Module 18: Protection
Applied Operating System Concepts, Silberschatz, Galvin, and Gagne ©1999
• Goals of Protection
• Domain of Protection
• Access Matrix
• Implementation of Access Matrix
• Revocation of Access Rights
• Capability-Based Systems
• Language-Based Protection
18.2 Protection
• An operating system consists of a collection of objects, hardware or software.
• Each object has a unique name and can be accessed through a well-defined set of operations.
• Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
18.3 Domain Structure
• Access-right = <object-name, rights-set>
  – Rights-set is a subset of all valid operations that can be performed on the object.
• Domain = set of access-rights
18.4 Domain Implementation
• System consists of 2 domains:
  – User
  – Supervisor
• UNIX
  – Domain = user-id
  – Domain switch accomplished via the file system.
    Each file has associated with it a domain bit (the setuid bit).
    When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.
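As an added example (not from the slides or the textbook), the following Python models the setuid rule on this slide and adds the check an administrator wants alongside it: enumerating the files on which such a domain switch can occur, together with the owner uid the switch lands in. The functions `effective_domain` and `find_setuid_files` and the temporary directory with its two files are constructed here for the demonstration.

```python
import os
import stat
import tempfile


def effective_domain(caller_uid: int, file_uid: int, file_mode: int) -> int:
    """Domain (user-id) a process runs in when it executes a file.

    With the setuid bit on, the domain becomes the file owner's user-id;
    otherwise it stays the caller's. This is the rule from the slide,
    written as a function (an added model, not OS code)."""
    return file_uid if file_mode & stat.S_ISUID else caller_uid


def find_setuid_files(root: str):
    """Yield (path, owner_uid) for every regular file under root with the
    setuid bit set, i.e. every point where the domain switch can happen.
    Uses lstat so symlinks are not followed; unreadable entries are skipped."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st.st_uid


def run_demo():
    """Constructed directory: one setuid script and one plain script.
    Returns which domain each would run in and what the audit flags."""
    with tempfile.TemporaryDirectory() as d:
        suid = os.path.join(d, "suid_tool")
        plain = os.path.join(d, "plain_tool")
        for p in (suid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\nexit 0\n")
        os.chmod(suid, 0o4755)   # setuid bit on
        os.chmod(plain, 0o755)   # setuid bit off
        owner = os.lstat(suid).st_uid
        caller = owner + 1000    # a constructed uid different from the owner
        flagged = sorted(os.path.basename(p) for p, _ in find_setuid_files(d))
        return {
            "suid_runs_as_owner":
                effective_domain(caller, owner, os.lstat(suid).st_mode) == owner,
            "plain_runs_as_caller":
                effective_domain(caller, owner, os.lstat(plain).st_mode) == caller,
            "flagged": flagged,
        }


if __name__ == "__main__":
    for path, uid in find_setuid_files(os.environ.get("AUDIT_ROOT", "/usr")):
        print(f"{uid:>6}  {path}")
```

Run against a real tree (`AUDIT_ROOT=/ python3 setuid_audit.py`, assumed filename) to get the inventory of domain-switch points on a host; each line is a file whose execution moves the caller into the owner's domain, so any entry not accounted for by the base install deserves a look.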
18.5 Multics Rings
• Let Di and Dj be any two domain rings.
• If j < i, then Di ⊆ Dj.
(Figure: concentric rings labelled ring 0, ring 1, …, ring N-1.)
18.6 Access Matrix
Figure 1: access matrix with domains as rows and objects (files and a printer) as columns; entries are rights such as read, write, execute and print.
18.7 Use of Access Matrix
• If a process in domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.
• Can be expanded to dynamic protection:
  – Operations to add and delete access rights.
  – Special access rights:
    owner of Oi
    copy op from Oi to Oj
    control – Di can modify Dj's access rights
    transfer – switch from domain Di to Dj
18.8 Use of Access Matrix (Cont.)
• Access matrix design separates mechanism from policy.
  – Mechanism
    The operating system provides the access matrix + rules.
    It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced.
  – Policy
    The user dictates policy: who can access what object and in what mode.
18.9 Implementation of Access Matrix
• Each column = access-control list for one object.
  Defines who can perform what operation.
    Domain 1 = Read, Write
    Domain 2 = Read
    Domain 3 = Read
• Each row = capability list (like a key).
  For each domain, what operations are allowed on what objects.
    Object 1 – Read
    Object 4 – Read, Write, Execute
    Object 5 – Read, Write, Delete, Copy
18.10 Access Matrix of Figure 1 With Domains as Objects
Figure 2: the matrix of Figure 1 extended with one column per domain; “switch” entries in those columns record which domain changes are permitted.
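The following Python is an added example (not code from the slides or the textbook) that ties slides 18.7, 18.9 and 18.10 together: one matrix, the single membership check the mechanism performs, the column view (access-control list) and row view (capability list) of the same data, and domains entered as objects so that switch, copy, owner and control become ordinary rights that gate edits to the matrix. The sample entries are constructed in the shape of Figures 1 and 2, which this page does not reproduce legibly; the copy, owner and control entries are invented for the demo. For copy, the code applies the usual starred-right rule (a copied right stays in the object's column), which is an assumption about the slide's one-line description.

```python
from collections import defaultdict


class AccessMatrix:
    def __init__(self):
        # rights[domain][object] -> set of operation names. Domains are
        # entered as objects too, so a row may hold "switch" or "control"
        # rights on another domain (Figure 2 shape).
        self.rights = defaultdict(lambda: defaultdict(set))

    def grant(self, domain, obj, *ops):
        self.rights[domain][obj].update(ops)

    def allowed(self, domain, obj, op):
        """The mechanism's only question: is op in entry (domain, obj)?"""
        return op in self.rights[domain].get(obj, set())

    # Two storage views of the same matrix (slide 18.9).
    def acl(self, obj):
        """Column view: for one object, which domains may do what."""
        return {d: sorted(row[obj]) for d, row in self.rights.items()
                if row.get(obj)}

    def capability_list(self, domain):
        """Row view: for one domain, which objects it may touch and how."""
        return {o: sorted(ops) for o, ops in self.rights[domain].items() if ops}

    # Dynamic protection (slide 18.7): every edit is guarded by a right
    # that is itself stored in the matrix.
    def switch(self, current, target):
        """transfer: move to target only if current holds 'switch' on it."""
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} may not switch to {target}")
        return target

    def copy_right(self, actor, obj, op, to_domain):
        """copy: a starred right op* lets actor give op on obj to another
        row; the copy stays in obj's column (assumed starred-right rule)."""
        if not self.allowed(actor, obj, op + "*"):
            raise PermissionError(f"{actor} may not copy {op} on {obj}")
        self.grant(to_domain, obj, op)

    def owner_grant(self, actor, obj, to_domain, *ops):
        """owner: the owner of obj may add any right on obj for any domain."""
        if not self.allowed(actor, obj, "owner"):
            raise PermissionError(f"{actor} does not own {obj}")
        self.grant(to_domain, obj, *ops)

    def control_revoke(self, actor, target_domain, obj, *ops):
        """control: a right on a domain object lets actor edit that row."""
        if not self.allowed(actor, target_domain, "control"):
            raise PermissionError(f"{actor} does not control {target_domain}")
        self.rights[target_domain][obj].difference_update(ops)


def sample_matrix():
    m = AccessMatrix()
    # Shape of Figure 1 (constructed): four domains, files F1..F3, a printer.
    m.grant("D1", "F1", "read"); m.grant("D1", "F3", "read")
    m.grant("D2", "printer", "print")
    m.grant("D3", "F2", "read"); m.grant("D3", "F3", "execute")
    m.grant("D4", "F1", "read", "write"); m.grant("D4", "F3", "read", "write")
    # Shape of Figure 2 (constructed): domains as objects with switch rights.
    m.grant("D1", "D2", "switch")
    m.grant("D2", "D3", "switch"); m.grant("D2", "D4", "switch")
    m.grant("D4", "D1", "switch")
    # Invented extras so copy, owner and control can be exercised.
    m.grant("D4", "F1", "write*")
    m.grant("D3", "F2", "owner")
    m.grant("D2", "D4", "control")
    return m


def run_demo():
    m = sample_matrix()
    out = {"d1_reads_f1": m.allowed("D1", "F1", "read"),
           "d1_writes_f1": m.allowed("D1", "F1", "write"),
           "acl_f1": m.acl("F1"),
           "caps_d4": m.capability_list("D4")}
    cur = m.switch("D1", "D2")                   # permitted by the switch column
    out["after_switches"] = m.switch(cur, "D4")
    try:
        m.switch("D3", "D1")                     # D3 holds no switch right on D1
        out["d3_to_d1"] = True
    except PermissionError:
        out["d3_to_d1"] = False
    m.copy_right("D4", "F1", "write", "D1")      # D4 holds write* on F1
    out["d1_writes_f1_after_copy"] = m.allowed("D1", "F1", "write")
    m.owner_grant("D3", "F2", "D1", "read")      # D3 owns F2
    out["d1_reads_f2"] = m.allowed("D1", "F2", "read")
    m.control_revoke("D2", "D4", "F3", "write")  # D2 controls D4's row
    out["d4_writes_f3_after_revoke"] = m.allowed("D4", "F3", "write")
    return out
```

The point of keeping `allowed` as the only place a decision is made is the mechanism/policy split of slide 18.8: `grant`, `copy_right`, `owner_grant` and `control_revoke` express policy by changing entries, and each of them is itself admitted only through the same check.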