Hubbry Logo
MulticsMulticsMain
Open search
Multics
Community hub
Multics
logo
8 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Multics
Multics
Multics
View on Wikipedia
from Wikipedia

Multics
Login screen for the BAN.AI public Multics server
DeveloperMIT, GE, Honeywell, Bell Labs
Written inPL/I, Assembly language[1]
Working stateMature, current, historic, emulator available
Source modelOpen source
Initial release1969; 56 years ago (1969)
Latest release12.8 / August 10, 2023; 2 years ago (2023-08-10)
Repository
Available inEnglish
Supported platformsGE-645, Honeywell 6000 series machines (Honeywell 6180, Series-60/Level-68, DPS-8/M mainframes)
Kernel typeMonolithic kernel
InfluencedUnix, GEORGE 3, ICL VME, PRIMOS, Domain/OS, Stratus VOS
Default
user interface		Command-line interface
LicenseOriginally proprietary,
Free software Multics License since 2007[2][3]
Preceded byCompatible Time-Sharing System
Official websitemultics-wiki.swenson.org

Multics ("MULTiplexed Information and Computing Service") is an influential early time-sharing operating system based on the concept of a single-level memory.[4][5] It has been written that Multics "has influenced all modern operating systems since, from microcomputers to mainframes."[6]

Initial planning and development for Multics started in 1964, in Cambridge, Massachusetts. Originally it was a cooperative project led by MIT (Project MAC with Fernando Corbató) along with General Electric and Bell Labs. It was developed on the GE 645 computer, which was specially designed for it; the first one was delivered to MIT in January 1967. GE offered their earlier 635 systems with the Dartmouth Time-Sharing System which they called "Mark I" and intended to offer the 645 with Multics as a larger successor. Bell withdrew from the project in 1969 as it became clear it would not deliver a working system in the short term. Shortly thereafter, GE decided to exit the computer industry entirely and sold the division to Honeywell in 1970. Honeywell offered Multics commercially, but with limited success.

Multics has numerous features intended to ensure high availability so that it would support a computing utility similar to the telephone and electricity utilities. Modular hardware structure and software architecture are used to achieve this. The system can grow in size by simply adding more of the appropriate resource, be it computing power, main memory, or disk storage. Separate access control lists on every file provide flexible information sharing, but complete privacy when needed. Multics has a number of standard mechanisms to allow engineers to analyze the performance of the system, as well as a number of adaptive performance optimization mechanisms.

Due to its many novel and valuable ideas, Multics has had a significant influence on computer science despite its faults.[7] Its most lasting effect on the computer industry was to inspire the creation of Unix, which carried forward many Multics features, but was able to run on less-expensive hardware. Unix was developed at Bell to allow their Multics team to continue their research using smaller machines, first a PDP-7 and ultimately the PDP-11.

Novel ideas

[edit]
Multics Commands reference manual

Multics implements a single-level store for data access, discarding the clear distinction between files (called segments in Multics) and process memory. The memory of a process consists solely of segments that were mapped into its address space. To read or write to them, the process simply uses normal central processing unit (CPU) instructions, and the operating system takes care of making sure that all the modifications were saved to disk. In POSIX terminology, it is as if every file were mmap()ed; however, in Multics there is no concept of process memory, separate from the memory used to hold mapped-in files, as Unix has. All memory in the system is part of some segment, which appears in the file system; this includes the temporary scratch memory of the process, its kernel stack, etc.

Segments are limited to 256 kilowords, just over 1 MB, because Multics hardware had 18-bit word addresses for the content of a segment. Larger files are "multisegment files" and are handled differently. The 256 kiloword limit was rarely encountered in practice, because at the time, one megabyte of memory was prohibitively expensive.

Another major new idea of Multics was dynamic linking, in which a running process can make external routines available by adding the segments containing them to its address space. This allows applications to always use the latest version of any external routine, since those routines are kept in other segments, which are dynamically linked only when a process first attempts to begin execution in them. Since different processes can use different search rules, different users can end up using different versions of external routines. Equally importantly, with the appropriate settings in the Multics security facilities, the code in the other segment can gain access to data structures maintained in a different process. Dynamic linking in Multics does not require special dynamic-link libraries (DLLs); a program can dynamically link to any executable segment to which it has access rights.

Thus, to interact with an application running in part as a daemon (in another process), a user's process simply performs a normal procedure-call instruction to a code segment to which it had dynamically linked (a code segment that implemented some operation associated with the daemon). The code in that segment can then modify data maintained and used in the daemon. When the action necessary to commence the request is completed, a simple procedure return instruction returns control of the user's process to the user's code.

Multics also supports extremely aggressive on-line reconfiguration: central processing units, memory banks, disk drives, etc. can be added and removed while the system continues operating. At the MIT system, where most early software development was done, it was common practice to split the multiprocessor system into two separate systems during off-hours by incrementally removing enough components to form a second working system, leaving the rest still running for the original logged-in users. System software development testing could be done on the second system, then the components of the second system were added back to the main user system, without ever having shut it down. Multics is one of the earliest multiprocessor systems.

Multics is the first major operating system to be designed as a secure system from the outset.[8] Despite this, early versions of Multics were compromised repeatedly.[9] This led to further work that made the system more secure, and prefigured modern security engineering techniques. Break-ins became very rare once the second-generation hardware base was adopted; it has hardware support for ring-oriented security, a multilevel refinement of the concept of master mode.[citation needed] A US Air Force tiger team project tested Multics security in 1973 under the codeword ZARF. On 28 May 1997, the American National Security Agency declassified this use of the codeword ZARF.

Multics is the first operating system to provide a hierarchical file system,[10][11] and file names can be of almost arbitrary length and syntax. A given file or directory can have multiple names (typically a long and short form), and symbolic links between directories are also supported. Multics is the first to use the now-standard concept of per-process stacks[disputeddiscuss] in the kernel, with a separate stack for each security ring. It is also the first to have a command processor implemented as ordinary user code – an idea later used in the Unix shell. It is also one of the first written in a high-level language (Multics PL/I),[1][12] after the Burroughs MCP system written in ESPOL, an expanded version of ALGOL.

The deployment of Multics into secure computing environments also spurred the development of innovative supporting applications. In 1975, Morrie Gasser of MITRE Corporation developed a pronounceable random word generator to address password requirements of installations such as the Air Force Data Services Center (AFDSC) processing classified information. To avoid guessable passwords, the AFDSC decided to assign passwords but concluded the manual assignment required too much administrative overhead. Thus, a random word generator was researched and then developed in PL/I. Instead of being based on phonemes or individual letters or clarities, the system employed phonemic segments (second order approximations of English) and other rules to enhance pronounceability and randomness, which was statistically modeled against other approaches.[13] A descendant of this generator was added to Multics during Project Guardian.[14]

Project history

[edit]

In 1964, Multics was developed initially for the GE-645 mainframe, a 36-bit system. GE's computer business, including Multics, was taken over by Honeywell in 1970; around 1973, Multics was supported on the Honeywell 6180 machines, which included security improvements including hardware support for protection rings.

Bell Labs pulled out of the project in 1969; some of the people who had worked on it there went on to create the Unix system. Multics development continued at MIT and General Electric. At MIT in 1975, use of Multics was declining and did not recover by 1976 to prior levels.[15][16] Finally by slashing prices, MIT managed to lure users back to Multics in 1978.[17]

In 1974 Honeywell entered into a development contract with the Air Force (with MIT as a sub-contractor) to develop a security kernel for Multics. This would involve reducing the size of the Multics hardcore by moving specific components of the supervisor out of Ring 0. One of the initial steps after carrying out a security evaluation was the implementation of a multilevel security framework within Multics called AIM (Access Isolation Mechanism). This provided mandatory access control which could be enabled to supplement the already existing discretionary access control that Multics already possessed.[18] The resulting Project Guardian ran until termination in 1976; whilst most of its changes were not added to Multics, some parts of the project such as the proposed Secure Front End Processor was productized by Honeywell as SCOMP (Secure Communications Processor).[19] The SCOMP and its STOP operating system eventually evolved via XTS-200 and XTS-300 into current XTS-400 offering of secure operating systems.[20]

Honeywell continued system development until 1985. About 80 multimillion-dollar sites were installed, at universities, industry, and government sites. The French university system had several installations in the early 1980s. After Honeywell stopped supporting Multics, users migrated to other systems, such as Unix.

In 1985, Multics was issued certification as a B2 level secure operating system using the Trusted Computer System Evaluation Criteria from the National Computer Security Center (NCSC), a division of the NSA; it was the first operating system evaluated to this level.

Multics was distributed from 1975 to 2000 by Groupe Bull in Europe, and by Bull HN Information Systems Inc. in the United States. In 2006, Bull SAS released the source code of Multics versions MR10.2, MR11.0, MR12.0, MR12.1, MR12.2, MR12.3, MR12.4 & MR12.5 under a free software license.[21]

The last known Multics installation running natively on Honeywell hardware was shut down on October 30, 2000, at the Canadian Department of National Defence in Halifax, Nova Scotia, Canada.[22]

Current status

[edit]

In 2006 Bull HN released the source code for MR12.5, the final 1992 Multics release, to MIT.[23] Most of the system is now available as free software with the exception of some optional pieces such as TCP/IP.[24]

In 2014, Multics was successfully run on current hardware using an emulator created by Multicians Harry Reed and Charles Anthony.[25] The 1.0 release of the emulator is available as of 2017.[26] Release 12.6f of Multics accompanies the 1.0 release of the emulator, and adds a few new features, including command line recall and editing using the video system.[27]

Commands

[edit]

The following is a list of programs and commands[28] for common computing tasks that are supported by the Multics command-line interface.[29][30]

File and directory access commands

[edit]
  • change_wdir (cwd) - change the working directory
  • create_dir (cd) - create a directory
  • copy (cp) - copy files
  • list (ls) - list files and directories
  • print (pr) - print the contents of a text file
  • print_wdir (pwd) - print the working directory
  • move (mv) - move a file or directory to a different directory
  • rename (rn) - rename a file without moving it

Text editors

[edit]

Document formatters

[edit]

Compilers, assemblers, and interpreters

[edit]

Email

[edit]
  • mail (ml)
  • read_mail (rdm)
  • send_mail (sdm)

On-line documentation

[edit]

Scripting

[edit]

Data processing

[edit]
  • gcos (gc) - simulator to run GCOS programs
  • sort, merge - sorting and merging of text and binary files

Login sessions

[edit]

Active functions

[edit]

The Multics shell language supports "active functions", which are similar to commands, but which return a string value. An active function is called by putting the active function name and the arguments to the active function in square brackets [ and ]. The string returned by the active function is substituted into the command in place of the call to the active function. For example, when the command echo [working_dir] is processed, the active function working_dir is run; it returns the full path of the working directory, which is substituted into the command, so that the echo command prints the working directory.

Some programs can act either as commands or as active functions; when run as a command, its result is printed, and when run as an active function, its result is returned as a string.[30]

Some common active functions are:

  • ceil - returns the smallest integer greater than or equal to the argument
  • floor - returns the largest integer less than or equal to the argument
  • home_dir (hd) - returns the home directory
  • ltrim
  • rtrim
  • trunc - returns the integer part of the argument
  • working_dir (wd) - returns the working directory

Retrospective observations

[edit]

Peter H. Salus, author of a book covering Unix's early years,[32] stated one position: "With Multics they tried to have a much more versatile and flexible operating system, and it failed miserably".[33] This position, however, is said to have been discredited in the computing community because many of Multics' technical innovations are used in modern commercial computing systems.[7][better source needed]

The permanently resident kernel of Multics, a system derided in its day as being too large and complex, was 135 KB of code.[citation needed] The first MIT GE-645 had 512 kilowords of memory (2 MiB), a truly enormous amount at the time, and the kernel used a moderate portion of Multics main memory.

The entire system, including the operating system and the complex PL/I compiler, user commands, and subroutine libraries, consists of about 1500 source modules. These average roughly 200 lines of source code each, and compile to a total of roughly 4.5 MiB of procedure code, which was fairly large by the standards of the day.

Multics compilers generally optimise more for code density than CPU performance, for example using small sub-routines called operators for short standard code sequences, which makes comparison of object code size with modern systems less useful. High code density is a good optimisation choice for Multics as a multi-user system with expensive main memory.

During its commercial product history, it was often commented internally that the Honeywell Information Systems (HIS) (later Honeywell-Bull) sales and marketing staff were more familiar with and comfortable making the business case for Honeywell's other computer line, the DPS 6 running GCOS. The DPS-6 and GCOS was a well-regarded and reliable platform for inventory, accounting, word processing, and vertical market applications, such as banking, where it had a sizeable customer base. In contrast, the full potential of Multics’ flexibility for even mundane tasks was not easy to comprehend in that era and its features were generally outside the skill set of contemporary business analysts.[citation needed] The scope of this disconnect was concretized by an anecdote conveyed by Paul Stachour, CNO/CSC:

When American Telephone and Telegraph was changing its name to just AT&T in 1983, a staffer from Honeywell’s legal department showed up and asked a Multician if he could arrange to have the name changed in all of their computerized documents. When asked when the process could be completed, the Multician replied, "It's done." The staffer repeated that he needed hundreds perhaps thousands of documents updated. The Multician explained that he had executed a global search and replace as the staffer was speaking, and the task was in fact completed.[citation needed]

Influence on other projects

[edit]

Unix

[edit]

The design and features of Multics influenced the Unix operating system, which was originally written by two Multics programmers, Ken Thompson and Dennis Ritchie.[34] Influence of Multics on Unix is evident in many areas, including the hierarchical file system, redirection, the shell, and the naming of some commands. But the internal design philosophy is quite different, focusing on keeping the system small and simple, and so correcting some perceived deficiencies of Multics because of its high resource demands on the limited computer hardware of the time.

The name Unix (originally Unics) is itself a pun on Multics. The U in Unix is rumored to stand for uniplexed as opposed to the multiplexed of Multics, further underscoring the designers' rejections of Multics' complexity in favor of a more straightforward and workable approach for smaller computers. (Garfinkel and Abelson[35] cite an alternative origin: Peter Neumann at Bell Labs, watching a demonstration of the prototype, suggested the pun name UNICS – pronounced "eunuchs" – as a "castrated Multics", although Dennis Ritchie is said to have denied this.[36])

Ken Thompson, in a transcribed 2007 interview with Peter Seibel[34] refers to Multics as "overdesigned and overbuilt and over everything. It was close to unusable. They [Massachusetts Institute of Technology] still claim it's a monstrous success, but it just clearly wasn't". On the influence of Multics on Unix, Thompson stated that "the things that I liked enough (about Multics) to actually take were the hierarchical file system and the shell — a separate process that you can replace with some other process".

Dennis Ritchie wrote that the design of UNIX was influenced by CTSS.[37]

Other operating systems

[edit]

The Prime Computer operating system, PRIMOS, was referred to as "Multics in a shoebox" by William Poduska, a founder of the company. Poduska later moved on to found Apollo Computer, whose AEGIS and later Domain/OS operating systems, sometimes called "Multics in a matchbox", extends the Multics design to a networked graphics workstation environment.

The Stratus VOS operating system of Stratus Computer (now Stratus Technologies) is very strongly influenced by Multics, and both its external user interface and internal structure bear many close resemblances to the older project. The high-reliability, availability, and security features of Multics are extended in Stratus VOS to support a new line of fault tolerant computer systems supporting secure, reliable transaction processing. Stratus VOS is the most directly related descendant of Multics still in active development and production usage today.

General Motors' Multiple Console Time Sharing System (MCTS) for the Control Data Corporation STAR-100 computer was based on Multics.

The protection architecture of Multics, restricting the ability of code at one level of the system to access resources at another, was adopted as the basis for the security features of ICL's VME operating system.

The Edinburgh Multiple Access System (EMAS) draws particularly on the one-level store concept used by Multics, providing access to files only by mapping them into memory. All memory space is associated with a segment.

See also

[edit]

References

[edit]

Further reading

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Multics

View on Grokipedia
from Grokipedia
Multics (Multiplexed Information and Computing Service) was a pioneering mainframe operating system initiated in as a collaborative research project between MIT's Project MAC, Bell Telephone Laboratories, and , aimed at creating a comprehensive, general-purpose utility to serve multiple users reliably and scalably. The development of Multics began in the early 1960s, building on the (CTSS) demonstrated at MIT in 1961, with the goal of evolving it into a more ambitious system for widespread, interactive computing. The project selected the GE-645 computer in 1964, which featured innovations like ring-based access controls for security, and the first operational Multics system booted in 1967, though full service at MIT commenced in 1969. By the , Multics supported over 1,000 users at MIT for research, education, and administrative tasks, while General Electric's computer division was acquired by in 1970, leading to commercial deployments in government, industry, and education. Key architectural features of Multics included a system using hierarchical segmentation combined with paging—allowing programs to address up to 2^18 segments of up to 2^18 36-bit words each—and a unified that treated files, devices, and directories uniformly with built-in privacy controls and automatic backups. The system emphasized from the outset, incorporating a mechanism to enforce access controls and achieving a B2 security rating from the U.S. Department of Defense in 1985, which highlighted its advanced subversion-resistant design. Written primarily in for portability, Multics provided an elegant, consistent programming environment that supported remote access and for efficient resource sharing. Multics exerted profound influence on subsequent operating systems, particularly Unix, which emerged at after their withdrawal from the project in 1969 due to delays and costs, adapting simplified concepts like hierarchical file systems and from Multics. Commercial support continued under until its cancellation in 1985, but installations persisted, with the final site at the Canadian Department of National Defence in Halifax shutting down on October 30, 2000. Today, Multics is preserved openly at MIT, enabling emulation and study of its innovations in , modularity, and multi-user computing.

Development History

Origins and Collaborators

The Multics project originated in 1964 at MIT's Project MAC, where planning began for a next-generation operating system to advance beyond the limitations of the (CTSS), which had demonstrated basic multi-user access but struggled with scalability and reliability. Motivated by the vision of a "computer utility" capable of serving a broad community, the initiative sought to create a dependable system for interactive that could support resource sharing among multiple users while maintaining individual privacy and efficiency. This effort was spurred by funding through Project MAC, which provided an initial annual budget of approximately $3-4 million to foster innovative involving academic and industry . Key collaborators included MIT's Project MAC, led by Professor , who oversaw the software design and coordination; Bell Telephone Laboratories, contributing expertise in with notable involvement from and ; and Company's Large Computer Products Division, which supplied the modified GE-645 hardware platform tailored for the project's needs. These partners brought complementary strengths: MIT's academic focus on concepts, Bell Labs' practical telecommunications experience, and GE's engineering capabilities in mainframe development. The specific goals of Multics emphasized supporting a few hundred simultaneous users through advanced , enabling each to interact as if they had sole access to the machine while ensuring secure, controlled sharing of files and resources via hardware-enforced protections. This ambitious scale aimed to transform computing from to a utility-like service, accommodating diverse applications from research to routine data processing without compromising system integrity or user isolation.

Key Milestones and Timeline

The Multics project emerged from a 1964 collaboration among MIT's Project MAC, Bell Telephone Laboratories, and to develop an advanced operating system. Development intensified in , with the delivery of a GE-635 computer to MIT in August for use as a simulator during ; this enabled initial efforts, including the creation of basic system components tested on the simulator. By late , project leaders presented Multics concepts at the Fall Joint Computer Conference, outlining its ambitious goals for resource sharing and . In January 1967, the first GE-645 mainframe hardware arrived at MIT and , marking the start of hardware-software integration; early milestones included the "Phase .5" achievement of a functional with paging and segmentation, followed by December's "Phase One" for bootloading and single-process execution, with demonstrations of these capabilities to stakeholders. The following year saw further progress, including the March "A3" milestone for and the October "Demonstrable Initial Multics" supporting eight simultaneous users. Multics became operational for public use at MIT in 1969, initially supporting a limited number of users through services; however, withdrew from the project in April 1969, citing escalating development costs and delays. In 1970, General Electric's computer division was acquired by , leading to a migration of Multics to Honeywell hardware such as the Series 60/40 and later the 6180 processor; this facilitated broader installations, including the U.S. Air Force's Air Development Center (RADC) site going operational in August 1970. Throughout the 1970s, Multics expanded to additional sites, including the U.S. Data Services (AFDSC) in 1973, various universities, and government facilities; a key event was the 1973-1974 security evaluation conducted by the and to assess Multics for handling multilevel classified (Secret and ) at AFDSC, which identified vulnerabilities in protection mechanisms but affirmed its potential with modifications. officially announced Multics as a commercial product alongside the 6180 in , boosting adoption. By the 1980s, Multics reached its peak with approximately 64 installations worldwide, including ongoing U.S. Air Force sites, the Canadian Department of National Defence (starting 1982), and universities such as the ; however, canceled further development in July 1985 amid declining demand, though the system earned a B2 security rating from the U.S. Department of Defense in August 1985 based on enhanced protections. The original MIT installation shut down in January 1988, with many sites following suit by the early 1990s, though emulations of Multics on modern hardware have sustained its study and limited use into the .

Decline and Current Status

The decline of Multics as a commercial operating system was influenced by several key factors, including its high development and operational costs, which made it less competitive against emerging alternatives. The system's tight integration with specialized hardware, following General Electric's sale of its computer division to in 1970, limited portability and increased dependency on a single vendor. Additionally, the withdrawal of from the project in 1969, due to prolonged delays and escalating expenses, deprived Multics of significant expertise and resources, accelerating its challenges. Competition from more affordable and flexible systems like Unix, which ran on cheaper minicomputers and emphasized simplicity, further eroded Multics' market position. Honeywell discontinued Multics development in 1985, marking the end of active production support, though existing installations continued operating. Over its lifetime, Multics was deployed at approximately 80 sites worldwide, primarily in , industry, and academic environments. The MIT installation shut down in January 1988, and the final remaining system at the Canadian Department of National Defence in , was decommissioned on October 30, 2000. As of 2025, Multics sees no commercial deployments but persists through open-source emulations that allow hobbyists to run the system on modern hardware. The DPS8M simulator, an open-source for the DPS 8/M architecture, enables Multics execution on platforms like Windows, macOS, and , with recent updates including Multics Release 12.8 for improved . Contributions from Multics historians like Paul Green have supported preservation efforts, including program collections and documentation that aid emulation. An active community of enthusiasts maintains these resources via sites like multicians.org, fostering ongoing interest in Multics' design principles. Its legacy is preserved in institutional archives, such as those at MIT, where hardware artifacts and documentation are held for historical study. Preservation advanced significantly with the release of Multics source code in 2007 by Bull HN Information Systems Inc. to MIT, making the final commercial release (MR12.5 from 1992) available as under an open license. This donation, coordinated through efforts like the Multics History Project, has enabled modern analysis, bug fixes, and emulator enhancements without proprietary restrictions.

Architectural Innovations

Core Design Principles

Multics was designed as a pioneering operating system, building upon the foundational concepts of the (CTSS) developed at MIT to enable efficient multi-user access to computing resources. Its core principles emphasized , controlled , and , aiming to create a reliable, continuously that could support hundreds of simultaneous users without performance degradation. This vision positioned Multics as a prototype for a "computer utility," where computing power would be as accessible and dependable as public utilities like or . Central to Multics' architecture was its time-sharing model, which supported over 300 concurrent users through segmented virtual memory and dynamic relocation mechanisms. In this approach, the virtual address space of each process was divided into variable-sized segments, each with independent attributes for size, protection, and location, allowing direct hardware addressing of information without the need for data copying or manual buffering. Dynamic relocation was achieved via segment descriptor words (SDWs) in the hardware, which stored absolute core addresses and enabled segments to be loaded anywhere in physical memory on demand, facilitating efficient sharing and paging with a page size of 1,024 36-bit words on the Honeywell 645 processor. This design ensured low-latency access for multiple users, with controlled sharing enforced through per-segment access attributes checked by the hardware. The system's hierarchical structure further embodied its principles, utilizing a ring-based scheme with eight concentric rings numbered 0 through 7 to delineate privilege levels from kernel to user. Ring 0 served as the most protected kernel space, housing critical supervisor functions, while outer rings (up to ring 7 for typical user es) operated with progressively restricted privileges, ensuring isolation through separate address spaces managed by private descriptor segments per . This ring hierarchy, combined with for controlled transitions between rings, promoted by allowing subsystems to be developed and executed independently while preventing unauthorized access, all verified on every memory reference. Multics embodied a vision through abstractions that treated shared resources as virtually infinite, particularly via a file-like representation for all persistent data in the form of segments accessible through a . This "" abstraction enabled seamless integration of storage as an boundless resource, where users could reference and manipulate data directly without concern for physical limitations, supported by demand paging and dynamic growth of segments. A key innovation in this model was absentee terminal operation, allowing computations to execute independently of active user sessions; users could submit a command file for queue-based processing, with the system handling initiation, suspension during overloads, and output delivery asynchronously, thus optimizing resource utilization across interactive and batch workloads.

Security and Protection Mechanisms

Multics pioneered advanced mechanisms in its environment, emphasizing hierarchical and discretionary access controls to safeguard resources among multiple users. These features were integral to its design, enabling secure sharing while mitigating risks of unauthorized access and . The system's relied on an 8-level ring hierarchy, numbered from 0 to 7, where ring 0 housed the most privileged kernel code and outer rings, such as ring 4, contained typical user programs. Ring transitions were strictly controlled through hardware-enforced and segment descriptor brackets, which validated calls between rings to prevent unauthorized elevation of privileges; for instance, a might allow execution from ring 5 into ring 0 only under specific conditions. This structure enforced isolation, ensuring that code in higher-numbered (less privileged) rings could access lower-ring resources only via defined entry points, reducing the compared to flat supervisor-user models. Access to files, known as segments, was managed through per-segment Access Control Lists (ACLs), which specified permissions for individual users, projects, or groups identified by principal IDs like "User.Project". Each ACL entry granted fine-grained rights, including read (r), write (w), and execute (e) for segments, or status (s), modify (m—including deletion), and append (a) for directories, allowing owners to tailor sharing precisely. Stored in the parent directory, these lists supported wildcard patterns for group access (e.g., "Jones.*") and hierarchical overrides, where directory modify rights could alter contained ACLs. User authentication occurred via password-based , requiring a user ID and project identifier, with passwords stored in encrypted form using a one-way enciphering to verify entries without exposing . This method, implemented in 1971, provided basic protection against password disclosure, though it lacked modern salting techniques. Complementing this, Multics maintained audit trails for attempts, including failed logins, last access times, and segment modifications, enabling early detection of potential intrusions through manual or procedural review of security-related events. The robustness of these mechanisms was affirmed in the 1973 Anderson Report, a U.S. study on technology, which praised Multics' descriptor-based architecture for efficient reference validation and its potential as a foundation for multilevel secure systems in military contexts, resistant to malicious unauthorized access.

File System and

The Multics file system employed a multi-level store that integrated a of storage devices, including fast for rapid access, disks for bulk storage, and tapes for archival purposes, to provide what was effectively unlimited storage capacity. Files were conceptualized as unbounded of elements—such as words, characters, or bits—without predefined sizes, allowing them to grow dynamically as content was appended. This design enabled seamless migration of active files to faster storage levels and inactive ones to slower tiers, managed automatically by the system's storage management module to optimize performance and resource utilization. The directory structure in Multics formed a hierarchical tree, with directories serving as special files that contained entries for segments, subdirectories, or , accessible via path names like >user>project>file. Each segment and directory was protected by lists (ACLs), which specified permissions such as read (r), write (w), execute (x), or append (a) for individual users, groups, or the world, stored within the directory to enforce granular control. Symbolic provided shortcuts to files or directories elsewhere in the hierarchy, while was handled by appending numeric suffixes to filenames (e.g., report.1, report.2) to maintain multiple iterations without overwriting originals. Resource management in Multics relied on a segmented model, where was divided into segments of up to 256,000 36-bit words each, loaded on demand via paging mechanisms that fetched only referenced pages into core memory. Unused segments were subject to garbage collection processes that scanned for and reclaimed space from inactive or unreferenced storage, ensuring efficient allocation across the multi-level store. This approach supported dynamic sharing and relocation of segments without fixed boundaries, enhancing multiprogramming efficiency. The I/O model treated all input/output devices uniformly as files, represented as segments within the hierarchical structure, which allowed programs to access peripherals like terminals, printers, or disks through the same stream-oriented interfaces used for regular files. This device-independent simplified application development by enabling consistent read/write operations and chaining of data transformations across devices.

Software Features and Tools

Command Interface and Utilities

The Multics Command Language (MCL) served as an interactive shell for users to communicate with the operating system, enabling concise expression of commands through a structured syntax. Commands consisted of a name followed by arguments, separated by spaces and terminated by semicolons or newlines, allowing for chained execution within a single line. This language supported active functions enclosed in brackets, such as [date] to insert the current date, which were evaluated and rescanned into the command stream for dynamic behavior. The shell, or command processor, interpreted these inputs, handling features like sets in parentheses for applying commands to multiple arguments and literal strings delimited by quotes. File utilities in Multics provided essential operations for managing segments and directories within the hierarchical file system. The print command (aliases: pr, dprint) displayed the contents of a file or queued it for output, as in print file_name to show the text of a segment. Navigation was handled by change_directory (aliases: cd, cwd), which set the current working directory, for example, cd >user_dir to switch to a user's home directory. Creation of new files or directories used create (aliases: cr), such as cr new_file to establish an empty segment. Deletion was performed with delete (alias: dl), like dl old_file to remove an entry. The copy command (aliases: cp, copy_seg) duplicated segments, e.g., copy source.epl target.epl. Directory listings were generated by listf (aliases: ls, list), which enumerated contents with options for details, as in listf >dir_path to view files in a specified directory. These utilities operated on pathnames supporting absolute and relative addressing, with pattern matching via star notation like *.* for all files. Session management commands facilitated user interaction and process control in Multics' multi-user environment. The login command (alias: l) initiated a process for a user, typically entered as login Person_id Project_id to authenticate and establish a session tied to a terminal. Conversely, logout terminated the session, releasing resources with options like -hold to preserve the process briefly, e.g., logout -brief for a summary before exit. Process interruption was achieved through stop_ variants, such as stop_run to discard the current run environment or halt ongoing operations. Real-time queries were supported by active functions like who, which listed currently logged-in users, invoked as [who] within commands to return a string of active sessions for integration into scripts or displays. These mechanisms ensured secure and efficient handling of concurrent user activities. Scripting in Multics relied on command files, stored as segments with a .ec extension (often referred to as .cmd in user contexts), which contained sequences of MCL commands for automation. Execution occurred via the exec_com command (alias: ec), such as exec_com script.ec to run a file's instructions sequentially, supporting parameter substitution with &1 for the first argument and control structures like &if for conditional logic. This allowed basic automation without the full depth of modern shell scripting, focusing on iterative and chained operations like applying print across multiple files in an iteration set: print (file1 file2).epl. Macros and absentee runs extended this capability, enabling reusable procedures for routine tasks.

Programming and Development Environments

Multics provided a rich set of programming languages and tools tailored for its segmented, multi-user environment, with serving as the primary implementation language due to its comprehensive support for system-level programming. The full compiler, developed concurrently with the operating system from 1965 onward, enabled the bulk of Multics to be written in , producing efficient directly compatible with the system's dynamic linking mechanisms. Other supported languages included for low-level utilities, for algorithmic tasks, and SNOBOL4 for pattern-matching and string processing applications. Additionally, assemblers such as ALM (Assembler Language for Multics) allowed direct hardware-level coding, facilitating custom extensions and performance optimizations. Editing tools in Multics emphasized programmability and integration with the system's hierarchical file structure. QED, a line-oriented text editor implemented in , offered basic editing capabilities with support for multiple buffers and executable command scripts, making it suitable for straightforward modification. For more advanced needs, a TECO-based editor served as a precursor to modern , providing macro-driven customization and real-time interaction; this evolved into Multics , which incorporated extensions for enhanced automation and directly within the editing session. Integrated debugging features, such as dynamic tracing and insertion tied to the runtime, allowed developers to inspect segmented code without recompilation. Build processes in Multics relied on a binder tool for linking object segments into executable forms, enabling modular assembly without traditional static loaders; this dynamic approach supported on-demand resolution of inter-segment references during execution. was managed through file naming conventions within the , where developers appended unique identifiers (e.g., timestamps or sequence numbers) to segment names to track revisions, avoiding overwrites in shared directories. Scripting and exploratory programming were facilitated by interpreters, notably Multics Lisp (based on MACLISP), which provided an interactive environment for and could interface with routines for hybrid applications. This interpreter supported compilation to native code, enhancing performance for compute-intensive tasks while maintaining the system's multi-language .

Communication and Documentation Systems

Multics provided a suite of integrated tools for user communication and documentation, enabling collaborative interactions and efficient access to system information within its multi-user environment. These systems leveraged the operating system's and segment-based storage to facilitate real-time messaging and structured document handling, predating many modern equivalents. The subsystem in Multics was built on a RUNCOM-based framework, allowing scripted automation of message handling similar to early shell scripting. Users could send messages via the send_message command (or its synonym mail), which appended content to the recipient's mailbox segment, typically located at >udd>[Project](/page/Project)>[Person](/page/Person)>[Person](/page/Person).mbx, supporting both single-line inputs and multi-line entries terminated by a period. The read_mail command enabled users to retrieve and manage incoming mail, displaying summaries with sender, date, and time details, while offering options to list, delete, save, forward, or reply to messages. This system supported early forms of threaded discussions through tools like Pat Doherty's continuum (later renamed forum in the 1970s), which organized conversations into hierarchical structures for ongoing group interactions. was also possible via send_message to active terminals, with the accept_messages command setting up event channels for real-time delivery. Documentation access relied on an interactive mechanism using info segments—structured text files stored in directories like >doc>info—which functioned as an early hypertext-like system for navigating system knowledge. The help command allowed users to query topics or commands interactively, retrieving and displaying relevant info segments paragraph by paragraph, with prompts for continuation (e.g., responding "yes" to proceed or "q" to quit). Enhancements like the list_help utility, introduced in 1975, added string-based searching across segments for more targeted retrieval. Complementing this, the browse command provided sequential or interactive viewing of text segments or files, enabling users to navigate contents line by line with filtering options, akin to paging through documents. For document processing, Multics featured the RUNOFF formatter, invoked via the runoff command, which transformed inputs into formatted output suitable for or storage as segments. This tool processed markup-like control lines (e.g., .fin for finishing input or .ind for indentation) to handle justification, margins, headers, and page breaks, bearing similarities to later systems like . It included capabilities for generating tables through structured formatting commands, supporting the creation of organized data presentations within documents. Additional facilities included the news command for disseminating system announcements, which displayed recent updates from info segments like system_changes.gi.info or message-of-the-day notices, with options to view full text. Remote access was supported via dial-up connections, using commands such as dial or connect to establish terminal sessions over telephone lines, requiring user attributes like "dialok" for security. These tools collectively emphasized Multics' focus on accessible, shared among users.

Legacy and Influence

Direct Impact on Unix

After Bell Labs withdrew from the Multics project in 1969 due to escalating costs and delays, and , who had contributed to Multics, began adapting its concepts to develop a simpler operating system on a minicomputer, leading to the creation of Unix. Unix directly borrowed Multics' , which organized files into directories with path names for easier navigation and management, replacing the PDP-7's initial flat structure. The process model in Unix, where creates a duplicating the parent and exec overlays a new program image, drew from Multics' multi-process handling and shell-based command execution, enabling efficient process creation and customization. Similarly, Unix for , introduced in 1972, were inspired by Multics' stream-splicing modules, allowing output from one command to serve as input to another without custom code. In adapting these elements, Unix deviated from Multics by simplifying security mechanisms; instead of Multics' multi-level ring protection and lists (ACLs), Unix used basic user ID (UID) and group ID (GID) permissions with mode bits on files, prioritizing ease of on resource-constrained hardware. This approach suited the smaller PDP-11 hardware, focusing on a single-level kernel without the segmented memory and granular protections of Multics. Early Unix versions from the 1970s, such as V1 through V6, incorporated Multics-inspired utilities, including the line-oriented "ed" editor developed by Thompson in 1969, which simplified the features of Multics' QED editor while retaining its core text manipulation concepts.

Broader Influences on Operating Systems

Multics' security mechanisms, particularly its lists (ACLs) and protection rings, exerted a profound influence on subsequent secure operating system designs. The ACLs provided fine-grained, per-segment permissions that enforced ownership and access isolation, while the ring-based hierarchy—ranging from ring 0 for kernel operations to outer rings for user processes—enabled layered privilege separation to mitigate unauthorized escalations. These concepts directly informed the development of the Kernelized Secure Operating System (KSOS), which adopted Multics-inspired security kernels for in government applications. In modern systems, SELinux's (MAC) policies and type enforcement draw from Multics' emphasis on reference monitors and default-deny principles, adapting them for Linux's architecture to enhance kernel-level isolation. The innovations of Multics also shaped broader operating system paradigms, particularly in mainframe environments. As one of the first comprehensive systems, Multics enabled concurrent multi-user access with segmentation and paging, allowing efficient resource allocation across diverse workloads. This model influenced systems like the DEC VMS operating system, which implemented similar multiprogramming and scheduling techniques for VAX hardware to support interactive computing in enterprise settings. Likewise, the TOPS-10 system for mainframes adopted Multics-derived primitives, including dynamic address translation and , to facilitate collaborative development environments. Multics' single-level store concept, which blurred distinctions between memory and persistent storage, prefigured the "" philosophy; this unified view resonated in , where resources like networks and devices are treated as file hierarchies, and in Linux's /proc filesystem, which exposes process and kernel data as readable files for monitoring and control. Multics' design principles extended to other specialized projects, embedding its modularity and resource management in commercial and research systems. IBM's CP-67, a time-sharing extension for System/360 Model 67, mirrored Multics' segmented addressing and user isolation to compete in academic computing. In distributed systems, Multics' modular kernel and interprocess communication influenced microkernel architectures like Mach, where message-passing and virtual memory paging echoed Multics' segmented model for portability across multiprocessors. Academically, Multics remains a in secure operating system literature, with its designs extensively cited in foundational works. Jerry Saltzer's 1974 paper on Multics protection mechanisms outlined principles like complete and least privilege, which have been referenced in hundreds of subsequent publications on and system integrity. Textbooks on operating systems, such as those covering bases, frequently invoke Multics as the exemplar for B2-level security evaluations under the TCSEC framework, underscoring its role in shaping methods for modern OS kernels.

Retrospective Evaluations

Multics is often praised for its pioneering approach to and reliability, features that were far ahead of contemporary systems in the and . The operating system incorporated mandatory access controls, hierarchical protection rings, and a design philosophy that emphasized secure information sharing among multiple users, which contributed to its achievement of a B2 rating under the (TCSEC) in the 1980s. These mechanisms influenced subsequent secure computing standards, including the foundational ideas in the TCSEC "Orange Book," by demonstrating the feasibility of robust, verifiable in a multi-user environment. Additionally, Multics' use of high-level implementation and modular subsystems provided a reliable foundation that reduced common vulnerabilities like buffer overflows through language-level safeguards and hardware-enforced execute permissions. Despite these strengths, Multics faced significant criticisms for its complexity and performance implications, which hindered its commercial viability. The system's kernel comprised approximately 250,000 by 1978, a substantial size for the era that reflected its ambitious integration of innovations like segmentation and multiple protection rings, but this led to maintenance challenges and portability issues. The eight-ring protection model, while innovative for fine-grained , introduced performance overhead in early implementations due to software-handled cross-ring transitions, although later hardware designs mitigated some of this through automated validation. This overhead, combined with the system's reliance on hardware, contributed to higher costs and slower adoption compared to simpler alternatives. Key lessons from Multics underscore the need to balance architectural ambition with practicality in operating system design. Its complexity contrasted sharply with Unix, which succeeded by adopting a simpler two-mode (user/) protection scheme while retaining essential Multics concepts like hierarchical file systems and , illustrating that and encapsulation can achieve without excessive rings or segmentation. Multics highlighted the importance of small, isolated subsystems with well-defined interfaces, a that has informed modern OS evolution toward verifiable kernels and microkernels. In 2020s analyses, Multics is retrospectively viewed as remarkably prescient, with its and segmented addressing serving as precursors to contemporary techniques in cloud environments, though its monolithic complexity raises critiques regarding scalability for distributed, resource-constrained systems like those in modern hyperscale data centers. Ongoing efforts, such as open-source simulators, continue to reveal how Multics' secure, multi-user model anticipates current needs in shared computing infrastructures.

References

  1. https://multicians.org/history.html
  2. https://cics.umass.edu/~emery/classes/cmpsci691st/readings/OS/multics-overview.pdf
  3. https://multicians.org/multics.html
  4. https://www.acsac.org/2002/papers/classic-multics.pdf
  5. https://web.mit.edu/multics-history/
  6. https://web.mit.edu/saltzer/www/publications/multics/M0130.pdf
  7. https://multicians.org/project-mac.html
  8. https://www.nokia.com/bell-labs/about/dennis-m-ritchie/hist.html
  9. https://multicians.org/fjcc1.html
  10. https://multicians.org/chrono.html
  11. https://apps.dtic.mil/sti/pdfs/ADA001120.pdf
  12. https://multicians.org/site-timeline.html
  13. https://multicians.org/b2.html
  14. https://www.crystallabs.io/unix-history/
  15. https://arstechnica.com/gadgets/2019/08/unix-at-50-it-starts-with-a-mainframe-a-gator-and-three-dedicated-researchers/
  16. https://gunkies.org/wiki/Multics
  17. https://www.computerhistory.org/tdih/october/30/
  18. https://multicians.org/multics-news.html
  19. https://dps8m.gitlab.io/blog/posts/20250602_Performance/
  20. https://multicians.org/pg/index.html
  21. https://www.cnet.com/tech/computing/open-source-history-see-multics-source-code/
  22. https://multicians.org/thvv/compatible-time-sharing-system.pdf
  23. https://multicians.org/multics-vm.html
  24. https://dl.acm.org/doi/pdf/10.1145/355602.361306
  25. https://multicians.org/saltzer-pacisim.pdf
  26. https://dl.acm.org/doi/pdf/10.1145/361011.361067
  27. https://www.multicians.org/mspm/bq-8-00.680515.absentee-introduction.pdf
  28. https://multicians.org/pg/mvm.html
  29. https://multicians.org/multics-data-security.html
  30. https://www.multicians.org/ga01-01.pdf
  31. https://www.acsac.org/2002/papers/classic-multics-orig.pdf
  32. https://www.tandfonline.com/doi/abs/10.1080/01611190701506105
  33. https://multicians.org/mtbs/mtb679.html
  34. https://csrc.nist.gov/files/pubs/conference/1998/10/08/proceedings-of-the-21st-nissc-1998/final/docs/early-cs-papers/ande72a.pdf
  35. https://www.multicians.org/fjcc4.html
  36. https://people.csail.mit.edu/saltzer/Multics/Multics-Documents/MSPM/bt-3-01.670000.multievel-storage-overview.pdf
  37. https://www.cs.utexas.edu/~witchel/380L/papers/saltzer74cacm-multics.pdf
  38. https://www.ed-thelen.org/MulticsVM.pdf
  39. https://multicians.org/rjf.html
  40. http://web.mit.edu/srz/www/multics-glossary.html
  41. https://www.multicians.org/mspm/bx-1-00.681029.command-language.pdf
  42. http://www.bitsavers.org/pdf/honeywell/large_systems/multics/AG92-06B_multicsCmds_Nov87.pdf
  43. https://multicians.org/exec-env.html
  44. https://www.multicians.org/mtbs/mtb734.html
  45. https://multicians.org/mepap.html
  46. https://multicians.org/lcp.html
  47. https://multicians.org/thvv/mail-history.html
  48. https://multicians.org/help-command.html
  49. https://www.bell-labs.com/about/history/innovation-stories/50-years-unix/
  50. https://dl.acm.org/doi/10.1145/361011.361061
  51. https://www.nokia.com/bell-labs/about/dennis-m-ritchie/qed.html
  52. https://academicworks.cuny.edu/cgi/viewcontent.cgi?article=1044&context=qb_pubs
  53. https://www.sciencedirect.com/science/article/abs/pii/S1363412705000221
  54. https://www.multicians.org/features.html
  55. https://dl.acm.org/doi/10.1145/957195.808059
  56. https://multicians.org/myths.html
  57. https://www.princeton.edu/~rblee/ELE572Papers/Fall04Readings/ProtectionRings_Schroeder&Saltzer.pdf
  58. https://www.usenix.org/system/files/login/articles/1070-multics.pdf
  59. https://multicians.org/
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.