Silberschatz, Galvin, and Gagne ©1999 18.1 Applied Operating System Concepts
Module 18, Protection
Goals of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
Protection
Operating system consists of a collection of objects, hardware or software.
Each object has a unique name and can be accessed through a well-defined set of operations.
Protection problem: ensure that each object is accessed correctly and only by those processes that are allowed to do so.
Domain Structure
Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights
Domain Implementation
System consists of 2 domains:
– User
– Supervisor
UNIX
– Domain = user-id
– Domain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When a file is executed and setuid = on, the user-id is set to the owner of the file being executed. When execution completes, the user-id is reset.
Multics Rings
Let Di and Dj be any two domain rings.
If j < i ⇒ Di ⊆ Dj
Access Matrix
Figure 1
Use of Access Matrix
If a process in Domain Di tries to do “op” on object Oj, then “op” must be in the access matrix.
Can be expanded to dynamic protection.
– Operations to add, delete access rights.
– Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Dj's access rights
transfer – switch from domain Di to Dj
Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy.
– Mechanism
Operating system provides Access-matrix + rules.
It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
– Policy
User dictates policy.
Who can access what object and in what mode.
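An added Python example (not from the slides or the textbook) that implements the matrix check and the special rights from the two slides above: grant() stands in for user-dictated policy, check() for the OS-enforced mechanism, and copy, owner, control and switch (transfer) are enforced as rules on the matrix. The domain and object names D1..D3 and F1 are constructed.

```python
class AccessDenied(Exception):
    pass


class AccessMatrix:
    """Rows are domains, columns are objects; domains also appear as columns (Figure 2)."""

    def __init__(self):
        self.entry = {}  # (domain, object) -> set of rights, e.g. {"read*", "owner"}

    def grant(self, domain, obj, *rights):      # policy: who may do what, set by the user
        self.entry.setdefault((domain, obj), set()).update(rights)

    def has(self, domain, obj, right):
        return right in self.entry.get((domain, obj), set())

    def check(self, domain, obj, op):             # mechanism: op must be in the entry
        if not self.has(domain, obj, op):
            raise AccessDenied(f"{domain} may not {op} {obj}")

    def copy(self, actor, obj, right, target):    # copy right "read*" lets actor copy "read"
        self.check(actor, obj, right + "*")       # down the same column; target gets no "*"
        self.grant(target, obj, right)

    def owner_add(self, actor, obj, right, target):   # owner may add any right in its column
        self.check(actor, obj, "owner")
        self.grant(target, obj, right)

    def control_delete(self, actor, victim, obj, right):  # control on domain `victim`
        self.check(actor, victim, "control")              # lets actor edit victim's row
        self.entry.get((victim, obj), set()).discard(right)

    def switch(self, actor, target):              # transfer: enter domain `target`
        self.check(actor, target, "switch")
        return target


def scenario():
    # Constructed walk-through; returns (entered domain, chained copy allowed?, D2 reads F1?, D3 writes F1?)
    m = AccessMatrix()
    m.grant("D1", "F1", "owner", "read*")
    m.grant("D1", "D2", "control")
    m.grant("D2", "D3", "switch")
    m.copy("D1", "F1", "read", "D2")          # D2 gets plain "read"
    m.owner_add("D1", "F1", "write", "D3")
    try:
        m.copy("D2", "F1", "read", "D3")      # D2 holds "read", not "read*": denied
        chained = True
    except AccessDenied:
        chained = False
    m.control_delete("D1", "D2", "F1", "read")
    return m.switch("D2", "D3"), chained, m.has("D2", "F1", "read"), m.has("D3", "F1", "write")
```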
Implementation of Access Matrix
Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
Each Row = Capability List (like a key)
For each domain, what operations are allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
Access Matrix of Figure 1 With Domains as Objects
Figure 2
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Modified Access Matrix of Figure 2
Revocation of Access Rights
Access List – Delete access rights from access list.
– Simple
– Immediate
Capability List – Scheme required to locate capability in the system before capability can be revoked.
– Reacquisition
– Back-pointers
– Indirection
– Keys
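An added Python example (not from the slides or the textbook) covering both the Implementation of Access Matrix slide and the revocation slide above: the same matrix is sliced into per-object access lists (columns) and per-domain capability lists (rows), ACL revocation is a direct list edit, and capability revocation is shown with the indirection scheme, where a capability names a slot in a system table rather than the object, so invalidating the slot revokes every copy of that capability. The sample matrix and its names are constructed, not Figure 1.

```python
from collections import defaultdict

# Constructed sample matrix: rows are domains, columns are objects (not the textbook's Figure 1).
MATRIX = {
    ("D1", "F1"): {"read"}, ("D1", "F3"): {"read"},
    ("D2", "F4"): {"read", "write", "execute"},
    ("D3", "F1"): {"read"}, ("D3", "F2"): {"read", "execute"},
}

def access_lists(matrix):
    """Column view: for each object, which domains hold which rights (an ACL)."""
    acl = defaultdict(dict)
    for (dom, obj), rights in matrix.items():
        acl[obj][dom] = set(rights)
    return dict(acl)

def capability_lists(matrix):
    """Row view: for each domain, which objects it may operate on (a C-list)."""
    clist = defaultdict(dict)
    for (dom, obj), rights in matrix.items():
        clist[dom][obj] = set(rights)
    return dict(clist)

def revoke_from_acl(acl, obj, dom, right):
    """ACL revocation is simple and immediate: edit the object's own list."""
    acl[obj].get(dom, set()).discard(right)

class IndirectTable:
    """Capability revocation by indirection: capabilities name a table slot, not the
    object, so the system can locate and invalidate all of them in one place."""
    def __init__(self):
        self.slots = {}            # slot id -> object name (None once revoked)
    def issue(self, obj, rights):
        slot = len(self.slots)
        self.slots[slot] = obj
        return {"slot": slot, "rights": set(rights)}   # the capability a domain holds
    def use(self, cap, right):
        obj = self.slots.get(cap["slot"])
        if obj is None:
            return None                                # revoked, even for copies
        return obj if right in cap["rights"] else None
    def revoke(self, slot):
        self.slots[slot] = None

def demo():
    acl = access_lists(MATRIX)
    revoke_from_acl(acl, "F1", "D3", "read")     # D3 loses read on F1 immediately
    table = IndirectTable()
    cap = table.issue("F4", {"read", "write"})
    copied = dict(cap)                           # a copy passed to another domain
    before = table.use(copied, "read")
    table.revoke(cap["slot"])                    # one edit revokes original and copy
    return acl["F1"], capability_lists(MATRIX)["D2"], before, table.use(copied, "read")
```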
Capability-Based Systems
Hydra
– Fixed set of access rights known to and interpreted by the system.
– Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights.
Cambridge CAP System
– Data capability - provides standard read, write, execute of individual storage segments associated with object.
– Software capability - interpretation left to the subsystem, through its protected procedures.
Language-Based Protection
Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.