Protection in Multics

Introduction (time-sharing, dynamic loading)

  • Multics is a time-sharing OS begun in 1965 and used until 2000
  • Primary usage was with a mainframe and multiple terminals
  • CPUs, memory, I/O controllers, disk drives could be added or removed while the system is running.

Contribution

  • Segmented and Virtual Memory
  • Shared Memory multiprocessing
  • Hierarchical file System
  • Online reconfiguration
  • Reference Monitor
  • Protection Systems
  • Protection Domain Transitions
  • Multilevel Security Policies

ACL?

  • Files are created, deleted, or modified more frequently than users -> the file system uses ACLs
  • Pros: easy management of a single file (just create the file and its ACL); easy to set up and understand
  • Cons: slow to check (must walk through the list on every access)

Capabilities (have the opposite trade-offs)

  • A capability is a descriptor (e.g. a file descriptor), which is returned when a user opens a file and destroyed when the file is closed

    • Pros: efficient to check and transfer
    • Cons: not as easy to set up; hard to revoke
  • “open file” -> check ACL -> return file descriptor (key or capability) -> the descriptor can be passed to a child process (no need to re-check access on every use)
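A small model of the two mechanisms contrasted above, added here as an illustration (it is not Multics or Unix code): the ACL is stored with the segment and walked on every check, while the descriptor table hands out an opaque token after one ACL walk and then answers from the table alone. The segment names, principals and ACL entries are constructed sample data; the `demo_revocation` function is there to show the "hard to revoke" point, namely that removing a principal from the ACL does not touch descriptors already issued (including one passed to a child).

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Segment:
    """A Multics-style segment (file) carrying its own ACL."""
    name: str
    # ACL entries: (principal, set of allowed operations). Sample data only.
    acl: list = field(default_factory=list)


def acl_check(seg: Segment, principal: str, op: str) -> bool:
    """Walk the ACL entry by entry: the per-access cost the notes call 'slow'."""
    for who, ops in seg.acl:
        if who == principal:
            return op in ops
    return False  # no entry means no access ("permission rather than exclusion")


class DescriptorTable:
    """Kernel-side table: opaque descriptor (capability) -> (segment, rights).

    The table records *what* a descriptor permits, not *who* currently holds
    it, which is why revoking a principal's access is awkward.
    """

    def __init__(self) -> None:
        self._table = {}

    def open(self, seg: Segment, principal: str, op: str) -> str:
        """One ACL walk at open time; afterwards the token alone suffices."""
        if not acl_check(seg, principal, op):
            raise PermissionError(f"{principal} may not {op} {seg.name}")
        token = secrets.token_hex(8)  # unguessable, so not forgeable by user code
        self._table[token] = (seg, frozenset({op}))
        return token

    def use(self, token: str, op: str) -> bool:
        """Constant-time check against the descriptor; the ACL is not consulted."""
        entry = self._table.get(token)
        return entry is not None and op in entry[1]

    def pass_to_child(self, token: str) -> str:
        """A child inherits the descriptor (like a Unix fd surviving fork)."""
        return token  # same token, same rights, no re-check

    def close(self, token: str) -> None:
        """Destroying the descriptor is the only revocation the table offers."""
        self._table.pop(token, None)


def demo_revocation() -> tuple:
    """Remove alice from the ACL after she has opened the segment.

    Returns (acl_check_now, descriptor_still_works): the ACL answers 'no'
    immediately, but the outstanding capability keeps working until closed.
    """
    seg = Segment("secret.txt", acl=[("alice", {"read"})])  # constructed sample
    table = DescriptorTable()
    fd = table.open(seg, "alice", "read")
    child_fd = table.pass_to_child(fd)
    seg.acl.clear()  # administrator revokes alice's entry
    return acl_check(seg, "alice", "read"), table.use(child_fd, "read")


if __name__ == "__main__":
    print(demo_revocation())  # (False, True)
```

The asymmetry in `demo_revocation` is the whole trade-off in one call: the ACL side is authoritative but costs a walk per access, the capability side is cheap to check and cheap to hand to a child, and the price is that revocation means finding and closing every outstanding descriptor.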

More Principles

  • Permission rather than exclusion
  • Check every access to every object
  • No reliance on secrecy of the design
  • Principle of least privilege
    • That’s the reason you should not run as root even when you could

Segments and ACLs

  • Windows can list who can access a given file, while Unix can’t.
  • Multics uses ACLs on segments (e.g. files).
  • ACLs therefore provide a uniform mechanism for
    • protecting data
    • controlling execution
  • How are these ACLs different than in Unix?

Protected Subsystems

  • What is a protected subsystem?
    • a kind of subdomain
    • collection of procedures and data that can only be used via designated entry points
      • You can’t access the device directly, but the OS provides a system call (this is the entry point) through which you access the device.

Rings of protection

  • Multics imposes a nesting constraint on all subsystems that operate within a single process: each subsystem is assigned a number between 0 and 7
  • The hardware permits a subsystem to use all descriptors containing protected-subsystem numbers greater than or equal to its own.
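The nesting constraint stated above, written out as an added example (not Multics code and not its actual hardware check): a descriptor carries the protected-subsystem number of what it names, and a caller in ring r may use it directly only if that number is at least r. To tie it to the "designated entry points" of the Protected Subsystems section, a descriptor can be flagged as a gate, which is an assumption of this model: a call inward (to a lower ring) that is not through a gate faults. The descriptor names and ring assignments are constructed sample values.

```python
from dataclasses import dataclass

NUM_RINGS = 8  # rings 0..7, as in the notes


@dataclass(frozen=True)
class Descriptor:
    """A descriptor naming a segment, tagged with its protected-subsystem number."""
    name: str
    ring: int
    gate: bool = False  # designated entry point? (modelling assumption, not Multics' exact scheme)


def can_use(caller_ring: int, desc: Descriptor) -> bool:
    """Nesting rule: a subsystem may use descriptors whose ring >= its own."""
    if not 0 <= caller_ring < NUM_RINGS:
        raise ValueError(f"ring must be in 0..{NUM_RINGS - 1}")
    if not 0 <= desc.ring < NUM_RINGS:
        raise ValueError(f"descriptor {desc.name} has invalid ring {desc.ring}")
    return desc.ring >= caller_ring


def try_call(caller_ring: int, desc: Descriptor) -> str:
    """Outcome of a reference from caller_ring to desc.

    'direct': allowed by the nesting rule (same or less privileged ring)
    'gate'  : inward call, permitted only because desc is a designated entry point
    'fault' : inward reference to data or code that is not an entry point
    """
    if can_use(caller_ring, desc):
        return "direct"
    if desc.gate:
        return "gate"
    return "fault"


def usable_set(caller_ring: int, descriptors) -> set:
    """Names of everything a subsystem in caller_ring may touch without a gate."""
    return {d.name for d in descriptors if can_use(caller_ring, d)}


# Constructed sample descriptor table for a single process.
SAMPLE = [
    Descriptor("kernel_tables", ring=0),
    Descriptor("fs_open_gate", ring=1, gate=True),
    Descriptor("shared_library", ring=4),
    Descriptor("user_data", ring=6),
]


if __name__ == "__main__":
    for r in (0, 4, 6):
        print(r, sorted(usable_set(r, SAMPLE)))
    print(try_call(6, SAMPLE[0]), try_call(6, SAMPLE[1]), try_call(6, SAMPLE[3]))
```

Because the number lives in the descriptor rather than in the data, one piece of storage can be named by several descriptors, and whoever hands out a descriptor decides at which ring it becomes usable; that is the point behind the question posed next in the notes.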

Why associate protection with the descriptor instead of the data?

User Authentication
