Protection
Butler W. Lampson
Presented by Weina Ge & Divya Muthukumaran

Outline
- Introduction
  - What is protection
  - What is involved in a protection system
  - Why protection
- Two abstract models
  - Message system
  - Object system

Protection
Definition: all the mechanisms that control the access of a program to other things in the system.

Categories of protection mechanisms:
- Supervisor/user mode
- Memory relocation and bounds register
- Access control to file directories
- Password logon
- ...

Protection (Cont.)
- Different systems can adopt different protection mechanisms.
- A single system can also have various methods to protect targets of different characteristics:
  - low-level hardware protection: TCP
  - high-level user interaction: password

Protection (Cont.)
Why protection?
- Friendly and infallible users?
- The real world is dangerous! DON'T open the door!
- Single user, single process -> single user, multi-process -> multi-user, multi-process

Motivation
- Keep the harm from spreading.
- Categories of infliction:
  - Destroying or modifying others' data
  - Accessing (r/w) without permission
  - Degrading the service another user gets (storage, CPU time)
- Different protection environments for different contexts:
  - protection context, environment, state, capability list, ring, domain

Message system
- A primitive protection system
- Processes, with two characteristics:
  - Complete isolation: each process is a single domain
  - Sharing via message passing
- Message:
  - Identification of the sender: cannot be forged, since it is supplied by the system
  - Data

Subroutine mechanism
Scenario: A sends a parameter to B; B sends a return value back to A.
[Diagram: A --parameter--> B, B --return value--> A]
- Protect the 'entry'
  - B: the supervisor; A: the user
  - B determines where to wait for A's message
- Protect the 'return'
  - B returns extra messages: ignored, because A knows exactly when to expect the returned message
  - B never returns: check t1, t2
[Diagram: A, B and a reliable process C with timers t1 and t2]

Disadvantages
- No control over a runaway process:
  - Cannot force a process to do anything
  - Cannot destroy it
- Inconvenient to share information:
  - have to share and check process names
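As an added illustration (not part of the slides or of Lampson's paper), the following Python simulation plays out the message-system subroutine scenario: the system stamps the sender id on every message so a process cannot forge it, B accepts entry messages only from A, A accepts exactly one return message from B or a wake-up from the reliable timer process C, and anything else is dropped. All names here (System, Process, supervisor_step, start_call, finish_call, the "double the parameter" service) are assumptions constructed for the example; only the single timeout t1 is modelled, not the t2 of the diagram.

```python
"""Constructed simulation of the message-system subroutine scenario.

The System owns every queue and fills in the sender id itself, so a
process cannot claim another identity. C (pid 1) is the reliable timer
process that sends a wake-up after t1 ticks.
"""
from collections import deque
from dataclasses import dataclass
from typing import Any, Optional


@dataclass(frozen=True)
class Message:
    sender: int   # filled in by the System, never by the sending process
    data: Any


class Process:
    """A process is a single domain: it owns only its pid and its queue."""

    def __init__(self, system: "System", pid: int):
        self._system = system
        self.pid = pid

    def send(self, dest: int, data: Any) -> None:
        # The sender field is derived from this process's own pid.
        self._system._deliver(self.pid, dest, data)

    def receive(self, accept_from: set) -> Optional[Message]:
        """Next message from an accepted sender; others are discarded."""
        return self._system._dequeue(self.pid, accept_from)

    def drop_unexpected(self) -> int:
        """Discard everything still queued; returns how many were ignored."""
        q = self._system.queues[self.pid]
        n = len(q)
        q.clear()
        return n


class System:
    TIMER = 1   # pid of C, the reliable timer process

    def __init__(self):
        self.queues = {self.TIMER: deque()}
        self.clock = 0
        self.timers = []   # (fire_at, requester pid)

    def create_process(self) -> Process:
        pid = len(self.queues) + 1
        self.queues[pid] = deque()
        return Process(self, pid)

    def _deliver(self, sender: int, dest: int, data: Any) -> None:
        self.queues[dest].append(Message(sender, data))

    def _dequeue(self, pid: int, accept_from: set) -> Optional[Message]:
        q = self.queues[pid]
        while q:
            m = q.popleft()
            if m.sender in accept_from:
                return m
        return None

    def set_timer(self, requester: int, t1: int) -> None:
        # C is reliable: the wake-up is always sent once the clock reaches fire_at.
        self.timers.append((self.clock + t1, requester))

    def tick(self, n: int = 1) -> None:
        for _ in range(n):
            self.clock += 1
            due = [t for t in self.timers if t[0] <= self.clock]
            self.timers = [t for t in self.timers if t[0] > self.clock]
            for _, target in due:
                self._deliver(self.TIMER, target, "timeout")


def supervisor_step(b: Process, entry_from: int) -> Optional[int]:
    """B waits at its entry only for A's message (the protected 'entry')."""
    m = b.receive({entry_from})
    if m is None:
        return None
    result = m.data * 2          # constructed service: double the parameter
    b.send(m.sender, result)
    return result


def start_call(system: System, a: Process, b_pid: int, param: int, t1: int) -> None:
    """A sends the parameter and arms the reliable timer C for t1 ticks."""
    a.send(b_pid, param)
    system.set_timer(a.pid, t1)


def finish_call(system: System, a: Process, b_pid: int):
    """A expects exactly one message: B's return value or C's wake-up."""
    m = a.receive({b_pid, System.TIMER})
    if m is None:
        return ("pending", None)
    if m.sender == System.TIMER:
        return ("timeout", None)    # B never returned within t1
    return ("ok", m.data)


def normal_call(param: int = 21):
    system = System()
    a, b = system.create_process(), system.create_process()
    start_call(system, a, b.pid, param, t1=5)
    supervisor_step(b, entry_from=a.pid)
    b.send(a.pid, "extra")          # B sends a second, unsolicited message
    system.tick(2)
    status, value = finish_call(system, a, b.pid)
    dropped = a.drop_unexpected()   # A is no longer in a call: ignore the rest
    return status, value, dropped


def runaway_call(param: int = 21):
    system = System()
    a, b = system.create_process(), system.create_process()
    start_call(system, a, b.pid, param, t1=5)
    system.tick(6)                  # B never services the request; C fires
    return finish_call(system, a, b.pid)


def forged_entry():
    """X sends to B's entry; B accepts only A, so the message is discarded."""
    system = System()
    a, b, x = (system.create_process() for _ in range(3))
    x.send(b.pid, 99)
    return supervisor_step(b, entry_from=a.pid)
```

normal_call() returns ("ok", 42, 1): A gets the one return it expects and drops B's extra message; runaway_call() returns ("timeout", None) because C's wake-up arrives instead of a return; forged_entry() returns None because B's entry never sees a message whose system-stamped sender is not A.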