CS241 System Programming
Protection Mechanisms
Klara Nahrstedt
Lecture 27
3/31/2006

3/30/2006 CS 241 - System Programming, Klara Nahrstedt

Content
- Protection Domains
- Access Control
- Capabilities
- Covert Channels

Administrative
- MP3 is posted, due April 3, 2006
- Quiz 7 is March 31, 2006
- Material covered in Quiz 7
  - R&R Chapter 4 and Chapter 5
  - Tanenbaum Chapter 5.3

Protection Domain
- A computer system is a set of processes and objects.
- Processes and objects have unique names.
- Objects are abstract data types with well-defined operations.
- A process operates within a protection domain.
- A protection domain specifies the resources a process may access and the types of operations that may be invoked on those objects.
- The Principle of Least Privilege (need to know): the protection domain of a process should be as small as possible, consistent with the need of that process to accomplish its assigned task.

Protection Mechanisms: Protection Domains
[Figure: examples of three protection domains]

Protection Matrix
[Figure: protection matrix, rows = domains, columns = objects]

Protection Matrix with Domains as Objects
[Figure: protection matrix with domains added as objects, so that switching domains is itself a right]

Implementation of Protection Matrix
- Global table
- Table may be sparse
- Table may be too large to store in main memory (use virtual memory, at a cost in overhead)
- Objects that may be accessed from every domain need to be entered in every row
- Every access needs a searching operation
- In a parallel or distributed system, access to the table may be a bottleneck

Access Lists
- Each column in the protection matrix is implemented as an access list for one object.
- Empty entries in the protection matrix can be discarded.
- Storage for access lists is proportional to the number of objects.
- It is easy for the owner of the object to grant access to another domain or to revoke access.
- It is easy to determine which processes can access an object.
- However, all processes can find out that the object exists.
- ACL entries can be for individual users or for a group of users.

Access Control Lists
[Figure: use of access control lists to manage file access]

Capability Lists / C-Lists
- Each row in the access matrix is implemented as a capability list for one domain.
- Empty entries in the access matrix can be discarded.
- Rather than a search, a reference to an object can be treated as an index operation into the capability list.
- A capability is then just a "protected pointer": the holder can use it but cannot forge or alter it.

Capabilities
[Figure: each process has a capability list]

Capability Implementations
- UNIX File System
  - Each entry in the per-process open file descriptor table is a capability.
  - It is protected and can only be changed by the kernel.
  - Having an open file descriptor permits access; the permission bits are checked once, at open().
  - This example shows how an access list (the file's permission bits) can be used for simple management of protection, while a capability (the open descriptor) provides an efficient access method.

Discussion
- Tradeoff between access list and capability list
  - Give an example for which an access list should be used
  - Give an example for which a capability list should be used
- Hints:
  - In what cases does an access list take more space?
  - With which one is it easier to delete an object?
  - With which one is it easier to delete a domain?
  - An access list is faster for what operations? Similarly, a capability list is faster for what operations?

Summary
- Access control using lists and capabilities in file systems is very important.
- Lampson showed that a protection matrix may not be sufficient and covert channels may exist, especially if parties
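The protection matrix, access lists and capability lists from the slides above, together with the tradeoffs the Discussion slide asks about, as an added worked example in C. This is not the lecture's code; the three domains, four objects and the read/write/execute bits are made up for the demonstration.

```c
/* Added example, not from the lecture: one constructed protection matrix
 * stored both column-wise (an access list per object) and row-wise (a
 * capability list per domain), with the operations the Discussion slide
 * asks about. Domain, object and rights names are made up. */
#include <stdio.h>
#define NDOM 3
#define NOBJ 4
#define R 1u   /* read    */
#define W 2u   /* write   */
#define X 4u   /* execute */

/* Constructed matrix: rows are domains D0..D2, columns are objects F0..F3. */
static const unsigned matrix[NDOM][NOBJ] = {
    /* F0    F1    F2    F3 */
    {  R|W,  R,    0,    X   },   /* D0 */
    {  0,    R|W,  R,    0   },   /* D1 */
    {  R,    0,    R|W,  X   },   /* D2 */
};

struct acl_entry { int dom; unsigned rights; };          /* column-wise */
static struct { int n; struct acl_entry e[NDOM]; } acls[NOBJ];
struct cap { int obj; unsigned rights; };                /* row-wise    */
static struct { int n; struct cap c[NOBJ]; } clists[NDOM];

/* Build both representations from the matrix, discarding empty entries. */
void build_lists(void)
{
    for (int o = 0; o < NOBJ; o++) acls[o].n = 0;
    for (int d = 0; d < NDOM; d++) clists[d].n = 0;
    for (int d = 0; d < NDOM; d++)
        for (int o = 0; o < NOBJ; o++)
            if (matrix[d][o]) {
                acls[o].e[acls[o].n++]     = (struct acl_entry){ d, matrix[d][o] };
                clists[d].c[clists[d].n++] = (struct cap){ o, matrix[d][o] };
            }
}

/* Entries actually stored: the same for both lists and fewer than NDOM*NOBJ. */
int entries_stored(void)
{
    int n = 0;
    for (int o = 0; o < NOBJ; o++) n += acls[o].n;
    return n;
}

/* ACL check: search the object's list for the requesting domain. */
int acl_allows(int dom, int obj, unsigned op)
{
    for (int i = 0; i < acls[obj].n; i++)
        if (acls[obj].e[i].dom == dom)
            return (acls[obj].e[i].rights & op) == op;
    return 0;                       /* no entry: denied */
}

/* Acquire a capability: search once (as open(2) does) and return its index. */
int cap_acquire(int dom, int obj)
{
    for (int i = 0; i < clists[dom].n; i++)
        if (clists[dom].c[i].obj == obj && clists[dom].c[i].rights) return i;
    return -1;
}

/* Use a capability: no search, the reference is an index into the C-list. */
int cap_use(int dom, int idx, unsigned op)
{
    if (idx < 0 || idx >= clists[dom].n) return 0;
    return (clists[dom].c[idx].rights & op) == op;
}

/* Deleting an object touches one ACL but every C-list; deleting a domain
 * touches one C-list but every ACL. Entries are cleared rather than
 * compacted so indices already handed out stay valid, as in an fd table. */
void acl_delete_object(int obj)
{
    for (int i = 0; i < acls[obj].n; i++) acls[obj].e[i].rights = 0;
}
void clist_delete_object(int obj)
{
    for (int d = 0; d < NDOM; d++)
        for (int i = 0; i < clists[d].n; i++)
            if (clists[d].c[i].obj == obj) clists[d].c[i].rights = 0;
}
void clist_delete_domain(int dom)
{
    for (int i = 0; i < clists[dom].n; i++) clists[dom].c[i].rights = 0;
}
void acl_delete_domain(int dom)
{
    for (int o = 0; o < NOBJ; o++)
        for (int i = 0; i < acls[o].n; i++)
            if (acls[o].e[i].dom == dom) acls[o].e[i].rights = 0;
}
int main(void)
{
    build_lists();
    printf("%d of %d entries stored; D0 writes F0 via capability: %d\n",
           entries_stored(), NDOM * NOBJ, cap_use(0, cap_acquire(0, 0), W));
    return 0;
}
```

Build with `cc -std=c99`. The two delete functions for each representation are the answer to the Discussion hints: revoking an object is one ACL but a scan of every C-list, revoking a domain is one C-list but a scan of every ACL. If only the ACL side is updated, capabilities already acquired keep working, which is exactly the revocation problem capability systems have to solve.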
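The Capability Implementations slide's point that an open file descriptor is a capability, as an added example in C that is not part of the lecture. The scratch file under /tmp (named from the process id) is constructed for the demonstration; the behaviour it shows is standard UNIX semantics.

```c
/* Added example, not from the lecture: a UNIX file descriptor behaves as a
 * capability. The permission check is done once, against the file's mode
 * bits (an access-list check) at open(2); afterwards the descriptor alone
 * grants access, even when the path it came from no longer exists. The
 * /tmp file name used here is constructed for the demonstration. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Create a private scratch file and return a read-write descriptor to it. */
static int make_scratch(char *path, size_t len, const char *tag)
{
    snprintf(path, len, "/tmp/cs241-%s-%ld", tag, (long)getpid());
    return open(path, O_CREAT | O_EXCL | O_RDWR, 0600);
}

/* Returns 1 when, after unlink(), open() by path fails with ENOENT but the
 * descriptor obtained earlier still reads the data back; -1 on setup error. */
int fd_capability_survives_unlink(void)
{
    char path[64];
    const char msg[] = "capability";
    int fd = make_scratch(path, sizeof path, "cap");
    if (fd < 0) return -1;
    if (write(fd, msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1)) {
        close(fd); unlink(path); return -1;
    }

    if (unlink(path) != 0) { close(fd); return -1; }   /* name gone, inode kept */

    int fd2 = open(path, O_RDONLY);                     /* path-based: denied */
    int path_denied = (fd2 < 0 && errno == ENOENT);
    if (fd2 >= 0) close(fd2);

    char buf[32] = { 0 };                                /* capability: still works */
    ssize_t n = (lseek(fd, 0, SEEK_SET) == 0) ? read(fd, buf, sizeof buf - 1) : -1;
    int still_readable = (n == (ssize_t)(sizeof msg - 1) && memcmp(buf, msg, n) == 0);
    close(fd);
    return path_denied && still_readable;
}

/* Returns 1 when a descriptor opened O_RDONLY rejects write(2) with EBADF:
 * the rights are bound to the capability, not looked up on the file again. */
int readonly_fd_cannot_write(void)
{
    char path[64];
    int fd = make_scratch(path, sizeof path, "ro");
    if (fd < 0) return -1;
    int ro = open(path, O_RDONLY);     /* second capability, narrower rights */
    unlink(path);
    close(fd);
    if (ro < 0) return -1;
    int denied = (write(ro, "x", 1) < 0 && errno == EBADF);
    close(ro);
    return denied;
}

int main(void)
{
    printf("descriptor survives unlink: %d\n", fd_capability_survives_unlink());
    printf("read-only descriptor rejects write: %d\n", readonly_fd_cannot_write());
    return 0;
}
```

The practical caveat follows directly: because the access-list check happens only at open(), changing the mode bits or removing the file afterwards does not revoke descriptors that are already open. Revoking a capability means finding every holder, which is the same scan the C-list deletion in the Discussion needs.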