Protection

Chapter14:ProtectionGoalsofProtectionDomainofProtectionAccessMatrixImplementationofAccessMatrixRevocationofAccessRightsCapability-BasedSystemsLanguage-BasedProtectionProtectionOperatingsystemconsistsofacollectionofobjects,hardwareorsoftwareEachobjecthasauniquenameandcanbeaccessedthroughawell-definedsetofoperations.Protectionproblem-ensurethateachobjectisaccessedcorrectlyandonlybythoseprocessesthatareallowedtodoso.DomainStructureAccess-right=object-name,rights-setRights-setisasubsetofallvalidoperationsthatcanbeperformedontheobject.Domain=setofaccess-rightsDomainImplementationSystemconsistsof2domains:UserSupervisorUNIXDomain=user-idDomainswitchaccomplishedviafilesystem.Eachfilehasassociatedwithitadomainbit(setuidbit).Whenfileisexecutedandsetuid=on,thenuser-idissettoownerofthefilebeingexecuted.Whenexecutioncompletesuser-idisreset.MulticsRingsLetDiandDjbeanytwodomainrings.IfjIDiDjAccessMatrixFigure1UseofAccessMatrixIfaprocessinDomainDitriestodo“op”onobjectthen“op”mustbeintheaccessmatrix.Canbeexpandedtodynamicprotection.Operationstoadd,deleteaccessrights.Specialaccessrights:ownerofOicopyopfromOitoOjcontrol–Dicanmodifyaccessrightstransfer–switchfromdomainDitoDjUseofAccessMatrix(Cont.)Accessmatrixdesignseparatesmechanismfrompolicy.MechanismOperatingsystemprovidesAccess-matrix+rules.Ifensuresthatthematrixisonlymanipulatedbyauthorizedagentsandthatrulesarestrictlyenforced.PolicyUserdictatespolicy.Whocanaccesswhatobjectandinwhatmode.ImplementationofAccessMatrixEachcolumn=Access-controllistforoneobjectDefineswhocanperformwhatoperation.Domain1=Read,WriteDomain2=ReadDomain3=ReadEachRow=CapabilityList(likeakey)Foreachdomain,whatoperationsallowedonwhatobjects.Object1–ReadObject4–Read,Write,ExecuteObject5–Read,Write,Delete,CopyAccessMatrixofFigure1WithDomainsasObjectsFigure2AccessMatrixwithCopyRightsAccessMatrixWithOwnerRightsModifiedAccessMatrixofFigure2RevocationofAccessRightsAccessList–Deleteaccessrightsfromaccesslist.SimpleImmediateCapabilityList–Schemerequiredtolocatecapabilityinthesystembeforecapabilitycanberevoked.ReacquisitionBack-pointersIndirectionKeysCapability-BasedSystemsHydraFixedsetofaccessrightsknowntoandinterpretedbythesystem.Interpretationofuser-definedrightsperformedsolelybyuser‘sprogram;systemprovidesaccessprotectionforuseoftheserights.CambridgeCAPSystemDatacapability-providesstandardread,write,executeofindividualstoragesegmentsassociatedwithobject.Softwarecapability-interpretationlefttothesubsystem,throughitsprotectedprocedures.Language-BasedProtectionSpecificationofprotectioninaprogramminglanguageallowsthehigh-leveldescriptionofpoliciesfortheallocationanduseofresources.Languageimplementationcanprovidesoftwareforprotectionenforcementwhenautomatichardware-supportedcheckingisunavailable.Interpretprotectionspecificationstogeneratecallsonwhateverprotectionsystemisprovidedbythehardwareandtheoperatingsystem.