Lecture: Operating System Concepts - Module 18: Protection

ppt, 19 pages, huongle, 3470

Attached file:

  • pptbai_giang_operating_system_concepts_module_18_protection.ppt

Text content: Lecture: Operating System Concepts - Module 18: Protection

  1. Module 18: Protection
     • Goals of Protection
     • Domain of Protection
     • Access Matrix
     • Implementation of Access Matrix
     • Revocation of Access Rights
     • Capability-Based Systems
     • Language-Based Protection
     Operating System Concepts 18.1 Silberschatz, Galvin and Gagne 2002

  2. Protection
     • An operating system consists of a collection of objects, hardware or software.
     • Each object has a unique name and can be accessed through a well-defined set of operations.
     • Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.

  3. Domain Structure
     • Access-right = where rights-set is a subset of all valid operations that can be performed on the object.
     • Domain = set of access-rights.

  4. Domain Implementation (UNIX)
     • The system consists of 2 domains:
        • User
        • Supervisor
     • UNIX
        • Domain = user-id
        • Domain switch is accomplished via the file system.
           • Each file has a domain bit (the setuid bit) associated with it.
           • When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.
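The setuid bit on slide 4 is the UNIX domain-switch point, so a defender wants to know where such files exist and what the switch does to the process's user-id. The Python below is an added example, not code from the slides or the textbook: it walks a directory tree and reports regular files carrying the setuid bit, and models the slide's user-id rule as a pure function. The fixture directory and its file names are constructed.

```python
"""Enumerate setuid files (UNIX domain-switch points) and model the user-id rule.
Added example; the fixture tree built by make_fixture() is constructed."""
import os
import stat
import tempfile


def setuid_entries(root):
    """Return sorted [(path, owner_uid)] for regular files under root whose
    setuid bit is set. lstat is used so a symlink's target mode is never taken
    for the link's own, and directories are skipped (S_ISUID on a directory is
    not an exec-time domain switch)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append((path, st.st_uid))
    return sorted(found)


def effective_uid_at_exec(file_mode, file_owner_uid, caller_uid):
    """The rule from the slide: executing a setuid file moves the process into
    the file owner's domain (user-id); otherwise it stays in the caller's."""
    return file_owner_uid if file_mode & stat.S_ISUID else caller_uid


def make_fixture():
    """Constructed tree: one setuid script, one plain script, one setuid directory.
    Returns (root, setuid_path, plain_path)."""
    root = tempfile.mkdtemp(prefix="setuid_demo_")
    bin_dir = os.path.join(root, "bin")
    os.makedirs(bin_dir)
    suid = os.path.join(bin_dir, "switcher")
    plain = os.path.join(bin_dir, "plain")
    for p in (suid, plain):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)      # rwsr-xr-x: setuid bit on
    os.chmod(plain, 0o755)      # rwxr-xr-x: no domain switch
    os.chmod(bin_dir, 0o4755)   # setuid on a directory must not be reported
    return root, suid, plain


if __name__ == "__main__":
    root, suid, _plain = make_fixture()
    for path, uid in setuid_entries(root):
        print(f"setuid file {path} switches callers into uid {uid}")
```

Run against a real tree such as /usr/bin the scan produces the inventory of domain-switch points an auditor would review; the owner uid in each entry is the domain a caller lands in.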
  5. Domain Implementation (Multics)
     • Let Di and Dj be any two domain rings.
     • If j < i, then Di ⊆ Dj.
     (figure: Multics Rings)

  6. Access Matrix
     • View protection as a matrix (access matrix).
     • Rows represent domains.
     • Columns represent objects.
     • Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j.

  7. Access Matrix
     (figure: Figure A)

  8. Use of Access Matrix
     • If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.
     • Can be expanded to dynamic protection.
        • Operations to add and delete access rights.
        • Special access rights:
           • owner of Oi
           • copy op from Oi to Oj
           • control – Di can modify Dj access rights
           • transfer – switch from domain Di to Dj

  9. Use of Access Matrix (Cont.)
     • Access matrix design separates mechanism from policy.
        • Mechanism
           • The operating system provides the access matrix + rules.
           • It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced.
        • Policy
           • The user dictates policy.
           • Who can access what object and in what mode.

  10. Implementation of Access Matrix
     • Each column = Access-control list for one object. Defines who can perform what operation.
        Domain 1 = Read, Write
        Domain 2 = Read
        Domain 3 = Read
     • Each row = Capability list (like a key). For each domain, what operations are allowed on what objects.
        Object 1 – Read
        Object 4 – Read, Write, Execute
        Object 5 – Read, Write, Delete, Copy

  11. Access Matrix of Figure A With Domains as Objects
     (figure: Figure B)

  12. Access Matrix with Copy Rights
     (figure)

  13. Access Matrix With Owner Rights
     (figure)

  14. Modified Access Matrix of Figure B
     (figure)
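The access-matrix mechanics of slides 6 to 14 (the check against Access(i, j), domains appearing as objects, switch, copy, owner and control rights, and the column view as an ACL versus the row view as a capability list) as a small Python simulation. This is an added example, not code from the slides or the textbook; the domain names D1 to D3, object names F1 to F3 and the rights granted are constructed, and the `*` copy-flag notation with its limited-copy and transfer variants is the textbook convention assumed here.

```python
"""Access-matrix simulation: domains as rows, objects (and domains) as columns.
Added example; names D1..D3, F1..F3 and the granted rights are constructed."""
from collections import defaultdict


class AccessMatrix:
    """Access(i, j) is a set of operation names. A right stored as 'op*' carries
    the copy flag: its holder may copy 'op' into another row of the same column."""

    def __init__(self):
        self._cells = defaultdict(set)          # (domain, object) -> set of rights

    def grant(self, domain, obj, *rights):
        self._cells[(domain, obj)].update(rights)

    def cell(self, domain, obj):
        # .get() so that a lookup never creates an empty cell as a side effect
        return self._cells.get((domain, obj), set())

    def allows(self, domain, obj, op):
        """Mechanism: op is permitted only if it is in Access(domain, obj)."""
        c = self.cell(domain, obj)
        return op in c or op + "*" in c

    def copy(self, src, dst, obj, op, limited=True, transfer=False):
        """src copies 'op' on obj into dst's row; requires src to hold 'op*'.
        limited=True  -> dst receives 'op' without the copy flag (limited copy)
        transfer=True -> the right moves: src loses 'op*' (transfer)"""
        if op + "*" not in self.cell(src, obj):
            raise PermissionError(f"{src} lacks the copy right for {op} on {obj}")
        self._cells[(dst, obj)].add(op if limited else op + "*")
        if transfer:
            self._cells[(src, obj)].discard(op + "*")

    def owner_grant(self, owner, target, obj, *rights):
        """Owner right on obj: the owner may add rights anywhere in obj's column."""
        if "owner" not in self.cell(owner, obj):
            raise PermissionError(f"{owner} does not own {obj}")
        self._cells[(target, obj)].update(rights)

    def control_revoke(self, controller, controlled, obj, op):
        """Control right lives in the column of a *domain* (domains are objects
        too) and lets the controller remove rights from the controlled row."""
        if "control" not in self.cell(controller, controlled):
            raise PermissionError(f"{controller} cannot control {controlled}")
        self._cells[(controlled, obj)].discard(op)

    def switch(self, current, target):
        """A domain switch is itself an operation on the target domain's column."""
        if "switch" not in self.cell(current, target):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def acl(self, obj):
        """Column view: the access-control list of one object."""
        return {d: set(r) for (d, o), r in self._cells.items() if o == obj and r}

    def capability_list(self, domain):
        """Row view: the capability list of one domain."""
        return {o: set(r) for (d, o), r in self._cells.items() if d == domain and r}


def build_example():
    """Constructed matrix in the spirit of the slides' Figure A/B (not a copy)."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read", "write")
    m.grant("D2", "F1", "read")
    m.grant("D3", "F1", "read")
    m.grant("D2", "F2", "owner", "read", "execute*")   # D2 owns F2, may copy execute
    m.grant("D1", "D2", "switch")                      # D1 may switch into D2
    m.grant("D2", "D3", "control")                     # D2 may edit D3's row
    m.grant("D3", "F3", "write")
    return m


def demo():
    """Exercise copy, owner, control and switch; return the resulting views."""
    m = build_example()
    m.copy("D2", "D1", "F2", "execute")            # limited copy: D1 gets execute
    m.owner_grant("D2", "D3", "F2", "read")        # owner adds read for D3
    m.control_revoke("D2", "D3", "F3", "write")    # control strips D3's write on F3
    current = m.switch("D1", "D2")
    return current, m.acl("F1"), m.capability_list("D1")


if __name__ == "__main__":
    print(demo())
```

Every policy decision (who owns F2, who may switch into D2) sits in the matrix data; `allows`, `copy`, `owner_grant`, `control_revoke` and `switch` are the mechanism and only consult the cells, which is the mechanism/policy split of slide 9.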
  15. Revocation of Access Rights
     • Access List – delete access rights from the access list.
        • Simple
        • Immediate
     • Capability List – a scheme is required to locate the capability in the system before the capability can be revoked.
        • Reacquisition
        • Back-pointers
        • Indirection
        • Keys
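Slide 15's contrast between ACL deletion and capability revocation, as an added Python example that is not from the slides or the textbook. Back-pointers, indirection and keys are modelled; reacquisition (periodically discarding capabilities so that domains must re-obtain them) is not shown. All object and domain names are constructed.

```python
"""Revocation of access rights: ACL deletion versus three capability-revocation
schemes (back-pointers, indirection, keys). Added example; names are constructed."""
import itertools
import secrets


class AclObject:
    """The object's column, stored with the object. Revocation is a deletion
    from the list, so it is simple and immediate: the next check sees it."""

    def __init__(self, name):
        self.name, self.acl = name, {}

    def grant(self, domain, *rights):
        self.acl.setdefault(domain, set()).update(rights)

    def revoke(self, domain, right=None):
        if right is None:
            self.acl.pop(domain, None)            # revoke all of that domain's rights
        else:
            self.acl.get(domain, set()).discard(right)

    def check(self, domain, op):
        return op in self.acl.get(domain, set())


class Capability:
    """A row entry held by a domain. The object cannot see who holds it unless
    one of the schemes below records that."""

    def __init__(self, obj, rights):
        self.obj, self.rights, self.valid = obj, frozenset(rights), True


class BackPointerObject:
    """The object keeps pointers to every capability issued for it; revocation
    follows them and marks each capability invalid (general but costly)."""

    def __init__(self, name):
        self.name, self.issued = name, []

    def issue(self, rights):
        cap = Capability(self.name, rights)
        self.issued.append(cap)
        return cap

    def revoke_all(self):
        for cap in self.issued:
            cap.valid = False
        self.issued.clear()

    def check(self, cap, op):
        return cap.valid and cap.obj == self.name and op in cap.rights


class IndirectionTable:
    """Capabilities refer to an entry in a global table, not to the object.
    Deleting the entry revokes every capability that refers to it; selective
    revocation per holder requires one entry per holder."""

    def __init__(self):
        self.entries, self._next = {}, itertools.count(1)

    def issue(self, obj, rights):
        idx = next(self._next)
        self.entries[idx] = (obj, frozenset(rights))
        return idx                                # the capability is the index

    def revoke(self, idx):
        self.entries.pop(idx, None)

    def check(self, idx, obj, op):
        entry = self.entries.get(idx)
        return entry is not None and entry[0] == obj and op in entry[1]


class KeyedObject:
    """Each capability carries the object's master key as of issue time.
    Replacing the master key invalidates every outstanding capability at once."""

    def __init__(self, name):
        self.name, self.master_key = name, secrets.token_hex(8)

    def issue(self, rights):
        return {"obj": self.name, "key": self.master_key, "rights": frozenset(rights)}

    def revoke_all(self):
        self.master_key = secrets.token_hex(8)

    def check(self, cap, op):
        return (cap["obj"] == self.name and cap["key"] == self.master_key
                and op in cap["rights"])


def demo():
    """Grant, revoke, re-check under each scheme; returns the five check results."""
    f = AclObject("F1"); f.grant("D1", "read", "write"); f.revoke("D1", "write")
    bp = BackPointerObject("F2"); c1 = bp.issue(["read"]); bp.revoke_all()
    t = IndirectionTable(); i = t.issue("F3", ["read"]); t.revoke(i)
    k = KeyedObject("F4"); kc = k.issue(["read"]); k.revoke_all()
    return (f.check("D1", "read"), f.check("D1", "write"),
            bp.check(c1, "read"), t.check(i, "F3", "read"), k.check(kc, "read"))
```

The ACL case shows why slide 15 calls list revocation simple: the object already holds the column. The three capability cases each add a structure whose only purpose is to find or invalidate capabilities the object otherwise cannot reach, and keys and back-pointers as written revoke all holders at once, which is the trade-off the slide's wording hints at.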
  16. Capability-Based Systems
     • Hydra
        • Fixed set of access rights known to and interpreted by the system.
        • Interpretation of user-defined rights is performed solely by the user's program; the system provides access protection for the use of these rights.
     • Cambridge CAP System
        • Data capability – provides standard read, write, execute of individual storage segments associated with the object.
        • Software capability – interpretation is left to the subsystem, through its protected procedures.

  17. Language-Based Protection
     • Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
     • A language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
     • Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.

  18. Protection in Java 2
     • Protection is handled by the Java Virtual Machine (JVM).
     • A class is assigned a protection domain when it is loaded by the JVM.
     • The protection domain indicates what operations the class can (and cannot) perform.
     • If a library method is invoked that performs a privileged operation, the stack is inspected to ensure the operation can be performed by the library.

  19. Stack Inspection
     (figure)
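Slides 18 and 19 describe Java 2 stack inspection. The following is an added, simplified Python model of that walk, not the JVM's own code: each frame carries its class's protection domain, the check walks from the newest frame outward, every domain on the way must hold the permission, and the walk stops at a frame that asserted privilege (Java's doPrivileged). Permission names, domains and method names are constructed, and inherited thread contexts and other details of the real AccessController are left out.

```python
"""Java 2-style stack inspection, simulated. Added example; frames, protection
domains and permission names are constructed."""
from dataclasses import dataclass


@dataclass
class ProtectionDomain:
    name: str
    permissions: frozenset          # permission names this domain grants


@dataclass
class Frame:
    method: str
    domain: ProtectionDomain        # assigned when the method's class was loaded
    privileged: bool = False        # True if this frame asserted privilege (doPrivileged)


def check_permission(stack, permission):
    """Walk the call stack from the most recent frame outward. Every frame's
    domain must grant the permission; the walk stops early at a frame that
    asserted privilege, so callers beyond it are not consulted. An untrusted
    caller on the stack therefore blocks a library operation unless the
    library deliberately takes responsibility for it."""
    for frame in reversed(stack):       # stack[-1] is the current frame
        if permission not in frame.domain.permissions:
            return False                # Java would throw AccessControlException
        if frame.privileged:
            return True
    return True


def build_stacks():
    """Three constructed call stacks, oldest frame first."""
    system = ProtectionDomain("system", frozenset({"file.read", "socket.connect"}))
    untrusted = ProtectionDomain("untrusted-applet", frozenset())

    # Case 1: untrusted code calls a library that reads a file. The untrusted
    # caller is on the stack and lacks file.read, so the check fails.
    direct = [Frame("Applet.run", untrusted),
              Frame("FileInputStream.open", system)]

    # Case 2: the library wraps the sensitive step in doPrivileged. The walk
    # stops at that frame, and the untrusted caller is never consulted.
    privileged = [Frame("Applet.run", untrusted),
                  Frame("Library.readConfig", system, privileged=True),
                  Frame("FileInputStream.open", system)]

    # Case 3: asserting privilege cannot grant what the asserting domain
    # itself lacks; the untrusted frame fails the check regardless.
    overreach = [Frame("Applet.run", untrusted),
                 Frame("Applet.helper", untrusted, privileged=True),
                 Frame("FileInputStream.open", system)]
    return direct, privileged, overreach


if __name__ == "__main__":
    for label, stack in zip(("direct", "privileged", "overreach"), build_stacks()):
        print(label, check_permission(stack, "file.read"))
```

Case 2 is the one the slide's last bullet is about: the library may perform the operation, but only because a frame from the library's own domain took responsibility for it; case 3 shows that the privilege assertion is bounded by the asserting class's protection domain.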