[Norm Hardy, 1997: OCR performs poorly on material such as that below. Mail to [email protected] might occasionally elicit help in distress situations.]

References are presented in order of First citation. The sections in which each reference is cited appear in parentheses following the reference. Section SFR is Suggestions for Further Reading.

[1] A. Westin, Privacy and Freedom. New York: Atheneum, 1967. (I-A1, SFR)

[2] A. Miller, The Assault on Privacy. Ann Arbor, Mich.: Univ. of Mich. Press, 1971; also New York: Signet, 1972, Paperback W4934. (I-A1, SFR)

[3] Dept. of Health, Education, and Welfare, Records, Computers, and the Rights of citizens. Cambridge, Mass.: M.I.T. Press, 1973. (I-A1, SFR)

[4] R. Turn and W. Ware, "Privacy and security in computer systems," I-A1 Amer. Scientist, voL 63, pp. 196-203, Mar.-Apr. 1975. (I-A1)

[5] W. Ware, "Security and privacy in computer systems," in 1967 S,CC, AFIPS Cont. Proc., vol. 30, pp. 287-290. (I-A1)

[6] J. Anderson, "Information security in a multi-user computer environment," in Advances in Computers, vol. 12. New York: Academic Press, 1973, pp. 1-35. (I A1, SFR)

[7]J. Martin, Scurity. Accuracy, and Primey in Computer Systems. Englewood Cliffs, N.J.: Prentice-Hall, 1973. (I-A1, SFR) I

[8] R. Patrick, Security Systems Review Manual. Montvale, N.J.: AFIPS Press, 1974. (I-A1, SFR)

[9]G. Bender, D. Freeman, and J. Smith, "Function and design of DOS/360 and TOS/360," IBM Syst. J., vol. 6, pp. 2-21, 1967. (I-A2)

[10] R. Hargraves and A. Stephenson, "Dodge considerations for an educational time-sharing system," in 1969 SJCC, AFIPS ConJ. Proc., vol. 34, pp. 657-664. (I-A2)

[11] R. Meyer and L. Seawright, "A virtual machine time-sharing system," IBM Syst. J., vol. 9, pp. 199-218, 1970. (I-A2, I-B3, III-A)

[12] M l.T. Computation Center, CTSS Programmer's Cuide, 2nd ed. Cambridge, Mass.: M.I.T. Press, 1965. (I-A2, III-A)

[13] D. Stone,"PDP-IOsystem concepts end capabilities," in PDP10 Applicanons in Science, vol. II. Maynard, Mass: Digital Equipment Corp., undated (ca. 1970), pp. 32-55. (I-A2)

[14] C. Weissman,"Security controls in the ADEPT-SO time-sharing system " in 1969 FJCC, AFIPS Conf. Proc., vol. 3S, pp. 119-133. (I-A2, II-C5, III-A, III-B, SFR)

[15] D. Bobrow et al., "TENEX, a paged time sharing system for the PDP-10," Commun. ACM, vol. 15, pp. 135-143, Mar. 1972. (I-A2, II-C3)

[16] F. Corbato, 1. Saltzer, and C. Clingen, "Multics--The first seven years" in 1972 SJCC, AFIPS Conf. Proc., vol. 40, pp. 571-583. (I-A2)

[17] H. Sturgis, "A postmortem for a time sharing system," Ph.D. dissertation, Univ. of Calif., Berkeley, 1973. (Also available as Xerox Palo Alto Res. Center Tech. Rep. CSL74-1.) (I-A2, II-C2, II-E, III-A, SFR)

[18] D. Ritchie and K. Thompson, "The UNIX time-sharing system," Commun. ACM, vol. 17, pp. 365-375, July 1974. (I-A2, II-C3)

[19] B. Lampson, "Dynamic protection structures," in 1969 FJCC, AFIPS Conf. Proc., vol. 35, pp. 27-38. (I-A2, II-E, III-A)

[20] R. Needham, "Protection systems and protection implementations," in 1972 FJCC, AFIPS Conf. Proc., vol. 41, pt. 1, pp. 571-578. (I-A2, II-B3, II-E, III-A, SFR)

[21] W. Wulf etal., "HYDRA: The kernel of a multiprocessor operating system," Commun. ACM, vol. 17, pp. 337-345, June 1974. (I-A2, II-B3, III-A)

[22] R. Conway, W. Maxwell and H. Morgan, "On the implementation of security measuies in information systems," Commun. ACM, vol. 15, pp. 211-220, Apr. 1972. (I-A2)

[23] 1. Reed, "The application of information theory to privacy in data banks," Rand Corp., Tech. Rep. R-1282-NSF, 1973. (I-A2)

[24] D. Hsiso, D. Kerr, and F. Stahl, "Research on data secme systems," in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 994-996. (I-A2 )

[25] L. Hoffman and W. Miller, "Getting a petsonal dossier from a statistical data bank," Datamation, vol. 16, pp. 74-75, May 1970. (I-A2)

[26] J. Saltzer, "Protection and the control of information sharing in Multics," Commun. ACM, vol. 17, pp. 388-402, July 1974. (I-A3, 1-B4, III-A, SFR)

[27] P. Baran, "Security, secrecy, and tamper-free considerations,' On Distributed Communications, no. 9, Rand Corp. Tech. Rep. RM-3765-PR, 1964. (I-A3, III-B)

[28] G. Popek, "A principle of kernel design," in l974 NCC, AFIPS Conf. Proc., vol. 43, pp. 977-978. (I-A3)

[29] D. Hollingsworth, "Enhancing computer system security," Rand Corp. Paper P-S064, 1973. (I-A3)

[30] B. Lampson, "Protection," in Proc. 5th Princeton Symp. Informanon Science and Systems (Mar. 1971), pp. 437-443. (Reprinted in ACM Operating Syst. Rev., vol. 8, pp. 18-24, Jan. 1974.) (I-B1, II-B2, II-E, SFR)

[31] E. Codd etal., "Multiprogramming Stretch: Feasibility considerations," Commun. ACM, vol. 2, pp. 13-17, Nov. 1959. (I-B3)

[32] W. Lonergan and P. King, "Design of the B5000 system," Datamation, vol. 7, pp. 28-32, May 1961. (I-B3, I-B5)

[33] G. Popek and R. Goldberg, "Formal requirements for virtualizable third generation architectures," Commun. ACM, vol. 17, pp. 412-421, July 1974. (I-B3)

[34] R. Goldberg, "Architecture of virtual machines," in 1973 NCC, AFIPS Conf. Proc., vol. 42, pp. 309-318. (I-B3)

[35] G. Purdy, "A high security log-in procedure," Commun. ACM, vol. 17, pp. 442-445, Aug. 1974. (I-B4)

[36] A. Evans, W. Kantrowitz and E. Weiss, "A user authontication scheme not requiring secr;cy in the computer," Commun. ACM, vol. 17, pp. 437-442, Aug. 1974. (I-B4)

[37] M. Wilkes, Time-Sharing Computer Systems, 2nd ed. New York: American-Elsevier, 1972. (I-B4, I-B5, II-A)

[38] J. Smith, W. Notz, and P. Osseck, "An experimental application of cryptography to a remotely accessed data system," in Proc. ACM 25th Nat. Conf., pp. 282-298, 1972. (I-B4, III-B, SFR)

[39] H. Feistel, "Cryptographic coding for data bank privacy," IBM Corp. Res. Rep. RC 2827, Mar. 1970. (I-B4, III-B, SFR)

[40] D. Branstad, "Security aspects of computer networks," in AIAA Computer Network Systems Conf. (Apr. 1973), Paper 73-427. (I-B4, I-B5, III-B, SFR)

[41] J. Dennis and E. Van Horn, "Programming semantics for multiprogrammed computations," Commun. ACM, vol. 9, pp. 143155, Mar. 1966. (I-B5, II-B1, II-E)

[42] J. Dennis, "Segmentation and the design of multiprogrammed computer systems," J. ACM, vol. 12, pp. 589-602, Oct. 1965. (I-B5, II-A)

[43] R. Daley and J. Dennis, "Virtual memory, processes, and sharing in Multics," Commun. ACM, vol. 11, pp. 306-312, May 1968. (I-B5)

[44] R. Watson, Timesharing System Design Concepts. New York: McGraw-Hill, 1970. (II-A)

[45] R. Fabry, "Capabilitybased addressing," Commun. ACM, voL 17, pp. 403-412, July 1974. (II-A, SFR)

[46] E. Organick, The Multics System: An Examinanon of its Structure. Cambridge, Mass.: M.I.T. Press, 1971. (II-A)

[47] ---, Computer System Organization. TheB5700/B6700Serics. New York: Academic Press, 1973. (II-A, II-B3)

[48] W. Ackerman and W. Plummer, "An implementation of a multiprocessing computer system," in Proc. ACM Symp. Operanag System Principles (Oct. 1967), Paper D-3. (II-B1)

[49] R. Fabry, "Preliminary description of a supervisor for a machine oriented around capabilities," Inst. Comput. Res. Quart. Rep., vol. 18, sec. IB, Univ. of Chicago, Aug. 1968. (II-B1)

[50] J. Iliffe and J. Jodeit, "A dynamic storage allocation scheme," Comput. J., vol. 5, pp. 200-209, Oct. 1962. (II-B1)

[51] E. A. Feustel, "On the advantages of tagged architecture," IEEE Trans. Comput.. vol. C-22, pp. 644-656, July 1973. (II-B1)

[52] L. Robinson et al., "On attaining reliable software for a secure operating system," in Int. Conf. Reliable Software (Apr. 1975), pp. 267-284. (II-B3, III-B)

[53] D. England, "Capability concept mechanism and structure in system 2s0," in IRIA Int. Workshop Protection in Operating Systems (Aug. 1974), pp. 63-82. (II-B3, III-A)

[54] D. Redell, "Naming and protection in extendible operating systems," Ph.D. dissertation, Univ. of Calif., Berkeley, 1974. (Available as M.I.T. Proj. MAC Tech. Rep. TR-140.) (II-B3, III-A, SFR)

[55] A. Bensoussan, C. Clingen, and R. Daley, "The Multics virtual memory: Concepts and design," Commun. ACM, vol. 15, pp. 308-318, May 1972. (II-B3, II-C3)

[56] B. W. Lampson, W. W. Lichtenberger, and M. W. Pirtle, "A user machine in a time-sharing system," Proc. IEEE, vol. 54, pp. 1766-1774, Dec. 1966. (II-C3)

[57] H. Bingham, "Access controls in Burroughs large systems," Privacy and Security in Computer Systems, Nat. Bur. Stand. Special Pub. 404, pp. 42-45, Sept. 1974. (II-C3)

[58] R. Daley and P. Neumann, "A general-purpose file system for secondary storage," in 1965 FJCC, AFIPS Conf. Proc., vol. 27, pt. I, pp. 213-229. (II-C4)

[59] L. Rotenberg, "Making computers keep secrets," Ph.D. dissertation, M.I.T., Cambridge, Mass., 1973. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-115.) (II-C4, II-C5, II-E, III-A, III-B, SFR)

[60] K Walters et al., "Structured specification of a security kernel," in Int. Conf. Reliable Software, Los Angeles, Calif., pp. 285-293, Apr. 1975. (ii-C5)

[61] B. Lampson, "A note on the confinement problem," Commun. ACM, vol. 1 6, pp. 613-615, Oct. 1973. (II-C5)

[62] D. Bell and L. LaPadula, "Secure computer systems," Air Force Elec. Syst. Div. Rep. ESD-TR-73-278, vols. 1, 11, and III, Nov. 1973. (II-C5, III-B)

[63] M. Schroeder and J. Saltzer, "A hardware architecture for implementing protection rings," Commun. ACM, vol. 15, pp. 157-170, Mar. 1972. (II-C5, III-A, SFR)

[64] J. Fenton, "Memoryless subsystems," Comput. J., vol. 17, pp. 143-147, May 1974. (II-C5)

[65] O. Dahl and C. Hoare, "Hierarchical program structures," in Structured Programming. New York: Academic Press, 1972, pp. 175-220. (II-E)

[66] D. Branstad, "Privacy and protection in operating systems,"Computer, vol. 6, pp. 43-46, Jan. 1973. (II-E)

[67] P. Brinch-Hansen, "The nucleus of a multiprogramming system," Commun. ACM, vol. 13, pp. 238-250, Apr. 1970. (II-E)

[68] J. LeClerc, "Memory structures for interactive computers," Ph.D. dissertation, Univ. of Calif., Berkeley, May 1966. (II-E)

[69] D. Evans and J. LeClerc, "Address mapping and the control of access in an interactive computer," in 1967 SJCC, AFIPS Conf. Proc., vol. 30, pp. 23-30. (II-E)

[70] M. Schroeder, "Cooperation of mutually suspicious subsystems in a computer utility," Ph.D. dissertation, M.I.T., Cambridge, Mass., 1972. (Also available as M.I.T. Proj. MAC Tech. Rep. TR-104.) (II-E, III-A, SFR)

[71] A. Jones, "Protection in programmed systems," Ph.D. dissertation, Carnegie-Mellon Univ., Pittsburgh, Pa.. 1973. (II-E, SFR)

[72] J. Morris, "Protection in programming languages," Commun. ACM, vol. 16, pp. 15-21, Jan. 1973. (II-E, SFR)

[73] G. Amdahl, G. Blaauw, and F. Brooks, "Architecture of the IBM System/360," IBM J. Res Develop., vol 8, pp. 87-101, Apr. 1964. (III-A)

[74] IBM Corp., "System 370/Principles of operation," IBM Corp. Syst. Ref. Lib. GA22-7000-3, 1973. (III-A)

[75] R. Bisbey, II, and G. Popek, "Encapsulation: An approach to operating system security," in Proc. ACM 1974 Annul Conf., pp. 666-675. (III-A)

[76] Dept. of Defense, Manual of Techniques and Procedures for Implementing, Deactivating, Testing, and Evaluatiing Secure Resource-Sharing ADP Systems, DOD5200.28-M, Aug. 1972. (III-A)

[77] R. Graham, "Protection in an information processing utility," Commum ACM, vol. 11, pp. 36s-369, May 1968. (III-A)

[78] S. Motobayashi, T. Masuda, and N. Takahashi, "The Hitac 5020 time-sharing system," in Proc. ACM 24th Nat. Conf., pp. 419-429, 1969. (III-A)

[79] M. Spier, T. Hastings, and D. Cutler, "An experimental implementation of the kernel/domain architecture," ACM Operating Syst. Rev., vol. 7, pp 8-21, Oct. 1973. (III-A)

[80] M.I.T. Proj. MAC, "Computer systems research," in Project MAC Progress Reporr XI: July 1973 to June 1974, pp. 155-183. (III-B)

[81] E. Burke, "Synthesis of a software security system," in Proc. ACM 1974 Annu. Conf., pp. 648-650. (III-B)

[82] W. Schiller, "Design of a security kernel for the PDP-11/45," Air Force Elec. Syst. Div. Rep. ESD-TR-73-294, Dec. 1973. (III-B, SFR)

[83] L. Molho, "Hardware aspects of secure computing," in 1970 SJCC, AFIPS Conf. Proc., vol. 36, pp. 135-141. (III-B, SFR) 199

[84] R. Fabry, "Dynamic verification of operating system decisions," Commun. ACM, vol. 16, pp. 659-668, Nov. 1973. (III-B, SFR)

[85] C. Shannon, "Communication theory of secrecy systems," Bell Syst. Tech. J., vol. 28, pp. 656-715, Oct. 1949. (III-B)

[86] S. Lipner, Chm., "A panel session--Security kernels," in 1974 NCC, AFIPS Conf. Proc., vol. 43, pp. 973-980. (III-B, SFR)

[87] R. Mathis, Chm., "A panel session--Research in data security--Policies and projects," in 1974 NCC, AFIPS Conf. Proc., vol. 43 pp. 993-999. (III-B, SFR)

[88] Institut de Recherche d'Informatique et d'Automatique (IRIA), Int. Workshop Protectlon in Operating Systems. Rocquencourt, France: IRIA, Aug. 1974. (III-B, SFR)

[89] J. Saltzer, "Ongoing research and development on information protection," ACM Operating Syst. Rev., vol. 8, pp. 8-24, July 1974. (III-B, SFR)

[90] L. Hoffman Ed., Security and Privacy in Compurer Systems. Los Angeles, Calif.: Melville Pub. Co., 1973. (SFR)

[91] C. W. Beardsley, "Is your computer insecure?" IEEE Speetrum, vol. 9, pp. 67-78, Jan. 1972. (SFR)

[92] D. Parker, S. Nycom, and S. Oura, "Computer abuse," Stanford Res. Inst. Proj. ISU 2501, Nov. 1973. (SFR)

[93] D. Kahn, The Codebreakers. New York: Macmillan, 1967. (SFR)

[94] G. Mellen, "Cryptology, computers, and common sense," in 1973 NCC, AFlPS Conf. Proc. ,vol.42, pp.569-579. (SFR)

[95] J. Anderson, "Computer security technology planning study," Air Force Elec. Syst. Div. Rep. ESD-TR-73-51, Oct. 1972. (SFR)

[96] W. Ware et al., "Security controls for computer systems," Rand Corp. Tech. Rep. R-609, 1970. (Classified confidontial.) (SFR)

[97] R. Anderson and E. Fagerlund, "Privacy end the computer: An annotated bibliography," ACM Compur. Rev., vol. 13, pp. 551-559, Nov. 1972. (SFR)

[98] J. Bergart, M. Denicoff, and D. Hsiao, "An annotated and cross-referenced bibliography on computer security and access control in computer systems," Ohio State Univ., Computer and Information Science Res. Center Rep. OSU-CISRC-T072-12, 1972. (SFR)

[99] S. Reed and M. Gray, "Controlled accessibility bibliography," Nat. Bur. Stand. Tech. Note 780, June 1973. (SFR)

[100] J. Scherf, "Computer and data base security: A comprehensive annotated bibliography," M.I.T. Proj. MAC Tech. Rep. TR-122, Jan. 1974. (SFR)