Last week I participated in a very geeky panel discussion about a now-defunct standard for computer system security: the TCSEC. I showed some charts and diagrams about costs, error rates, and adoption of government-sponsored programs for evaluating computer security. During the panel, some audience members made the following claim:
“After its evaluation, Multics never needed a security patch.”
I admit I find this hard to believe, and it’s not consistent with my own Multics experience. However, most of my Multics experience predated the evaluation. So I ask: does anyone know if Multics had a security patch after its B2 TCSEC evaluation?
Aside from random earlier pokes at Multics while doing ARPANET maintenance in the late ’70s, I never really used Multics until I worked at Honeywell in the early 1980s. Since Multics was a Honeywell product, we generally installed the latest and greatest Multics version on our site. After I left Honeywell, I re-encountered Multics through NSA’s DOCKMASTER system. This system was pretty well locked down so I can’t say much about whether it was security patched or not. No doubt the answer to that question exceeds the default security clearance of this blog’s readership.
People were comfortable with Multics security, but I vaguely remember people referring to unexpected problems that were found and fixed. Even then, before the official Multics security evaluation, people felt that Multics was a secure, well-designed system. But I don’t remember people believing that it would never, ever require patching.
I don’t think it’s possible to leave a security system unpatched indefinitely. While it’s true that the system might in be flawless in some formal sense, it doesn’t operate in a formal world. A practical view of security doesn’t factor out its informal aspects. Those aspects hide the cracks that any sensible attacker will exploit.