc Second ACM SOSP, October 1969.

    Numerous papers and conference talks have recently been devoted to the affirmation or reaffirmation of various common-sense principles of computer program design and implementation, particularly with respect to operating systems ad to large subsystems such as language translators. These principles are nevertheless little observed in practice, often to the detriment of the resulting systems. This paper attempts to summarize the most significant principles, to evaluate their applicability in the real world of large multi-access systems, and to assess how they can be used more effectively.

  191. Neumann, P. G., R. J. Feiertag, K. N, Levitt, and L. Robinson, Software Development and Proofs of Multi-Level Security, ICSE, 1976.

    This paper summarizes current research at SRI aimed at developing secure operating systems and verifying certain critical properties of these systems. It is seen that proofs of design properties can be relatively straightforward when the design is specified in suitable formal specification language. These proofs demonstrate the correspondence between the desired properties and a specification of the system design. Various on-line tools aid considerably in this process. In addition, correctness proofs for implementations of such systems are now feasible, because of both various theoretical advances and the use of supporting tools.

  192. National Research Council, System Security Study Committee, Computers at Risk: Safe Computing in the Information Age., Washington, DC: The National Academies Press, 1991.
  193. Oke, Tom, Multics Through the Looking Glass, HLSUA Formu XXXI, October 1980.

    This paper deals with some of the problems encountered at The University of Calgary during the tuning and optimization of system performance. It presents some of the characteristics to be found in both the scheduling system and the virtual memory environment of Multics, and attempts to put forward a heuristic model of system action to permit a tuner to improve performance.

  194. Oldfield, Homer R., King of the Seven Dwarfs: General Electric's Ambiguous Challenge to the Computer Industry, IEEE Computer Society, May 1996. ISBN 0818673834
  195. O'Neill, Judy E., 'Prestige Luster' and 'Snow-Balling Effects': IBM's Development of Computer Time-Sharing, IEEE Annals of the History of Computing Vol. 17, No. 2: Summer 1995, pp. 50-54. 1995.

    In the middle 1960s IBM responded to pressure from its most prestigious customers to hasten the development and availability of computer time-sharing systems. When MIT and Bell Laboratories chose General Electric computers for their new time-sharing system, IBM management feared that the ?prestige luster? of these customers would lead other customers to demand the same capabilities and that there would be a ?snow-balling? effect as more customers rejected IBM computers. IBM worked on a time-sharing product and brought it to market by the end of the decade despite greater-than-expected costs. Meanwhile MIT, Bell Laboratories, and GE worked together on a new time-sharing system known as Multics. By examining IBM?s role in and response to the development of time-sharing, this article illustrates the nontechnological criteria that even high-technology companies use to decide what products to develop and market.

  196. Organick, E. I., The Multics System: An Examination of its Structure, M. I. T. Press, Cambridge MA, 1972. ISBN 0-262-15012-3

    Multics as it was in the 60s. Reprint available from M. I. T. Press.

    This volume provides an overview of the Multics system developed at M.I.T.--a time-shared, general purpose utility like system with third-generation software. The advantage that this new system has over its predecessors lies in its expanded capacity to manipulate and file information on several levels and to police and control access to data in its various files. On the invitation of M.I.T.'s Project MAC, Elliott Organick developed over a period of years an explanation of the workings, concepts, and mechanisms of the Multics system. This book is a result of that effort, and is approved by the Computer Systems Research Group of Project MAC.

    In keeping with his reputation as a writer able to explain technical ideas in the computer field clearly and precisely, the author develops an exceptionally lucid description of the Multics system, particularly in the area of "how it works." His stated purpose is to serve the expected needs of designers, and to help them "to gain confidence that they are really able to exploit the system fully, as they design increasingly larger programs and subsystems."

    The chapter sequence was planned to build an understanding of increasingly larger entities. From segments and the addressing of segments, the discussion extends to ways in which procedure segments may link dynamically to one another and to data segments. Subsequent chapters are devoted to how Multics provides for the solution of problems, the file system organization and services, and the segment management functions of the Multics file system and how the user may employ these facilities to advantage. Ultimately, the author builds a picture of the life of a process in coexistence with other processes, and suggests ways to model or construct subsystems that are far more complex than could be implemented using predecessor computer facilities.

    This volume is intended for the moderately well informed computer user accustomed to predecessor systems and familiar with some of the Multics overview literature. While not intended as a definitive work on this living, ever-changing system, the book nevertheless reflects Multics as it has been first implemented, and should reveal its flavor, structure and power for some time to come.

  197. Ossanna, J. F., and J. H. Saltzer, Technical and human engineering problems in connecting terminals to a time-sharing system, AFIPS Conf Proc 37 (1970 FJCC), 355-362, 1970.
  198. Ossanna, J. F., L. Mikus, and S. D. Dunten, Communications and input-output switching in a multiplexed computing system, AFIPS Conf Proc 27, 231-242, 1965.

    This paper discusses the general communications and input/output switching problems in a large-scale multiplexed computing system.

  199. Padlipsky, M. A., New Multics network software features, Nov 1972. RFC 411
  200. Padlipsky, M. A., Multics sampling timeout change, Feb 1973. RFC 450
  201. Padlipsky, M. A., Multics address change, Nov 1973. RFC 590
  202. Pandolf, MA, Implementing Forth for the multics operating system, Journal of FORTH Application and Research archive Volume 3 , Issue 2 1986.
  203. Parks, Lee S., The Design and Implementation of a Multi-Programming Virtual Memory Operating System for a Mini-Computer, B.S. thesis MIT, May 1979.

    Magic 6 was a paged, segmented, dynamic linked, operating system for the Interdata series of mini-computers inspired by Multics.

  204. Perron, Richard Theodore, Establishing a data channel between Multics and a communications processor., Thesis MIT, 1971.

    36 pages

  205. Peterson, John Raymond, Contour model in Multics, Massachusetts Institute of Technology. Dept. of Electrical Engineering and Computer Science. Thesis. 1975. B.S..
  206. Podlaska-Lando, S., Implementation and evaluation of interval arithmetic software: Report 2: The Honeywell MULTICS System, Technical report - U.S. Army Engineer Waterways Experiment Station, 1979. NTIS B0006X47Z0

    This is Report 2 of a series entitled Implementation and Evaluation of Interval Arithmetic Software. Interval arithmetic can be used to determine the precision of the arithmetic required to guarantee a given precision in the results of an algorithm. In general, whether using interval or regular arithmetic, the greater the precision the longer the run time required for a given algorithm. A 56 decimal digit version of the original MULTICS interval package was implemented on the MULTICS system. It is concluded that the use of single precision and 56 decimal digit extended precision interval arithmetic can, at times, be extremely useful. The testing showed that, when using the 56 decimal digit data type, much better bounds were obtained for the results than when using the single precision interval data type.

  207. Powell, Kit, Evolution of networks using standard protocols, Computer Communications, Volume 3, Issue 3, July 1980, Pages 117-122. doi:10.1016/0140-3664(80)90069-9

    The UK South West Universities Computer Network (SWUCN) was implemented on a homogenous set of computers, before the emergence of accepted standard protocols for networking. The paper outlines problems of evolving from this network to a heterogeneous one, in which standard protocols are used. A particular application of the strategy involved is described that includes the implementation of a network connection using the X.25 Recommendation on the Honeywell Multics system.

  208. Pozzo, M. M., Life Cycle Assurance for Trusted Computer Systems: a Configuration Management Strategy for Multics, 7th DOD/NBS Computer Security Conf, September 1984.
  209. Pugh, Emerson et al., IBMs 360 and early 370 systems, no date.
  210. Radin, George, The early history and characteristics of PL/I, August 1978 SIGPLAN Notices , Volume 13 Issue 8.

    Source material for a written history of PL/I has been preserved and is available in dozens of cartons, each packed with memos, evaluations, language control logs, etc. A remembered history of PL/I is retrievable by listening to as many people, each of whom was deeply involved in one aspect of its progress. This paper is an attempt to gather together and evaluate what I and some associates could read and recall in a few months. There is enough material left for several dissertations. The exercise is important, I think, not only because of the importance of PL/I, but because of the breadth of its subject matter. Since PL/I took as its scope of applicability virtually all of programming, the dialogues about its various parts encompass a minor history of computer science in the middle sixties. There are debates among numerical analysts about arithmetic, among language experts about syntax, name scope, block structure, etc., among systems programmers about multi-tasking, exception handling, I/O, and more.

  211. Ramprasad, B. S., A design and implementation of a hierarchical data store as a front end to Multics relational data store, Computer Science, University of Calgary, 1980.

    114 pages

  212. Rautenberg, Lee Howard, A data communications tutorial and a MULTICS-minicomputer program transfer operating system., MIT thesis, 1972.

    87 pages

  213. Reynolds, G. E., Multics Security Evaluation. Volume IV. Exemplary Performance Under Demanding Workload, Electronic Systems Div Hanscom AFB Mass November, 1976. NTIS AD-A038 231/7
  214. Ritchie, D. M., The evolution of the UNIX time-sharing system, Bell System Technical Journal 63, 8, Oct 1984.

    This paper presents a brief history of the early development of the Unix operating system. It concentrates on the evolution of the file system, the process-control mechanism, and the idea of pipelined commands. Some attention is paid to social conditions during the development of the system.

  215. Ritchie, D. M., The development of the C language, ACM SIGPLAN Notices 28, 3, 201-208 (ACM HOPL-II Conf), March 1993.

    The C programming language was devised in the early 1970s as a system implementation language for the nascent Unix operating system. Derived from the typeless language BCPL, it evolved a type structure; created on a tiny machine as a tool to improve a meager programming environment, it has become one of the dominant languages of today. This paper studies its evolution.

  216. Rus, T., Data Structures and Operating Systems, John Wiley & Sons, Chichester, 1979.
  217. Sabonnadiere, J., G. Meunier, and B. Morel, FLUX: A general interactive finite elements package for 2D electromagnetic fields, IEEE Trans on Magnetics 18, 2, Mar 1982, pp 624-626.

    Achievement of finite element methods leads nowadays to the development of general purpose packages. FLUX, developed by the Laboratoire d'Electrotechnique de l'Institut National Polytechnique de Grenoble is an interactive system in which graphic facilities are combined with a convenient command language to allow a high level of conversational use. FLUX is made of three independent programs : a pre-precessor : ENTREE for geometrical, physical and finite element descriptions of the model, the computation processor RESOL in which equations occurring from finite elements are solved, and, finally EXPLOI, the post-processor for flux plots, field visualisation, forces and torques. FLUX is implemented under the conversational system MULTICS on the HB68 computer of the Centre Inter-universitaire de Calcul de Grenoble. It is available in France through TRANSRAC, the french computer network, and in all western EUROPE through EURONET.

  218. Saltzer, J. H., A simple linear model of demand paging performance, Commun. ACM 17, 4, April, 1974.. Project MAC memo M0131, November 1972

    Predicting the performance of a proposed automatically managed multilevel memory system requires a model of the patterns by which programs refer to the information stored in the memory. Some recent experimental measurements on the Multics virtual memory suggest that, for rough approximations, a remarkably simple program reference model will suffice. The simple model combines the effect of the information reference pattern with the effect of the automatic management algorithm to produce a ...

  219. Saltzer, J. H., and J. F. Ossanna, Remote terminal character stream processing in Multics, AFIPS Conf Proc 36 (1970 SJCC), 621-627, 1970. Project MAC memo M0121, March 1970

    This paper describes system design and human engineering considerations pertinent to the processing of the character stream between a remote terminal and a general-purpose, interactive computer system. The Multics system is used to provide examples of: terminal escape conventions which permit input of a full character set from a limited terminal, single character editing for minor typing mistakes, and reformatting of input text to produce a canonical stored form. A formal description of the Multics canonical form for stored character strings appears in an appendix.

  220. Saltzer, J. H., and J. W. Gintell, The instrumentation of Multics, Commun. ACM 13, No. 8, 495-500, August 1970.

    An array of measuring tools devised to aid in the implementation of a prototype computer utility is discussed. These tools include special hardware clocks and data channels, general purpose programmed probing and recording tools, and specialized measurement facilities. Some particular measurements of interest in a system which combines demand paging with multiprogamming are described in detail. Where appropriate, insight into effectiveness (or lack thereof) of individual tools is provided.

  221. Saltzer, J. H., Some Observations about Decentralization of File Systems, IEEE COMPCON, pages 163-164, September 1971. Multics repository document M0128, May 1971

    An array of measuring tools devised to aid in the implementation of a prototype computer utility is discussed. These tools include special hardware clocks and data channels, general purpose programmed probing and recording tools, and specialized measurement facilities. Some particular measurements of interest in a system which combines demand paging with multiprogamming are described in detail. Where appropriate, insight into effectiveness (or lack thereof) of individual tools is provided.

  222. Saltzer, J. H., Protection and the control of information sharing in the Multics system, Commun. ACM 17, 7, July 1974. also http://portal.acm.org/citation.cfm?doid=361011.361067

    The design of mechanisms to control the sharing of information in the Multics system is described. Five design principles help provide insight into the tradeoffs among different possible designs. The key mechanisms described include access control lists, hierarchical control of access specifications, identification and authentication of users, and primary memory protection. The paper ends with a discussion of several known weaknesses in the current protection mechanism design.

  223. Saltzer, J. H., and M. D. Schroeder, The protection of information in computer systems, Proceedings of the IEEE. Vol. 63, No. 9 (September 1975), pp. 1278-1308.

    This seminal paper collected and established many the of the fundamental principles and terms used in computer security over the last three decades. In addition to the eight "Saltzer/Schroeder Design Principles" and other basic principles of information protection in section 1, it provides an overview of descriptor-based protection systems in section 2, and surveys the state of the art in section 3. Although the paper dates from 1974, most of it is still highly relevant to systems being designed today.

    ABSTRACT: This tutorial paper explores the mechanics of protecting computer-stored information from unauthorized use or modification. It concentrates on those architectural structures--whether hardware or software--that are necessary to support information protection. The paper develops in three main sections. Section I describes desired functions, design principles, and examples of elementary protection and authentication mechanisms. Any reader familiar with computers should find the first section to be reasonably accessible. Section II requires some familiarity with descriptor-based computer architecture. It examines in depth the principles of modern protection architectures and the relation between capability systems and access control list systems, and ends with a brief analysis of protected subsystems and protected objects. The reader who is dismayed by either the prerequisites or the level of detail in the second section may wish to skip to Section III, which reviews the state of the art and current research projects and provides suggestions for further reading.

  224. Saltzer, J. H., Ongoing research and development on information protection, ACM Operating Systems Review 8, 3, pp. 8-24, July, 1974.
  225. Saltzer, J. H., Naming and binding of objects, in R. Bayer, R. M. Graham, and G. Seegmuller (eds.), Operating Systems: An Advanced Course, Springer Verlag, New York, 1979, pp. 99-208. [Appendix A: Case Study of Naming in Multics, pp. 193-208.] 1979.
  226. Saltzer, J. H., On the modeling of paging algorithms, ACM Forum, Commun. ACM 19, 5, May 1976.
  227. Saltzer, J. H., Technical possibilities and problems in protecting data in computer systems, in Dierstein et al., eds, Datenschutz und Datensicherung, J. P. Bachem Verlag, Cologne, 1976.
  228. Salus, Peter H., A Quarter Century of UNIX, Addison Wesley, 1994.
  229. Sawatzky, Don L., REMAPP Multics programmer's guide, Open-file report / U.S. Department of the Interior, Geological Survey, 1980.
  230. Schaefer, Marvin, If A1 is the Answer, What was the Question? An Edgy Naïf's Retrospective on Promulgating the Trusted Computer Systems Evaluation Criteria, Proceedings of the 20th Annual Computer Security Applications Conference, 2004.

    This paper provides an introspective retrospective on the history and development of the United States Department of Defense Trusted Computer System Evaluation Criteria (TCSEC). Known to many as the Orange Book, the TCSEC contained a distillation of what many researchers considered to be the soundest proven principles and practices for achieving graded degrees of sensitive information protection on multiuser computing systems. While its seven stated evaluation classes were explicitly directed to standalone computer systems, many of its authors contended that its principles would stand as adequate guidance for the design, implementation, assurance, evaluation and certification of other classes of computing applications including database management systems and networks. The account is a personal reminiscence of the author, and concludes with a subjective assessment of the TCSEC's validity in the face of its successor evaluation criteria.

  231. Scheffler, Lee J., Optimal folding of a paging drum in a three level memory system, Proceedings of the fourth symposium on Operating system principles, January 1973.

    This paper describes a drum space allocation and accessing strategy called "folding", whereby effective drum storage capacity can be traded off for reduced drum page fetch time. A model for the "folded drum" is developed and an expression is derived for the mean page fetch time of the drum as a function of the degree of folding. In a hypothetical three-level memory system of primary (directly addressable), drum, and tertiary (usually disk) memories, the tradeoffs among drum storage capacity, drum page fetch time, and page fetch traffic to tertiary memory are explored. An expression is derived for the mean page fetch time of the combined drum-tertiary memory system as a function of the degree of folding. Measurements of the MULTICS three-level memory system are presented as examples of improving multi-level memory performance through drum folding. A methodology is suggested for choosing the degree of folding most appropriate to a particular memory configuration.

  232. Schell, R. R., Effectiveness -- the Reason for a Security Kernel, Proceedings of the National Computer Conference, 1974, pp. 975-976. 1974.
  233. Schell, Roger R., Peter J. Downey, and Gerald J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, The MITRE Corporation, Bedford, MA 01730 (Jan. 1973). MCI-73-1

    The military has a heavy responsibility for protection of information in its shared computer systems. The military must insure the security of its computer systems before they are put into operational use. That is, the security must be "certified", since once military information is lost it is irretrievable and there are no legal remedies for redress. Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware. We primarily need an effective means for enforcing very simple protection relationships, (e.g., user clearance level must be greater than or equal to the classification level of accessed information); however, we do not require solutions to some of the more complex protection problems such as mutually suspicious processes. Based on the work of people like Butler Lampson we have espoused three design principles as a basis for adequate security controls:

    1. Complete Mediation -- The system must provide complete mediation of information references, i.e., must interpose itself between any reference to sensitive data and accession of that data. All references must be validated by those portions of the system hardware and software responsible for security.
    2. Isolation -- These valid operators, a "security kernel," must be an isolated, tamper-proof component of the system. This kernel must provide a unique, protected identity for each user who generates references, and must protect the reference-validating algorithms.
    3. Simplicity -- The security kernel must be simple enough for effective certification. The demonstrably complete logical design should be implemented as a small set of simple primitive operations and system database structures that can be shown to be correct.

    These three principles are central to the understanding of the deficiencies of present systems and provide a basis for critical examination of protection mechanisms and a method for insuring a system is secure. It is our firm belief that by applying these principles we can have secure shared systems in the next few years.

  234. Schell, Roger R., Information Security: Science, Pseudoscience, and Flying Pigs, Proceedings 17th Annual Computer Security Applications Conference, 2001, pp 205-216. DOI 10.1109/ACSAC.2001.991537

    The state of the science of information security is astonishingly rich with solutions and tools to incrementally and selectively solve hard problems. In contrast, the state of the actual application of science, and the general knowledge and understanding of existing science, is lamentably poor. Still we face a dramatically growing dependence on information technology, e.g., the Internet, that attracts a steadily emerging threat of well-planned, coordinated hostile attacks. A series of hard-won scientific advances gives us the ability to field systems having verifiable protection, and an understanding of how to powerfully leverage verifiable protection to meet pressing system security needs. Yet, we as a community lack the discipline, tenacity and will to do the hard work to effectively deploy such systems. Instead, we pursue pseudoscience and flying pigs. In summary, the state of science in computer and network security is strong, but it suffers unconscionable neglect.

  235. Schiller, W. L., K. J. Biba, and E. L. Burke, A preliminary specification of a Multics security kernel, MITRE Corp, Bedford MA, April 1975. WP-20119
  236. Schiller, W. L., Design and Abstract Specification of a Multics Security Kernel, MITRE Corp Bedford MA, 1977. NTIS AD-048 576
  237. Schiller, W. L. et al., Top level specification of a Multics security kernel, MITRE Corp, Bedford MA, July 1976. WP-20810
  238. Schiller, W. L., Preliminary Specification of the Answering Service, Multics design note 33, MITRE Corp, Bedford MA, 1976.
  239. Schroeder, M. D., and J. H. Saltzer, A hardware architecture for implementing protection rings, Proc ACM Third SOSP, 42-54, October 1971. Commun. ACM 15, 3, pp.157-170, March 1972. also repository M0126

    Protection of computations and information is an important aspect of a computer utility. In a system which uses segmentation as a memory addressing scheme, protection can be achieved in part by associating concentric rings of decreasing access privilege with a computation. This paper describes hardware processor mechanisms for implementing these rings of protection. The mechanisms allow cross-ring calls and subsequent returns to occur without trapping to the supervisor. Automatic hardware ...

  240. Schroeder, M. D., Engineering a security kernel for Multics, ACM Operating Systems Review 9, 5, pp. 25-32, Proc ACM 5th SOSP, November, 1975.

    This paper describes a research project to engineer a security kernel for Multics, a general-purpose, remotely accessed, multiuser computer system. The goals are to identify the minimum mechanism that must be correct to guarantee computer enforcement of desired constraints on information access, to simplify the structure of that minimum mechanism to make verification of correctness by auditing possible, and to demonstrate by test implementation that the security kernel so developed is capable of supporting the functionality of Multics completely and efficiently. The paper presents the overall viewpoint and plan for the project and discusses initial strategies being employed to define and structure the security kernel.

  241. Schroeder, M. D., Performance of the GE-645 associative memory while Multics is in operation, Proc ACM SIGOPS Workshop on System Performance Evaluation, Harvard, April 1971.

    The Multiplexed Information and Computing Service (Multics) of Project MAC at M.I.T. runs on a General Electric 645 computer system. The processors of this hardware system contain logic for both paging and segmentation of addressable memory. They directly accept two-part addresses of the form (segment number, word number) which they translate into absolute memory addresses through a series of indexed table lookups. To speed this address translation each processor contains a small, fast associative memory which remembers the most recently used address translation table entries. This paper reports the results of performance measurements on this associative memory. The measurements were made by attaching an electronic counter directly to a processor while Multics was in operation, and were taken for several associative memory sizes. The measurements show that for the observed load 16 associative registers are enough.

  242. Schroeder, M. D., D. D. Clark, and J. H. Saltzer, The Multics kernel design project, ACM Operating Systems Review 11, 5, Proc ACM 6th SOSP, West Lafayette, IN, November 1977. MIT LCS RFC 140

    We describe a plan to create an auditable version of Multics. The engineering experiments of that plan are now complete. Type extension as a design discipline has been demonstrated feasible, even for the internal workings of an operating system, where many subtle intermodule dependencies were discovered and controlled. Insight was gained into several tradeoffs between kernel complexity and user semantics. The performance and size effects of this work are encouraging. We conclude that ...

  243. Sebring, Michael M., Eric W. Shellhouse, Mary E. Hanna, and R. Alan Whitehurst, Expert Systems in Intrusion Detection: A Case Study, Proc 11th NCSC, Baltimore, USA: NBS/NCSC: pp.74-81, October 17, 1988.

    Describes MIDAS (Multics Intrusion Detection and Alerting System).

  244. Sekino, A., Response time distribution of multiprogrammed time-shared computing systems, Sixth Annual Princeton Conf on Information Sciences and Systems, Princeton, March 1972.
  245. Sekino, A., Throughput analysis of multiprogrammed virtual-memory computer systems, Proceedings of the 1973 ACM SIGME symposium .

    A model of paging behavior of programs under multiprogramming and a model of dual processor multi-memory processing system with virtual memory are developed. Combining these two models, it is possible to evaluate the throughput of multiprogrammed virtual-memory computer systems realistically. Numerical results obtained by these models are then compared with the measurement data of the Multics system of M.I.T. Finally, the effect of multiprogramming and sharing upon a system's throughput is numerically evaluated.

  246. Shafer, Fred J., Multilevel Computer Security Requirements of the World Wide Military Command and Control System (WWMCCS), LCD-78-106, April 5, 1978.

    The World Wide Military Command and Control System (WWMCCS) is a composite of military command facilities, communications, warning systems, and computers located throughout the world to support military command and control activities. A followup review was conducted to determine whether the multilevel computer security requirements of WWMCCS were being properly provided for by the Department of Defense (DOD) and if Air Force efforts to solve this problem had been properly considered by DOD. At the time of the review, WWMCCS officials had not endorsed or supported Air Force efforts on multilevel computer security even though the Air Force had demonstrated a potential for resolving the shortcomings of WWMCCS software. However, the Air Force terminated its efforts to develop multilevel computer security because of insufficient financing. The Departments of the Army and Navy also have a need for multilevel security in their computerized systems and had been waiting for the developed capability by the Air Force. The apparent need for a multilevel security system and the lack of a concentrated effort to meet it, as well as cancellation of the Air Force program which showed promise of meeting this need, resulted from a lack of centralized responsibility and authority for development of a multilevel system. An office within the Office of the Secretary of Defense should be given budget authority and responsibility for: control of all computer security research and development in DOD; review and approval of computer security requirements for all three services; review and approval of all computer security specifications, methodologies, and procurements; and review and approval of all long-range plans for WWMCCS and the services.

  247. Sibert, Olin, mxload - Read Multics Backup Tapes, HLSUA FORUM, 1988.
  248. Sibert, W. Olin, and Robert W. Baldwin, The Multics encipher_ Algorithm, Cryptologia, Volume 31, Issue 4 October 2007, pages 292 - 304.

    A fast software block encryption algorithm with a 72-bit key was written by (then) Major Roger R. Schell (United States Air Force) in April 1973 and released as part of the source code for the Multics operating system. The design of the Multics encipher_ algorithm includes features such as variable data-dependent rotations that were not published until the 1990s - 20 years after the Multics cipher. This article describes the history and details of the Multics encipher_algorithm and how it was used for Key Generation, File Encryption, and Password Hashing. A cryptographic analysis of the algorithm has not been performed, although similarities are noted with algorithms such as XTEA, SEAL, and RC5.

  249. Spafford, Eugene H., UNIX and Security: The Influences of History, Information Systems Security. Auerbach Publications. 4-3. 1995.

    Unix has a reputation as an operating system that is difficult to secure. This reputation is largely unfounded. Instead, the blame lies partially with the traditional use of Unix and partially with the poor security consciousness of its users. Unix's reputation as a nonsecure operating system comes not from design flaws but from practice. For its first 15 years, Unix was used primarily in academic and computer industrial environments --- two places where computer security has not been a priority until recently. Users in these environments often configured their systems with lax security, and even developed philosophies that viewed security as something to avoid. Because they cater to this community, (and hire from it) many Unix vendors have been slow to incorporate stringent security mechanisms into their systems. This paper describes how the history and development of Unix can be viewed as the source of many serious problems. Some suggestions are made of approaches to help increase the security of your system, and of the Unix community.

  250. Speckman, Wendy S., Multics STATPAC user handbook: Part 2, a guide with examples to basic statistical programs and more advanced general operation, U.S. Geological Survey, 1983.
  251. Spicer, Robert A., MAGIC, computer programs for paleontologists available on MULTICS, Reports-Open file series - United States Geological Survey, 1980.
  252. Spier, M. J., and E. I. Organick, The Multics inter-process communication facility, Proc ACM Second SOSP, 83-91, October 1969.

    Essential to any multi-process computer system is some mechanism to enable coexisting processes to communicate with one another. The basic inter-process communication (IPC) mechanism is the exchange of messages among independent processes in a commonly accessible data base and in accordance with some pre-arranged convention.By introducing several system wide conventions for initiating communication, and by utilizing the Traffic Controller it is possible to expand the basic IPC mechanism into a general purpose IPC facility. The Multics IPC facility is an extension of the central supervisor which assumes the burden of managing the shared data base and of respecting the IPC conventions, thus providing a simple and easy way for the programmer to use the interface.

  253. Spratt, Lindsey L., The transaction resolution journal: extending the before journal, ACM SIGOPS Operating Systems Review, Volume 19 Issue 3, July 1985.
  254. Stachour, Paul, and David Collier-Brown, You Don!t Know Jack About Software Maintenance, Communications of the ACM, Vol. 52 No. 11, Pages 54-58, Nov 2009.

    Long considered an afterthought, software maintenance is easiest and most effective when built into a system from the ground up.

  255. Stamen, Jeffrey P., and Robert M. Wallace, Janus: a data management and analysis system for the behavioral sciences, ACM CSC-ER, Proc 1973 national conference, 1973.

    This paper describes the Janus data management and analysis system which has been designed at the Cambridge Project. A prototype of Janus is currently running on the Multics time-sharing system at M.I.T. The data model for the design of Janus is very general and should be usable as a model for data handling in general, as well as for Janus in particular. The Janus command language is an English-like language based on procedural functions - such as define, display, and delete - which act on logical objects from the data model, such as datasets, attributes and entities. For example, delete-attribute, define-attribute and define-dataset are all commands. The implementation of Janus is interesting for a number of reasons: it runs on the Multics system which has segmented and paged memory; it is based almost entirely on datasets (tables), which describe each other as well as themselves; and it is organized in a functionally modular way that is often talked about, but less often done.

  256. Stanke, Edward C., II, An Associative Processor Study, The RADCAP Project, Rept. for 1 Sep 72-30 Nov 76, Rome Air Development Center, Griffiss AFB N Y, Feb 1978. DTIC ADA052717

    The underlying objective of the Rome Air Development Center Associative Processor (RADCAP) Project is to investigate solutions to data processing problems which strain conventional approaches due to high data rates and heavy processing requirements. One group of data processing functions, those inherent in the USAF Airborne Warning and Control System (AWACS, now called the E-3A), have been chosen as being representative of this class of problems. This report describes the results of a five-year project which involved the implementation of the AWACS functions on the RADCAP testbed system which consists of a STARAN S-1000P associative processor interfaced to a Honeywell Information Systems 645-MULTICS computer (later upgraded to a HIS 6180). Based on these results, the key characteristics of an associative processor to handle this type of problem are identified and some general conclusions as to the applicability of associative/parallel processing to real-world, real-time processing problems are drawn. The report also makes some general statements concerning the future of associative/parallel processing.

  257. Stein, Arthur, Processor and memory allocation in multics and TSS, Thesis (M.B.A.)--Bernard M. Baruch College, 1977.
  258. Stern, J. A., Multics Security Kernel Top Level Specification, ESD-TR-76-368, Honeywell Information Systems Inc Mclean Va Federal Systems Operations, November 1976. NTIS AD-A060 000/7

    Air Force Systems Command terminated the effort which this document describes before the effort reached its logical conclusion. This report is incomplete but was published in the interest of capturing and disseminating the computer security technology that was available at the time of the termination.

  259. Stern, J. A., Discretionary Access Control, memo, 15 March 1976.
  260. Steuert, James, and Jay Goldman, The relational data management system: A perspective, SIGFIDET 1974: Proceedings of the 1974 ACM SIGFIDET (now SIGMOD) workshop on Data description, access and control.

    In this paper, the functional capabilities and economic features of the Relational Data Management System (RDMS) are discussed. RDMS is a generalized on-line data management system written in PL/1 for the Multics operating system. The basic concepts of RDMS are introduced and the similarities between the conventional file concept and the relation concept are discussed. A data-base is shown to be a set of relations. By generalizing the concept of field to be a property of the data-base, and by labeling relations with the names of their columns (fields), relations of a data-base may be implicitly linked by virtue of having a common column or field name (the dataclass name). On-line commands for operations on two such relations which yield a third result relation are illustrated. Other facilities of RDMS, such as computational, report-generation, and query-report packages are discussed. In RDMS, the relation concept is implemented as a matrix of reference numbers which refer to character string datums which are stored elsewhere in distinct dataclass files. In addition to significant storage savings, this allows a single representation-independent logical interface to the storage and access of character string data. RDMS was developed from graduate work done at M.I.T. by L. A. Kraning and A. I. Fillat in 1970 and is now being used by the administrative departments at M.I.T.

  261. Strachey, Christopher, Time-sharing in large fast computers, Proc Int. Conf on Info Processing, UNESCO, June, 1959, 336-341.
  262. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part I. (Description) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 200 pages, F19628-76-C-0197, ESD TR-78-127-VOL-1. NTIS ADA054096

    This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). The purpose of the tool is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirements Analyzer (URA) which can operate in an interactive computer environment. This report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer.

  263. Teichroew, D., A. Hershey, and S. Spewak, User Requirements Language (URL) User's Manual. Part II. (Reference) H6180/Multics/Version 3.2., Michigan Univ Ann Arbor Dept of Industrial and Operations Engineering, 450 pages, F19628-76-C-0197. ESD TR-78-127-VOL-2

    This report is part of a series that deals with a Computer-Aided Design and Specification Analysis Tool (CADSAT). Its purpose is to describe the requirements for information processing systems and to record such descriptions in machine-processable form. The major components of CADSAT are the User Requirements Language (URL) and the User Requirement Analyzer (URA) which can operate in an interactive computer environment. In parts I and II, this report describes how the formal URL may be used to define systems. It explains the language statements available, their use and application on a Honeywell 6180 Multics Computer. This manual describes the User Requirements Language (URL) to be used with Version 3.2 of the User Requirements Analyzer (URA). Part I gives a detailed description of the URL statements available and their use. Part II is a reference manual which gives the proper syntax for each statement.

  264. Turner, Richard, An interactive simulator for MATHILDA-RIKKE on multics: Concept, design and implementation, Computer Science Dept., University of Southwestern, Louisiana, 1977.
  265. US Deputy Assistant Secretary of Defense, Wartime Manpower Planning System ADP System Users Manual, DoD 1100-19-M, March 1987.
  266. US Department of Defense, Computer Security Evaluation Center, DoD Directive 5215.1, October 25, 1982.

    This Directive establishes the DoD Computer Security Evaluation Center (CSEC), provides policy, and assigns responsibilities for the technical evaluation of computer system and network security, and related technical research.

  267. Van Vleck, T. H., An example of industry-university cooperation: Multics, Proc IRIA Tenth Anniversary Conf, Paris, June 1978.
  268. Van Vleck, T. H., and C. T. Clingen, Implementation of security concepts in a large-scale operating system, Proc Honeywell Security Symposium, Monaco, December 1980.
  269. Van Vleck, T. H., and C. T. Clingen, The Multics system programming process, Proc IEEE COMPCON 78, Atlanta, May 1978.

    Reprinted in IEEE Tutorial on Software Maintenance, 1981. Features of the Multics system programming process lead to high programmer productivity with a small programming staff and a finished system with high software reliability. Other workers' predictions of increasing difficulty of system maintenance with time have not been observed; reasons for this are suggested.

  270. Van Vleck, T. H., Control of access to computer system resources, Proc IEEE COMPCON 74, San Francisco, February 1974.
  271. Van Vleck, T. H., The administration and management of Multics, Project MAC Multics Symposium, January 1971.
  272. Van Vleck, Tom, Electronic Mail and Text Messaging in CTSS, 1965-1973, IEEE Annals of the History of Computing Vol. 34, No. 1: January-March 2012, pp. 4-6. DOI 10.1109/MAHC.2012.6

    My colleague Noel Morris and I implemented both an electronic mail command and a text messaging facility for the Massachusetts Institute of Technology's Compatible Time-Sharing System (CTSS) in 1965.

  273. Vestal, Stanley Curtis, Diane Anderson, and Henry Nirsberger, GCOS/Multics File Transfer Facility, Honeywell Information Systems Inc Minneapolis Minn, 440 pages, F30602-73-C-0327, RADC TR-75-137. NTIS ADA013109

    Rome Air Development Center currently operates two R and D computer facilities: an HIS GCOS system and an HIS Multics system. Another Air Force site also operates both a GCOS and a Multics installation. In both cases, the GCOS system has preceded the Multics system by several years. There is thus a large GCOS user applications and data files. Many of these users desire to transfer these programs, applications, and data files from the GCOS environment to the Multics environment in order to take advantage of the unique design features of the Multics system. To facilitate this transfer, and to make the process as simple and easy to use as possible, Rome Air Development Center contracted with Honeywell Information Systems to specify, design, and implement procedures and software to provide an integrated capability for the transfer of information, programs, and procedures from the GCOS to the Multics environment. This technical report describes the activities conducted in the performance of this contract.

  274. Vestal, Stanley Curtis, and Henry Nirsberger, GCOS/Multics File Transfer Tool., Honeywell Information Systems Inc Minneapolis Minn, 157 pages, F30602-75-C-0162, RADC TR-75-312. NTIS ADA019748

    The effort described in this report consisted of enhancements to the GCOS/Multics File Transfer Facility which was developed under contract. The facility provides for the transfer of data files from the GCOS environment to the Multics environment. In particular, data base and file backup facilities, performance monitoring instrumentation, and Inner Ring Program/Data Protection have been added.

  275. Vestal, S. C., T. Krocak, H. S. Schwenk, and A. Levy, Virtual Machine Monitor Performance Analysis, Honeywell Information Systems Inc Minneapolis Minn, 178 pages, F30602-77-C-0097, RADCTR-78-251. NTIS ADA065087

    This report describes the H6180 Virtual Machine Monitor Performance Analysis. Included as part of this report is a description of the Virtual Machine Monitor. This report also includes an approach for enhancing the baseline VMM functionality by use of a service machine to control peripheral sharing. The actual experimentation performed in this effort identifies the feasibility of a VMM in a Programming Environment and the performance tradeoffs required for its optimized utilization.

  276. Vinograd, D. R., What's a system to do? -- Assuring system data integrity, Proc IEEE Conf, September 1971.
  277. Vyssotsky, V. A., F. J. Corbató, and R. M. Graham, Structure of the Multics Supervisor, AFIPS Conf Proc 27, 203-212, 1965.

    This paper is a preliminary report on a system which has not yet been implemented. Of necessity, it therefore reports on status and objectives rather than on performance.

  278. Wade, W., M. Mortara, P. Leong, and V. Frost, Interactive Communication Systems Simulation Model--ICSSM, IEEE Journal on Selected Areas in Communications 2, 1, Jan 1984, pp 102-128.

    The design of ICSSM, a nonreal time computer-aided simulation and analysis tool for communications systems, is presented, ICSSM is capable of supporting modeling, simulation, and analysis of any system representable in terms of a network of multiport functional blocks. Its applicability is limited only by the modeler's ingenuity to decompose the system to functional blocks and to represent these functional blocks algorithmically. ICSSM has been constructed modularly, consisting of five subsystems to facilitate the tasks of formulating the model, exercising the model, evaluating and showing the simulation results, and storing and maintaining a library of modeling elements, analysis, and utility subroutines. It is written exclusively in ANSI Standard Fortran IV language, and is now operational in a Honeywell DPS 7/80 M computer under the MULTICS Operating System. Description of a recent simulation using ICSSM and some generic modules of general interest developed as a result of the modeling work are also presented.

  279. Walden, David, and Tom Van Vleck, Compatible Time Sharing System (1961-1973) Fiftieth Anniversary Commemorative Overview, IEEE Computer Society, Washington DC, 2011. 3MB

    The IEEE Computer Society History Committee prepared a document in June 2011 in honor of the 50th anniversary of CTSS, edited by Dave Walden and Tom Van Vleck. It contains an extensive bibliography and interviews with Corby, Marge Daggett, Bob Daley, Peter Denning, David Alan Grier, Dick Mills, Roger Roach, Allan Scherr, and Tom Van Vleck.

  280. Waldrop, M. Mitchell, The Dream Machine: J. C. R. Licklider and the Revolution That Made Computing Personal, Viking Press, 2001.

    The history of time-sharing and networks and ARPA's part in supporting the activities. It has one or two chapters which focus on CTSS and Multics. It also includes the saga of PARC.

  281. Walter, K. G., J. M. Gilligan, S. I. Schaen, W. F. Ogden, W. C. Rounds, D. G. Shumway, D. D. Schaeffer, K. J. Biba, F. T. Bradshaw, and S. R. Ames, Structured specification of a Security Kernel, Proceedings of the SIGPLAN international conference on Reliable software, pp 285 - 293, Los Angeles, California, 1975.

    Certifying an entire operating system to be reliable is too large a task to be practicable. Instead, we are designing a Security Kernel which will provide information security. The kernel's job is to monitor information flow in order to prevent compromise of security. Sound design is encouraged by using a technique called Structured Specification, in which successively more detailed models of the Security Kernel are developed. The initial model, M0, is an abstract description which formalizes governmental security applied to computer systems. Subsequent levels of modeling provide increasingly more detail, and gradually the models begin to resemble a particular system (Multics in this case). The second model, M1, defines a tree-structured file system, and an interagent communication system while M2 adds details concerning segmentation in a dynamic environment. It is intended that the final level of modeling will specify the primitive commands for the kernel of a Multics-like system and will enumerate precisely those assertions which must be proved about the implementation in order to establish correctness.

  282. Walter, K. G., W. F. Ogden, W. C. Rounds, F. T. Bradshaw, S. R. Ames, and D. G. Shumway, Primitive Models for Computer Security, 23 January 1974, Case Western Reserve University, Cleveland, OH: HQ Electronic Systems Division, Hanscom AFB, MA.. ESD-TR-74-117
  283. Watson, R., Time-Sharing System Concepts, McGraw Hill, 1970.
  284. Weeldreyer, J. A., and O. D. Friesen, Multics Relational Data Store: An Implementation of a Relational Data Base Manager, Proc 11th Hawaii Intl Conf on System Sciences, Vol 1, pp. 52-66. 1978.
  285. Weizenbaum, Pm, Creating a campus on-line news system, Proceedings of the 4th annual international conference on Systems documentation .

    Information Systems, MIT's campus-wide computing service organization, recently reorganized and strengthened its resources. Out of this recent effort came the decision to explore several ways of reporting on the expanded range of systems and services we offer. One service that central computing facilities must provide is timely notice of changes to the supported systems. This paper presents the design and implementation of Information Systems' "On-Line News System", which keeps users updated about changes in the wide variety of services offered by Information Systems.

  286. Whiteside, Thomas, Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud, New York: Thomas Y. Crowell Co., NY, 1978. ISBN 0-690-01743-X
  287. Whitmore, Jerold, André Bensoussan, Paul Green, Douglas Hunt, Andrew Kobziar, and Jerry Stern, Design for Multics security enhancements, ESD AFSC Hanscom AFB Mass, 1974. ESD-TR-74-176

    The results of a 1973 security study of the Multics Computer System are presented detailing requirements for a new access control mechanism that would allow two levels of classified data to be used simultaneously on a single Multics system. The access control policy was derived from the Department of Defense Information Security Program. The design decisions presented were the basis for subsequent security enhancements to the Multics system.

  288. Whitmore, J., A. Bensoussan, P. Green, D. Hunt, and A. Kobziar, Design for Multics Security Enhancements, Honeywell Information Systems Inc., Cambridge Mass,, December 1973. NTIS AD-A030 801/5

    The results of a 1973 security study of the Multics computer system are presented detailing requirements for a new access control mechanism that would allow two levels of classified data to be used simultaneously on a single Multics system. The access control policy was derived from the Department of Defense Information Security Program. The design decisions presented were the basis for subsequent security enhancements to the Multics system.

  289. Withington, P. T., Design and Abstract Specification of a Multics Security Kernel, Volume 2, MITRE Corp Bedford MA, March 1978. NTIS AD-A053 148/3
  290. Withington, P. T., A Secure Flat File System for Multics, MITRE Corp Bedford MA. no date.
  291. Wolman, B. L., Debugging PL/I programs in the Multics environment, AFIPS Conf Proc 41, Part I, (1972 FJCC), 507-514, AFIPS Press, 1972.

    One of the popular misconceptions concerning PL/I is that programs written in PL/I are necessarily inefficient and hard to debug. Several years experience with the Multics PL/I compiler running on the Honeywell 645 has shown that in spite of the apparent complexity of the PL/I language, PL/I programs are easily debugged in the Multics environment, even by novice users who are newcomers to PL/I and are unfamiliar with the Honeywell 645. In most cases the user can debug his program symbolically without having to refer to a listing of the generated instructions or add debugging output statements to the program. This is due to a number of factors: * the run-time environment provided by the system. * the implementation of PL/I. * the availability of a variety of powerful debugging facilities.

  292. Woodward, J. P. L., Design and Abstract Specification of a Multics Security Kernel. Volume 3, MITRE Corp Bedford MA, March 1978. NTIS AD-A053 149/1
  293. Yntema, Douwe B., Arthur P. Dempster, John P. Gilbert, John C. Klensin, Wren M. McMains, William Porter, Jeffrey P. Stamen, and Raymond A. Wiesen, The Cambridge Project's Consistent System, Proceedings of the ACM annual conference, August 1972.

    One of the main goals of the Cambridge Project is a Consistent System of programs, data, and models for use in the behavioral sciences. A framework for the System has been constructed on the Multics time-sharing system at M.I.T., and a collection of programs has begun to accumulate within it. This session will be devoted to that framework and to three examples of subsystems that are being fitted into it. They will be described briefly, and the reasons why they are expected to be more useful when surrounded by the rest of the Consistent System will be discussed.

  294. Yntema, Douwe B., The Cambridge Project: Computer Methods for Analysis and Modeling of Complex Systems, Massachusetts Institute of Technology, AD-783 626, pp. 1-29 , Feb. 1974. DTIC AD0783626

    The Cambridge Project is a cooperative effort by a number of scientists at M.I.T. and Harvard; its purpose is to make the digital computer more useful and usable by scientists in the basic and applied behavioral sciences, and in other sciences that have similar computing problems. The most notable single achievement of the half year covered in this report was the transfer of the entire Consistent System from the old Multics computer, which was a Honeywell 645, to a new Multics computer, a Honeywell 6180, and the subsequent transfer to another 6180 operated by the Air Force Data Services Center.

Interviews

  1. Campbell-Kelly, Martin, Paul Ceruzzi, Daniel Bricklin, and Robert M. Frankston, Oral history interview with Dan Bricklin and Bob Frankston, Martin Campbell-Kelly and Paul Ceruzzi, 7 May 2004, Needham, Massachusetts..

    Dan Bricklin and Bob Frankston discuss the creation of VisiCalc, the pioneering spreadsheet application. Bricklin and Frankston begin by discussing their educational backgrounds and experiences in computing, especially with MIT's Multics system. Bricklin then worked for DEC on typesetting and word-processing computers and, after a short time with a small start-up company, went to Harvard Business School. After MIT Frankston worked for White Weld and Interactive Data. The interview examines many of the technical, design, and programming choices in creating VisiCalc as well as interactions with Dan Fylstra and several business advisors. Bricklin comments on entries from his dated notebooks about these interactions. The interview reviews the incorporation of Software Arts in 1979, then describes early marketing of VisiCalc and the value of product evangelizing.

  2. Frenkel, K. A., and F. J. Corbató, An interview with Fernando Jose Corbató, Commun. ACM 34 No. 9, September 1991.

    All systems will fail. The question is not whether some mishap will happen, but rather what to do when it does occur. In this Turing Award address, Corbató examines the problems associated with the development of ambitious or complex systems and identifies why they always fail. Sources of complexity that contribute to this failure include the number of personnel required, the levels of management, the lack of willingness to report bad news, and the inability of any one person to understand the complete system. He offers solutions to each of these problems, including simplicity in design, use of metaphors, constrained languages for design, anticipation of errors, design for modification, cross education of team members, and learning from past mistakes. Frenkel's interview, conducted after Corbató's Turing Award lecture, complements it. The questions and answers provide a comprehensive overview of the development of the time-sharing systems CTSS and Multics, and a good overview of some of the individuals involved in these efforts. One of the most interesting parts of this interview is the support (or lack of interest) of some of the major computer manufacturers in the 1960s, including GE, IBM, and DEC. The support of Bell Labs for Multics and its eventual disengagement are examined. The relationship between UNIX and Multics is discussed in some detail, as are the problems in the development of these systems. The discussion concludes with an examination of the transition from mainframes to workstations and PCs. (Thomas C. Richards)

  3. Lee, J. A. N., Robert Rosin, F. J. Corbató, R. M. Fano, M. Greenberger, J. C. R. Licklider, D. T. Ross, and A. L. Scherr, The Project MAC Interviews, IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 14-35, Apr-Jun, 1992.

    On the day following the Celebration of the 25th anniversary of Project MAC held in Cambridge on October 16 and 17, 1988, two small groups of participants in the developments of CTSS and Project MAC met to exchange recollections about their activities. These interviews are separated into two parts, concentrating on each of the two developmental stages of time-sharing, although it was impossible to strictly maintain the separation since the discussions naturally overlapped the time periods. By choice, the interviewers guided the discussion to concentrate on the more personal and background aspects of this history, since the technological history has been well documented in the open literature.

  4. Morris, Errol, T. H. Van Vleck, F. J. Corbató, R. M. Fano, and J. H. Saltzer, Did My Brother Invent E-Mail With Tom Van Vleck?, conducted by Errol Morris in June 2011, New York Times Opinionator blog.

    Interviews about the development of CTSS, electronic mail, and Multics with Van Vleck, Corbató, Fano, and Saltzer.

  5. Norberg, Arthur L., and F. J. Corbató, An interview of Fernando Corbató, conducted by Arthur L. Norberg on 18 April 1989 and 14 November 1990, Charles Babbage Institute call number OH 162.

    Corbató discusses computer science research, especially time-sharing, at the Massachusetts Institute of Technology (MIT). Topics in the first session include: Phil Morse and the establishment of the Computation Center, Corbató's management of the Computation Center, the development of the WHIRLWIND computer, John McCarthy and research on time-sharing, cooperation between International Business Machines (IBM) and MIT, and J. C. R. Licklider and the development of Project MAC. Topics in the second session include: time-sharing, the development of MULTICS by the General Electric (GE) Computer Division, IBM's reaction to MIT working with GE, the development of CTSS, the development of UNIX in cooperation with Bell Labs, interaction with the Information Processing Techniques Office of the Defense Advanced Research Projects Agency, interaction with Honeywell after they purchased GE's Computer Division, and the transformation of Project MAC into the Laboratory for Computer Science.

  6. Norberg, Arthur L., and R. M. Fano, An interview of Robert M. Fano, conducted by Arthur L. Norberg on 20-21 April 1989, Charles Babbage Institute call number OH 165.

    Fano discusses his move to computer science from information theory and his interaction with the Advanced Research Projects Agency (ARPA). Topics include: computing research at the Massachusetts Institute of Technology (MIT); the work of J. C. R. Licklider at the Information Processing Techniques Office of ARPA; time-sharing and computer networking research; Project MAC; computer science education; CTSS development; System Development Corporation (SDC); the development of ARPANET; and a comparison of ARPA, National Science Foundation, and Office of Naval Research computer science funding.

  7. O'Neill, Judy E., and Jack B. Dennis, An Interview with Jack Dennis, Judy O'Neill and Jack Dennis, 31 Oct 1989, Cambridge, Massachusetts..

    Dennis describes his educational background and work in time-sharing computer systems at the Massachusetts Institute of Technology (MIT). The interview focuses on time-sharing. Dennis discusses the TX0 computer at MIT, the work of John McCarthy on time-sharing, and the influence of the Information Processing Techniques Office of the Advanced Research Projects Agency (later the Defense Advanced Research Projects Agency) on the development of time-sharing. Dennis also recalls the competition between various firms, including Digital Equipment Corporation, General Electric, Burroughs, and International Business Machines, to manufacture time-sharing systems. He describes the development of MULTICS at General Electric.

  8. Walden, David, and F. J. Corbató, Fernando Corbató, IEEE Annals of the History of Computing Vol. 34, No. 1: January-March 2012, pp. 83-87. DOI 10.1109/MAHC.2012.8

    An interview with Corby by Dave Walden, IEEE History Commitee

  9. Webber, Steven H., and F. J. Corbató, Oral History of Fernando Corbató conducted by Steven Webber on February 1, 2006, Computer History Museum reference number X3438.2006.

    Fernando Corbató reviews his early educational and naval experiences in the Eddy program during World War II. Corbató attended Cal Tech and MIT, where he received his PhD under the tutelage of Professor Phil Morse and worked with Whirlwind. A detailed exploration of Corbató's time-sharing systems projects including the Compatible Time-Sharing System (CTSS), Project MAC, and Multics completes the oral history.

  10. Yost, Jeffrey R., and Roger R. Schell, An interview with Roger R. Schell, Ph.D, conducted by Jeffrey R. Yost on 1 May 2012, Charles Babbage Institute call number OH 405. OH 405

    Dr. Roger R. Schell, a retired U.S. Air Force Colonel and current president of AEsec Corporation, is one of the foremost contributors to and authorities on "high assurance" computer security. In this oral history he discusses his formulation of the secure kernel and reference monitor concepts (in the early 1970s), his work that led to security enhancements to Honeywell-Multics (mid-1970s), his role as deputy director of the National Computer Security Center (including leadership on TCSEC or "The Orange Book" in the early to mid-1980s), and commercial (high assurance) computer security enterprises he's led since retiring from the Air Force.

  11. Yost, Jeffrey R., and David Elliott Bell, Oral history interview with David Elliott Bell, Oral history interview by Jeffrey R. Yost, 24 September 2012, Reston, VA. Charles Babbage Institute, University of Minnesota call number OH411.. OH 411

    David Elliott Bell is a mathematician and computer security pioneer who co-developed the highly influential Bell-LaPadula security model. This interview discusses the context of his pivotal computer security work at MITRE Corporation, and his later contributions at the National Security Agency and Trusted Information Systems (including his leadership on TIS's Trusted Xenix B2-rated system).

  12. Yost, Jeffrey R., and Thomas H. Van Vleck, Oral history interview with Thomas Van Vleck, conducted by Jeffrey R. Yost on 24 October 2012, Charles Babbage Institute call number OH 408. OH 408

    Thomas Van Vleck is a time-sharing and computer security pioneer. As a user he worked with MIT's Compatible Time-Sharing System (CTSS) and MULTICS as a MIT student prior to helping to design enhancements (including security enhancements) to the MULTICS system first as a technical staff member at MIT and later on Honeywell-MULTICS as a technical staff member and manager at Honeywell. The interview discusses the security issues/risks on CTSS that resulted in modest changes (password protection) to CTSS and influenced the far more extensive security design elements of MULTICS. His long association w/ MULTICS in both the MIT and Honeywell setting provides unique perspective on the evolution of MULTICS security over the long term. He also briefly discusses his post-Honeywell career working on computer security as a manager at several other firms.

  13. Yost, Jeffrey R., and Steven B. Lipner, Oral history interview with Steven B. Lipner, conducted by Jeffrey R. Yost on 15 August 2012, Charles Babbage Institute call number OH 406. OH 406

    Steven B. Lipner is a computer security pioneer with more than 40 years of experience as a researcher, development manager, and general manager in IT Security. He helped form and served on the Anderson Panel for the Air Force in the early 1970s (was MITRE's representative), oversaw path breaking computer security high assurance mathematical model work at MITRE later that decade, was a leader in Digital Equipment Corporation's (DEC) effort to build an A1 (TCSEC certification) system in the 1980s, and led the creation of Microsoft's Security Development Lifecycle in the 2000s. This interview focuses primarily on Lipner's involvement on the Anderson Panel, his work at MITRE, and his work at DEC.

  14. Yost, Jeffrey R., and Peter G. Neumann, Oral history interview with Peter G. Neumann, conducted by Jeffrey R. Yost on 03 Jun 2013, Charles Babbage Institute call number OH 425. OH 425

    In this interview, computer security pioneer Peter G. Neumann relates his education at Harvard University (A.B. in Math, S.M. and Ph.D. in Applied Math), including an influential (to his perspective and career) two-hour long meeting/discussion as an undergraduate with Albert Einstein (discussing "complexity" and other topics). The vast majority of the interview addresses the many facets of his highly influential career in computer security research. With regard to the latter, this includes discussion of his work at Bell Labs and extensive involvement with MULTICS security, and his subsequent four-decade (and continuing) career as a research scientist at SRI International. He tells of his work and leadership with the Provably Secure Operating System (PSOS), research and writing on risks (including moderating the ACM Risks Forum), insider misuse and intrusion-detection systems (IDES, NIDES, EMERALD), and his current work on two DARPA-funded projects that builds on key lessons of the past to design and develop secure/trustworthy computer systems. He also relates the computer security research infrastructure and how it evolved, as well as comments on a number of other topics such as the major computer security conferences and the range of perspectives of researchers in the computer security research community.

  15. Yost, Jeffrey R., and Daniel J. Edwards, Oral history interview with Daniel J. Edwards, conducted by Jeffrey R. Yost on 02 Jul 2013, Charles Babbage Institute call number OH 427. OH 427

    In this oral history, computer security pioneer Daniel Edwards discusses his long-term career as a computer security researcher at the National Security Agency (NSA). He discusses Trojan Horse attacks, a term he introduced in the computer security field to describe a particular type of computer security vulnerability of hidden malicious code within a seemingly harmless program. He provides perspective on the evolving relationship of communications security (COMSEC) and computer security (COMPUSEC) at the NSA. Edwards became part of the NSA's National Computer Security Center and was principally involved with the development of the NCSC's/DOD's Trusted Computer Security Evaluation Criteria (TCSEC) and elaborates on the processes and considerations in developing and refining this influential set of computer security standards.

  16. Yost, Jeffrey R., and Peter J. Denning, Oral history interview with Peter J. Denning, conducted by Jeffrey R. Yost on 10 April 2013, Charles Babbage Institute call number OH 423. OH 423

    This interview focuses on Peter Denning's pioneering early contributions to computer security. This includes discussion of his perspective on CTSS and Multics as a graduate student at MIT, pioneering (with his student Scott Graham) the critical computer security concept of a reference monitor for each information object as a young faculty member at Princeton University, and his continuing contributions to the computer security field in his first years as a faculty member at Purdue University. Because of an extensive, career spanning oral history done with Denning as part of the ACM Oral History series (which includes his contributions as President of ACM, research on operating systems, and principles of computer science), this interview is primarily limited to Denning's early career when computer security was one of his fundamental research areas.

Newspaper & magazine articles about Multics

  1. Fano, Robert M., Excerpts from "The MAC System: A Progress Report", IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 10-11, Apr-Jun, 1992.
  2. Fano, Robert M., The Computer Utility and the Community, IEEE Annals of the History of Computing, vol. 14, no. 2, pp. 39-41, Apr-Jun, 1992.
  3. Frankston, Robert M., Nonhistory of IBM Time-Sharing, (letter), IEEE Annals of the History of Computing, vol. 18, no. 3, pp. 72-73, Fall, 1996.

    Yes, Multics was a market failure but not because the market had changed. It was because Honeywell (which bought out the GE computer division) worked hard not to sell it. ...Did the world pass Multics by? As noted above, Honeywell wounded it and then eventually killed it. But Unix, though weak as an implementation of Multics, has achieved great success in the marketplace.

  4. Gedda, Rodney, CIO Blast from the Past: 40 years of Multics, 1969-2009, CIO.

    October 2009 marked an important milestone in the history of computing. It was exactly 40 years since the first Multics computer system was used for information management at the Massachusetts Institute of Technology.

  5. Kornel, Amiel, Honeywell decision puts Groupe Bull in sticky situation, Computerworld Vol. XX, No. 2, p 15, January 13, 1986.
  6. Korzeniowski, Paul, Honeywell phasing out Multics line, Computerworld, Vol. XX, No. 2, p 1, January 13, 1986.
  7. Lee, J. A. N., Time-Sharing at MIT: Introduction, IEEE Annals of the History of Computing vol. 14, no. 1, pp. 13-15, Jan.-Mar. 1992.

    Introduction to an issue describing the beginnings of time-sharing at MIT.

  8. Metcalfe, Bob, Internet services moving us back toward Multics utility computing of old, InfoWorld, October 18, 1999.
  9. Schell, R. R., "Computer Security: The Achilles' Heel of the Electronic Air Force", Air University Review, January - February 1979, p. 16, 1979.

    It is not easy to make a computer system secure, but neither is it impossible. The greatest error is to ignore the problem.

  10. staff, Honeywell introduces commercial version of its large Multics computer system, Wall Street Journal, p 9, January 18, 1973.
  11. staff, FORD WEIGHING HONEYWELL BOYCOTT?, Datamation, In the LOOK AHEAD column, p. 10., June 1, 1986.
  12. Verity, John W., Multics users face their maker, Datamation, Vol. 32, No. 9, 102-112, May 1, 1986.
  13. Whiteside, Thomas, Dead Souls in the Computer, The New Yorker, 29 Aug 1977, pp 59-62.
  14. Yadron, Danny, Man Behind the First Computer Password: It's Become a Nightmare, Digits: WSJ blog.

    In the early 1960s, Fernando Corbató helped deploy the first known computer password.

Videos

  1. Corbató, Fernando J., Timesharing: A Solution to Computer Bottlenecks, John Fitch, MIT Science Reporter, May 16, 1963. (27:38 video)

    Aired on WGBH-TV Boston. The initial sequence shows the CTSS account of M1416 786 (Bob Daley) running a square root program.

  2. Fano, Robert M., Prof. Fano explaining scientific computing, ARPA film. (9:28 video)

    Short film from 1964 taken in Prof. Fano's Project MAC office. He uses CTSS from an Model 35 Teletype.

MIT Project MAC TRs and TMs

Source: LCS document handed out at the Project MAC 25th reunion, updated by Jerry Saltzer 5/8/98. The Library 2000 project at MIT scanned many old MAC TRs and the images were available on a server provided by the MIT libraries.

See also the LCS on-line list of publications.

  1. Bawden, Alan, Glenn S. Burke, and Carl W. Hoffman, MacLisp Extensions, MAC-TM-203, July 1981.
  2. Benedict, Gordon, An Enciphering Module for Multics, MAC-TM-50 (Lucifer for Multics), 7-1-1974.
  3. Bratt, R. G., Minimizing the naming facilities requiring protection in a computer utility, MAC-TR-156 (S.M. thesis), September 1975. 6.5M

    This thesis examines the various mechanisms for naming the information objects stored in a general-purpose computing utility, and isolates a basic set of naming facilities that must be protected to assure complete control over user interaction and that allow desired interactions among users to occur in a natural way. Minimizing the protected naming facilities consistent with the functional objective of controlled, but natural, user interaction contributes to defining a security kernel for a general-purpose computing utility. The security kernel is that complex of programs that must be correct if control on user interaction is to be assured. The Multics system is used as a test case, and its segment naming mechanisms are redesigned to reduce the part that must be protected as part of the supervisor. To show that this smaller protected naming facility can still support the complete functionality of Multics, a test implementation of the design is performed. The new design is shown to have a significant impact on the size and complexity of the Multics supervisor.

  4. Clark, D. D., R. M. Graham, J. H. Saltzer, and M. D. Schroeder, The classroom information and computing service, MAC-TR-80, January 1971.

    This report describes the Classroom Information and Computing Service (Clics), a pedagogical computer-based information system that is used as a case study in the subject "Information Systems" in the Department of Electrical Engineering at M.I.T. Clics is an abstraction of the Multiplexed Information and Computing Service (Multics) that is being implemented by Project MAC at M.I.T. As such, it is an example of a computer utility. Clics is derived from Multics by a combination of simplifying the mechanisms of Multics and removing some of its more exotic features; and embodies research into ways to simplify the mechanisms of Multics without sacrificing service objectives. This report is a specification of the hardware, control programs, and system implementation language of the Clics system, as developed to date. The system is specified in sufficient detail for students to develop a structural as well as a functional understanding of its operation and mechanisms. As the primary case study for an undergraduate subject, Clics provides specific examples of the complexities in a general purpose information system, and methods of coping with them.

  5. Clark, D. D., An input-ouput architecture for virtual memory computer systems, MAC-TR-117 (Ph.D. thesis), January 1974. 7.2M

    In many large systems today, input/output is not performed directly by the user, but is done interpretively by the system for him, which causes additional overhead and also restricts the user to whatever algorithms the system has implemented. Many causes contribute to this involvement of the system in user input/output, including the need to enforce protection requirements, the inability to provide adequate response to control signals from devices, and the difficulty of running devices in a virtual environment, especially a virtual memory. The goal of this thesis was the creation of an input/output system which allows the user the freedom of direct access to the device, and which allows the user to build input/output control programs in a simple and understandable manner. This thesis presents a design for an input/output subsystem architecture which, in the context of a segmented, paged, time-shared computer system, allows the user direct access to input/output devices. This thesis proposes a particular architecture, to be used as an example of a class of suitable designs, with the intention that this example serve as a tool in understanding the large number preferable form.

  6. Clark, D. D., Ancillary reports: kernel design project, MAC-TM-87, June 1977.

    contents:

    1. Repaired Security Bugs in Multics (2/7/73) by J. H. Saltzer. (reprint of RFC-5)
    2. A Census of Ring 0 (9/5/73) by V. L. Voydock (reprint of RFC-37)
    3. Some Multics Security Holes which were Closed by 6180 Hardware (1/28/74) by J. H. Saltzer, P. A. Janson, D. H. Hunt (reprint of RFC-46)
    4. Some Recently Repaired Security Holes of Multics (1/28/74) by J. H. Saltzer, D. H. Hunt (reprint of RFC-47)
    5. Patterns of Security Violations: Multiple References to Arguments (11/8/74) by H. C. Forsdick, D. P. Reed (reprint of RFC-59)
    6. A Two-Level Implementation of Processes for Multics (9/8/76) by R. M. Frankston (reprint of RFC-123)
    7. Further Results with Multi-Process Page Control (2/9/77) by R. F. Mabee (reprint of RFC-135)

    See individual entries for the RFCs.

  7. Corbató, F. J., System requirements for multiple-access, time-shared computers, MAC-TR-3, May 1964. 907K

    It is now clear that it is possible to create a general-purpose time-shared multiple access system on most contemporary computers. However, it is equally clear that none of the existent computers are well designed for multiple access systems. At present, good service to a few dozen simultaneous users is considered state-of-the-art. Discussions include: clocks, memory protection and supervisor mode, program relocation and common subroutines which expose the reader to the difficulties encountered with contemporary machines when multiple user multiple-processor systems are considered.

  8. Deitel, H. M., Absentee computations in a multiple-access computer system, MAC-TR-52 (S.M. thesis), August 1968. 4.0M
  9. Denning, P. J., Resource allocation in multiprocess computer systems, MAC-TR-50 (Ph.D. Thesis), May 1968. 6.1M
  10. Denning, P. J., Queueing models for file memory operations, MAC-TR-21 (S.M. Thesis), May 1965. 2.3M

    A model for the auxiliary memory function of a segmented, multiprocessor, time-shared computer system is set up. A drum system in particular is discussed, although no loss of generality is implied by limiting the discussion to drums. Particular attention is given to the queue of requests waiting for drum use. It is shown that a shortest access time first queue discipline is the most efficient, with the access time being defined as the time required for the drum to be positioned, and is measured from the finish of service of the last request to the beginning of the data transfer for the present request. A detailed study of the shortest access time queue is made, giving the minimum access time probability distribution, equations for the number in the queue, and equations for the wait in the queue. Simulations were used to verify these equations; the results are discussed. Finally, a general Markov Model for Queues is discussed in an Appendix.

  11. Dennis, J. B., and E. C. Van Horn, Programming semantics for multiprogrammed computations, MAC-TR-21, 1966. 2.3M
  12. Dennis, J. B., Program structure in a multi-access computer, MAC-TR-11, May 1964. 1.3M
  13. Fillat, A. I., and A. L. Kraning, Generalized organization of large data-bases: a set-theoretic approach to relations, MAC-TR-70 (S.M. and S.B. thesis), June 1970. 5.5M
  14. Forsdick, H. C., and D. P. Reed, Patterns of Security Violations: Multiple References to Arguments, CSR-RFC-59, Nov 8 1974.

    part 5 of MAC-TM-87

  15. Frankston, R. M., A Two-Level Implementation of Processes for Multics, CSR-RFC-123, Sep 8 1976.

    part 6 of MAC-TM-87

  16. Frankston, R. M., The computer utility as a marketplace for computer services, MAC-TR-128 (S.M. & E.E. thesis), May 1974. 5.8M
  17. Gifford, D., Hardware estimation of a process's primary memory requirements, MAC-TM-81 (S.B. Thesis), May, 1976. 2.3M
  18. Graham, R. M., File management and related topics, MAC-TM-12, September 1970. 2.3M
  19. Graham, R. M., Use of high level language for systems programming, MAC-TM-13, September 1970. 938K
  20. Greenbaum, H. J., A simulator of multiple interactive users to drive a time-shared computer system, MAC-TR-58 (S.M. Thesis), October 1968. 3.5M
  21. Greenberg, B. S., An experimental analysis of program reference patterns in the Multics virtual memory, MAC-TR-127 (S.M. thesis), May 1974. 8.4M

    This thesis reports the design, conducting, and results of an experiment intended to measure the paging rate of a virtual memory computer system as a function of paging memory size. This experiment, conducted on the Multics computer system at MIT, a large interactive computer utility serving an academic community, sought to predict paging rates for paging memory sizes larger than the existent memory at the time. A trace of all secondary memory references for two days was accumulated, and simulation techniques applicable to "stack" type page algorithms (of which the least-recently-used discipline used by Multics is one) were applied to it. A technique for interfacing such an experiment to an operative computer utility in such a way that adequate data can be gathered reliably and without degrading system performance is described. Issues of dynamic page deletion and creation are dealt with, apparently for the first reported time. The successful performance of this experiment asserts the viability of performing this type of measurement on this type of system. The results of the experiment are given, which suggest models of demand paging behavior.

  22. Grochow, J. M., The graphic display as an aid in the monitoring of a time-shared computer system, MAC-TR-54 (S.M. thesis), November 1968. 2.3M

    The problem of dynamic observation of the state of a time-shared computer system is investigated. The Graphical Display Monitoring System was developed as a medium for this experimental work. It is an integrated system for creating graphic displays, dynamically retrieving data from Multics Time-Sharing System supervisor data bases, and on-line viewing of this data via the graphic displays. On-line and simulated experiments were performed with various members of the Multics staff at Project MAC in an effort to determine what data is most relevant for dynamic monitoring, what display formats are most meaningful, and what sampling rates are most desirable. The particular relevance of using a graphic display as an output medium for the monitoring system is noted. As a guide to other designers, a generalized description of the principles involved in the design of this on-line, dynamic monitoring device includes special mention of those areas of particular hardware or software system dependence. Several as yet unsolved problems relating to time-sharing system monitoring, including those of security and data base protection, are discussed.

  23. Huber, A. R., A multi-process design of a paging system, MAC-TR-171 (S.M. thesis), December 1976. 5.7M

    This thesis presents a design for a paging system that may be used to implement a virtual memory on a large scale, demand paged computer utility. A model for such a computer system with a multi-level, hierarchical memory system is presented. The functional requirements of a paging system for such a model are discussed, with emphasis on the parallelism inherent in the algorithms used to implement the memory management functions. A complete, multi-process design is presented for the model system. The design incorporates two system processes, each of which manages one level of the multi-level memory, being responsible for the paging system functions for that memory. These processes may execute in parallel with each other and with user processes. The multi-process design is shown to have significant advantages over conventional designs in terms of simplicity, modularity, system security, and system growth and adaptability. An actual test implementation on the Multics system was carried out to validate the proposed design.

  24. Hunt, D. H., A case study of intermodule dependencies in a virtual memory, system, MAC-TR-174 (S.M. thesis), December 1976. 5.5M

    A problem currently confronting computer scientists is to develop a method for the production of large software systems that are easy to understand and certify. The most promising methods involve decomposing a system into small modules in such a way that there are few intermodule dependencies. In contrast to previous research, this thesis focuses on the nature of the intermediate module dependencies, with the goal of identifying and eliminating those that are found to be unnecessary. Using a virtual memory subsystem as a case study, the thesis describes a structure in which apparent dependencies can be eliminated. Owing to the nature of virtual memory subsystems, many higher level functions can be performed by lower level modules that exhibit minimal interaction. The structuring methods used in this thesis, inspired by the structure of the LISP world of atomic objects, depend on the observation that a subsystem can maintain a copy of the name of an object without being dependent upon the object manager. Since the case study virtual memory subsystem is similar to that of the Multics system, the results reported here should aid in the design of similar sophisticated virtual memory subsystems in the future.

  25. Janson, P. A., Removing the dynamic linker from the security kernel of a computing utility, MAC-TR-132 (S.M. thesis), June 1974. 6.8M
  26. Janson, P. A., Using type extension to organize virtual memory mechanisms, MAC-TR-167 (Ph.D. thesis), September 1976. 9.1M
  27. Jones, Malcolm, Incremental Simulation on a Time-Shared Computer, MAC-TR-48 (OPS/3 language), 1-1-1968. 7.5M
  28. Karger, P. A., Non-discretionary access control for decentralized computing systems, MAC-TR-179 (S.M. thesis), May 1977. 3.8M

    (Also available as NTIS AD-A040 808/8)

  29. Kent, Steve, Encryption-Based Protection Protocols For Interactive User-Computer Communication, MAC-TR-162, 6-1-1976. 5.9M

    This thesis develops a complete set of protocols, which utilize a block cipher, e.g., the NBS data encryption standard, for protection interactive user-computer communication over physically unsecured channels. The use of the block cipher protects against disclosure of message contents to an intruder, and the protocols provide for the detection of message stream modification and denial of message service by an intruder. The protocols include facilities for key distribution, two-way login authentication, resynchronization following channel disruption, and expedition of high priority messages. The thesis presents designs for modules to implement the protocols, both in the terminal and in a host computer system, and discusses the results of a test implementation of the modules on Multics.

  30. Luniewski, A. W., A simple and flexible system initialization mechanism, MAC-TR-180 (S.M. thesis), May 1977. 3.8M
  31. Mabee, R. F., Further Results with Multi-Process Page Control, CSR-RFC-135, Feb 9 1977.

    part 7 of MAC-TM-87

  32. Mason, A. H., A layered virtual memory manager, MAC-TR-177 (S.M. & E.E. thesis), May 1977. 4.4M
  33. Montgomery, W. A., A secure and flexible model of process initiation for a computer utility, MAC-TR-163 (S.M. & E.E. thesis), June 1976. 6.4M

    This thesis demonstrates that the amount of protected, privileged code related to process initiation in a computer utility can be greatly reduced by making process creation unprivileged. The creation of processes can be controlled by the standard mechanism for controlling entry to a domain, which forces a new process to begin execution at a controlled location. Login of users can thus be accomplished by an unprivileged creation of a process in the potential user's domain, followed by authentication of the user by an unprivileged initial procedure in that domain. The thesis divides the security constraints provided by a computer utility into three classes: Access control, prevention unauthorized denial of service, and confinement. We develop a model that divides process changing, resource control, authentication, and environment initialization. We show which classes of security constraints depend on each of these functions and show how to implement the functions such that these are the only dependencies present. The thesis discusses an implementation of process initiation for the Multics computer utility based on the model. The major problems encountered in this implementation are presented and discussed. We show that this implementation is substantially simpler and more flexible than that used in the current Multics system.

  34. Pitman, K. M., The Revised MacLisp Manual, MAC-TR-295, 1 Jun 1983.

    MACLISP is a dialect of Lisp developed at M.I.T.'s Project MAC (now the MIT Laboratory for Computer Science) and the MIT Artificial Intelligence Laboratory for use in artificial intelligence research and related fields. Maclisp is descended from Lisp 1.5, and many recent important dialects (for example Lisp Machine Lisp and NIL) have evolved from Maclisp. David Moon's original document on Maclisp, The Maclisp Reference Manual (alias the Moonual ) provided in-depth coverage of a number of areas of the Maclisp world. Some parts of that document, however, were never completed (most notably a description of Maclisp's I/O system); other parts are no longer accurate due to changes that have occurred in the language over time. This manual includes some introductory information about Lisp, but is not intended as tutorial. It is intended primarily as a reference manual; particularly, it comes in response to user's please for more up-to-date documentation. Much text has been borrowed directly from the Moonual, but there has been a shift in emphasis. While the Moonual went into greater depth on some issues, this manual attempts to offer more in the way of examples and style notes. Also, since Moon had worked on the Multics implementation, the Moonual offered more detail about compatibility between ITS and Multics Maclisp. While it is hoped that Multics users will still find the information contained herein to be useful, this manual focuses more on the ITS and TOPS-20 implementations since those were the implementations most familiar to the author.

  35. Rappaport, R. L., Implementing multi-process primitives in a multiplexed computer system, MAC-TR-55 (S.M. thesis), November 1968. 3.6M

    In any computer system primitive functions are needed to control the actions of processes in the system. This thesis discusses a set of six such process control primitives which are sufficient to solve many of the problems involved in parallel processing as well as in the efficient multiplexing of system resources among the many processes in a system. In particular, the thesis documents the work performed in implementing these primitives in a computer system, the Multics system, which is being developed at Project MAC of M.I.T. During the course of work that went into the implementation of these primitives, design problems were encountered which caused the overall design of the programs involved to go through two iterations before the performance of these programs was deemed acceptable. The thesis discusses the way design of these program evolved over the course of work.

  36. Reed, D. P., Processor multiplexing in a layered operating system, MAC-TR-164 (S.M. thesis), July 1976. 7.1M

    This thesis presents a simply structured design for the implementation of process in a kernel-structured operating system. The design provides a minimal mechanism for the support of two distinct classes of processes found in the computer system - those which are part of the kernel operating system itself, and those used to execute user-specified computations. The design is broken down into two levels, one which implements a fixed number of virtual processors, which are then used to run kernel processes, and are multiplexed to provide processes for user computation. Eventcount primitives are provided, in order to provide a simple unified interprocess control communication mechanism. The design is intended to be used in the creation of a secure kernel for the Multics Operating System.

  37. Richards, M., A. Evans, and R. Mabee, The BCPL reference manual, MAC-TR-141, December 1974.

    BCPL is a language which is readable and easy to learn, as well as admitting of an efficient compiler capable of generating efficient code. It is made self consistent and easy to define accurately by an underlying structure based on a simple idealized object machine. The treatment of data types is unusual and it allows the power and convenience of a language with dynamically varying types and yet the efficiency of FORTRAN. BCPL has been used successfully to implement a number of languages and has proved to be a useful tool for compiler writing. The BCPL compiler itself is written in BCPL and has been designed to be easy to transfer to other machines; it has already been transferred to more than ten different systems.

  38. Rodriguez Jr, H., Measuring user characteristics on the Multics system, MAC-TM-89 (S. B. Thesis), August 1977.
  39. Saltzer, J. H., Traffic control in a multiplexed computer system, MAC-TR-30 (Sc.D. Thesis), July, 1966. 3.3M
  40. Saltzer, J. H., Introduction to Multics, MAC-TR-123, February 1974. 14.2M

    The Multics project was begun in 1964 by the Computer Systems Research group of M.I.T. Project MAC. The goal was to create a prototype of a computer utility. This technical report represents the Introduction to the users manual for the Multics System. It is published in this form as a convenient method of communications with researchers and students of computer system design. It is divided into three major parts: 1) Introduction to Multics, 2) Reference Guide to Multics and 3) Subsystems Writers' Guide to Multics.

  41. Saltzer, J. H., Repaired Security Bugs in Multics, CSR-RFC-5, Feb 27 1973.

    part 1 of MAC-TM-87

  42. Saltzer, J. H., P. A. Janson, and D. H. Hunt, Some Multics Security Holes which were Closed by 6180 Hardware, CSR-RFC-46, Jan 28 1974.

    part 3 of MAC-TM-87

  43. Saltzer, J. H., and D. H. Hunt, Some Recently Repaired Security Holes of Multics, CSR-RFC-47, Jan 28 1974.

    part 4 of MAC-TM-87

  44. Schell, R. R., Dynamic reconfiguration in a modular computer system, MAC TR-86, 1971. 5.9M

    This thesis presents an orderly design approach for dynamically changing the configuration of constituent physical units in a modular computer system. Dynamic reconfiguration contributes to high system availability by allowing preventative maintenance, development of new operating systems, and changes in system capacity on a non-interference basis. The design presented includes the operating system primitives and hardware architecture for adding and removing any (Primary or secondary) storage module and associated processing modules while the system is running. Reconfiguration is externally initiated by a simple request from a human operator and is accomplished automatically without disruption to users of the system. This design allows the modules in an installation to be partitioned into separate non-interfering systems. The viability of the design approach has been demonstrated by employing it for a practical implementation of processor and primary memory dynamic reconfiguration in the Multics system at M.I.T.

  45. Schroeder, M. D., Cooperation of mutually suspicious subsystems in a computer utility, MAC-TR-104 (Ph.D. Thesis), September 1972. 4.9M
  46. Schroeder, M. D., D. D. Clark, J. H. Saltzer, and D. M. Wells, Final report of the Multics kernel design project, MAC-TR-196, March 1978. 3.7M
  47. Sekino, A., Performance evaluation of multiprogrammed time-shared computer systems, MAC-TR-103 (Ph.D. thesis), September 1972.

    This thesis presents a comprehensive set of hierarchically organized modular analytical models developed for the performance evaluation of multiprogrammed virtual-memory time-shared computer systems using demand paging. The hierarchy of models contains a user behavior model, a secondary memory model, a program behavior model, a processor model, and a total system model. This thesis is particularly concerned with the last three models. The program behavior model developed in this thesis allows us to estimate the frequency of paging expected on a given processing system. The processor model allows us to evaluate the throughput of a given multi-processor multi-memory processing system under multiprogramming. Finally, the total system model allows us to derive the response time distribution of an entire computer system under study. Since all major factors (such as various system overhead times and idle times) which may decrease a system's computational capacity available for users' useful work are explicitly considered in the analyses using the above models, the performance predicted by these analyses is very realistic. A comparison of the performance of an actual system, the Multics system of M.I.T., and the corresponding performance predicted by these analyses confirms the accuracy of performance prediction by these models. Then, these analyses are applied to the optimization of computer systems and to the selection of the best performing system for a given budget. The framework of a performance evaluation using these hierarchically organized analytical models guides human intuition in understanding the actual performance problems and provides us with reliable answers to most of the basic quantitative performance questions concerning throughput and response time of actual modern large-scale time-shared computer systems.

  48. Smith, A. A., Input-output in time-shared, segmented multiprocessor systems, MAC-TR-28 (S.M. thesis), June 1966. 1.5M
  49. Stern, J. A., Backup and recovery of on-line information in a computer utility, MAC-TR-116 (S.M. & E.E. thesis), January 1974. 4.2M

    This thesis describes a design for an automatic backup mechanism to be incorporated in a computer utility for the protection of on-line information against accidental or malicious destruction. This protection is achieved by preserving on magnetic tape recent copies of all items of information known to the on-line file system. In the event of a system failure, file system damage is automatically assessed and missing information is recovered from backup storage. For isolated mishaps, users may directly request the retrieval of selected items of information. The design of the backup mechanism presented in this thesis is based upon existing backup mechanism contained in the Multics system. As compared to the present Multics backup system, the new design lessens overhead, drastically reduces recovery time from system failures, eliminates the need to interrupt system operation for backup purposes, and scales up significantly better with on-line storage growth.

  50. Van Horn, E. C., Computer design for asynchronously reproducible multiprocessing, MAC-TR-34 (Ph.D. thesis), November 1966. 7.3M
  51. Vogt, C. M., Suspension of processes in a multiplexed computer system, MAC-TM-14, September 1970.
  52. Voydock, V. L., A Census of Ring 0, CSR-RFC-37, Sep 5 1973.

    part 2 of MAC-TM-87

Multics Manuals

Published by Honeywell.

Al Kossow at bitsavers.org has scanned many Honeywell Multics manuals and placed them online.

  1. 43A239851 DSS181-DSS190 Specification , May 1974 (5.5 MB pdf)
  2. 43A239854 600B IOM Specification , Jul 1975 (6.2 MB pdf)
  3. 58009906 DPS8 System Manual , Freestanding DPS8 Multics , Aug 1982 This manual is intended as a general system review and maintenance aid for TAC personnel in analyzing and diagnosing system problems beyond level 1 procedure. (4.4 MB pdf)
  4. 58009917 DPS8 CPU Installation Instructions , Aug 1984 Installation instructions for a DPS8 CPU. Unpacking, inspection, cable routing, and power-up. (1.5 MB pdf)
  5. 60132445 FEP Coupler Specification , Nov 1977 (3.7 MB pdf)
  6. AG90 Multics Programmer's Manual: Introduction to Programming on Multics , Dec 1981 (7 MB pdf)
  7. AG91 Multics Programmer's manual: Reference Guide , Dec 1975 (11 MB pdf)
  8. AG91 Multics Programmer's manual: Reference Guide , Jan 1987 (36 MB pdf)
  9. AG92 Multics Programmer's manual: Commands and Active Functions , Feb 1980 861 pages. (39 MB pdf)
  10. AG92 Multics Programmer's manual: Commands and Active Functions , Nov 1987 (60 MB pdf)
  11. AG93 Multics Programmer's manual: Subroutines and I/O Modules , Nov 1986 (64 MB pdf)
  12. AG94 Multics PL/I Language Specification , Mar 1981 (14 MB pdf)
  13. AG95 The Multics Virtual Memory , Jun 1972 (reprint of Bensoussan, Clingen, and Daley paper; "Access Control to the Multics Virtual Memory"; and "Series 6000 Features for the Multics Virtual Memory") (11 MB pdf)
  14. AK15 The Multics System Summary Description , (brochure) , 1974
  15. AK24 Multics Software Overview Product Brief , 1973
  16. AK26 Multics Model 6180 Hardware Product Brief , 1973
  17. AK27 The Multics System , (brochure) , 1973
  18. AK27-2 The Multics System , (brochure) , 1975
  19. AK27-3 The Multics System , (brochure) , 1977
  20. AK50 Multics System Administrators' Manual , Feb 1973 An early version of the MSAM. (4 MB pdf)
  21. AK50 Multics System Administrators' Manual , Dec 1987 The Trusted Facilities Manual required for B2 certification is contained in Part VI "Assuring System Security" and Appendix B "Audit Tables and Include Files" of AK50-03 (Renamed the "Multics System Administration Procedures Manual", May 1985). Part VI consists of Chapters 18 through 26 of the manual and provides guidelines for the system administrator on how to manage Multics as a secure system. [info from Ed Ranzenbach] (21 MB pdf)
  22. AK51 Multics Project Administrators' Manual , Feb 1985 (4 MB pdf)
  23. AK52 Multics Administrative Functions Product Brief , 1973
  24. AK92 Multics Programmer's manual: Subsystem Writer's Guide , Mar 1979 (20 MB pdf)
  25. AK95 Multics APL Users' Guide , Dec 1985 (11 MB pdf)
  26. AK96 Multics Programmer's manual: System Programmer's Supplement
  27. AL39 Multics Processor Manual , Nov 1985 461 pages. (18 MB pdf)
  28. AL39-01C Multics Processor Manual , Nov 1985 358 pages. (1.5 MB searchable pdf thanks to Bob Mabee)
  29. AM81 Multics Operator's Handbook , Nov 1986 (29 MB pdf)
  30. AM82 Multics BASIC , Feb 1981 (29 MB pdf)
  31. AM82 Multics BASIC Update , Dec 1984 (2 MB pdf)
  32. AM83 Multics PL/I Reference Manual , Sep 1978 (31 MB pdf)
  33. AN05 GCOS Environment Simulator , Dec 1985 (6 MB pdf)
  34. AN50 Guide to Multics Manuals
  35. AN51 System Tools PLM , 1979 This Program Logic Manual (PLM) is not structured in the same manner as most others in this series. The System Tools PLM consists only of a number of command and subroutine descriptions with no design motivation, implementation description, or data structure description except what is needed to describe the use of the command or subroutine as a tool. (source at web.mit.edu)
  36. AN52 Multics System Metering , Feb 1979 (5 MB pdf)
  37. AN53 Multics System Dump Analysis , June 1975 (5 MB pdf) (source at web.mit.edu)
  38. AN54 PL/I Compiler PLM , Aug 1974 The PL/1 compiler translates a source program written in the PL/1 language into an equivalent Multics standard object segment. This compiler represents an implementation of the PL/1 language as defined in the PL/1 Language Manual (Order No. AG94). The entire compiler is written in the same language, and therefore, is self reproducible. (runoff source at web.mit.edu)
  39. AN57 Multics User Ring Input/Output System PLM , May 1977 (13 MB pdf) (source at web.mit.edu)
  40. AN61 Multics Storage System: Program Logic Manual , Sep 1978 Internal logic of the Multics Storage System. (23 MB pdf) (source at web.mit.edu)
  41. AN63 Multics ALM Assembler SDN , February 1975 (1 MB pdf)
  42. AN69 Multics Message Segment Facility SDN , Oct 1979 (3 MB pdf) (source at web.mit.edu)
  43. AN70 System Initialization Program Logic Manual , Feb 1975 (8 MB pdf)
  44. AN70 System Initialization Program Logic Manual , May 1984 (8 MB pdf) (source at web.mit.edu)
  45. AN71 Reconfiguration Program Logic Manual , June 1974 (2 MB pdf)
  46. AN71 Reconfiguration Program Logic Manual , Apr 1977 (2 MB pdf) This document describes the implementation and design of the Multics dynamic reconfiguration software for the major hardware modules of the system. This document is limited to processor, system controller and bulk store memory reconfiguration although there are many more hardware and software switchable modules in the system. (source at web.mit.edu)
  47. AN76 Multics Carry Facility , Feb 1981 (1 MB pdf)
  48. AN77 Multics GCOS Environment Simulator , Apr 1977 (source at web.mit.edu)
  49. AN80 Level 68 & DPS8/M Library Maintenance SDN , May 1979 (6 MB pdf) (source at web.mit.edu)
  50. AN82 Multics Standards SDN , June 1980 (3 MB pdf) Description of the Standards, Conventions, and Guidelines Used in the Software and Documentation of the Multics Operating System. (source at web.mit.edu)
  51. AN83 FORTRAN Compiler PLM , Mar 1979 The FORTRAN Program Logic Manual (PLM) deals solely with the parse and semantic translation phases of the Multics FORTRAN Compiler. (source at web.mit.edu)
  52. AN85 Multics Communication System SDN , Oct 1979 (14 MB pdf)
  53. AN87 Multics Hardware and Software Formats PLM , March 1980 (7 MB pdf) (source at web.mit.edu)
  54. AR97 Multics System Diagnostic Aids , Dec 1983 (7 MB pdf)
  55. AS40 Multics Graphics System , Aug 1981 (12 MB pdf)
  56. AS43 Multics COBOL Users' Guide , Jul 1981 (12 MB pdf)
  57. AS44 Multics COBOL Reference Manual , Jul 1981 (20 MB pdf)
  58. AS68 Multics Administrator's Manual - Registration and Accounting
  59. AT58 Multics FORTRAN , Dec 1983 (8 MB pdf)
  60. AT59 Multics DFAST Subsystem Users' Guide , Mar 1976 (3 MB pdf)
  61. AT71 MSU0402 Manual , Oct 1983 (1 MB pdf)
  62. AU25 Multics FAST Subsystem Reference Guide , Sep 1979 (5 MB pdf)
  63. AU77 Multics Online Test and Diagnostics Reference Manual , Mar 1984 (7 MB pdf)
  64. AW17 Multics Pocket Guide: Commands and Active Functions , Apr 1976 (2 MB pdf)
  65. AW32 Multics SORT/MERGE , Jul 1976 (2 MB pdf)
  66. AW53 Multics Relational Data Store (MRDS) -- Reference Manual , Mar 1984 (15 MB pdf)
  67. AX31 VIP 72xx Operator Manual , May 1981 (3 MB pdf)
  68. AX49 Multics Peripheral Input/Output , Jul 1982 (10 MB pdf)
  69. AY03 MSU0500 Manual , Dec 1979 (1 MB pdf)
  70. AY34 Datanet Operator Manual , May 1980 (7 MB pdf)
  71. AZ03 System Programming Tools , (includes TECO) , Jul 1982 (16 MB pdf)
  72. AZ49 Logical Inquiry and Update System (LINUS) , Aug 1986 (7 MB pdf)
  73. AZ98 Multics WORDPRO Reference Guide , Jul 1983 (13 MB pdf)
  74. CC34 Multics Bulk Input/Output
  75. CC69 Multics Report Program Generator (MRPG) Reference Manual , Nov 1982 (7 MB pdf)
  76. CC70 FORTRAN Users' Guide , Dec 1983 (9 MB pdf)
  77. CC74 Multics Administrator's Manual - Resource Control
  78. CC75 Multics Administrator's Manual - Communications Administration , Dec 1983 (6 MB pdf)
  79. CC75 Multics Administrator's Manual - Communications Administration , Feb 1985 (6 MB pdf)
  80. CC92 Multics Communications Input/Output , Jul 1982 (8 MB pdf)
  81. CC96 Multics Transaction Processing Reference Manual , Jun 1979 (3 MB pdf)
  82. CG18 Multics Remote Batch Facility (Level 68 to Level 6) , Jul 1979 (2 MB pdf)
  83. CG40 QEDX Text Editor User's Guide , Feb 1983 (6 MB pdf)
  84. CH23 Multics Extended Mail System User's Guide , Feb 1982 (8 MB pdf)
  85. CH24 New Users' Introduction to Multics -- Part I , Nov 1979 (4 MB pdf)
  86. CH25 New Users' Introduction to Multics -- Part II , Nov 1979 (4 MB pdf)
  87. CH26 Multics Error Messages: Primer and Reference Manual , Sep 1980 ( MB pdf)
  88. CH27 Emacs Manual , December 1979 (14 MB pdf)
  89. CJ27 Emacs Text Editor User's Guide , December 1979 (7.6 MB pdf)
  90. CJ52 Emacs Extension Writer's Guide , January 1980 (3.5 MB pdf)
  91. CJ52 Emacs Extension Writer's Guide , Jul 1982 (9.4 MB pdf)
  92. CJ97 Multics Page Processing System Utility Manual , May 1980 (1 MB pdf)
  93. CP31 Level 68 Introduction to Emacs
  94. CP50 Multics Text Editor (TED) Reference Manual , Oct 1985 (7 MB pdf)
  95. CP51 Multics Menu Creation Facilities , Feb 1985 (8 MB pdf)
  96. CP92 VIP7201 Reference Manual , Jul 1983 (6 MB pdf)
  97. CT38 Resource Control User Guide , Jun 1981 (3 MB pdf)
  98. CW99 PRU901 Manual , May 1982 (4 MB pdf)
  99. CX20 Fundamentals of Multics Executive Mail
  100. CX72 Executive Facilities Editing Operations Ref Card
  101. CY73 Inter-Multics File Transfer Facility Ref Manual , Dec 1983 (3 MB pdf)
  102. CY74 Multics Forum Interactive Meeting System Users' Guide , Feb 1985 (10 MB pdf)
  103. CY93 PRU7070 Handbook , Dec 1982 (5 MB pdf)
  104. DB37 DSS190 Reference , May 1974 (2.6 MB pdf)
  105. DF48 Series 60 Level 68 DPS Pocket Guide , June 1978
  106. DJ18 Guide to Multics Wordpro for New Users
  107. DL92 Honeywell Multics Distributed Processing System, Summary Overview , 1982
  108. DL92 Multics brochure , 1982 (21.5 MB pdf)
  109. DS44 Honeywell Multics , (brochure) , 1983
  110. DS45 Honeywell DPS8/Multics , (brochure) , 1983
  111. DU06 Fundamentals of Multics Forum Interactive Meeting System
  112. DU34 DPS8 Site Preparation Manual , Jan 1986 (5 MB pdf)
  113. DV74 Texto Reference Manual
  114. DW19 Multics MegaCalc User's Guide
  115. DX71 Fundamentals of Multics Executive Forum
  116. F01 Introduction to Multics Course Notes , Oct 1978 (20 MB pdf)
  117. F15C Multics Course Notes F15C , Sep 1983 (7 MB pdf)
  118. F15D Multics Course Notes F15D , May 1981 (15 MB pdf)
  119. F21 Multics Course Notes F21 , Jul 1981 (11 MB pdf)
  120. F80 Multics Course Notes F80 , Mar 1983 (18 MB pdf)
  121. F86 Multics Course Notes F86 (7 MB pdf)
  122. F88 Multics Course Notes F88 (10 MB pdf)
  123. GA01 Multics Data Security , (brochure) , 1983 Based on Dave Jordan's article in Scientific Honeyweller, June 1981
  124. GB58 Multics Common Commands Manual , (GB18?) , Feb 1983 (10 MB pdf)
  125. GB59 DPS 6/Multics Satellite 6M Reference Manual
  126. GB60 Multics HASP Service and Utility
  127. GB61 Operator's Guide to Multics , Dec 1987 (13 MB pdf)
  128. GB62 Multics Pascal User's Guide
  129. GB63 Multics Report Writer Reference Manual , Jan 1985 (5 MB pdf)
  130. GB64 Administration, Maintenance, and Operations Commands , Nov 1986 (26 MB pdf)
  131. GB65 Multics/Personal Computer File Transmission Facility
  132. GB66 Multics On-Line Work Station Environment User's Guide
  133. GL71 Multics Simplified Computing and Filing Facility
  134. GN08 Multics Emacs Reference Card
  135. HH07 Multics C User's Guide , Nov 1987 (7 MB pdf)
  136. YL77 Multics Cray Station Users' Guide

Multics Repository Documents

Internal design documents used by the development team in the 1960s. Three series, M, G, and B, for MIT, GE, and Bell Labs. This table is derived from TOC memos M0116, M0117, M0118, and M0119.

  1. B0005 EPL Design Journal #4, 08/09/65, McIlroy, M. D.
  2. B0008 FJCC: Structure of Multics Supervisor, 9/16/65, Vyssotsky, V. A., F. J. Corbató, and R. M. Graham
  3. B0009 FJCC: General Purpose File System, 09/16/65, Daley, R. C., and P. G. Neumann
  4. B0010 FJCC: Communication in I/O Switching, 9/17/65, Ossanna, J. F., L. Mikus, and S. D. Dunten
  5. B0021 Debugging and Multics (supersedes M0039), 11/09/65, Brown, W. S.
  6. B0039 Software Tools for Monitoring and Tracing in Multics, 02/15/66, Gimpel, J. F.
  7. B0043 Big Computing and Multics, 03/30/66, McIlroy, M. D.
  8. B0044 EPL Manual -Reprint IBM Operating System/360 PL/I: Language Specifications, 04/66, IBM
  9. B0045 A Proposed Outerview of Performance Monitoring in Multics, 04/13/66, Gimpel, J. F.
  10. B0057 Character Conversion for PRT-202 Line Printer, 05/10/66, Vyssotsky, V. A.
  11. B0060 Fault Tags and the IT modifier in the 645 Processor, 06/03/66, Tague, B. A.
  12. B0066 Proposed Context Editor Edit(Audit), 07/22/66, Kaiman, A.
  13. B0067 Some Thoughts and Ideas Pertaining to Tasking , 01/08/68, Farber, D. J., and R. L. Wexelblat
  14. B0086 Compendium of PL/I (EPL) Run-Time Library, 06/15/17, Hyde, J. P.
  15. B0088 QED Text EdItor, 08/05/67, Thompson, K. L.
  16. B0095 Current History Permuted Index BTL/GE/MIT, 08/01/66, Serido, J.
  17. B0097 Current Permuted Index BTL/GE/MIT, 05/17/68, Serido, J.
  18. B0099 Obsolete Permuted Index BTL/GE/MIT, 05/17/68, Serido, J.
  19. B0100 The Multics Device Utility Package (DUP), OS/27/68, Jones, S. W.
  20. G0004 636 Simulation Package, 08/30/65, Ziegler, G. G.
  21. G0006 Free Standing GECOS - GIOC Version, nd, McGee, R. C.
  22. G0007 Proposal for Developing Multics Documentation, 10/11/65, Haig, H. C., R. C. McGee, and B. A. Tague
  23. G0012 GE-645 Bootstrap Assembler(BSA), 01/01/66, anonymous
  24. G0013 Peripheral T and D Interface with 645 Software, 02/03/66, Matthews, H. D.
  25. G0015 On-Line Testing in a 636 Time-Sharing System, 10/21/65, Mikus, L. E.
  26. G0016 Memo on 645 Mnemonics, 01/18/66, McGee, R. C.
  27. G0029 Design Notebook Appendix C.Rev., 03/11/65, Oliver, G. A.
  28. G0030 Memo on Las Vegas Changes, 04/19/66, McGee, R. C.
  29. G0031 Definition of Inactive Mode in the GIOC, 04/20/66, McGee, R. C.
  30. G0034 645 Utility Program, 05/12/66, Hobbs, R. J., and R. M. Foster
  31. G0036 M50EB00131 -Performance Specification -Multics Assembler , 06/15/66, McGee, R. C.
  32. G0037 SPS-B-645 Simulator, 08/9/66, McGee, R. C.
  33. G0038 SPS-B Multics Assembler (M50EB00131), 08/22/66, McGee, R. C.
  34. G0039 SPSB 645 Free-Standing Simulator (M50EB00171) , 08/22/66, McGee, R. C.
  35. G0040 EPS MTH211 and MTH311 Magnetic Tape Units, 08/22/66, McGee, R. C.
  36. G0041 SPS GE-645 Gecos-IOC Version (M50EB00006), 08/22/66, McGee, R. C.
  37. G0042 SCU Instruction Format, 11/22/66, Stoller, G. S.
  38. G0043 SPS-C Multics/Gecos Monitor (M50EB00188), 09/01/66, McGee, R. C.
  39. G0044 SPS-B GE-645 PL/I Compiler (M50EB00175), 09/01/66, McGee, R. C.
  40. G0045 EPS Extended Character Set Printer Subsystem (PRT202) (M50EB00070), 09/01/66, McGee, R. C.
  41. G0046 Errata G0042, 12/05/66, Stoller, G. S.
  42. G0047 600 Series GE Specifications , 12/08/66, Bash, J. L.
  43. G0048 Distribution of Specifications , 12/12/66, Bash, J. L.
  44. G0049 Fortran IV Language Manual, 01/12/67, Bash, J. L.
  45. G0050 GIOC Manual, 01/12/67, Bash, J. L.
  46. G0051 Correction to G0049, 01/12/67, Bash, J. L.
  47. G0053 Renumbering of Repository Document, INDEX, 05/11/67, Bash, J. L.
  48. G0054 Revised INDEX, 06/16/67, Bash, J. L.
  49. G0055 Compendium of PL/I (EPL) Run-Time Mathematics Library , 09/01/67, Goldberg, I. B.
  50. G0056 Current INDEX Revision, 09/13/67, Bash, J. L.
  51. G0057 Current VOCAB Revision, 09/25/67, Bash, J. L.
  52. G0058 Phase I Test Experiment, 10/02/67, Shy, I.
  53. G0059 The Multics Operating System , 05/67, CISL
  54. G0060 EPL User's Reference Manual, 12/67, CISL
  55. G0061 CISL User Manuals on MULTICS (memo), ND, Bash, J. L.
  56. G0062 Current INDEX Revision, 01/26/68, Bash, J. L.
  57. G0063 CTSS Console User's Manual , 01/68, CISL
  58. G0065 Errata to EPL User's Reference Manual, 02/05/68, Benjafield, G.
  59. G0066 Memo Re: G0067, 02/12/68, CISL
  60. G0067 Handbook of Operating Information, Configuration A/Multics , 11/68, CISL
  61. G0068 Current Revision of VOCAB , 02/15/68, Bash, J. L.
  62. G0069 Intermediate Update of INDEX and VOCAB, 03/08/68, Bash, J. L.
  63. G0070 EPL User's Reference Manual, Revision 1, 04/68, CISL
  64. G0071 Multics PL/I Language Reference Manual Questionnaire, 05/09/69, Bash, J. L.
  65. G0072 EPLBSA Manual, 04/68, CISL
  66. G0073 Initial Multics Console User's Manual, 07/68, CISL
  67. G0074 EPL Glossary of Terms, 08/68, Hart, J. E.
  68. G0075 GE-645 Address Modification , 09/68, Riesenberg, D. J.
  69. G0076 Updates to the Glossary of Multics Terms (Vocabulary) , 09/04/68, Bash, J. L.
  70. G0077 Interim FL Reference Manual, 10/29/68, Riesenberg, D. J.
  71. G0078 Interim I/O Document, 12/20/68, Goudy, M. L.
  72. G0080 Significant Features of Multics PL/I , 01/21/69, Freiburghouse, R. A.
  73. G0081 Compatibility Consideration of the PL/I Implementation , 01/21/69, Freiburghouse, R. A.
  74. G0082 Update to EPL Manual G0070, 01/22/69, Bash, J. L.
  75. G0084 MULTICS Condensed Guide, 06/69, CISL
  76. G0085 Chapter I of MULTICS User Procedures (Calls to the File System), 07/01/69, Hart, J. E.
  77. G0086 Multics User Procedures Update (Chapter 1), 07/28/69, Hart, J. E.
  78. G0087 Chapter II of MULTICS User Procedures (Interim Document on I/O Calls), 08/06/69, Bash, J. L.
  79. G0088 Multics User Procedures Update (Chapter I) , 08/15/69, Hart, J. E.
  80. G0089 Update to G0087, Interim Document on I/O Calls, ND, Bash, J. L.
  81. G0090 Working paper on Program Naming Problems in a Shared Tree Structured Hierarchy, 08/22/69, Clingen, C. T.
  82. G0091 A User's Guide to the MULTICS Fortran Implementation, 10/69, Freiburghouse, R. A.
  83. G0092 A User's Guide to the MULTICS PL/I Implementation, 10/69, Freiburghouse, R. A.
  84. M0047 FJCC: Intro. & Overview of Multics, 9/17/65, Corbató, F. J., and V. A. Vyssotsky
  85. M0048 FJCC: System Design of a Computer for Time Sharing Applications, 9/17/65, Glaser, E. L., J. F. Couleur, and G. A. Oliver
  86. M0049 FJCC: Some Thoughts about the Social Implications of Accessible Computing , 9/17/65, David, E. E.
  87. M0052 Debugging Aids for the Multics System (Revised) , 11/09/65, Wagner, D. B.
  88. M0054 Proposal for a System of Clocks for Multics , 11/16/65, Saltzer, J. H.
  89. M0058 Outline of Proposed Interactive Debugging Aids for Multics, 1/19/66, Wagner, D. B.
  90. M0060 Thoughts About Operating Multics, 12/17/65, Oppert, D. E.
  91. M0062 System Metering , 3/17/66, Widrig, D. R.
  92. M0063 Conversion of Typset Files to Flexowriter Tapes, 3/11/66, Magnuski, H. S.
  93. M0065 Operational Description of the EPLBSA Assembler , 5/26/66, Poduska, J. W.
  94. M0066 Resource Management and Accounting for Multics, 6/26/66, Van Vleck, T. H.
  95. M0070 Character Handling and PL/I, 6/30/66, Saltzer, J. H.
  96. M0071 ASCII Graphics on Multics , 6/30/66, Saltzer, J. H.
  97. M0076 Operating Procedures for the Model 2201 Flexowriter to Prepare Documents for Multics , 8/25/66, Selwyn, L. L.
  98. M0077 Traffic Control in a Multiplexed Computer System, 0/22/66, Saltzer, J. H.
  99. M0082 Examples of PL/I Subroutines, 11/22/66, Corbató, F. J., and A. Evans
  100. M0085 Use of QED and ROFF, 1/19/67, Graham, R. M.
  101. M0086 A Guide to Multics for Subsystem Writers-I, 3/67, Organick, E. I.
  102. M0087 A Guide to Multics for Subsystem Writers-II, 4/67, Organick, E. I.
  103. M0089 Error in hash-coding algorithm, 4/10/67, Corbató, F. J., and A. Evans
  104. M0090 A Guide to Multics for Subsystem Writers Chapter III, 8/67, Organick, E. I.
  105. M0094 Virtual Memory, Processes, and Sharing in Multics , 10/14/67, Daley, R. C., and J. B. Dennis
  106. M0095 Protection in an Information Processing Utility, 10/14/67, Graham, R. M.
  107. M0103 PL/I As a Tool for System Programming , 07/02/68, Corbató, F. J.
  108. M0104 A Paging Experiment with the Multics System , 07/68, Corbató, F. J.
  109. M0105 Sensitive Issues in the Design of Multi-Use Systems, 11/12/68, Corbató, F. J.
  110. M0106 A Guide to Multics for Subsystem Writers Chapter IV, 01/69, Organick, E. I.
  111. M0107 A Guide to Multics for Subsystem Writers -Chapter V, 02/69, Organick, E. I.
  112. M0108 A Guide to Multics for Subsystem Writers -Chapter VI, 03/69, Organick, E. I.
  113. M0109 Annotated Bibliography of Multics, 04/16/69, Saltzer, J. H., and R. M. Graham
  114. M0110 BCPL Manual for Multics, 07/30/69, Evans, A.
  115. M0111 The Multics Virtual Memory, 10/69, Bensoussan, A., C. T. Clingen, and R. C. Daley
  116. M0112 The Instrumentation of Multics, 10/69, Saltzer, J. H., and J. W. Gintell
  117. M0113 The Role of Motherhood in the Pop Art of System Programming, 08/21/69, Neumann, P. G.
  118. M0114 The Multics Interprocess Communication Facility , 07/29/69, Spier, M. J., and E. I. Organick
  119. M0115 System performance effects of the new PL/I compiler , 10/14/69, Corbató, F. J.
  120. M0116 MAC Repository list, 12/01/69, Gardner, R.
  121. M0117 GE Repository List, 07/19/69, Gardner, R.
  122. M0118 GE Repository list, 12/01/69, Gardner, R.
  123. M0119 BTL Repository list, 12/01/69, Gardner, R.
  124. M0132 A Multics Process (System 17.11a), 12/8/72, Greenberg, B., and M. Miyazaki

Multics Design Document Series

The Multics Design Document series, specifically produced by Honeywell for the B2 evaluation effort, includes some documents written for the project. Others were existing manuals that were found to be adequate for the evaluation but were to eventually be re-written for consistency. [info from Ed Ranzenbach]

  1. MDD-001 Overview and Index of Multics Design Documents (Margulies, B.) Introduction to Multics Design Documents. The index of all Multics Design Documents.
  2. MDD-002-01 Multics Security Model -- Bell and La Padula (Tague, R. Michael) The Multics system enforces a security policy that is an implementation of the security model described by Bell and La Padula. This Multics Design Document (MDD) presents the relationship between the actual implementation in Multics and the model.
  3. MDD-003 Overview of the Multics TCB (Sibert, W. Olin) Overview of the Multics Virtual Memory System, Metering, and the Supervisor.
  4. MDD-004-01 Multics Functional Testing (Dickson, Paul) This MDD contains documentation on the Multics Functional Testing Suite.
  5. MDD-005-02 System Initialization (Farley, Paul) The internal organization of Multics System Initialization.
  6. MDD-006-01 Directory Control (Dixon, Gary C.) Internal Organization of the Directory Control and the Address and Name Space Management functions within the Multics system.
  7. MDD-007-01 VTOCE File System (Sharpe, Ed) The management and internal organization of storage system physical disk volumes on Multics.
  8. MDD-008 Online Storage Volume Management (Sharpe, Ed) This MDD describes the management of Online Storage Volumes.
  9. MDD-009 Resource Control Package (Pozzo, Maria M.) This MDD covers the management and internal organization of resources (devices and volumes) on Multics.
  10. MDD-010-01 System / User Control (Swenson, E., and Jim Lippard) The management and internal description of the system/user control subsystem on Multics.
  11. MDD-011 Page Control (Honeywell) unpublished
  12. MDD-012-01 I/O Interface (IOI) (Jones, Chris) This MDD describes the features and operations of the I/O interfacer (IOI), as well as those hardware features which make its operation possible.
  13. MDD-013 Multics Message Segment Facility (Pandolf, Michael A.) Description and documentation of the internal and user interfaces of the Multics Message Segment Facility.
  14. MDD-014 Hierarchy Backup Dumper (Honeywell) unpublished
  15. MDD-015 Interprocess Communication (Honeywell) unpublished
  16. MDD-016 Volume Backup Dumper (Honeywell) unpublished
  17. MDD-017 Multics I/O SysDaemon (Gilcrease, George) An overview of the operation of the I/O SysDaemon. The scope of this document is a synopsis of the I/O SysDaemon software: a description of the primary associated databases, and a narrative of the order of events and communication between the I/O SysDaemon coordinator process and a representative driver process.
  18. MDD-018 Reconfiguration (Honeywell) unpublished
  19. MDD-019 Traffic Control (Coren, Robert S.) This document describes the policies and algorithms of Multics Traffic Control, which is that part of the supervisor that manages the allocation of processors among processes.
  20. MDD-020 Multics Runtime Environment (Weaver, Melanie) Explanation of the runtime environment, including process structure and initialization, ring crossing mechanisms, object format and dynamic linking, area management, and condition signalling and handling.
  21. MDD-021 Fault and Interrupt Handling (Honeywell) unpublished
  22. MDD-022 System Administration (Honeywell) unpublished
  23. MDD-023 Online T&D (Honeywell) unpublished
  24. MDD-024 System Logging (Sharpe, Ed) Describes the system logging mechanisms. This document also provides a foundation for MDD-029 "Security Auditing".
  25. MDD-025 Hardcore I/O (Honeywell) unpublished
  26. MDD-026 Salvaging and Scavenging (Honeywell) unpublished
  27. MDD-027 MCS (Honeywell) unpublished
  28. MDD-028 SysDaemons (Honeywell) unpublished
  29. MDD-029 Security Auditing (Sharpe, Ed) Describes the system security audit trail. Some descriptions in this document are dependent upon the contents of MDD-024 "System Logging".

Multics Operating Staff Notes

Documents given to machine operators at the MIT and GE/Honeywell development sites. Later incorporated into Honeywell manuals.

  1. MOSN-A001 Operational Changes for MR4.0 (Van Vleck, T. H.) Initial operator documents for NSS, describing BOS changes and operator command changes. (2.0M pdf)

Multics Alternative Documentation

Here is a list, thanks to Bruce Sanderson, of documents produced by Warren Johnson and Jim Homan, describing operational lore useful to site analysts and operators.

  1. MAD-001 Multics Alternative Documentation, 10/29/80, Johnson, W.
  2. MAD-001.A Multics Alternative Documentation, 2/20/81, Johnson, W.
  3. MAD-001.B Multics Alternative Documentation, 3/3/81, Johnson, W.
  4. MAD-002 Reading Processor Lights, 10/29/80, Johnson, W.
  5. MAD-003 Multics Metering and Tuning, 10/30/80, Johnson, W.
  6. MAD-003.A Multics Metering and Tuning, 2/24/81, Johnson, W.
  7. MAD-004 Channel Master File, 11/5/80, Johnson, W.
  8. MAD-004.A Channel Master File, 4/17/81, Johnson, W.
  9. MAD-005 Disk Space Monitoring, 11/10/80, Homan, J.
  10. MAD-005.A Disk Space Monitoring, 7/7/81, Homan, J.
  11. MAD-006 So you're going to 6250 bpi..., 11/13/80, Homan, J.
  12. MAD-007 Operator Message Facility, 11/18/80, Homan, J.
  13. MAD-008 Recovery from ESD Failure, 11/18/80, Homan, J.
  14. MAD-009 Knocking the Initializer out of a loop, 11/19/80, Johnson, W.
  15. MAD-010 Sending Interrupt from IOM to System Console, 2/25/81, Johnson, W.
  16. MAD-011 Fac_Totum.SysDaemon, 4/22/81, Homan, J., and W. Johnson
  17. MAD-011.A Factotum.SysDaemon, 7/7/81, Homan, J., and W. Johnson
  18. MAD-011.B Factotum.SysDaemon, 7/21/81, Homan, J., and W. Johnson
  19. MAD-012 Multics Failure Analysis, 5/21/81, Johnson, W.
  20. MAD-013 RCPRM For Tape Library Management, 6/1/81, Homan, J.
  21. MAD-014 Setting SAT Bit Count, 8/3/81, Johnson, W.
  22. MAD-015 Site Library Maintenance, 5/10/82, Homan, J., and W. Johnson
  23. MAD-016 Auto-Reboot Redone, 7/30/82, Homan, J.
  24. MAD-017 Yet Another start_up.ec Spiel, 3/29/83, Homan, J.
  25. MAD-018 Tools For Maintaining System Tables And Exec_coms, 3/29/83, Homan, J.
  26. MAD-019 Installing A New Multics Site, 5/31/83, Homan, J.
  27. MAD-020 Survey of Privileged Accesses, 3/28/83, Homan, J.

Local Site memos

Memos local to particular sites.

  1. MIT IPC, MIT Author Maintained Library, April 1975

    Documentation for 34 commands, 7 active functions, and 25 subroutines contributed by the MIT user community, including XPL, TECO and BCPL. (5.6M pdf)

  2. MIT IPC, MIT Installation Maintained Library, July 1974

    Documentation for 5 commands and 2 subroutines installed locally at the MIT site, including Multics versions of BMD and SSP. (1.8M pdf)