silberschatz and galvin chapter 19
play

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard - PDF document

Feb 02, 2024 •277 likes •437 views

Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection Goals of protection schemes Domain of protection Mechanisms access matrix implementation of access matrix revocation of access

  1. Silberschatz and Galvin Chapter 19 Protection CPSC 410--Richard Furuta 4/26/99 1 Protection ¥ Goals of protection schemes ¥ Domain of protection ¥ Mechanisms Ð access matrix ¥ implementation of access matrix ¥ revocation of access rights Ð Capability-based systems Ð Language-based protection CPSC 410--Richard Furuta 4/26/99 2 1

  2. Goals of protection schemes ¥ Operating system consists of a collection of hardware and software objects Ð CPU, memory segments, printers, disks, tape drives Ð files, programs, semaphores ¥ Each object has a unique name; is accessed through a well- defined set of operations Ð Essentially abstract data types ¥ Purpose of protection: to ensure that each object is accessed correctly and only by those processes that are allowed to do so Ð need to know principle CPSC 410--Richard Furuta 4/26/99 3 Goals of protection schemes ¥ Why protection? Ð Prevent mischief Ð Make sure that program components use resources in compliance with policies for resources Ð Protect from certain user errors ¥ Separation of policy from mechanism Ð Policy: what will be done Ð Mechanism: how it will be done ¥ Separating policy from mechanism allows change to policy without requiring changes to underlying mechanism (reconfiguration instead) CPSC 410--Richard Furuta 4/26/99 4 2

  3. Protection domain structure ¥ Protection domain --specifies the resources that a process may access. Defines a set of objects and the operations that may be invoked on each object. A domain is a set of access rights ¥ Access right --the ability to execute an operation on an object; a subset of all valid operations that can be performed on the object Ð <object-name, rights-set> ¥ Domains can share access rights CPSC 410--Richard Furuta 4/26/99 5 Protection domain structure CPSC 410--Richard Furuta 4/26/99 6 3

  4. Protection domain structure ¥ Association between a process and a domain may be static or dynamic Ð static: set of resources available to the process is fixed through the processÕ lifetime Ð static is easier to implement than dynamic Ð Static association plus need-to-know requires mechanisms to change the content of a domain ¥ one phase may require read access but not write access ¥ another may require only write access ¥ need-to-know implies that we provide only the minimum needed access rights at all times Ð Dynamic association provides these means CPSC 410--Richard Furuta 4/26/99 7 Protection domain structure ¥ What defines a domain? Ð Each user is a domain ¥ access depends on userÕs identity ¥ domain switching occurs when users change (login/ logout) Ð Each process is a domain ¥ access depends on processÕ identity ¥ Domain switching occurs when process sends a message to another and then waits for answer Ð Each procedure is a domain ¥ set of objects that can be accessed corresponds to local variables ¥ Domain switching occurs when procedure call made CPSC 410--Richard Furuta 4/26/99 8 4

  5. Domain implementation examples ¥ System consists of 2 domains: Ð User Ð Supervisor CPSC 410--Richard Furuta 4/26/99 9 Domain implementation examples ¥ UNIX Ð Domain = user-id Ð Domain switch accomplished via file system. ¥ Each file has associated with it a domain bit (setuid bit). ¥ When file is executed and setuid = on, then user-id is set to owner of the file being executed. When execution completes user-id is reset. Ð Some other systems do not allow change of user id. Here, user access to protected objects has to use different mechanisms. For example, a daemon process that mediates access to the object. CPSC 410--Richard Furuta 4/26/99 10 5

  6. Domain implementation examples ¥ Multics rings (MIT late 1960Õs) Ð Let D i and D j be any two domain rings. Ð If j < i Þ D i Í D j CPSC 410--Richard Furuta 4/26/99 11 Domain implementation examples ¥ Multics system Ð Ring D 0 corresponds to monitor mode; has the most privileges Ð each memory segment includes ring number and access bits to control reading, writing, and execution Ð process can only access segments associated with rings with greater than or equal number, restricted according to the access bits Ð Domain switching is procedure oriented--procedure called in a different ring. Further controls on how those switches can occur (see following) CPSC 410--Richard Furuta 4/26/99 12 6

  7. Domain implementation examples ¥ Multics domain switching Ð Makes use of the following ¥ access bracket: a pair of integers, b1 and b2, such that b1 £ b2 ¥ limit: an integer b3, such that b3 > b2 ¥ list of gates: identifies entry points (gates) at which segments may be called Ð Process in ring i calls a procedure (segment) with access bracket (b1,b2) ¥ Call allowed if b1 £ i £ b2 ¥ Current ring number of the process remains i ¥ Otherwise, see following CPSC 410--Richard Furuta 4/26/99 13 Domain implementation examples ¥ Multics domain switching Ð When the callerÕs ring number is not in the calleeÕs access bracket ¥ i < b1 Ð Call allowed since this is a transfer to a ring with fewer privileges Ð Parameters may need to be copied into an area accessible to the called procedure ¥ i > b2 Ð Call permitted only if b3 £ i (b3 is the limit ) and the call has been directed to one of the designated entry points in the list of gates Ð This is a call to a procedure with higher privileges, but in a controlled manner CPSC 410--Richard Furuta 4/26/99 14 7

  8. Domain implementation examples ¥ Multics domain model Ð Does not enforce need-to-know (as you have access to all segments in higher numbered rings) Ð More general models (which are also simpler) used in modern computer systems CPSC 410--Richard Furuta 4/26/99 15 Access Matrix ¥ Rows: domains ¥ Columns: objects ¥ Access(i,j) defines the set of operations that a process, executing in domain D i can invoke on object O j ¥ Process in Domain D i can execute operation op on Object O j only if there is a corresponding entry in the access matrix CPSC 410--Richard Furuta 4/26/99 16 8

  9. Access matrix O1 O2 O3 O4 D1 read execute read write write D2 write print D3 execute read print CPSC 410--Richard Furuta 4/26/99 17 Access Matrix ¥ Allowing processes to switch among domains Ð Can be controlled by including domains in access matrix Ð ÒswitchÓ access right allows switching to the specified domain O1 O2 O3 O4 D1 D2 D3 D1 read execute read switch write write D2 write print D3 execute read print switch switch CPSC 410--Richard Furuta 4/26/99 18 9

  10. Access Matrix ¥ Allowing controlled change to the access matrix Ð Operations to add, delete access rights. Ð Special access rights: ¥ owner of object O i Ð Can add/remove operations in column i ¥ copy op from D i to D j Ð Copy within column (i.e., to additional domains for object for which the right is defined) Ð Variant: transfer of right, not copy Ð Variant: limit propagation (copy cannot be copied) ¥ control Ð D i can modify D j s access rights Ð D i can remove access rights from row j CPSC 410--Richard Furuta 4/26/99 19 Access Matrix ¥ Access matrix design separates mechanism from policy. Ð Mechanism ¥ Operating system provides Access-matrix + rules. ¥ It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced. Ð Policy ¥ User dictates policy. ¥ Who can access what object and in what mode. CPSC 410--Richard Furuta 4/26/99 20 10

  11. Access Matrix Implementation ¥ Want to implement efficiently but usually matrix is sparse ¥ Simple implementation: global table of triples <domain, object, rights set> Ð Problems: large table, hence too big for memory (has to be on secondary storage either explicitly or via virtual memory). Requires added I/O Ð Difficult to take advantage of special groupings of objects--for example if an object allows everyone to read it, it must have separate entry in every domain CPSC 410--Richard Furuta 4/26/99 21 Access Matrix Implementation ¥ Object-centric implementation Ð Access list implementation. Columns in access matrix are implemented as an access list, kept by the object (list of <domain, rights-set> pairs) Ð Easy extension also provides default set of access rights (search local list, if operation on object not found check default set) CPSC 410--Richard Furuta 4/26/99 22 11

  12. Access Matrix Implementation ¥ Domain-centric implementation Ð each row in the access matrix can be implemented as a capability list kept by the process (<object, access- rights> list) Ð simple possession of capability means that specified rights are granted Ð manipulation and passing of capabilities has to be implemented by OS--capability-based protection assumes that capabilities never migrate into user space. CPSC 410--Richard Furuta 4/26/99 23 Access Matrix Implementation ¥ Lock-key mechanism Ð Objects have list of unique bit patterns, called locks Ð Domains have list of unique bit patterns, called keys Ð Process executing in a domain can access an object only if the domain has a key that matches one of the locks of the object Ð As with capabilities, users cannot examine or manipulate locks and keys directly CPSC 410--Richard Furuta 4/26/99 24 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly

Chapter 20 Silberschatz and Galvin Security Protection and Security Protection is a strictly internal problem Protection: mechanism for controlling the access of programs, processes, or users to the resources defined by a computer

499 views • 16 slides
Silberschatz and Galvin Chapter 12 I/O Systems CPSC 410--Richard Furuta 3/19/99 1 Topic

Silberschatz and Galvin Chapter 12 I/O Systems CPSC 410--Richard Furuta 3/19/99 1 Topic

Silberschatz and Galvin Chapter 12 I/O Systems CPSC 410--Richard Furuta 3/19/99 1 Topic overview I/O Hardware Application I/O Interface Kernel I/O Subsystem Transforming I/O requests to hardware operations Performance

528 views • 16 slides
Silberschatz and Galvin Chapter 6 Process Synchronization CPSC 410--Richard Furuta 2/26/99 1

Silberschatz and Galvin Chapter 6 Process Synchronization CPSC 410--Richard Furuta 2/26/99 1

Silberschatz and Galvin Chapter 6 Process Synchronization CPSC 410--Richard Furuta 2/26/99 1 Topics discussed Process synchronization Mutual exclusion--hardware Higher-level abstractions Semaphores Monitors Classical

633 views • 24 slides
Silberschatz and Galvin Chapter 15 Network Structures CPSC 410--Richard Furuta 3/30/99 1

Silberschatz and Galvin Chapter 15 Network Structures CPSC 410--Richard Furuta 3/30/99 1

Silberschatz and Galvin Chapter 15 Network Structures CPSC 410--Richard Furuta 3/30/99 1 Chapter Topics Background and motivation Network topologies Network types Communication issues Network design strategies CPSC

265 views • 22 slides
Silberschatz and Galvin Chapter 4 Processes CPSC 410--Richard Furuta 01/19/99 1 Chapter

Silberschatz and Galvin Chapter 4 Processes CPSC 410--Richard Furuta 01/19/99 1 Chapter

Silberschatz and Galvin Chapter 4 Processes CPSC 410--Richard Furuta 01/19/99 1 Chapter overview Introduction to processes, process control blocks Introduction to process scheduling Operations on processes Cooperating

582 views • 30 slides
Silberschatz and Galvin Chapter 7 Deadlocks CPSC 410--Richard Furuta 2/26/99 1 Deadlocks

Silberschatz and Galvin Chapter 7 Deadlocks CPSC 410--Richard Furuta 2/26/99 1 Deadlocks

Silberschatz and Galvin Chapter 7 Deadlocks CPSC 410--Richard Furuta 2/26/99 1 Deadlocks Deadlocks Definition Prevention Avoidance Detection Definition: A set of processes is in a deadlock state when every process in

624 views • 20 slides
Silberschatz and Galvin Chapter 1 Introduction CPSC 410--Richard Furuta 01/19/99 1 Chapter

Silberschatz and Galvin Chapter 1 Introduction CPSC 410--Richard Furuta 01/19/99 1 Chapter

CPSC 410-Richard Furuta Silberschatz and Galvin Chapter 1 Introduction CPSC 410--Richard Furuta 01/19/99 1 Chapter Overview What is an operating system? History of operating systems structure tradeoffs CPSC 410--Richard

237 views • 10 slides
Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1

Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1

CPSC 410-Richard Furuta Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1 Topics CPU/Device interface I/O structure Storage structure and hierarchy Hardware protection CPSC 410-501

689 views • 14 slides
Silberschatz and Galvin Chapter 8 Memory Management CPSC 410--Richard Furuta 2/24/99 1 Memory

Silberschatz and Galvin Chapter 8 Memory Management CPSC 410--Richard Furuta 2/24/99 1 Memory

Silberschatz and Galvin Chapter 8 Memory Management CPSC 410--Richard Furuta 2/24/99 1 Memory Management Goal: permit different processes to share memory--effectively keep several in memory at the same time Eventual meta-goal: users

771 views • 36 slides
Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics

Silberschatz and Galvin Chapter 5 CPU Scheduling CPSC 410--Richard Furuta 01/19/99 1 Topics covered Basic concepts/Scheduling criteria Non-preemptive and Preemptive scheduling Scheduling algorithms Algorithm evaluation CPSC

422 views • 20 slides
Silberschatz and Galvin Chapter 10 File-System Interface CPSC 410--Richard Furuta 2/26/99 1

Silberschatz and Galvin Chapter 10 File-System Interface CPSC 410--Richard Furuta 2/26/99 1

Silberschatz and Galvin Chapter 10 File-System Interface CPSC 410--Richard Furuta 2/26/99 1 File System Interface Physical storage mechanisms (see 2.3 and 2.4) Files--logical storage unit (abstract) that is independent of actual

372 views • 23 slides
Silberschatz and Galvin Chapter 17 Distributed File Systems CPSC 410--Richard Furuta 4/15/99 1

Silberschatz and Galvin Chapter 17 Distributed File Systems CPSC 410--Richard Furuta 4/15/99 1

Silberschatz and Galvin Chapter 17 Distributed File Systems CPSC 410--Richard Furuta 4/15/99 1 Distributed File Systems Naming and Transparency Remote File Access Stateful versus Stateless Service File Replication CPSC

178 views • 16 slides
Silberschatz and Galvin Chapter 11 File System Implementation CPSC 410--Richard Furuta 4/28/99

Silberschatz and Galvin Chapter 11 File System Implementation CPSC 410--Richard Furuta 4/28/99

Silberschatz and Galvin Chapter 11 File System Implementation CPSC 410--Richard Furuta 4/28/99 1 File System Implementation: Overview Organization Allocation Free-space management Directory implementation CPSC 410--Richard

350 views • 18 slides
Silberschatz and Galvin Chapter 3 Operating System Structures CPSC 410-Richard Furuta 01/19/99

Silberschatz and Galvin Chapter 3 Operating System Structures CPSC 410-Richard Furuta 01/19/99

CPSC 410--Richard Furuta 1/21/991/21/99 Silberschatz and Galvin Chapter 3 Operating System Structures CPSC 410-Richard Furuta 01/19/99 1 Different actors view OS differently Operating system designers -- systems components and

471 views • 18 slides
Silberschatz and Galvin Chapter 13 Secondary Storage Structure CPSC 410--Richard Furuta 3/30/99

Silberschatz and Galvin Chapter 13 Secondary Storage Structure CPSC 410--Richard Furuta 3/30/99

CPSC 410-501 Fall 1994 Silberschatz and Galvin Chapter 13 Secondary Storage Structure CPSC 410--Richard Furuta 3/30/99 1 Secondary Storage Structure Topics Disk Structure Disk Scheduling Disk Management Swap-Space Management

385 views • 16 slides
Computer-System Architecture Operating System Concepts 2.2 Silberschatz, Galvin and Gagne

Computer-System Architecture Operating System Concepts 2.2 Silberschatz, Galvin and Gagne

Chapter 2: Computer-System Structures Computer System Operation I/O Structure Storage Structure Storage Hierarchy Hardware Protection General System Architecture Operating System Concepts Silberschatz, Galvin and Gagne

371 views • 15 slides
Wyvern: Designing a Language for Security Jonathan Aldrich contributions from: Aaron Craig

Wyvern: Designing a Language for Security Jonathan Aldrich contributions from: Aaron Craig

Wyvern: Designing a Language for Security Jonathan Aldrich contributions from: Aaron Craig aldrich@cs.cmu.edu Justin Lubin http://www.cs.cmu.edu/~aldrich/ Darya Melicher Cyrus Omar Alex Potanin Anlun Xu Valerie Zhao 17-396: Language

654 views • 50 slides
Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias,

Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias,

Extending xADL with Statechart Behavioral Specification Leila Naslavsky, Lihua Xu, Marcio Dias, Hadar Ziv, and Debra J. Richardson Motivation Software Architecture in Dependable Systems Design (guide, analysis and evaluation of

147 views • 10 slides
Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are

Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are

Capability-based Systems Intel iAPX 432 Presented by Dan Amelang Capabilities Resources are represented by objects Hardware Memory Processor IO Software Services Contexts Ports Capabilities These

254 views • 13 slides
Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking

Trusted Network Communications Architecture 2.0 Overview 20 July 2017 1 Why are we talking about this? The TCGs Trusted Network Communications Workgroup is finalizing publication of the Trusted Network Communications Architecture for

402 views • 8 slides
Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu

Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu

Static Lock Capabilities for Deadlock-Freedom Colin S. Gordon csgordon@cs.washington.edu University of Washington TLDI, January 28, 2012 Joint work with Michael D. Ernst and Dan Grossman Colin S. Gordon (University of Washington) Lock

649 views • 60 slides
Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski,

Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski,

Softwaretechnik / Software-Engineering Lecture 05:Examples of &amp; Metrics for Process Models 2015-05-11 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 05 2015-05-11 main Albert-Ludwigs-Universit at Freiburg, Germany

803 views • 57 slides
Software Development: Software Development: Tools and Processes Tools and Processes Lecture -

Software Development: Software Development: Tools and Processes Tools and Processes Lecture -

Software Development: Software Development: Tools and Processes Tools and Processes Lecture - - 4: Introduction to CMMI Framework 4: Introduction to CMMI Framework Lecture 1 1 Process Improvement Framework What do we understand by

403 views • 23 slides
Evaluating Systems Information Assurance Fall 2010 Reading Material Chapter 21 Computer

Evaluating Systems Information Assurance Fall 2010 Reading Material Chapter 21 Computer

Evaluating Systems Information Assurance Fall 2010 Reading Material Chapter 21 Computer Security: Art and Science The orange book and the whole rainbow series http://nsi.org/Library/Compsec/orangebo.txt The common criteria

685 views • 31 slides

More recommend