128 ;;Quote: to ensure security, a reference monitor must be tamper proof, invoked on every data reference, and small enough to be proven correct

128 ;;Quote: security rings and memory segmentation might be provably secure; e.g., Multics, a descriptor-based system

131 ;;Quote: easily attacked Multics security via hardware, software, and procedures; extracted or modified sensitive data without detection; 250 manhours of effort

131 ;;Quote: the subverter frequently sampled the security sensitive hardware; identified code that allowed illegal access to a protected segment; was due to a field modification

142 ;;Quote: the World Wide Military Command and Control System was developed and deployed by uncleared personnel using an open time sharing system; vulnerable to trap door insertions

143 ;;Quote: a compiler or assembler can insert a trap door when compiling a ring 0 module; hidden even when recompiling the compiler

143 ;;Quote: use system initialization code to insert trap doors as the system is booted; initialization is complex and poorly understood

145 ;;Quote: passwords and security audits are no more than "security blankets" as long as hardware and software are vulnerable