分析教案成果ch

1、14.2Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nGoals of Protection nPrinciples of ProtectionnDomain of Protection nAccess Matrix nImplementation of Access Matrix nAccess ControlnRevocation of Access Rights nCapability-Based Systems nLanguage-Based Protecti

2、on14.3Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nDiscuss the goals and principles of protection in a modern computer systemnExplain how protection domains combined with an access matrix are used to specify the resources a process may accessnExamine capabil

3、ity and language-based protection systems14.4Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nOperating system consists of a collection of objects, hardware or softwarenEach object has a unique name and can be accessed through a well-defined set of operations.nP

4、rotection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so.14.5Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nGuiding principle principle of least privilegelPrograms, users and systems should be give

5、n just enough privileges to perform their tasks14.6Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nAccess-right = where rights-set is a subset of all valid operations that can be performed on the object. nDomain = set of access-rights 14.7Silberschatz, Galvin a

6、nd Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nSystem consists of 2 domains:lUserlSupervisornUNIX lDomain = user-idlDomain switch accomplished via file system. 4Each file has associated with it a domain bit (setuid bit).4When file is executed and setuid = on, then user-id is set to

7、 owner of the file being executed. When execution completes user-id is reset. 14.8Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nLet Di and Dj be any two domain rings.nIf j I Di Dj14.9Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Ap

8、r 11, 2005nView protection as a matrix (access matrix)nRows represent domainsnColumns represent objectsnAccess(i, j) is the set of operations that a process executing in Domaini can invoke on Objectj14.10Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 200514.11Silbe

9、rschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nIf a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.nCan be expanded to dynamic protection.lOperations to add, delete access rights.lSpecial access rights:4owner of Oi4copy o

10、p from Oi to Oj4control Di can modify Dj access rights4transfer switch from domain Di to Dj14.12Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nAccess matrix design separates mechanism from policy.lMechanism 4Operating system provides access-matrix + rules.4If

11、ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.lPolicy4User dictates policy.4Who can access what object and in what mode.14.13Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nEach column = Access-control lis

12、t for one object Defines who can perform what operation.Domain 1 = Read, WriteDomain 2 = ReadDomain 3 = Read nEach Row = Capability List (like a key)Fore each domain, what operations allowed on what objects.Object 1 ReadObject 4 Read, Write, ExecuteObject 5 Read, Write, Delete, Copy14.14Silberschatz

13、, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005Figure B14.15Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 200514.16Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 200514.17Silberschatz, Galvin and Gagne

14、2005Operating System Concepts 7th Edition, Apr 11, 200514.18Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nProtection can be applied to non-file resourcesnSolaris 10 provides role-based access control to implement least privilegelPrivilege is right to execute

15、system call or use an option within a system calllCan be assigned to processeslUsers assigned roles granting access to privileges and programs14.19Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 200514.20Silberschatz, Galvin and Gagne 2005Operating System Concepts 7

16、th Edition, Apr 11, 2005nAccess List Delete access rights from access list.lSimple lImmediatenCapability List Scheme required to locate capability in the system before capability can be revoked.lReacquisitionlBack-pointerslIndirectionlKeys14.21Silberschatz, Galvin and Gagne 2005Operating System Conc

17、epts 7th Edition, Apr 11, 2005nHydralFixed set of access rights known to and interpreted by the system.lInterpretation of user-defined rights performed solely by users program; system provides access protection for use of these rights.nCambridge CAP System lData capability - provides standard read,

18、write, execute of individual storage segments associated with object.lSoftware capability -interpretation left to the subsystem, through its protected procedures. 14.22Silberschatz, Galvin and Gagne 2005Operating System Concepts 7th Edition, Apr 11, 2005nSpecification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.nLanguage implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.nInterpret protection specifications to generate