CS 3733 Operating Systems

Reading: SG 10.4

• Basic terminology
  • Object - any entity that has a name or identity (e.g. processes, CPU, memory segments, files, etc.
  • Right - permission to perform a type of operation on an object.
  • Domain - a set of (object, right) pairs.
  Basic operations for protection:
  • CREATE OBJECT
  • DELETE OBJECT
  • CREATE DOMAIN
  • DELETE DOMAIN
  • INSERT RIGHT
  • REMOVE RIGHT

• A process runs in some protection domain. But a process can switch from one domain to another.
• Domains in Unix
  • Domain of a process is defined by its UID and its GID.
  • If a process exec's a file that has its SETUID or SETGID bit set, the process switches to the domain associated with the owner or group of the file.
  • A process with enough privileges can change its domain explicitly: #include #include int setuid(uid_t uid); int setegid(gid_t egid); int seteuid(uid_t euid); int setgid(gid_t gid);
  • Kernel has its own set of priveleges. In a system call, the process executes with the system priveleges.

• Multics
  • Ring model - inner ring has most privelege.
  • Up to 64 rings deep.
  • Procedures could have a domain that was a different ring than its caller.
  • A trap occurred when one procedure called another that resided in a different domain.

• Methods of keeping track
  • Protection matrix - Table of domain versus object. Each entry gives the rights that domain has to an object. Domains can be modeled as objects with an ENTER right.

  • Access control lists (ACL):
    • Each object has an ordered list of domains and associated rights.
    • Unix represents the ACL by 9 bits.
    • NT
      • has an ACL (access control list) with ACE (access control entries).
      • when user creates an object, three mutually exclusive rules are applied to determine access control list:
        • Caller explicitly supplies ACL.
        • Caller has not supplied ACL and object has a name. System looks in object directory's ACL for ACE's that are marked inherit.
        • If neither of the two, system using default ACL from caller's access token.
  • Capability list:
    • For domain have a list of objects with rights.
    • Since domains are keeping their own rights, they must be tamper proof:
      • Use tagged architecture to indicate capability.
      • Put C-list in the OS.
      • Encript and sign.
      Capabilities have generic rights:
      • Copy capability
      • Duplicate object
      • Remove capability
      • Destroy object

  ---

  SKILL: Understand protection domains

  ---

  Revision Date: 2/6/98

  ---