Chapter 14-2: Protection

Outline
- Chapter 14-2 Protection
- Chapter 14-2: Protection
- Objectives
- Implementation of Access Matrix
- Slide 5
- Global Table
- Access Lists for Objects
- Capability Lists for Domains
- Lock and Key Mechanisms
- Revocation of Access Rights
- Slide 11
- Language-Based Protection
- Slide 13
- Language-based Protection (more)
- Compiler-Based Enforcement
- Compiler-based Enforcement - 2
- Enforcement only by a Protection Kernel
- Slide 18
- Summary
- Protection in Java
- Protection in Java - more
- A Definition - JVM
- A Definition - Digital Signature
- End of Chapter 14.2

Chapter 14-2 Protection (title slide)
14.2 Silberschatz, Galvin and Gagne ©2005, Operating System Concepts

Chapter 14-2: Protection (slide 14.3)
Chapter 14-1 covered:
- Goals of Protection
- Principles of Protection
- Domain of Protection
- Access Matrix
Chapter 14.2 covers:
- Implementation of Access Matrix
- Access Control
- Revocation of Access Rights
- Language-Based Protection

Objectives (slide 14.4)
- Discuss the implementation of the Access Matrix approach.
- Discuss revocation of access rights.
- Consider language-based protection: compiler-based enforcement, and protection in Java.

Implementation of Access Matrix (section slide 14.5)

Implementation of Access Matrix (slide 14.6)
So, we know about these access matrices, but how can we actually use them to implement and enforce protection? We will consider four approaches:
- A global table
- Access lists for objects
- Capability lists for domains, and
- Lock and key mechanisms

Global Table (slide 14.7)
- Simplest approach, but not in widespread use due to some inherent limitations.
- The idea is to keep a set of ordered triples <domain, object, rights-set>.
- When some operation M is executed on an object O from domain D, the global table is searched for the triple <D, O, R> such that M ∈ R, where R is the rights-set.
  - If found, the operation may continue.
  - If not found, an exception is raised.
- There is a real downside to this simplicity: the size of the global table. As one can imagine, the global table can be very large; consequently, it usually cannot be kept in primary memory. If we have processes with many input/output operations, for example, overall system performance will be seriously degraded. There are other issues here too, but this is the primary one.

Access Lists for Objects (slide 14.8)
- This approach is often used as a component of a solution.
- Here we have a list of ordered pairs associated with each object. For each object, we have pairs of the form <domain, rights-set>.
- The list for each object cites domains and their appropriate rights-set (of course, the rights-set may vary from domain to domain).
- Importantly, if we use this approach, the list of ordered pairs is accompanied by a default set of access rights.
- As it turns out, it is the default set that is usually checked first.
  - If the operation M is found in the default set, access is allowed.
  - If not, then the larger, more involved access list consisting of ordered pairs is searched.

Capability Lists for Domains (slide 14.9)
- A capability list for a specific domain is simply a list of objects coupled with the operations allowed on those objects.
- A capability itself simply refers to some kind of object. This object (capability) is represented by a physical name or an address.
- The notion of a capability is used a lot in protection schemes. So, operationally, when we have some kind of operation, M, that needs to take place on some object.
- Access to Capability List. It is important to note here that the capability list for a domain is never accessed by, nor is it permitted to be accessed by, the process executing in this domain. Thus the capability list for a domain is a protected object, and it is maintained by the OS.
- The capability list is accessed only indirectly by the user. So a user may never have direct access to a capability list and thus has no opportunity to modify the capability list.
- Also, please note that capabilities are special objects and are not to be considered data. Hardware and/or firmware ensure that these objects are safeguarded from being migrated into the address space of a user process.
- Most systems use some kind of combination of access lists and capabilities.

Lock and Key Mechanisms (slide 14.10)
- Compromise. The lock and key mechanism is another approach, one that finds itself as a compromise between access lists and capability lists.
- In this scheme, each object is given a unique bit pattern called a lock, and each domain has a list of unique bit patterns called keys.
- So, a process executing in a specific domain may access an object only if one of that domain's keys matches the object's lock.
- Again, most systems use a combination of access lists and capability lists.

Revocation of Access Rights (section slide 14.11)

Revocation of Access Rights (slide 14.12)
- Access rights can be revoked.
- Differences in Revocation. There are differences in revoking access rights when comparing an implementation using access lists with one using capability lists.
  - Access list – rights can be deleted right from the access list. These are pretty simple: simple and immediate.
  - Capability list – here, a scheme is required to locate the capability in the system before the capability can be revoked. This approach is much more involved, and you might consider reading through these issues. I won't pursue this further.

Language-Based Protection (section slide 14.13)

Language-Based Protection
- Protection implementation – given the data structures: ordered triples, ordered pairs, lists of access rights, etc. – is often accommodated via kernel software. But some languages, such as Java, provide additional (often more flexible) levels of protection.
- Kernel Protection. If we are considering protection via the kernel, recognize that “…
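The four representations from the Implementation of Access Matrix slides, together with the revocation contrast from slide 14.12, as an added Python example (this is not code from the slides or from the Silberschatz textbook). The domains D1 to D3, the objects F1 and F2, the rights and the default rights-set are constructed; modelling a capability as an opaque index into an OS-held list, and a key as the same bit pattern as its lock, are this example's own assumptions.

```python
"""Added example: one access matrix kept four ways, plus revocation in two of them."""
from collections import defaultdict
import secrets

# Constructed access matrix: (domain, object) -> rights-set. Empty cells are absent.
MATRIX = {
    ("D1", "F1"): {"read"},
    ("D1", "F2"): {"read", "write"},
    ("D2", "F1"): {"read", "write", "execute"},
    ("D3", "F2"): {"read"},
}


class GlobalTable:
    """1. Global table: a set of <domain, object, rights-set> triples, searched on every access."""

    def __init__(self, matrix):
        self.triples = {(d, o, frozenset(r)) for (d, o), r in matrix.items()}

    def check(self, domain, obj, op):
        # Operation op on obj from domain is allowed iff a triple exists with op in its rights-set.
        return any(d == domain and o == obj and op in r for d, o, r in self.triples)


class AccessLists:
    """2. Access lists: per object, <domain, rights-set> pairs plus a default rights-set checked first."""

    def __init__(self, matrix, defaults=None):
        self.acl = defaultdict(dict)            # obj -> {domain: rights-set}
        for (d, o), r in matrix.items():
            self.acl[o][d] = set(r)
        self.default = defaults or {}           # obj -> rights granted to every domain (constructed)

    def check(self, domain, obj, op):
        if op in self.default.get(obj, set()):  # the default set is consulted first
            return True
        return op in self.acl[obj].get(domain, set())

    def revoke(self, domain, obj, op):
        # Revocation is simple and immediate: the right is deleted from the object's own list.
        self.acl[obj].get(domain, set()).discard(op)


class CapabilityLists:
    """3. Capability lists: per domain, (object, rights-set) entries held by the OS.
    A process only ever receives an opaque index (assumption), never the list itself."""

    def __init__(self, matrix):
        self.clist = defaultdict(list)          # domain -> [[obj, rights-set], ...]
        for (d, o), r in matrix.items():
            self.clist[d].append([o, set(r)])

    def capability(self, domain, obj):
        # Hand the process an index into its own list; None if it holds no capability for obj.
        for i, (o, _) in enumerate(self.clist[domain]):
            if o == obj:
                return i
        return None

    def check(self, domain, cap, op):
        if cap is None or cap >= len(self.clist[domain]):
            return False
        return op in self.clist[domain][cap][1]

    def copy_capability(self, src, cap, dst):
        # Capabilities may be passed on to another domain; each copy is an independent entry.
        obj, rights = self.clist[src][cap]
        self.clist[dst].append([obj, set(rights)])

    def revoke(self, obj, op):
        # Revocation must first locate every capability for obj, in every domain, then edit each.
        found = 0
        for entries in self.clist.values():
            for entry in entries:
                if entry[0] == obj and op in entry[1]:
                    entry[1].discard(op)
                    found += 1
        return found                            # number of capabilities that had to be located


class LockAndKey:
    """4. Lock and key: each matrix cell becomes a lock on the object and a key in the domain."""

    def __init__(self, matrix):
        self.locks = defaultdict(dict)          # obj -> {lock bit pattern: rights-set}
        self.keys = defaultdict(set)            # domain -> {key bit patterns}
        for (d, o), r in matrix.items():
            lock = secrets.token_bytes(8)       # unique, unguessable bit pattern
            self.locks[o][lock] = set(r)
            self.keys[d].add(lock)              # assumption: the key equals the lock pattern

    def check(self, domain, obj, op):
        return any(lock in self.keys[domain] and op in rights
                   for lock, rights in self.locks[obj].items())


if __name__ == "__main__":
    al = AccessLists(MATRIX, {"F1": {"read"}})
    al.revoke("D1", "F2", "write")
    print("D1 write F2 after access-list revoke:", al.check("D1", "F2", "write"))
    cl = CapabilityLists(MATRIX)
    cl.copy_capability("D2", cl.capability("D2", "F1"), "D3")
    print("capabilities located for revoke of execute on F1:", cl.revoke("F1", "execute"))
```

The access-list `revoke` touches exactly one entry and takes effect on the next check; the capability-list `revoke` has to sweep every domain's list because a capability copied to D3 is a separate entry that the object's own bookkeeping knows nothing about, which is the "scheme required to locate the capability" that slide 14.12 alludes to.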
Source: Chico CSCI 640 - Chapter 14-2 Protection