操作系统课件：第14章 保护

Silberschatz,Galvin and Gagne 200218.1Operating System ConceptsModule 14:Protection 第十四章第十四章 保护保护nGoals of Protection 保护目标nDomain of Protection 保护域 nAccess Matrix 访问矩阵nImplementation of Access Matrix 访问矩阵的实现nRevocation of Access Rights 访问权限的撤回nCapability-Based Systems 基于权限的系统nLanguage-Based Protection 基于语言的保护Silberschatz,Galvin and Gagne 200218.2Operating System ConceptsProtection 保护保护nOperating system consists of a collection of objects,hardware or software.操作系统由一组对象、硬件或者软件构成。nEach object has a unique name and can be accessed through a well-defined set of operations.每个对象都具有唯一的名称，并且可以通过一组良好定义的操作访问。nProtection problem-ensure that each object is accessed correctly and only by those processes that are allowed to do so.保护问题确认每个对象均被正确的访问、并且只被那些得到授权的进程访问。Silberschatz,Galvin and Gagne 200218.3Operating System ConceptsDomain Structure 域的结构域的结构nAccess-right=访问权=where rights-set is a subset of all valid operations that can be performed on the object.权限集是所有可能作用于某个对象的操作集合的一个子集。nDomain=set of access-rights 域=访问权限的集合Silberschatz,Galvin and Gagne 200218.4Operating System ConceptsDomain Implementation (UNIX)域的实现域的实现(UNIX)nSystem consists of 2 domains 系统由2个域组成:FUser 用户FSupervisor 管理者nUNIX FDomain=user-id 域 用户标识FDomain switch accomplished via file system.域的切换通过文件系统完成。4Each file has associated with it a domain bit(setuid bit).每一个文件均和一个域的信息位相联系：setuid位。4When file is executed and setuid=on,then user-id is set to owner of the file being executed.When execution completes user-id is reset.当文件被执行并且setuid=on，于是用户标识被设置成该文件的属主。当执行完之后用户标识被重置。Silberschatz,Galvin and Gagne 200218.5Operating System ConceptsDomain Implementation(Multics)域的实现域的实现(Multics)nLet Di and Dj be any two domain rings.令Di 和 Dj 为任意两个域的环。nIf j I Di DjMultics RingsSilberschatz,Galvin and Gagne 200218.6Operating System ConceptsAccess Matrix 访问矩阵访问矩阵nView protection as a matrix(access matrix)将保护模型抽象为一个矩阵（访问矩阵）nRows represent domains 行代表域nColumns represent objects 列代表对象nAccess(i,j)is the set of operations that a process executing in Domaini can invoke on Objectj访问条目(i,j)定义了在域Di中执行的进程在调用对象Oj时被允许执行的操作的集合。Silberschatz,Galvin and Gagne 200218.7Operating System ConceptsAccess Matrix 访问矩阵访问矩阵Figure ASilberschatz,Galvin and Gagne 200218.8Operating System ConceptsUse of Access Matrix 访问矩阵的使用访问矩阵的使用nIf a process in Domain Di tries to do“op”on object Oj,then“op”must be in the access matrix.若一个在域Di中的进程试图对对象Oj作操作“op”，“op”必须在访问矩阵中。nCan be expanded to dynamic protection.可以扩展到动态保护。FOperations to add,delete access rights.增加，删除访问权限的操作。FSpecial access rights 特殊的访问权限:4owner of Oi Oi的属主4copy op from Oi to Oj 从Oi 到Oj的拷贝4control Di can modify Dj access rights控制Di 能更新Dj的访问权限4transfer switch from domain Di to Dj变换域Di 到域 Dj的切换Silberschatz,Galvin and Gagne 200218.9Operating System ConceptsUse of Access Matrix(Cont.)访问矩阵的使用（续）访问矩阵的使用（续）nAccess matrix design separates mechanism from policy.存取矩阵的设计使得机制与策略相分离。FMechanism 机制4Operating system provides access-matrix+rules.操作系统提供存取矩阵和规则。4If ensures that the matrix is only manipulated by authorized agents and that rules are strictly enforced.存取矩阵仅被授权的智能体操纵，并且规则被严格的遵守。FPolicy 策略4User dictates policy.用户授予策略。4Who can access what object and in what mode.谁能在哪种模式下访问那一个对象。Silberschatz,Galvin and Gagne 200218.10Operating System ConceptsImplementation of Access Matrix访问矩阵的实现访问矩阵的实现nEach column=Access-control list for one object Defines who can perform what operation.每一列为一个对象的存取控制列表，定义了谁能做什么操作。Domain 1=Read,WriteDomain 2=ReadDomain 3=Read nEach Row=Capability List(like a key)Fore each domain,what operations allowed on what objects.每一行为存取权列表，对于每一个域，允许什么操作作用于那些对象。Object 1 ReadObject 4 Read,Write,ExecuteObject 5 Read,Write,Delete,CopySilberschatz,Galvin and Gagne 200218.11Operating System ConceptsAccess Matrix of Figure A With Domains as Objects将域作为对象的图将域作为对象的图A的访问矩阵的访问矩阵Figure BSilberschatz,Galvin and Gagne 200218.12Operating System ConceptsAccess Matrix with Copy Rights带拷贝权限的访问矩阵带拷贝权限的访问矩阵Silberschatz,Galvin and Gagne 200218.13Operating System ConceptsAccess Matrix With Owner Rights有所有者权限的访问矩阵有所有者权限的访问矩阵Silberschatz,Galvin and Gagne 200218.14Operating System ConceptsModified Access Matrix of Figure B修改图修改图B中的访问矩阵中的访问矩阵Silberschatz,Galvin and Gagne 200218.15Operating System ConceptsRevocation of Access Rights访问权限的撤回访问权限的撤回nAccess List Delete access rights from access list.访问列表从访问列表中删除访问权。FSimple 简单FImmediate 直接nCapability List Scheme required to locate capability in the system before capability can be revoked.存取能力列表当权限被废除之前需要在系统中定位存取能力。FReacquisition 重新获得FBack-pointers 折回指针FIndirection 间接FKeys 钥匙Silberschatz,Galvin and Gagne 200218.16Operating System ConceptsCapability-Based Systems 基于权限的系统基于权限的系统nHydraFFixed set of access rights known to and interpreted by the system.已知的固定权限集合由系统解释。FInterpretation of user-defined rights performed solely by users program;system provides access protection for use of these rights.用户定义权限由用户程序独立解释，系统提供这些权限的存取保护。nCambridge CAP System 剑桥CAP系统FData capability-provides standard read,write,execute of individual storage segments associated with object.数据权限 提供标准的读、写和执行与对象相关连的私有存储段等权限。FSoftware capability-interpretation left to the subsystem,through its protected procedures.软件权限 由一个受保护的过程负责，这个过程可能会被应用程序员写入子系统。Silberschatz,Galvin and Gagne 200218.17Operating System ConceptsLanguage-Based Protection基于语言的保护基于语言的保护nSpecification of protection in a programming language allows the high-level description of policies for the allocation and use of resources.在程序设计语言中定义保护，在高层描述分配和使用资源的策略。nLanguage implementation can provide software for protection enforcement when automatic hardware-supported checking is unavailable.在硬件不支持自动的保护检查时，编程语言的实现能够提供强制保护的软件设施。nInterpret protection specifications to generate calls on whatever protection system is provided by the hardware and the operating system.解释保护说明生成基于各种保护系统调用，这些保护系统由硬件和操作系统提供。Silberschatz,Galvin and Gagne 200218.18Operating System ConceptsProtection in Java 2Java 2的保护的保护nProtection is handled by the Java Virtual Machine(JVM)由JVM来处理保护。nA class is assigned a protection domain when it is loaded by the JVM.JVM装载一个类时，会给该类分配一个保护域。nThe protection domain indicates what operations the class can(and cannot)perform.保护域表示了这个类可以（不可以）做哪些操作。nIf a library method is invoked that performs a privileged operation,the stack is inspected to ensure the operation can be performed by the library.如果调用一个库函数来执行一个特殊的操作，要使用栈检查来确保这个库函数可以执行该操作。Silberschatz,Galvin and Gagne 200218.19Operating System ConceptsStack Inspection 栈检查栈检查