Notes for November 17, 1999
- Greetings and Felicitations!
- Puzzle of the Day
- Privilege in OSes
- None (original IBM OS; protect with password, or anyone can read it)
- Fence, base and bounds registers; relocation
- Tagged architectures
- Memory management based schemes: segmentation, paging, and paged
- Different forms of access control
- UNIX method
- ACLs: describe, revocation issue
- MULTICS rings
- MULTICS ring mechanism
- MULTICS rings: used for both data and procedures; rights are REWA
- (b1, b2) access bracket - can access freely;
(b3, b4) call bracket - can call segment through gate;
so if a's access bracket is (32,35) and its call bracket is
then assuming permission mode (REWA) allows access, a procedure in:
rings 0-31: can access a, but ring-crossing fault occurs
rings 32-35: can access a, no ring-crossing fault
rings 36-39: can access a, provided a valid gate is used as an
entry point
rings 40-63: cannot access a
- If the procedure is accessing a data segment d, no call bracket allowed;
given the above, assuming permission mode (REWA) allows access, a procedure in:
rings 0-32: can access d
rings 33-35: can access d, but cannot write to it (W or A)
rings 36-63: cannot access d
- Capabilities
- Capability-based addressing: show picture of accessing object
- Show process limiting access by not inheriting all parent's
- Revocation: use of a global descriptor table
- Lock and Key
- Associate with each object a lock; associate with each process that
has access to object a key (it's a cross between ACLs and C-Lists)
- Example: use crypto (Gifford). X object enciphered with key K.
Associate an opener R with X. Then:
OR-Access: K can be recovered with any Di in a list of n deciphering transformations, so
R = (E1(K), E2(K), ...,
and any process with access to any of the Di's can access the file
AND-Access: need all n deciphering functions to get K:
R = (E1(E2(...En(K))...)
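The OR-Access and AND-Access openers from the Lock and Key item, as an added example that is not part of the original notes. The notes do not name a cipher, so seal/unseal are a hypothetical toy stand-in for Ei/Di built from SHA-256 and HMAC, and every function name here is an assumption.

```python
import hashlib, hmac, secrets

def _xor_stream(key, nonce, data):
    # Toy keystream (assumption): SHA-256 over key, nonce and a block counter.
    out = bytearray()
    for ctr in range(0, len(data), 32):
        out += hashlib.sha256(b"enc" + key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, data):
    """E_i: encrypt-then-MAC under key i (constructed stand-in cipher)."""
    nonce = secrets.token_bytes(16)
    body = nonce + _xor_stream(key, nonce, data)
    return body + hmac.new(b"mac" + key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """D_i: return the plaintext, or None if this key does not fit the lock."""
    body, tag = blob[:-32], blob[-32:]
    good = hmac.new(b"mac" + key, body, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(tag, good):
        return None
    return _xor_stream(key, body[:16], body[16:])

def or_opener(K, keys):
    """OR-Access: R = (E1(K), ..., En(K)); any single D_i recovers K."""
    return [seal(k, K) for k in keys]

def or_open(R, key):
    """Try the key against every entry; the first that fits yields K."""
    hits = (unseal(key, entry) for entry in R)
    return next((K for K in hits if K is not None), None)

def and_opener(K, keys):
    """AND-Access: R = E1(E2(...En(K)...)); En innermost, E1 outermost."""
    blob = K
    for k in reversed(keys):
        blob = seal(k, blob)
    return len(keys), blob

def and_open(R, keys):
    """Peel D1 first; fail if any of the n keys is missing, wrong or misordered."""
    n, blob = R
    if len(keys) != n:
        return None
    for k in keys:
        blob = unseal(k, blob)
        if blob is None:
            return None
    return blob
```

The MAC tag is what lets a process tell "my key does not fit this lock" apart from a garbage K; a bare cipher would silently return wrong key material.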
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 11/24/99