Multics (original) (raw)
Multics (Multiplexed Information and Computing Service) was an extraordinarily influential early time-sharing operating system.
Initial planning and development for Multics started in 1964. Originally it was a cooperative project led by MIT (with Fernando Corbató), along with General Electric and Bell Labs. Bell Labs dropped out in 1969, and in 1970 GE's computer business, including Multics, was taken over by Honeywell.
Multics was conceived as a commercial product for GE, and it did achieve that for Honeywell, although it was not a very successful one. However, it had a powerful impact in the computer field, due to its many novel and valuable ideas; in particular, the Unix system (produced by Bell Labs personnel who had worked on Multics) and its derivatives, such as Linux, are in good part descended from Multics. Although it was much derided at the time by its critics [1], history has shown these complaints to be canards.
Among it many new ideas, it was the first operating system to provide a hierarchical file system, a feature that can be now found in virtually every operating system. It had numerous features intended to result in high availability, so that it would produce a computing utility, similar to the telephone and electricity services. To achieve this, in addition to being modular in software structure, the hardware was too, and the system could grow in size by simply added more of the appropriate resource - computing power, main memory, disk storage, etc. It was the first to have a command processor implemented as ordinary user code - an idea later used in the Unix shell (although the details are different, since Multics possessed powerful mechanisms which Unix lacks). Separate Access Control Lists on every file provided flexible information sharing, but also provided complete privacy when needed. It contained a number of standard mechanisms to allow engineers to analyze the performance of the system, as well as a number of adaptive performance optimization mechanisms. Even this extensive list does not encompass all of Multics' new ideas, though.
Novel Ideas
Multics was especially interesting for deliberately discarding a clear distinction between files (called segments in Multics) and process memory. The memory of a process consisted solely of segments which were mapped into its address space; to read or write to them, the process simply used normal CPU instructions, and the operating system took care of making sure that all the modifications were saved to disk. In POSIX terminology, it was as if every file was mmap()
ed; however, in Multics there was no concept of process memory, separate from the memory used to hold mapped in files, as Unix has. All memory in the system was part of some segment, which appeared in the file system; this included the temporary scratch memory of the process, its kernel stack, etc. (One disadvantage of this in practice, due only to the hardware architecture of the particular machines it ran on, and not a result of the basic concept, was that the size of segments was limited to 1 megabyte, and therefore extra code had to be used to work on files larger than this. In the days before large databases and, later, huge bitmap graphics, this limit was rarely encountered.)
This led to the second of Multics' major new ideas, dynamic linking, in which a running process could request that other segments be added to its address space, segments which could contain code that it could then execute. With this facility available, applications automatically used the latest version of any external routine they called, since those routines were kept in other segments, which were dynamically linked in only when a process first tried to begin execution in them. Since different processes, belonging to different users, could use different search rules, different users could end up using different versions of external routines automatically. Equally importantly, with the appropriate settings on the Multics security facilities, the code in the other segment could then gain access to data structures maintained in a different process. Thus, to interact with an application running in part as a daemon (in another process), a user's process simply performed a normal procedure call instruction, to a code segment which it had dynamically linked to (a code segment which implemented some operation associated with the daemon). The code in that segment could then modify data maintained and used in the daemon. When the action necessary to commence the request was completed, a simple procedure return instruction returned control of the user's process to the user's code.
It is worth noting that these two ideas, in their full power, are even now still not available in other widely used operating systems, despite the rapid and otherwise enormous advance in the computer field since the 1960s; although in more limited forms they are now becoming more widely accepted and available, e.g. dynamic linking.
Multics also supported extremely aggressive on-line reconfiguration; CPU's, memory banks, disk drives, etc. could all be added and removed while the system continued operating; being added into service, or removed from it, as required. (In fact, it was common practice at the MIT system, where most early software development was done, to split the system - which was a multi-processor system - into two separate systems during off-hours by incrementally removing enough components to form a second working system, leaving the rest still running the original logged-in users. System software development testing could be performed on the second machine; when testing was over, the components of the second system would be added back onto the main user system.) Since multiple CPU's were thus supported, it was thus one of the earliest multi-processor systems.
Multics was also notable for its early emphasis on computer security by design, and Multics was possibly the very first operating system to be designed as a secure system from the ground up. In spite of this, early versions of Multics were broken into, not once, but repeatedly. This led to further work on improved security that both prefigured modern security engineering techniques, and made the system much more secure; once the second-generation hardware base was adopted, with hardware support for security rings, break-ins became very rare.
In addition to having been the first operating system to provide a hierarchical file system, filenames could be of almost arbitrary length and syntax; a given file could have more than one name; and symbolic links between different file names were also supported. It was the first to use the now-standard concept of having per-process stackss in the kernel. It was also one of the first written in a high level language; PL/I was used (the B5000 system, which used Burroughs Algol, preceded Multics).
Project History
Multics was developed initially for the GE-645 mainframe, a 36-bit system; later, it was supported on the Honeywell 6180 series machines.
Bell Labs pulled out of the project in 1969; some of the people who had worked on it there went on to create the UNIX system, which shows the influence of Multics in many areas, down to the naming of commands. The name "UNIX" is itself a hack on "Multics".
Honeywell bought G.E.'s computer division, released a better hardware base, and continued system development until 1985. About 80 multi-million-dollar sites were installed, at universities, industry, and government sites. The French university system had quite a few in the early 1980s. After Honeywell stopped supporting Multics, users migrated to other systems including the UNIX system.
The last Multics machine was shut down on October 31, 2000.
Retrospective Observations
It is more than startling to realize that the permanently resident kernel of this powerful multi-processor mainframe computing utility, much derided in its day as being too large and too complex, was a mere 135 Kbytess of code. What is even more astonishing (or painful) is that the resulting system was more capable, and more powerful, than any of the far larger operating systems in common use today.
Measured another way, the entire system, including not just the operating system, but also the complex PL/I compiler, user commands, and subroutine libraries, consisted of about 1500 total source modules. These averaged roughly 200 lines of source code each, and compiled to produce a total of roughly 4.5 Mbytess of procedure code.
See also
- Fernando J. Corbató, leader of the project while M.I.T. was involved
- Jerome H. Saltzer
- Jack B. Dennis
- Peter J. Denning
- Robert M. Graham
- Victor A. Vyssotsky
Further Reading
The literature contains a large number of papers about Multics, and various components of it; a fairly complete list is available
here. The most important and/or informative ones are listed below.
- F. J. Corbat�, V. A. Vyssotsky, Introduction and Overview of the Multics System (AFIPS 1965) is a good introduction to the system..
- F. J. Corbat�, C. T. Clingen, J. H. Saltzer, Multics -- The First Seven Years (AFIPS, 1972) is an excellent review, after a considerable period of use and improvement.
Further Reading - Technical Details
- Jerome H. Saltzer, Introduction to Multics (MIT Project MAC, 1974) is a considerably longer introduction to the system, geared towards actual users.
- Elliott I. Organick, The Multics System: An Examination of Its Structure (MIT Press, 1972) is the standard work on the system, although it documents an early version, and some features described herein never appeared in the actual system.
- V. A. Vyssotsky, F. J. Corbat�, R. M. Graham, Structure of the Multics Supervisor (AFIPS 1965) describes the basic internal structure of the Multics kernel.
- Jerome H. Saltzer, Traffic Control in a Multiplexed Computer System (MIT Project MAC, June 1966) is the original description of the idea of switching kernel stacks; one of the classic papers of computer science.
- R. C. Daley, P. G. Neumann, A General Purpose File System for Secondary Storage (AFIPS, 1965) describes the file system, including the access control and backup mechanisms.
- A. Bensoussan, C. T. Clingen, R. C. Daley, The Multics Virtual Memory: Concepts and Design, (ACM SOSP, 1969) describes the Multics memory system in some detail.
- Paul Green, Multics Virtual Memory - Tutorial and Reflections is a good in-depth look at the Multics storage system.
- Roger R. Schell, Dynamic Reconfiguration in a Modular Computer System (MIT Project MAC, 1971) describes the reconfiguration mechanisms.
Further Reading - Security
- Paul A. Karger, Roger R. Schell, Multics Security Evaluation: Vulnerability Analysis (Air Force Electronic Systems Division, 1974) describes the classic attacks on Multics security by a "tiger team".
- Jerome H. Saltzer, Michael D. Schroeder, The Protection of Information in Computer Systems (Proceedings of the IEEE, September 1975) describes the fundamentals behind the first round of security upgrades; another classic paper.
- M. D. Schroeder, D. D. Clark, J. H. Saltzer, D. H. Wells. Final Report of the Multics Kernel Design Project (MIT LCS, 1978) describes the security upgrades added to produce an even more improved version.
- Paul A. Karger, Roger R. Schell, Thirty Years Later: Lessons from the Multics Security Evaluation (IBM, 2002) is an interesting retrospective which compares actual deployed security in today's hostile environment with what was demonstrated to be possible decades ago. It concludes that Multics offered considerably stronger security than most systems commercially available in 2002.
External links
- http://www.multicians.org/ is a great site with a lot of material
- Multics papers online
- Myths discusses numerous myths about Multics in some detail, including the myths that it failed, that it was big and slow, and numerous other canards, as well as a few understandable misapprehensions
- Multics security
- MIT's Multics website
- Multics Repository at Stratus Computer
- Multics at Universitaet Mainz\n