.PAPER SIZE 55,60
.TITLE ^^VIRTUAL DISK / DATA SECURITY PACKAGE\\
.SPACING 1
.LEFT MARGIN 5
.RIGHT MARGIN 55
.CENTER ^^HOW TO ACHIEVE DATA SECURITY\\
.CENTER ^^WITHOUT REALLY TRYING\\
.PARAGRAPH
^WHEN A COMPUTER FACILITY USES A ^^PDP11\\-BASED DATA SYSTEM FOR ITS RECORD KEEPING, IT HAS A USEFUL OPERATING SYSTEM FOR TIME-SHARING WORK, ^^IAS\\. ^HOWEVER, WHILE ^^IAS\\-BASED SYSTEMS ARE ABLE TO PERFORM MANY DATA BASE MANAGEMENT OPERATIONS, THEY ARE NOT ALWAYS ABLE TO SAFEGUARD THEMSELVES AGAINST USERS WHO ATTEMPT TO MODIFY THOSE DATA BASES ILLICITLY, AND THEY CANNOT EASILY PROTECT THEMSELVES AGAINST USERS WHO, THROUGH INTENT OR ERROR, ALLOCATE HUGE AMOUNTS OF BULK STORAGE TO THEMSELVES AND CAUSE OTHER USERS' REQUESTS FOR SPACE TO FAIL. ^THE ^^FILES-11\\ PROTECTION SCHEME WORKS REASONABLY WELL AGAINST USERS WHO CANNOT ENTER ^^MCR\\ MODE, BUT THOSE WHO CAN ARE ABLE TO DEFEAT IT, TO THE POSSIBLE DANGER OF THE DATA. ^THIS IS ESPECIALLY SERIOUS WHERE PEOPLE WORK AFTER HOURS AND THUS HAVE ACCESS TO THE SYSTEM CONSOLE WHEN IT MAY BE UNATTENDED.
.PARAGRAPH
^THE ^VIRTUAL ^DISK FACILITY ADDRESSES BOTH OF THESE PROBLEMS. ^IT ALLOWS AN INSTALLATION TO SET UP ONE OR MANY VIRTUAL DISKS ON THE PUBLIC STORAGE AREA, EACH WITH A PREDEFINED TOTAL SPACE. ^A VIRTUAL DISK NEVER GROWS, SO ANYONE DOING DEVELOPMENT ON ONE CANNOT ALLOCATE MORE THAN THAT AMOUNT OF STORAGE, WHATEVER HE DOES. ^BY DEFAULT ANYONE MAY ACCESS AN UNCIPHERED VIRTUAL DISK (THOUGH THE RESTRICTIONS ENFORCED FOR CIPHERED PACKS MAY BE APPLIED TO IT BY A LOAD-TIME OPTION). ^ALL THAT IS NEEDED TO USE ONE IS, AT MOST, A REASSIGNMENT OF ^^LUN\\S PRIOR TO RUNNING A TASK. ^WHERE THE VIRTUAL DISK FACILITY IS IN USE, THE SYSTEM MAY ROUTINELY ERASE ALL FILES IN A USER'S ACCOUNT (POSSIBLY EXCEPTING TASK IMAGES), SINCE HIS WORKING FILES SHOULD BE ON HIS VIRTUAL DISK.
^A VIRTUAL DISK SHOULD NOT BE USED TO INSTALL TASKS FROM, BUT FOR ALL OTHER PURPOSES IT FUNCTIONS EXACTLY AS A REAL DISK DOES.
.PARAGRAPH
^WHERE AN INSTALLATION IS CONCERNED THAT A SENSITIVE DATA BASE MIGHT BE TAMPERED WITH, THE VIRTUAL DISK FACILITY IS ABLE TO ENCIPHER THE ENTIRE DISK USING A 64-BIT KEY THAT IS NEVER STORED ON DISK. ^THE HANDLER WILL THEN (UNLESS AN OVERRIDE IS SPECIFIED BY THE SYSTEM MANAGER AT SYSTEM STARTUP) RESTRICT ACCESS TO A PREDEFINED LIST OF ACCOUNTS. ^NOTE THAT EVEN THE SYSTEM MANAGER CANNOT ACCESS DATA ON AN ENCIPHERED DISK UNLESS HE KNOWS THE KEY, AND HE CANNOT SAVE THE SYSTEM WITH A HANDLER RUNNING AND CONTAINING VALID KEYS. ^FURTHERMORE, THE KEYS ARE READ IN AND THEN TRANSFORMED, SO THAT THE KEY ACTUALLY USED IN CORE HAS NO RESEMBLANCE TO THE KEY ENTERED. ^IT IS DOUBTLESS SIMPLER TO DUMP THE ENTIRE MEMORY TO FIND THE KEY THAN TO ATTEMPT TO BREAK A 64-BIT KEY, BUT IT IS NOT SIMPLE EVEN TO DO THAT. (^THE TRANSFORMATION IS KNOWN TO ANYONE WHO HAS THE HANDLER SOURCE, SO IT HIDES THE KEY FROM CASUAL INSPECTION OF CORE RATHER THAN ADDING STRENGTH TO THE CIPHER; THE REAL SAFEGUARD IS THAT THE KEY IS NOT IN CORE AT ALL ONCE THE HANDLER IS UNLOADED.) ^ALL ONE NEEDS TO DO TO SAFEGUARD AGAINST AFTER-HOURS SKULDUGGERY IS TO UNLOAD THE HANDLER AT THE END OF THE NORMAL DAY; THE KEYS ARE ERASED THEN, AND A HOSTILE USER CAN EXAMINE CORE ALL HE LIKES WITHOUT LEARNING THEM.
.PARAGRAPH
^SEVERAL LAYERS OF SECURITY ARE AVAILABLE FROM THE SYSTEM.
.PARAGRAPH
^THE DATA BASE IS ENCIPHERED WITH A LONG KEY AND A POWERFUL ALGORITHM (RELATED TO THE ^^D.E.S.\\ ALGORITHM, BUT WITH ADDITIONAL OPERATIONS ON THE DATA FIRST), SO THAT THE FILE CONTAINING IT LOOKS LIKE GARBAGE TO SOMEONE EXAMINING IT WITHOUT USING THE ^^VD:\\ HANDLER. ^THE BITMAPS AND FILE HEADERS ARE ENCIPHERED TOO, SO THAT NOT EVEN THE STRUCTURE OF THE VOLUME IS VISIBLE.
.PARAGRAPH
^THE CIPHER KEYS ARE STORED ONLY IN THE HANDLER PROPER, AND MUST BE ENTERED EVERY TIME IT IS BROUGHT UP. (^THEY ARE NOT ECHOED WHEN READ.) ^THEY ARE MODIFIED AFTER BEING READ TO FURTHER CONFUSE THE CURIOUS.
.PARAGRAPH
^THE HANDLER USES FILES ON A REAL ^^RSX/IAS\\ DISK FOR ITS DATA, WHICH IT OPENS WHEN LOADED AND CLOSES AT HANDLER UNLOAD.
^THIS PREVENTS ANYONE FROM DISMOUNTING THE DISK IN USE, WHICH IN TURN PREVENTS THE SYSTEM FROM BEING SAVED WITH A RUNNING ^^VD:\\ HANDLER. ^ALSO, ANY POWER FAIL OR SYSTEM RESTART WILL CAUSE THE HANDLER TO ERASE ANY KEYS ENTERED.
.PARAGRAPH
^THE HANDLER CONTAINS TWO LISTS OF ACCOUNTS ABLE TO ACCESS EACH DISK. ^THE FIRST IS A LIST OF SYSTEM ACCOUNTS (FOR THE ^^ACP\\, ^^MOU\\, ETC.) THAT MAY READ THE DISK. ^THE SECOND LIST IS UNIQUE TO EACH UNIT AND CONTAINS ALL OTHER PERMITTED ACCOUNTS. ^^FILES-11\\ PROTECTION ON FILES AND VOLUMES REMAINS AVAILABLE, AND IS SUPPLEMENTED BY THE HANDLER'S REFUSING ACCESS TO THE VOLUME BY ANY ACCOUNT NOT ON THE LISTS THAT ARE TASKBUILT INTO IT. ^THERE ARE OVERRIDES, BUT THESE ARE ENTERED ALONG WITH THE KEYS AND CAN ONLY BE CHANGED AT HANDLER LOAD. ^SINCE AN INSTALLATION MAY WANT TO DO FURTHER CHECKING OF ACCESS RIGHTS, A USER-DEFINED SUBROUTINE IS CALLED WHICH HAS AVAILABLE TO IT SUFFICIENT INFORMATION TO CHECK EACH ACCESS. ^THIS SUBROUTINE IS PASSED THE UNIT NUMBER OF THE "DISK" IN ^R0, THE ADDRESS OF THE ^^IORQ\\ NODE OF THE ^I/^O REQUEST IN ^R1, AND THE ^^UIT\\ (DRIVER-RESIDENT ^UNIT ^IDENTIFICATION ^TABLE) ADDRESS IN ^R2. ^THIS IS SUFFICIENT INFORMATION TO ALLOW CHECKING OF TASK NAMES AGAINST A LIST, OF SPECIAL PRIVILEGE BITS IN THE TERMINAL ^^PUD\\ ENTRY OF THE CALLER, OR ANYTHING ELSE DESIRED. ^FOR EXAMPLE, IF A DISK WERE USED FOR AN ENCIPHERED DATA BASE, THE SUBROUTINE MIGHT TEST WHETHER THE CALLING TASK WAS THE ^^ACP\\ OR THE DATA BASE MANAGEMENT SYSTEM'S DISK ^I/^O TASK, AND REJECT ALL OTHER ACCESSES. ^THE "ALLOW ALL USERS" OVERRIDE COULD BE USED INITIALLY TO MOVE THE DATA BASE ONTO THE CIPHERED DISK (E.G., WITH ^^PIP\\), AND NOT USED THEREAFTER. ^THIS ALLOWS INSTALLATIONS TO DEFINE WHAT SECURITY THEY NEED WITHIN VERY BROAD LIMITS. ^THESE ACCESS RESTRICTIONS MAY BE ENFORCED EVEN FOR UNCIPHERED DATA IF THE INSTALLATION WISHES.
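.PARAGRAPH
^THE FOLLOWING ^PYTHON PROGRAM IS AN ADDED ILLUSTRATION OF THE ENCIPHERED VIRTUAL DISK DESCRIBED ABOVE: THE FIXED-SIZE CONTAINER FILE, A KEY THAT IS HELD ONLY IN CORE AND TRANSFORMED BEFORE USE, ERASURE OF THE KEY AT UNLOAD, AND SECTOR-BY-SECTOR ENCIPHERMENT WITH BITMAPS AND HEADERS TREATED LIKE ANY OTHER SECTOR. ^IT IS NOT THE ^^VD:\\ HANDLER'S CODE. ^THE CIPHER IS A SMALL ^FEISTEL NETWORK BUILT ON ^^SHA-256\\, STANDING IN FOR THE HANDLER'S ^^D.E.S.\\-RELATED ALGORITHM; THE SECTOR SIZE, THE CONTAINER LAYOUT AND FILE NAME, THE PER-BLOCK TWEAK, AND THE USE OF A DIGEST AS THE KEY TRANSFORM ARE ALL ASSUMPTIONS MADE FOR THE EXAMPLE, AND THE RECORD WRITTEN TO THE DISK IS MADE UP.

```python
"""Fixed-size, enciphered virtual disk kept in an ordinary file.

Added illustration, not the VD: handler's code.  The cipher is a Feistel
network on SHA-256 standing in for the handler's DES-related algorithm;
sector size, layout, tweak and key transform are assumptions.
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512                  # bytes per virtual sector (assumed)
BLOCK = 8                     # 64-bit cipher block, as for DES
ROUNDS = 8
UNCIPHERED_KEY = "?" * 16     # the page's "16 question marks" key


def transform_key(entered):
    """Turn the 16-character key typed at load into the working key.

    None means an unciphered unit.  The working key is a digest of what was
    typed, so the key in core bears no resemblance to it (the page describes
    such a transform; using a digest is our choice, not theirs)."""
    if len(entered) != 16:
        raise ValueError("key must be exactly 16 characters")
    if entered == UNCIPHERED_KEY:
        return None
    return hashlib.sha256(b"VD-key:" + entered.encode()).digest()


def _feistel(key, block, decrypt):
    """Encrypt or decrypt one 8-byte block with a keyed Feistel network."""
    left, right = block[:4], block[4:]
    rounds = reversed(range(ROUNDS)) if decrypt else range(ROUNDS)
    for r in rounds:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return right + left       # undo the last swap so decrypt mirrors encrypt


def cipher_sector(key, sector, data, decrypt):
    """Block by block; each block is XORed with its position first so equal
    records in different places do not give equal ciphertext."""
    out = bytearray()
    for i in range(0, SECTOR, BLOCK):
        blk, tweak = data[i:i + BLOCK], struct.pack("<II", sector, i // BLOCK)
        if decrypt:
            out += bytes(a ^ b for a, b in zip(_feistel(key, blk, True), tweak))
        else:
            out += _feistel(key, bytes(a ^ b for a, b in zip(blk, tweak)), False)
    return bytes(out)


class VirtualDisk:
    """One VD: unit: a container file of fixed size plus a key held in core."""

    def __init__(self, path, nsectors, entered_key):
        self.path, self.nsectors, self.loaded = path, nsectors, True
        self.key = transform_key(entered_key)   # never written to the file
        if not os.path.exists(path):            # allocate the whole disk once
            with open(path, "wb") as f:
                f.write(b"\0" * (nsectors * SECTOR))

    def _check(self, sector):
        if not self.loaded:
            raise IOError("handler unloaded")
        if not 0 <= sector < self.nsectors:     # the disk never grows
            raise IOError("sector beyond end of virtual disk")

    def write(self, sector, data):
        self._check(sector)
        if len(data) != SECTOR:
            raise ValueError("transfers are whole sectors")
        raw = data if self.key is None else cipher_sector(self.key, sector, data, False)
        with open(self.path, "r+b") as f:
            f.seek(sector * SECTOR)
            f.write(raw)

    def read(self, sector):
        self._check(sector)
        with open(self.path, "rb") as f:
            f.seek(sector * SECTOR)
            raw = f.read(SECTOR)
        return raw if self.key is None else cipher_sector(self.key, sector, raw, True)

    def unload(self):
        """Handler unload or power fail: erase the key from core."""
        self.key, self.loaded = None, False


def demo():
    """Exercise one unit; returns what was observed as booleans."""
    path = os.path.join(tempfile.mkdtemp(), "VD0.DSK")
    record = b"PAYROLL 0001 SMITH      12345.00".ljust(SECTOR, b" ")  # made up
    vd = VirtualDisk(path, nsectors=4, entered_key="ABCDEF0123456789")
    vd.write(1, record)
    roundtrip = vd.read(1) == record
    with open(path, "rb") as f:
        raw = f.read()
    hidden = b"PAYROLL" not in raw and b"ABCDEF0123456789" not in raw
    wrong_key = VirtualDisk(path, 4, "ABCDEF0123456780").read(1) != record
    try:
        vd.write(4, record)
        grew = True
    except IOError:
        grew = False
    with open(path, "r+b") as f:              # flip one bit of ciphertext
        f.seek(SECTOR + 16)
        b = f.read(1)[0]
        f.seek(SECTOR + 16)
        f.write(bytes([b ^ 1]))
    t = vd.read(1)                            # only that 8-byte block garbles
    tamper_local = t[:16] == record[:16] and t[16:24] != record[16:24] and t[24:] == record[24:]
    vd.unload()
    return dict(roundtrip=roundtrip, hidden=hidden, wrong_key_garbage=wrong_key,
                grew=grew, tamper_local=tamper_local, key_erased=vd.key is None)
```

.PARAGRAPH
^RUNNING DEMO() WRITES ONE RECORD AND READS IT BACK, SHOWS THAT NEITHER THE RECORD NOR THE TYPED KEY CAN BE FOUND IN THE CONTAINER FILE, THAT A WRONG KEY YIELDS GARBAGE, THAT A WRITE BEYOND THE LAST SECTOR IS REFUSED RATHER THAN GROWING THE FILE, THAT ALTERING ONE BYTE OF CIPHERTEXT GARBLES EXACTLY THE 8-BYTE BLOCK IT LIES IN (THE SENSE IN WHICH AN ENCIPHERED DISK "RESISTS MODIFICATION"), AND THAT NOTHING OF THE KEY REMAINS AFTER UNLOAD.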
.PARAGRAPH
^THUS, THE USER OF AN ENCIPHERED DATA BASE HAS ALL THE ^^FILES-11\\ PROTECTION AVAILABLE TO A PRIVATE VOLUME AND THE DATA ON IT, PLUS THE HANDLER'S PROTECTION, WHICH HE MAY MAKE AS EXTENSIVE AS HE LIKES. ^MORE, HE HAS A DATA BASE THAT WILL RESIST ATTEMPTS TO MODIFY IT AT TIMES WHEN LITTLE MONITORING IS AVAILABLE. (^ENCIPHERMENT BY ITSELF DOES NOT STOP SOMEONE WHO CAN WRITE THE UNDERLYING FILE FROM DESTROYING DATA; WHAT IT GUARANTEES IS THAT A CHANGE MADE WITHOUT THE KEY DECIPHERS TO GARBAGE RATHER THAN TO PLAUSIBLE-LOOKING RECORDS. ^KEEPING SUCH A USER FROM WRITING THE FILE AT ALL IS THE JOB OF THE ACCESS LISTS AND OF THE ^^FILES-11\\ PROTECTION ON THE CONTAINER FILE.) ^ALL THIS IS AVAILABLE WITH ^^NO MODIFICATIONS TO ANY DATA BASE HANDLING SOFTWARE\\; ONE MUST ONLY DIRECT THE ^^I/O\\ OF SUCH SOFTWARE TO THE VIRTUAL DISK RATHER THAN THE REAL ONE TO USE THESE FEATURES.
.PARAGRAPH
^IN ADDITION TO THE CIPHER KEY, ONE MAY ENTER AN EXTRA CHARACTER THAT SPECIFIES VARIOUS OVERRIDE CONDITIONS FOR DATA ACCESS. ^THE DEFAULT OVERRIDES MAY BE CHANGED VIA A TASKBUILDER GLOBAL PATCH, BUT ONE CAN SPECIFY AT HANDLER LOAD ANY OF THE FOLLOWING, FOR EACH UNIT:
.LEFT MARGIN 10
.SKIP 1
.INDENT -5
1. ^DEFAULTS APPLY AS STATED; THAT IS, CIPHERED DISKS ARE ACCESS CHECKED, AND UNCIPHERED DISKS (OBTAINED BY ENTERING A SPECIAL "KEY" CONSISTING OF 16 QUESTION MARKS) MAY BE ACCESSED BY ANYONE.
.INDENT -5
2. ^ACCESS CHECKS ARE MADE ON UNCIPHERED DISKS AS WELL AS CIPHERED ONES.
.INDENT -5
3. ^A SIMPLIFIED ENCRYPTION ALGORITHM MAY BE USED TO ENCRYPT AND DECRYPT THE DATA. ^THIS ALGORITHM RUNS FASTER THAN THE NORMAL ONE, BUT IS MUCH LESS SECURE. ^A DISK MAY BE ENCIPHERED BY ONE OR THE OTHER ALGORITHM; THEY CANNOT BE MIXED ON A SINGLE UNIT, SINCE THE ALGORITHMS AND THEIR RESULTS ARE DIFFERENT.
.INDENT -5
4. ^ALL ACCESS MAY BE DENIED TO THE UNIT (EFFECTIVELY PUTTING THE UNIT SOFTWARE OFFLINE, WHERE ONE WANTS TO GUARD AGAINST ACCIDENTAL DAMAGE TO DATA). ^THIS IS THE NORMAL CHOICE WHEN THE CORRECT KEY IS NOT AVAILABLE AT LOAD TIME, SINCE THE OWNER OF THE DATA BASE WANTS IT TO STAY SECURE. ^IT PREVENTS ANYONE USING ^^INI\\TVOLUME TO RE-INITIALIZE THE DISK.
.INDENT -5
5. ^ACCESS MAY BE PERMITTED WITHOUT RESTRICTION. (^THE ACCESS CHECK FLAG ON UNCIPHERED DISKS OVERRIDES THIS, HOWEVER.)
^THIS IS USEFUL WHERE VERY STRONG ACCESS RESTRICTIONS ARE NORMAL BUT A DATA BASE IS BEING PUT ONTO THE CIPHERED DISK FOR THE FIRST TIME. ^USE AT OTHER TIMES IS NOT RECOMMENDED.
.LEFT MARGIN 5
.PARAGRAPH
^NO CHANGES TO EXISTING SOFTWARE ARE NEEDED TO PROVIDE THESE SERVICES, AND IF SPARE DEVICES WERE INCLUDED IN THE LAST ^^SYSGEN\\, NOT EVEN A NEW ^^SYSGEN\\ IS REQUIRED TO IMPLEMENT THEM. ^THE ENCRYPTION ALGORITHM IS IN SOFTWARE AND WILL SLOW DOWN ACCESS SOMEWHAT (THE STRONG ALGORITHM IS MUCH SLOWER THAN THE WEAK ONE), SINCE EVERY TRANSFER IS ROUTED THROUGH THE HANDLER. ^FOR UNCIPHERED VIRTUAL DISKS NO CIPHERING DELAY IS IMPOSED, BUT SOME SPEED LOSS MAY STILL BE OBSERVED, BECAUSE EACH TRANSFER PASSES THROUGH THE ^^VD:\\ HANDLER BEFORE REACHING THE REAL DISK. ^FOR NORMAL CONSOLE USE THESE DELAYS ARE NOT EASILY NOTICED, BUT THEY ARE THE COST OF DATA SECURITY. ^IF THESE DELAYS ARE TOO COSTLY, HOWEVER, AN INSTALLATION CAN USE THE ^^VD:\\ SYSTEM TO KEEP SENSITIVE DATA ENCIPHERED AT NIGHT (VIA A COPY OPERATION) AND RETRIEVE IT NEXT DAY; ANY TAMPERING WITH THE CIPHERED COPY WHILE THE SYSTEM WAS UNGUARDED SHOWS UP AS GARBAGE WHEN IT IS DECIPHERED, RATHER THAN AS PLAUSIBLE BUT FALSE DATA.
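.PARAGRAPH
^THE FOLLOWING ^PYTHON PROGRAM IS AN ADDED ILLUSTRATION OF THE ACCESS DECISION THE HANDLER MAKES FOR EACH REQUEST: THE TWO TASKBUILT ACCOUNT LISTS, THE INSTALLATION'S OWN CHECKING SUBROUTINE, AND THE LOAD-TIME OVERRIDES NUMBERED ABOVE. ^IT IS NOT THE HANDLER'S CODE. ^THE ^^UIC\\S, THE TASK NAMES, THE LETTERS USED FOR THE OVERRIDE CHARACTER, AND THE TREATMENT OF THE SYSTEM-ACCOUNT LIST AS VALID FOR EVERY UNIT ARE ASSUMPTIONS MADE FOR THE EXAMPLE; THE ORDER OF THE TESTS FOLLOWS THE LIST ABOVE, INCLUDING THE RULE THAT THE ACCESS-CHECK FLAG ON AN UNCIPHERED UNIT TAKES PRECEDENCE OVER "ALLOW ALL".

```python
"""Per-request access decision of a virtual disk unit.

Added illustration, not the VD: handler's code.  UICs, task names and the
override letters are assumptions; the decision order follows the page's list.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

UNCIPHERED_KEY = "?" * 16          # the page's "16 question marks" key

# Load-time override conditions (numbers refer to the page's list; the
# letters that select them are assumed, the page does not give them).
CHECK_UNCIPHERED = "C"   # 2. access checks on unciphered units too
FAST_CIPHER = "F"        # 3. weaker, faster algorithm; not an access matter
DENY_ALL = "N"           # 4. unit software-offline, e.g. key unknown at load
ALLOW_ALL = "A"          # 5. no restriction, for loading the data base

# The first taskbuilt list: system accounts (ACP, MOU, ...).  Treating them
# as valid for every unit is an assumption; the UICs are made up.
SYSTEM_ACCOUNTS: FrozenSet[Tuple[int, int]] = frozenset({(1, 1), (1, 2)})


@dataclass(frozen=True)
class Unit:
    number: int
    entered_key: str
    flags: str = ""                                   # override characters
    accounts: FrozenSet[Tuple[int, int]] = frozenset()  # second (per-unit) list

    @property
    def ciphered(self) -> bool:
        return self.entered_key != UNCIPHERED_KEY


@dataclass(frozen=True)
class Request:
    """What the user subroutine can dig out of the IORQ node and PUD entry."""
    unit: int
    uic: Tuple[int, int]
    task: str


def site_hook(unit: Unit, req: Request) -> bool:
    """Installation-defined check, called once the list checks have passed.

    Here: on unit 1, which holds the ciphered data base, only the ACP and
    the DBMS disk I/O task may issue requests (task names are assumed)."""
    if unit.number == 1:
        return req.task in ("F11ACP", "DBMIO")
    return True


def check_access(unit: Unit, req: Request) -> bool:
    """True if the handler should accept the request."""
    if DENY_ALL in unit.flags:
        return False                      # 4: nothing at all, not even INI
    if not unit.ciphered and CHECK_UNCIPHERED not in unit.flags:
        return True                       # 1: unciphered units are open
    if ALLOW_ALL in unit.flags and unit.ciphered:
        return True                       # 5, except where 2 overrides it
    if req.uic not in SYSTEM_ACCOUNTS and req.uic not in unit.accounts:
        return False                      # on neither taskbuilt list
    return site_hook(unit, req)


def demo():
    """Decisions for a few constructed units and requests."""
    owner = frozenset({(200, 5)})
    payroll = Unit(1, "ABCDEF0123456789", accounts=owner)
    scratch = Unit(2, UNCIPHERED_KEY)
    checked = Unit(3, UNCIPHERED_KEY, flags=CHECK_UNCIPHERED, accounts=owner)
    loading = Unit(1, "ABCDEF0123456789", flags=ALLOW_ALL)
    offline = Unit(1, "0000000000000000", flags=DENY_ALL)
    return {
        "dbms_listed": check_access(payroll, Request(1, (200, 5), "DBMIO")),
        "pip_listed": check_access(payroll, Request(1, (200, 5), "PIP")),
        "dbms_unlisted": check_access(payroll, Request(1, (300, 1), "DBMIO")),
        "acp": check_access(payroll, Request(1, (1, 1), "F11ACP")),
        "scratch_open": check_access(scratch, Request(2, (300, 1), "PIP")),
        "scratch_checked": check_access(checked, Request(3, (300, 1), "PIP")),
        "loading": check_access(loading, Request(1, (200, 5), "PIP")),
        "offline": check_access(offline, Request(1, (1, 1), "INI")),
    }
```

.PARAGRAPH
^IN DEMO(), THE DATA BASE SYSTEM'S ^I/^O TASK RUNNING UNDER A LISTED ACCOUNT REACHES THE CIPHERED UNIT, ^^PIP\\ UNDER THE SAME ACCOUNT IS TURNED AWAY BY THE SITE SUBROUTINE, AN UNLISTED ACCOUNT IS TURNED AWAY BY THE LISTS, THE UNCIPHERED SCRATCH UNIT IS OPEN TO EVERYONE UNLESS THE CHECK FLAG WAS GIVEN AT LOAD, "ALLOW ALL" LETS ^^PIP\\ LOAD THE DATA BASE ONTO THE CIPHERED UNIT, AND "DENY ALL" TURNS EVERYTHING AWAY.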