Chapter 14-2: Protection
14.2 Silberschatz, Galvin and Gagne ©2005, Operating System Concepts

Chapter 14-2: Protection

Chapter 14-1 covered:
  Goals of Protection
  Principles of Protection
  Domain of Protection
  Access Matrix

Chapter 14-2 covers:
  Implementation of Access Matrix
  Access Control
  Revocation of Access Rights
  Language-Based Protection

Objectives

  Discuss the implementation of the access-matrix approach
  Discuss revocation of access rights
  Consider language-based protection: compiler-based enforcement, and protection in Java

Implementation of Access Matrix

So, we know what access matrices are, but how can we actually use them to implement and enforce protection? We will consider four approaches:

  A global table
  Access lists for objects
  Capability lists for domains
  Lock-and-key mechanisms

Global Table

The simplest approach, but not in widespread use because of some inherent limitations.

The idea is to keep a set of ordered triples <domain, object, rights-set>. When an operation M is to be executed on object O by a process in domain D, the global table is searched for the triple <D, O, R> such that M ∈ R, where R is the rights-set. If such a triple is found, the operation may continue; if not, an exception is raised.

There is a real downside to this simplicity: the size of the global table. As one can imagine, the table can be very large, so it usually cannot be kept in main memory, and additional I/O is needed to search it. The result is seriously degraded overall system performance. There are other issues as well (for example, a table of triples cannot take advantage of groupings such as "every domain may read this object"; that needs a separate entry for every domain), but size is the primary one.

Access Lists for Objects

This approach is often used as one component of a solution.

Here each object has an associated list of ordered pairs <domain, rights-set>, one pair for each domain that has access to the object (of course, the rights-set may vary from domain to domain).

Importantly, the list of ordered pairs is accompanied by a default set of access rights, and it is the default set that is usually checked first: if the requested operation M is in the default set, access is allowed; if not, the larger, more involved access list of ordered pairs is searched for the pair belonging to the requesting domain.

Capability Lists for Domains

A capability list for a specific domain is simply a list of objects coupled with the operations allowed on each of those objects.

A capability is a protected reference to an object: it is represented by a physical name or an address for the object, together with the rights held on it. The notion of a capability is used a lot in protection schemes.

Operationally, when a process needs to perform some operation M on an object, it executes M specifying the capability for that object as a parameter. Simple possession of the capability means access is allowed.

Access to the capability list. It is important to note that the capability list for a domain is never directly accessed by the process executing in that domain, nor is the process permitted to access it. The capability list is a protected object maintained by the OS; the user reaches it only indirectly (by naming a capability in a request), and so never has an opportunity to modify it.

Also note that capabilities are special objects and are not to be treated as ordinary data. Hardware and/or firmware support (for example, a tag on each memory word that marks it as a capability rather than data) ensures that capabilities cannot be migrated into the address space of a user process and altered or forged there.

Most systems use some combination of access lists and capabilities.

Lock and Key Mechanisms

Compromise. The lock-and-key mechanism is another approach, and it sits as a compromise between access lists and capability lists.

In this scheme, each object is given a unique bit pattern called a lock, and each domain has a list of unique bit patterns called keys. A process executing in a given domain may access an object only if that domain holds a key that matches the object's lock.

Again, most systems use a combination of access lists and capability lists.

Revocation of Access Rights

Access rights can be revoked.

Differences in revocation. Revoking access rights differs depending on whether the implementation uses access lists or capability lists.

Access list: rights can be deleted directly from the object's access list. This is pretty simple, and it is immediate.

Capability list: here a scheme is required to locate the capability in the system (including any copies of it that have been passed to other domains) before the capability can be revoked. This approach is much more involved, and you might consider reading through these issues. I won't pursue this further.

Language-Based Protection

Protection implementation, given the data structures (ordered triples, ordered pairs, lists of access rights, etc.), is often accommodated by kernel software. But some languages, such as Java, provide additional (and often more flexible) levels of protection.

Kernel protection. If we are considering protection via the kernel, recognize that "…
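The four implementation approaches (global table, access lists for objects, capability lists for domains, lock and key) and the revocation contrast between access lists and capability lists, as an added example that is not code from the slides or the textbook: a user-space Python simulation of what the OS and hardware would enforce. The domain names D1 to D3, the object names F1 to F3 and the right names are constructed for the example. Two things go beyond the slides and are assumptions of this example: a `delegate` operation (one domain passing a capability to another), added to show why revoking a capability first has to locate every copy, and re-keying an object's lock as the lock-and-key form of revocation.

```python
# Added example, not from the slides: a user-space simulation of the four access-matrix
# implementations and of revocation. Domains D1..D3 and objects F1..F3 are constructed names.
import secrets
from collections import defaultdict

class GlobalTable:
    """Ordered triples <domain, object, rights-set>; a check is one lookup for the triple."""
    def __init__(self):
        self.rights = {}  # (domain, object) -> rights-set
    def grant(self, domain, obj, rights):
        self.rights.setdefault((domain, obj), set()).update(rights)
    def check(self, domain, obj, op):
        return op in self.rights.get((domain, obj), ())

class AccessList:
    """Access list for ONE object: a default rights-set, then <domain, rights-set> pairs."""
    def __init__(self, default=()):
        self.default = set(default)
        self.entries = {}  # domain -> rights-set
    def grant(self, domain, rights):
        self.entries.setdefault(domain, set()).update(rights)
    def check(self, domain, op):
        if op in self.default:  # the default set is consulted first
            return True
        return op in self.entries.get(domain, ())
    def revoke(self, domain, op):
        # Simple and immediate: the right is deleted from the object's own list.
        self.entries.get(domain, set()).discard(op)

class CapabilityKernel:
    """Capability lists kept in the 'kernel'; processes get opaque handles and never touch the lists."""
    def __init__(self):
        self.clists = defaultdict(list)  # domain -> list of [object, rights-set]
    def grant(self, domain, obj, rights):
        self.clists[domain].append([obj, set(rights)])
        return len(self.clists[domain]) - 1  # a handle, not the capability itself
    def delegate(self, src, handle, dst):
        # Assumed operation: copying a capability to another domain is what makes revocation hard.
        obj, rights = self.clists[src][handle]
        return self.grant(dst, obj, rights)
    def check(self, domain, handle, op):
        clist = self.clists[domain]
        if not 0 <= handle < len(clist):  # reject out-of-range (and negative) handles
            return False
        return op in clist[handle][1]
    def revoke(self, obj):
        # No single place to delete from: every capability naming obj, in every
        # domain's list (including delegated copies), has to be located first.
        located = 0
        for clist in self.clists.values():
            for cap in clist:
                if cap[0] == obj:
                    cap[1].clear()
                    located += 1
        return located

class LockAndKey:
    """Unique, unguessable lock per object and keys per domain; access iff some key matches the lock."""
    def __init__(self):
        self.locks = {}               # object -> lock bit pattern
        self.keys = defaultdict(set)  # domain -> key bit patterns
    def create_object(self, obj):
        self.locks[obj] = secrets.token_bytes(8)  # 64 random bits, not derivable from the name
    def give_key(self, domain, obj):
        self.keys[domain].add(self.locks[obj])
    def check(self, domain, obj):
        return self.locks[obj] in self.keys[domain]
    def rekey(self, obj):
        # Assumed revocation for this scheme: a new lock invalidates every outstanding key at once.
        self.locks[obj] = secrets.token_bytes(8)

def demo():
    r = {}
    gt = GlobalTable()
    gt.grant("D1", "F1", {"read", "write"})
    r["gt_allowed"] = gt.check("D1", "F1", "read")  # True
    r["gt_denied"] = gt.check("D2", "F1", "read")   # False: no triple for <D2, F1>
    acl = AccessList(default={"read"})
    acl.grant("D1", {"write"})
    r["acl_default"] = acl.check("D2", "read")   # True via the default set
    r["acl_pair"] = acl.check("D1", "write")     # True via the pair <D1, {write}>
    acl.revoke("D1", "write")
    r["acl_revoked"] = acl.check("D1", "write")  # False, immediately
    k = CapabilityKernel()
    h1 = k.grant("D1", "F2", {"read"})
    h2 = k.delegate("D1", h1, "D2")             # D1 passes its capability on to D2
    r["cap_copy"] = k.check("D2", h2, "read")   # True
    r["cap_forged"] = k.check("D3", 7, "read")  # False: D3 holds no such capability
    r["cap_located"] = k.revoke("F2")           # 2: the original and the copy
    r["cap_after"] = k.check("D1", h1, "read") or k.check("D2", h2, "read")  # False
    lk = LockAndKey()
    lk.create_object("F3")
    lk.give_key("D1", "F3")
    r["lk_allowed"] = lk.check("D1", "F3")  # True
    lk.rekey("F3")
    r["lk_after"] = lk.check("D1", "F3")    # False: the old key no longer fits the new lock
    return r
```

`demo()` returns the outcome of every check; the comments state the expected values. The contrast to notice is in the two `revoke` methods: the access list deletes one entry in place, whereas the capability kernel has to walk every domain's list to find both the original capability and the copy that `delegate` made, which is exactly the "locate the capability first" cost the slides mention.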