Silberschatz, Galvin, and Gagne ©1999, Applied Operating System Concepts
Module 18, Protection
Goals of Protection
Domain of Protection
Access Matrix
Implementation of Access Matrix
Revocation of Access Rights
Capability-Based Systems
Language-Based Protection
Protection
Operating system consists of a collection of objects, hardware or software.
Each object has a unique name and can be accessed through a well-defined set of operations.
Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so.
Domain Structure
Access-right = <object-name, rights-set>
Rights-set is a subset of all valid operations that can be performed on the object.
Domain = set of access-rights
Domain Implementation
System consists of 2 domains:
– User
– Supervisor
UNIX
– Domain = user-id
– Domain switch accomplished via file system.
Each file has associated with it a domain bit (setuid bit).
When a file is executed and setuid = on, the user-id of the executing process is set to the owner of the file being executed. When that execution completes the user-id is reset; the switch never outlives the program that triggered it.
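The UNIX domain-switch rule above, as an added Python example that is not part of the slides or of the textbook: it decides which user-id a file would run under from its mode bits and owner, and walks a directory tree to list every setuid file, i.e. every point where the file system performs a domain switch. The function names, the default root of /usr/bin, and the "writable setuid-root" heuristic in risky() are assumptions made for this example.

```python
import os
import stat
import sys


def is_setuid(mode):
    """True when the mode bits carry the set-user-ID ("domain") bit."""
    return bool(mode & stat.S_ISUID)


def uid_on_exec(mode, owner_uid, caller_uid):
    """User-id the new process image runs under, following the slide's rule:
    setuid on -> the file owner's uid; otherwise the caller keeps its own."""
    return owner_uid if is_setuid(mode) else caller_uid


def find_setuid(root):
    """Walk root and return (path, owner_uid, permission bits) for every regular
    file whose execution performs a domain switch. lstat + S_ISREG skips
    symlinks, so each entry is the real inode whose bits the kernel consults."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; not our concern here
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                hits.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(hits)


def risky(hits):
    """Entries worth a closer look (assumed heuristic): setuid-root files that are
    group- or world-writable, so an unprivileged writer could change what runs as
    root the next time the domain switch happens."""
    return [h for h in hits if h[1] == 0 and h[2] & 0o022]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"
    found = find_setuid(root)
    for path, uid, bits in found:
        print(f"{bits:04o} uid={uid} {path}")
    for path, _uid, _bits in risky(found):
        print(f"WARNING: writable setuid-root file: {path}")
```

Run it as `python3 setuid_scan.py /` to inventory every domain switch reachable through the file system. Note the caveat the slide does not mention: on a file system mounted with nosuid the bit is still stored and still reported here, but the kernel ignores it, so the report is an upper bound on the switches that actually occur.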
Multics Rings
Let Di and Dj be any two domain rings.
If j < i, then Di ⊆ Dj (the inner ring holds every right of the outer one).
Access Matrix
Figure 1
Use of Access Matrix
If a process in Domain Di tries to do "op" on object Oj, then "op" must be in the access matrix entry (Di, Oj).
Can be expanded to dynamic protection.
– Operations to add, delete access rights.
– Special access rights:
owner of Oi
copy op from Oi to Oj
control – Di can modify Dj's access rights
transfer – switch from domain Di to Dj
Use of Access Matrix (Cont.)
Access matrix design separates mechanism from policy.
– Mechanism
Operating system provides Access-matrix + rules.
It ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.
– Policy
User dictates policy.
Who can access what object and in what mode.
Implementation of Access Matrix
Each column = Access-control list for one object
Defines who can perform what operation.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
Each Row = Capability List (like a key)
For each domain, what operations allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
Access Matrix of Figure 1 With Domains as Objects
Figure 2
Access Matrix with Copy Rights
Access Matrix With Owner Rights
Modified Access Matrix of Figure 2
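The dynamic-protection operations described under "Use of Access Matrix" (copy with its limited and transfer variants, owner, control and switch) and the domains-as-objects layout of Figures 1 and 2, as an added Python example; this is not code from the slides or from the textbook. The domain and object names, the sample entries in build_sample(), and the convention that a trailing * on a stored right is the copy flag are assumptions made for the example and only loosely follow the figures.

```python
class AccessMatrix:
    """Access matrix in which domains are also objects, so domain-to-domain
    rights (switch, control) sit in the same table as domain-to-object rights."""

    COPY_FLAG = "*"  # assumed convention: "write*" is write plus the copy right

    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects) + self.domains  # Figure 2: domains are objects too
        self.m = {d: {o: set() for o in self.objects} for d in self.domains}

    def grant(self, d, o, *rights):
        """Initial policy: rights placed in entry (d, o) by whoever sets policy."""
        self.m[d][o].update(rights)

    def rights(self, d, o):
        """Rights of (d, o) with copy flags stripped, as seen by enforcement."""
        return {r.rstrip(self.COPY_FLAG) for r in self.m[d][o]}

    def check(self, d, o, op):
        """Mechanism: a process in d may do op on o iff op is in entry (d, o)."""
        return op in self.rights(d, o)

    def switch(self, d_from, d_to):
        """Domain switch: allowed only if entry (d_from, d_to) holds 'switch'."""
        if not self.check(d_from, d_to, "switch"):
            raise PermissionError(f"{d_from} cannot switch to {d_to}")
        return d_to

    def copy(self, d_from, d_to, o, right, limited=False, transfer=False):
        """Copy right: d_from may propagate 'right' on o into row d_to only if it
        holds the right with the copy flag. limited=True drops the flag on the
        copy (it cannot be copied further); transfer=True moves instead of copies."""
        flagged = right + self.COPY_FLAG
        if flagged not in self.m[d_from][o]:
            raise PermissionError(f"{d_from} holds no copyable {right} on {o}")
        self.m[d_to][o].add(right if limited else flagged)
        if transfer:
            self.m[d_from][o].discard(flagged)

    def owner_add(self, d, d_target, o, right):
        """Owner right: a holder of 'owner' on o may add any right in column o."""
        if not self.check(d, o, "owner"):
            raise PermissionError(f"{d} does not own {o}")
        self.m[d_target][o].add(right)

    def control_remove(self, d, d_target, o, right):
        """Control right: 'control' in entry (d, d_target) lets d remove rights
        anywhere in row d_target."""
        if not self.check(d, d_target, "control"):
            raise PermissionError(f"{d} does not control {d_target}")
        self.m[d_target][o] = {r for r in self.m[d_target][o]
                               if r.rstrip(self.COPY_FLAG) != right}


def build_sample():
    """Constructed sample matrix, loosely modelled on the chapter's figures."""
    am = AccessMatrix(["D1", "D2", "D3", "D4"], ["F1", "F2", "F3", "printer"])
    am.grant("D1", "F1", "read")
    am.grant("D1", "F3", "read")
    am.grant("D2", "printer", "print")
    am.grant("D3", "F2", "read")
    am.grant("D3", "F3", "execute")
    am.grant("D4", "F1", "read", "write", "owner")
    am.grant("D4", "F3", "read", "write*")       # copyable write on F3
    am.grant("D1", "D2", "switch")
    am.grant("D2", "D3", "switch")
    am.grant("D2", "D4", "switch")
    am.grant("D4", "D1", "switch")
    am.grant("D2", "D4", "control")              # D2 may strip rights from D4's row
    return am


if __name__ == "__main__":
    am = build_sample()
    print("D1 read F1:", am.check("D1", "F1", "read"))
    am.copy("D4", "D3", "F3", "write", limited=True)
    print("D3 write F3 after limited copy:", am.check("D3", "F3", "write"))
    am.control_remove("D2", "D4", "F1", "owner")
    print("D4 owns F1 after control removal:", am.check("D4", "F1", "owner"))
```

The point the slide makes about mechanism versus policy is visible in the split: grant() and build_sample() are policy, while check(), switch(), copy(), owner_add() and control_remove() are the mechanism that refuses any change not authorised by an entry already in the matrix.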
Revocation of Access Rights
Access List – Delete access rights from access list.
– Simple
– Immediate
Capability List – Scheme required to locate capability in the system before capability can be revoked.
– Reacquisition (capabilities are periodically deleted and must be re-obtained from the object)
– Back-pointers (each object keeps pointers to every capability issued for it)
– Indirection (capabilities point to a kernel table entry, which is deleted to revoke)
– Keys (each capability carries a key matched against the object's master key; changing the master key revokes)
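The two representations from "Implementation of Access Matrix" (one column per object as an access list, one row per domain as a capability list) together with the revocation asymmetry above, as an added Python example that is not code from the slides or from the textbook. The Kernel class and its method names, the frozen dataclass used for capabilities, the integer handle for the indirection scheme and the random hex key for the key scheme are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Capability:
    """Token handed to a domain. Exactly one of handle/key is set, depending on
    which revocation scheme minted it (assumed representation)."""
    obj: str
    rights: FrozenSet[str]
    handle: Optional[int] = None   # indirection scheme: index into kernel table
    key: Optional[str] = None      # key scheme: must match the object's master key


class Kernel:
    def __init__(self):
        self.acl = {}          # object -> {domain: set(rights)}   (one column each)
        self.caps = {}         # domain -> [Capability]            (one row each)
        self.indirect = {}     # handle -> object name, or None once revoked
        self.master_key = {}   # object -> current key

    # ---- access lists: the object's column is the single source of truth ----
    def acl_grant(self, obj, domain, *rights):
        self.acl.setdefault(obj, {}).setdefault(domain, set()).update(rights)

    def acl_check(self, obj, domain, op):
        return op in self.acl.get(obj, {}).get(domain, set())

    def acl_revoke(self, obj, domain, op):
        """Simple and immediate: one deletion, and no other copy exists."""
        self.acl.get(obj, {}).get(domain, set()).discard(op)

    # ---- capability lists: rights live in the domains, not with the object ----
    def mint(self, domain, obj, rights, scheme):
        if scheme == "indirect":
            handle = len(self.indirect) + 1
            self.indirect[handle] = obj
            cap = Capability(obj, frozenset(rights), handle=handle)
        elif scheme == "key":
            key = self.master_key.setdefault(obj, secrets.token_hex(8))
            cap = Capability(obj, frozenset(rights), key=key)
        else:
            raise ValueError(scheme)
        self.caps.setdefault(domain, []).append(cap)
        return cap

    def share(self, cap, to_domain):
        """Capabilities are data: copying one is how rights propagate, and why
        the kernel cannot later find every copy in order to delete it."""
        self.caps.setdefault(to_domain, []).append(cap)

    def cap_check(self, cap, op):
        if cap.handle is not None:
            if self.indirect.get(cap.handle) is None:
                return False               # indirect entry deleted
        elif cap.key != self.master_key.get(cap.obj):
            return False                   # master key changed since minting
        return op in cap.rights

    def revoke_indirect(self, cap):
        """Every copy of cap, wherever it was shared, dies with its table entry."""
        self.indirect[cap.handle] = None

    def revoke_by_key(self, obj):
        """All outstanding capabilities for obj die; new ones get the new key."""
        self.master_key[obj] = secrets.token_hex(8)
```

The contrast the slide draws is the line `k.caps["D1"].clear()` in the usage below: emptying the issuing domain's list does nothing to the copy another domain holds, which is the "locate the capability" problem, whereas revoke_indirect() and revoke_by_key() cut every copy off at the kernel in one step. Both are coarse: the key scheme as written revokes every holder of the object, not a selected one, which is the trade-off the textbook's list of schemes is about.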
Capability-Based Systems
Hydra
– Fixed set of access rights known to and interpreted by the system.
– Interpretation of user-defined rights performed solely by user's program; system provides access protection for use of these rights.
Cambridge CAP System
– Data capability - provides standard read, write, execute of individual storage segments associated with object.
– Software capability - interpretation left to the subsystem, through its protected procedures.
Language-Based Protection
Specification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.
Language implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.
Interpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.