WIXLIB

CITEDREFERENCESI, J. J. Donovan and S. E. Madnick. “Hierarchical approach to computer system integrity,” I B M S?.c.tc.msJorrrircrl14, No. 2. 188-202 (1975).2. P. Brinch-Hansen, “The nucleus of a multiprogramming system.” C ‘ o m m r r nic.crrion.r oJ’/hc’ACM 13, No. 4, 238-250 (April 1970).3. W. A. Wulf, et al., “Hydra-The kernelof a multiprocessor operating system.” Comm tnicc/tion,soj’thc A C M 17, N o . 6, 337-345 (June 1974).4. A. K. Jones and W. A . Wulf. “Towards the design of secure systems.” Proc,rcding.s o f t h e Workshop 011 Protrc./ion in Opcrcrting Systcms, I R I A . Rocquencourt, France, 121 - 134 (August 1974).5.A. K. Jones and R . J. Lipton,“Theenforcement of security policies forcomputation,” 5/11 Syrnpo.virrm o n OpProting .S,vstcm Principl(v, Op( rcltingSystems R 1 i e 1 No.3 9 , 5 (1975).6. M. D. Schroeder, C o o p r o t i o n o f ’ Mntrrally S l t s p i c i o r r s S n b r v . s t ni n ,(I ConrputcJr Utility. Ph. D. Thesis. MAC TR-104, Massachusetts Institute ofTechnology (September 1972).7. W. A. Wulf, “Reliable hardwarelsoftware architecture,” I E E E Tron.scrc,fion.\o n Sqftrt rrreEn,ginc,c,ring SE-1, No. 2, 233-240 (June 1975).8. Z. Manna, “The correctness of programs.” J O I I I I ofN I Compntrr und Syxf e r n Scicnc,r.s 2, I 19 - 127 (May 1969).9. J. P. Anderson, “Computer security technology planning study,” ESD-TR73-51 (October1972).10. P. G . Neumann et al., A Provah/v S c n Oprratingr Sys/c,m, SRI Project2581, Stanford Research Institute, Menlo Park, California 94025.11. J . P.Anderson.“Informationsecurityin amulti-usercomputerenvironment,” Advtrnws in Computers, M. Rubinoff.editor,1-35.AcademicPress, New York, New York( 1972).12. G. Popekand C. ��A F l P S Conjerenco Proceeding.\, Notionrrl Comprrtcr Conf2,rence 43, 145152 (1974).13. W. L. Schiller, Design of( Srcrtrity K r r n c l j h r ( I PDP-I 1/45, MITRE Technical Report, Bedford, Massachusetts (June 1973).14. R. A. Meyer and L. H. Seawright. “A virtual machine time-sharing system.”I B M Systems J o i r m c r l 9, No. 3, 199- 2 1 8 ( I970 j.15. G . S. actice,”A F l P S Conf(,renc.r Procerdings, Spring Joint Compirter ConJ’rronc,e40,417-429 (1972).16. J . S. Fenton, “Memoryless subsystems,” The Computrr Jolrrnal 17. No. 2,143-147 (May 1974).17. J. D. Bagley et al., “Sharing data and services in a virtual machine system,”5th Symposium o n Opcrcrting Systen? Princ.ip/e.s,O p ( l r t i l lLYy.\trms,qRel.iel1’9, NO. 5, 82-88 (1975).18. R. S. Fabry, “Dynamic verificationof operating system decisions,” Communicutions oj’tllr ACM 16, No. I I , 659-668 (November 1973).19. L. A. Belady and C . Weissman, “Experiments with secure resource sharingfor virtual machines,” Procrcdiwg.s o j / h e Worhshop on Protrr.fion it/ Operating Systems, IRIA, Rocquencourt, France, 27-33 (August 1974).20.J. K. Millen,“Securitykernelvalidationin practice,” 5 t h Symposirrnl o nOperating System Principles, OpcrtrtinK Sy.stcJm.5K c 1 i r t t9,. No. 5 , I O - 17 inSupplement to Proceedings ( 1975).21. J . H. Saltzer, “Protection and the controlof information in MULTICS,”Communicwtions o f t h c A C M 14, N o . 7, 388-402 (July 1974).C. S. Chandersekaran and K. S. ShankaPBurroughs CorporationPaoli, Pennsylvania 19301“Although the authors are associated with the Burroughs Corporation, the viewsexpressed in this letter are solely their own.NO.3.1976FOKUM

In our paper,’ we showed that a hierarchically structured operating system,suchasproducedby avirtual machine system,should provide substantially bettersoftwaresecuritythanaconventional two-level multiprogramming operating system approach. As noted in that paper, the hierarchical structure andvirtual machine concepts are quite controversial and,in fact, thepaper has received a considerable amount of attention, such asin the letter by Chandersekaran and Shankar.This letterprovidesafurtherconfirmation, clarification, andelaboration upon concepts introduced in our earlier paper. Furthermore, based upon our recent research, it is shown that suchvirtual machine systems have a significant advantage in the development of advanced decision support systems.backgroundandterminologyIn recentyearstherehasbeen a significant amount of researchand literature in thegeneralareas of securityandintegrity. Asnoted in ourpaper,thereaderis urged to use thereferences inthat paper as a startingpoint for further information on thesesubjects. Of special note, the report by Scherf2 provides a comprehensive and annotated bibliography of over 1,000 articles,papers, books, and other bibliographies on these subjects. Otherimportant sources include the six volumes of findings of the ISMData Security Study3 (theScherf report is included in Volume 4).Although there has been a considerable amount of attention andwriting devoted to these areas, a precise and standardized vocabulary has not yet emerged. As stated in the recent paper bySaltzer and Schroeder:‘ “The ’ are frequently used in connection with informationstoring systems. Not all authors use theseterms in the sameway.” As an example of the lack of a comprehensive terminology source, Chandersekaran and Shankar found it necessary todraw upon six different references to define less than a dozenterms. Hopefully, as this area matures and stabilizes, it will bepossible to reconcile these different viewpoints and arrive at amutually agreed upon and standardized set of terminology. Inthe meantime, the reader may wish to study the glossary provided in Saltzer and S h r o e d e rwhich, by the way, indicates thatprotection and security are essentially interchangeable terms inagreement with our usage and in contrastto theopinions ofChandersekaran and Shankar.270DONOVAN A N D MADNICKI B M SYST J

In our paper, it was shown that a hierarchically structured operating system can provide substantially better software securityand integrity thanaconventional two-level multiprogrammingoperatingsystem. A virtual machine facility, such as VM/370,‘makes it possible to convert a two-level conventional operatingsystem into a three-level hierarchically structured operating system.Furthermore,by using independentredundantsecuritymechanisms, a high degree of security is attainable.The proofs previously presented support the intuitive argumentthat a hierarchical-structured redundant-security approach basedupon independent mechanisms is better than a two-level mechanism or even a hierarchical one based on the same mechanism.More simply stated, if one stores his jewels in a safe, he maythink his jewels are more secure if he stores that safe inside another safe. But the foolish man might (so he won’t forget) usethe same combination for both safes. If a burglar figures out howto open the first safe (either accidently or intentionally), he willfindit easy to open the inside safe. However, if two differentlocking mechanisms and combinations are used, then the jewelsare more secure as the burglar must break the mechanism ofboth safes. As explained in our earlier paper,the virtual machineapproach can provide that additional security.The concept of “load” used in our paper is sometimes misunderstood, such as in the letter of Chandersekaran and Shankar. Itrefers to “the number of different requests issued, the variety offunctions exercised, the frequency of requests, etc.” (Reference1, page 195), not merely the number of users. Hence, our conclusion is supported in that a complex operating system supporting a wide range of users and special-purpose functions is morelikely to contain design and/or implementation flaws and is thussusceptible to integrity failures than a simpler operating system.Othershave also come to thisconclusion. For example, itisnoted in the concluding remarks of the recent study of VM/370integrity by Attanasio et that: “Thevirtual machine architecture embodied in V M / greatlyOsimplifies an operating systemin most areas and hence increases the probability of correct implementation and resistance to penetration.”There seems to be general agreement on the key point that thereshould be “. . . mechanismsthatenforcetheisolation ofdifferentlayers”asstatedby Chandersekaran and Shankar. Aspreviously stated (Reference 1, page 198), “in order to providetheneeded isolation, futureVMM’S may be designed with increased redundant security . . .” A source of possible confusionmay arise from the fact that some readers assume that our discussion of hierarchical operating systems and the VM/370 examVM/370 example is exactlyple are synonymous,whereas,thethat: an example. Mostof the V M / penetration Oproblems, suchNO.31976FORUM

as UO, noted by Chandersekaran and Shankar are attributableto the lack of independent redundant security mechanisms eitherin V M / orO in theoperatingsystemsrunning on the virtualmachines. For example, under standard VM/370, the CMS operating system provides minimal constraints on user-originated I/Oprograms. This is usually viewed as one of CMS’S advantages,from a flexibility point of view, but this does present unnecessary opportunities for penetration. In the V M / integrity Ostudyby Attanasio et al.,‘ it was reported that “Almost every demonstrated flaw in the system was found to involve the input/output(I/o) in some manner.” In other words,penetration was easiestinthe area where the approach of independent redundant securitymechanisms was not fully employed.Flaws, such as noted above, need not exist in a hierarchicallystructuredoperatingsystem.Without elaboratingunduly,Goldberg7has shown that it is possible to build economicalhardware support for the hierarchical structure so as to eliminate the need for the VMM to betrapped in order to processoperating system level interruptions. In fact, IBM has adopted someof these approaches as part of the “VM assist”’ hardware feature s .Additional usesandbenefitsproachof the virtual machine ap-Thus, although V M / containsOsome flaws,’ these flaws are notinherent in the virtual machine approach and can be eliminated.It is our understanding that various other computer manufacturers are also exploring this approach.Our recent research in the development of advanced decisionsupport systems,especially in the areaof energy policymaking,” lohas provided an example of additional uses and benefits of thevirtual machine approach. Advanced decision support systems”are characterized by:specifics of problem area are unknownproblem keeps changingresultsare needed quicklyresults must be produced at low costsdata neededforthoseresultsmay have complex securityrequirements since they come from various sources.This class of problems is exemplified by the public and privatedecision-making systems we have developed in the energy area.We have found that the problems that decision-makers in the

Figure 1f:eResidential consumption of energyinMassachusetts24Cv)30LY22c3 ;RESIDENTIAL CONSUMPTION OF ENERGY PER HOUSEHOLD IN MASSACHUSETTSA specific example of such a system can be found in our recently developedNew England Energy Management Information System (NEEMIS).” This facility is presently being used bythe state energy offices in New England for assisting the regionin energy policymaking.Many of the NEEMIS studies are concerned about the economicimpact of certain policies. For example, during a presentation ofNEEMIS’ at the November 7,1975 New England Governors’Conference, Governor Noel of Rhode Island requested an analysis of the impact on his state of a proposed decontrol programin light of likely OPEC oil prices. These results could be used in adiscussion at a meeting with President Ford later that afternoon.Thissituationillustratesseveralof therequirements (e.g., results needed quickly and problem not known long in advance)for an advanced decision support system.In other studies, it is often necessary to analyze and understandlong-term trends. For example, using data supplied by theArthur D. Little C O . , ’we were able to trace the trends in totalenergy consumption in an averageMassachusetts home from1962 to 1974. We were interested in studying the amount of increased consumption, the pattern of increase over the years, andthe extent to which conservation measures may have reducedconsumption in recent years. Figure 1 is the graph produced byNEEMIS showing energy consumption versus time. To our surNO.3*1976FORUM273

prise, it indicated a roughly continuous decrease in consumptionfor the average Massachusetts home throughout the entire period under study in spite of increased use of air conditioners andother electrical andenergy-consuming appliances.The object of this study suddenly changed to try to understandthe underlying phenomenon and validate various hypotheses. Inthis process, it was necessary to analyze several other data series and use additional models. Several important factors wereidentified including: ( 1 ) census data that indicated that the average size of a home unit had been getting smaller, (2) weatherdata that indicated that the region was having warmer winters,and ( 3 ) construction data that indicated that the efficiency ofheat-generating equipment had been improving.We had begun the analysis thinking that only consumption datawas needed; as it developed, a sophisticated analysis using several other data series was actually needed. This changing natureof the problem or perception of the problem is a typical characteristic in decision supportsystems. We have found similarproblems in our work in the development of a system of leadingenergy indicators for FEA” l 4 and in medical decision supportsystems.’’GMISapproachTo respond to the needs for advanced decision support systems,we havefocusedon technologies thatfacilitate transferability ofexisting models and packages onto one integrated system eventhough these programs may normally run under “seemingly incompatible’’ operatingsystems.Thisallows ananalysttorespond to a policymaker’s request more generally and at less costby building on existing work. Different existing modeling facilities,econometricpackages,simulation, statistical,data-basemanagement facilities canbe integrated intosuch a facility,which has been named the Generalized Management Information System (GMIS) facility.Further, because of the data management limitations of many ofthese existing tools (e.g., econometric modeling facilities), wehave also focused on ways to enhance at low cost their datamanagement capabilities. Our experience with virtual machines,discussed in the next section, indicates it is a technology thathas great benefit in all the above areas.GMISconfiguration274Under an M.I.T./IBM JointStudyAgreementwehavedevelopedthe GMIS software facilityIfitosupporta configuration of virtualmachines. The present implementation operates on an IBM system/370 Model 158 at the IBM Cambridge Scientific Center.17The present configuration is depicted in Figure 2 whereeachbox denotes a separate virtual machine. Those virtual machinesacross the topof the figure each contain their own operating sysDONOVAN A N D MADNICKIBM SYST J

Figure 2Overview of thesoftwarearchitectureof GMlSMULTIUSERINTERFACE" CHINEtern andexecute programs thatprovide specific capabilities,whether they be analytical facilities, existing models, or database systems. All these programs can access data managed bythe general data management facility running on the VM ( 1 ) virtual machine depicted in the center of the page.A sample use of the CMIS architecture might proceed as follows.Auseractivatesamodel, say in the APL EPLAN machine(EPLAN" is an econometric modeling package).That modelrequests data from thegeneral data base machine (called theTransaction Virtual Machine, orTVM), which responds by passing back the requested data. Note that all the analytical facilitiesand data base facilities may be incompatible with each other, inthat they may run under different operating systems. The communications facility between virtual machines in CMIS is described in References 16 and 19.GMlS softwarehasbeen designed using ahierarchicalapproach.1"21Several levels dfsoftware exist, where eachlevel onlycalls the level below it. Each higher level contains increasinglymore general functions and requires less user sophistication foruse.Users of each virtual machine havetheincreasedprotectionmechanism discussed in ourpaper.' We havealso found increased effectiveness in using systemsthatwerepreviouslybatch-oriented but can be interactive under VM.We remain enthusiastic about the potential of virtual machineconcepts and strongly recommend this approach. VM technologycoupled with other technologies, namely, interactive data basesystems and hierarchical system structuring have distinct comparativeadvantagesforabroad class of problems, especialiyin decision support systems.NO.3.1976FORUM

the potential of VM concepts. One such area is to extend theconfiguration of Figure 2 to add access to other datamanagement systems. However, more research is needed in the unresolved issues of locking, synchronization, and communicationbetween the virtual machines and related performance issues.We suspect our arguments will not completely resolve the controversy regarding virtual machine systems. But for users, decision makers, and managers, we want to add hope that this technology can greatly aid in providing tools to them.ACKNOWLEDGMENTWe wish to acknowledge the following organizations for theirsupport of work reported herein.The initial research on security and integrity issues was supported in part by the IBM Data Security Study.The recent applications of the virtual machine approach to decision supportsystemshavebeen supported in part by theM.I.T./IBM JointStudyon information systems.Specialrecognition is given to the staff of the IBM Cambridge ScientificCenter for their help in implementing these ideas and to Mr.Greenberg, coordinators of the Joint Study for their managerialsupport.We acknowledgethemembers of the IBM San Jose ResearchCenter for the useof their relational data base system,SEQUEL,"and for their assistance in adapting that system for use withinGMIS and energy applications.The development of the New England Energy Management Information System was supported in part by the New EnglandRegional Commission under Contract No. 1053068.Other applications of this work were supported by the FederalEnergy Office Contract No. 14-01-001-2040 and The NationalFoundation/March of Dimes contract to the Tufts NewEnglandMedical Center.We acknowledge the contributions of our colleagues within theSloan School's Center for Information SystemsResearchandwithin the M . I . T . Energy Laboratoryfortheirhelpful suggestions, especially those of Michael Scott Morton, Henry Jacoby,

CITED REFERENCES AND FOOTNOTE1 . J . J . Donovan and S. E. Madnick, “Hierarchical approach to computer system integrity,” I B M Systems Journul 14, No. 2, 188- 202 ( 1975).2. J. Scherf, y,Master’s Thesis,MassachusettsInstituteof Technology, Alfred P. SloanSchool of Management, Cambridge, Massachusetts (1973).3. DatuSecurityundDatuProcessing,Volumes 1-6,Nos.G320-1370(3320-1376,IBMCorporation,Data ProcessingDivision,White Plains,New York (1974).4. J. H. Saltzer and M. D. Schroeder, “The protection of information in computer systems,” Proceedings o f t h e IEEE 63, No. 9, 1278- 1308 (September 1975).5. IBMVirtualMachineFacility/370: Introduction, No. ite Plains, New York (July1972).6. C. R. Attanasio, P. W. Markstein, and R. J. Phillips, “Penetrating an operating system: a study of VM/370 integrity.” IBM Systems Journul 15, No. 1,102- I I6 (1976).7.R.P.Goldberg,ArchitecturulPrinciples J;ir iversity,Cambridge, Massachusetts (November 1972) .8. F. R. Horton,“Virtual machine assist: Performance,” Guide 37, Boston,Massachusetts (1973).9. Energy Indicutors, Final working paper submitted to the F.E.A. in connection with a study of Information Systems to Provide Leading Indicators ofEnergy Sufficiency, M.I.T. Energy Laboratory Working PaperNo.MITEL-75-004WP (June 1975).IO. J. J. Donovan, L. M. Gutentag, S. E. Madnick, and G . N . Smith, “An application of a generalized management information system to energy policy anddecision making-The user’s view,” AFIPS Conference Proceedings, Nutional Computer Conference ( I 975).1 I . G. A. Gorry and M. S. Scott Morton, “A fr

mation is one case of a potential security violation." The pos- sibility of correct information modification after a security violation has taken place usually does not occur in practice. If one could design a system such that there is no modification of infor- mation possible after a security violation has been detected, this