Date post: | 31-Dec-2015 |
14.1 Goal of Protection
Protection was originally conceived as an adjunct to multiprogramming operating systems, so that untrustworthy users might safely share common files or memory.
Modern protection concepts have evolved to increase the reliability of any complex system that makes use of shared resources.
Protection (Ch. 14) deals with the internal problem; security (Ch. 15) deals with the external problem.
14.2 Principle of Protection
A key, time-tested guiding principle for protection is the principle of least privilege.
It dictates that programs, users, and even systems be given just enough privileges to perform their tasks.
A computer deployed in a computing facility under the principle of least privilege can be limited to running specific services, accessing specific remote hosts via specific services, and doing so only during specific times.
14.3 Domain of Protection
Domain structure: Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights.
Each user may be a domain: domain switching occurs when the user is changed.
Each process may be a domain: domain switching occurs when the process sends a message to another process and then waits for a response.
14.4 Access Matrix
View protection as a matrix (the access matrix): rows represent domains, columns represent objects, and access(i, j) is the set of operations that a process executing in domain Di can invoke on object Oj.
The users normally decide the contents of the access-matrix entries. When a user creates a new object Oj, the column Oj is added to the access matrix.
When we switch a process from one domain to another, we are executing an operation (switch) on a domain object.
Processes should be able to switch from one domain to another.
Domain switching from domain Di to Dj is allowed if and only if the access right switch is in access(i, j).
Access Table
Allowing controlled change in the contents of the access-matrix entries requires three additional operations: copy, owner, and control.
Access Table: Copy right
The ability to copy an access right from one domain of the access matrix to another is denoted by an *.
The copy right allows the copying of the access right only within the column for which the right is defined.
Three types of copy:
1. Copy.
2. Transfer: a right is copied from access(i, j) to access(k, j); it is then removed from access(i, j).
3. Limited copy: only the right is copied, not the *.
Access Table: Owner right
We need some mechanism to allow the addition of new rights and the removal of some rights.
If access(i, j) includes the owner right, then a process executing in domain Di can add and remove any right in any entry in column j.
Access Table: Control right
The copy and owner rights allow a process to change the entries in a column; a mechanism is also needed to change the entries in a row.
The control right is applicable only to domain objects.
If access(i, j) includes the control right, then a process executing in domain Di can "remove" any access right from row j.
Implementation of Access Table
Global table; access lists for objects; capability list for domains; lock-key mechanism.
Global Table
Easiest: a set of <domain, object, rights-set> triples.
Disadvantages:
1. The table is usually too big to fit in memory.
2. Virtual memory is required.
3. No advantage is taken of special groupings of objects or domains.
Access lists for objects
The resulting list for each object consists of ordered pairs <domain, rights-set>.
Capability list for domains
We can access each row by its domain. A capability list for a domain is a list of objects together with the operations allowed on those objects.
An object is often represented by its physical name or address, called a capability.
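The access-matrix operations of 14.4 (switch, copy/transfer/limited copy, owner, control) and the two implementation views (access list per object column, capability list per domain row) as one added, runnable model. This is example code written for this page, not from the slides or any textbook; the class and method names, and the convention that a trailing * marks a copy right, are assumptions of the example.

```python
from collections import defaultdict

class AccessMatrix:
    # rows are domains, columns are objects (files or other domains);
    # access(i, j) is a set of right names, and a trailing '*' marks a
    # copy right: 'read*' means read plus the ability to copy read
    def __init__(self):
        self.m = defaultdict(lambda: defaultdict(set))

    def grant(self, d, o, *rights):
        self.m[d][o].update(rights)

    def has(self, d, o, right):
        return right in self.m[d][o] or right + "*" in self.m[d][o]

    def can_switch(self, di, dj):
        # switching from Di to Dj is allowed iff 'switch' is in access(i, j)
        return "switch" in self.m[di][dj]

    def copy_right(self, di, dk, o, right, mode="copy"):
        # copy 'right' from access(i, o) to access(k, o); the copy never
        # leaves column o. 'copy' and 'transfer' propagate the '*',
        # 'limited' copies the bare right, 'transfer' also revokes it at i
        if right + "*" not in self.m[di][o]:
            raise PermissionError(f"{di} has no copy right for {right} on {o}")
        self.m[dk][o].add(right if mode == "limited" else right + "*")
        if mode == "transfer":
            self.m[di][o].discard(right + "*")

    def owner_modify(self, di, o, dk, right, add=True):
        # owner in access(i, o) lets Di add or remove any right in column o
        if "owner" not in self.m[di][o]:
            raise PermissionError(f"{di} does not own {o}")
        (self.m[dk][o].add if add else self.m[dk][o].discard)(right)

    def control_remove(self, di, dj, o, right):
        # control in access(i, j), with Dj a domain, lets Di remove any
        # right from row j
        if "control" not in self.m[di][dj]:
            raise PermissionError(f"{di} has no control right over {dj}")
        self.m[dj][o].discard(right)

    def access_list(self, o):
        # column view used by access lists: <domain, rights-set> pairs
        return {d: set(row[o]) for d, row in self.m.items() if row.get(o)}

    def capability_list(self, d):
        # row view used by capability lists: objects and allowed operations
        return {o: set(rs) for o, rs in self.m[d].items() if rs}
```

A copy attempt from a domain holding only the bare right (no *) raises PermissionError, which is the check that keeps the * confined to the column it was granted in.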