NCJ Number: 58053
Date Published: 1977
Length: 69 pages
Annotation
Integrity problems posed by a secure military computer utility, and integrity policies defining formal access constraints to protect data from improper modification, are identified and discussed.
Abstract
The preservation of the validity of information stored in resource-sharing computer systems is a major systems design question. The issues of which information to protect, from whom, and with what mechanism are complex and require careful analysis. Protection problems found in computer utilities, specifically the security-kernel-based Multics, have been identified. The two integrity environments considered are the kernel and the kernel-defined virtual (user) environment.

The current Multics hardware base supports two classes of protection mechanisms: descriptor segments and rings of protection. The descriptor provides two facilities: an access capability, and constraints on that access based on the ring attributes of the accessed name as defined in the descriptor of the accessing subject. A Multics process is a collection of subsystems, each of which is a subject constrained by the discretionary ring mechanism; the union of these can be considered a subject constrained by a name space (domain) whose mapping to physical objects is determined by the mandatory protection policies of security and integrity and by the discretionary user identity policy.

It is concluded that, because ignored protection problems become security and integrity breaches, enforced integrity policies including such access controls as identified in the prototype secure computer utility, Multics, are the most effective means of preventing information sabotage. References and diagrams are provided. (LWM)