Page 277 - DCAP103_Principle of operating system
Capabilities are accomplished by storing with each subject a list of the rights that subject has for every
object. This effectively gives each user a keyring. To remove access to a particular object, every
user (subject) that has access to it must be “touched”. A touch is an examination of a user’s
rights to that object and, where necessary, the removal of those rights. This brings back the problem of sweeping
changes in access rights. Here is what an implementation of capabilities might look like, using
the above example:
Users
Pradip   File 1: RWX   File 2: R-X   File 3: RW-
Sally    File 1: ---   File 2: RWX   File 3: R--
Access restrictions such as access control lists and capabilities are sometimes not enough. In
some cases, information needs to be tightened further, sometimes by an authority higher than
the owner of the information. For example, the owner of a top secret document in a government
office might deem the information available to many users, but his manager might know the
information should be restricted further than that. In this case, the flow of information needs
to be controlled — secure information cannot flow to a less secure user.
8.2.1 Implementation of Access Matrix
Recall that an access matrix may be implemented by access control lists or capabilities. These
traditional implementation approaches must be extended in many ways to implement the
access-control properties of distributed applications mentioned above:
Network-Wide Capabilities: A capability no longer references a local object; thus a scheme for
addressing a remote object must be implemented. To address this problem, Amoeba stores in
a capability a network-wide id of the protected object together with an encrypted form of the access rights to it.
Replicated Access Lists: A way must be found to replicate access control lists of replicas. Both
Suite and Lotus Notes use the mechanisms provided by the replication system for replicating
objects to also replicate access control lists of these objects.
Application-Defined Objects: Traditional operating systems do not support user-defined
objects, thereby restricting themselves to protecting predefined rights such as file rights. As we
saw above, distributed systems must protect application-defined operations such as connect.
Two approaches have been used to protect application-defined objects. One approach, used in
Hydra, is to develop a kernel that manages application-defined objects, intercepting, and thereby
guarding, all operations on these objects. An alternative approach is to provide access control
in user-space. X servers, Suite dialogue managers and Web browsers are examples of user-level
code implementing access control. The advantage of the second approach is that it can be used
with existing, non-object-oriented operating systems, and access checks do not require context
switches into the operating system. However, some form of authentication facility is required to
verify a subject’s identity.
8.2.2 Access Proxies
A general technique for implementing access-control in user-space is to implement for each
protected class a proxy class that has the same interface as the protected class, performs access
checks, and forwards operations to the protected class if these checks succeed.
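The proxy technique just described, combined with the per-subject capability lists from the start of this section, as an added example that is not from the textbook. The `ProtectedFile`, `FileProxy`, `Subject` names and the rights-string format (`RWX`, `R-X`, ...) are assumptions; the two users and their rights are taken from the table above. The `revoke` helper also shows why revoking access under capabilities means touching every subject.

```python
from dataclasses import dataclass, field


class ProtectedFile:
    """The protected class: it knows nothing about access control."""

    def __init__(self, name, contents=""):
        self.name = name
        self.contents = contents

    def read(self):
        return self.contents

    def write(self, data):
        self.contents = data

    def execute(self):
        return f"executing {self.name}"


@dataclass
class Subject:
    """A subject's keyring: object name -> rights string such as 'RW-'."""
    name: str
    caps: dict = field(default_factory=dict)


class AccessDenied(PermissionError):
    pass


class FileProxy:
    """Same interface as ProtectedFile: check the caller's capability, then forward."""
    _required = {"read": "R", "write": "W", "execute": "X"}

    def __init__(self, target, subject):
        self._target, self._subject = target, subject

    def _check(self, op):
        rights = self._subject.caps.get(self._target.name, "")
        if self._required[op] not in rights:
            raise AccessDenied(f"{self._subject.name} may not {op} {self._target.name}")

    def read(self):
        self._check("read")
        return self._target.read()

    def write(self, data):
        self._check("write")
        return self._target.write(data)

    def execute(self):
        self._check("execute")
        return self._target.execute()


def attempt(subject, target, op, *args):
    """Run one operation through a proxy; return (allowed, result_or_reason)."""
    try:
        return True, getattr(FileProxy(target, subject), op)(*args)
    except AccessDenied as e:
        return False, str(e)


def revoke(subjects, obj_name):
    """Revocation with capabilities: every subject holding an entry must be touched."""
    touched = [s for s in subjects if s.caps.pop(obj_name, None) is not None]
    return len(touched)


# Constructed sample data matching the table above.
PRADIP = Subject("Pradip", {"File 1": "RWX", "File 2": "R-X", "File 3": "RW-"})
SALLY = Subject("Sally", {"File 1": "---", "File 2": "RWX", "File 3": "R--"})
FILE1 = ProtectedFile("File 1", "secret")
```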
8.2.3 Stack Check/Modified Name Space
Access control for a process that allows code to be dynamically downloaded into it must
distinguish between local and downloaded code and grant restricted rights to downloaded
code, to ensure, for instance, that it does not destroy or leak the contents of local data.
Java-enabled Web browsers illustrate how such a mechanism can be supported. Two approaches