Protection in Multics

Introduction (time-sharing, dynamic loading)

  • Multics is a time-sharing OS begun in 1965 and used until 2000
  • Primary usage was with a mainframe and multiple terminals
  • CPUs, memory, I/O controllers, and disk drives could be added or removed while the system was running.

Contribution

  • Segmented and Virtual Memory
    • the virtual address space is implemented by an array of descriptors, called the descriptor segment
  • Shared Memory multiprocessing
  • Hierarchical file System
  • Online reconfiguration
  • Reference Monitor
  • Protection Systems
  • Protection Domain Transitions
  • Multilevel Security Policies

Virtual Address Space

  • The segment descriptor list defines the virtual address space
    • every reference to virtual memory specifies both a segment number (an index into the descriptor list) and a word number within the segment (the offset)
  • Segments are mapped into memory
    • Mapped memory vs. explicit I/O:
      • Mapped memory: the file is written directly from memory after modification; efficient because it bypasses the file system cache; used a lot in servers.
      • Explicit I/O: a system call modifies the file; the chance of corrupting the file is low; easy to share between files.
  • A descriptor contains:
    • the basic descriptor: physical address and size of the segment
    • 3 permission bits: read, write and execute
    • the entry points of the protected subsystem (a collection of procedures and databases)
    • controls on which protected subsystem may use this descriptor
  • Each descriptor points to one segment and defines access to it
    • the ring it runs in
  • Using hardware-checked calls:
    • same cost in execution time as an ordinary procedure call
    • easy for users to develop their own programs (protected subsystems)
    • hardware is also provided to automatically check the addresses of all arguments as they are used

Protected Subsystems

  • What is a protected subsystem?
    • a kind of subdomain
    • collection of procedures and data that can only be used via designated entry points
      • You can’t access the device directly, but the OS provides you a system call (this is the entry point) to access the device.
    • gate : entry points

Rings of protection

  • Multics imposes a nesting constraint on all subsystems that operate within a single process: each subsystem is assigned a number between 0 and 7
  • The hardware permits a subsystem to use all of those descriptors containing protected subsystem numbers greater than or equal to its own.
  • Subsystem 4 can only use descriptors containing subsystem numbers 4-7 (roughly: it can call the entry points of subsystems 0-4)
  • Checked by hardware
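The descriptor checks and the ring rule above, as an added example in Python (a constructed model written for these notes, not Multics code): each reference is checked against the descriptor's bounds, permission bits and ring number, and a call into a more privileged ring succeeds only at a designated gate. The segment names, sizes and gate offsets in DESC_SEG are constructed sample values.

```python
from dataclasses import dataclass

# Constructed model of a Multics-style descriptor segment (added example, not Multics
# code). A descriptor names one segment and carries its size, three permission bits,
# the ring (protected subsystem number, 0 = most privileged .. 7) whose subsystem owns
# it, and the word offsets that are legal gate entry points for inward calls.
@dataclass(frozen=True)
class Descriptor:
    name: str
    size: int               # length in words; a valid offset is < size
    read: bool
    write: bool
    execute: bool
    ring: int
    gates: tuple = ()       # entry points callable from less privileged (higher) rings

def check_access(desc_seg, seg_no, offset, mode, current_ring):
    """One virtual-memory reference (segment number, word offset) in mode 'r', 'w'
    or 'e'. Returns True if the hardware performs it, False if it takes a fault."""
    if not 0 <= seg_no < len(desc_seg):
        return False                    # no descriptor: segment not in this address space
    d = desc_seg[seg_no]
    if not 0 <= offset < d.size:
        return False                    # bounds check against the descriptor's size
    if d.ring < current_ring:
        return False                    # nesting rule: ring r may use descriptors with ring >= r
    return {"r": d.read, "w": d.write, "e": d.execute}[mode]

def call_gate(desc_seg, seg_no, offset, current_ring):
    """Hardware-checked call. A call into a more privileged ring succeeds only at a
    designated gate. Returns the ring the caller executes in afterwards, or None."""
    if not 0 <= seg_no < len(desc_seg):
        return None
    d = desc_seg[seg_no]
    if d.ring < current_ring:           # inward call: domain transition through a gate
        return d.ring if offset in d.gates else None
    ok = check_access(desc_seg, seg_no, offset, "e", current_ring)
    return current_ring if ok else None # same or outer ring: ordinary execute check

# Constructed descriptor segment of one process: a ring-0 supervisor with two gates,
# a ring-1 shared library without gates, and a ring-4 user data segment.
DESC_SEG = [
    Descriptor("supervisor", 4096, False, False, True, 0, gates=(0, 64)),
    Descriptor("shared_lib", 2048, True, False, True, 1),
    Descriptor("user_data", 512, True, True, False, 4),
]
```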

Terminology

Segment --- ACL

Storage is logically organized in segments. A segment is also the unit of separate protection. Associated with each segment is an ACL (access control list): the names of the users permitted to reference the segment.

Process --- Principal Identifier

Each process is associated with a principal identifier (the name of the individual responsible for the actions of the process).

Process ---- Segment

Whenever the process attempts to access a segment, the principal identifier of the process is compared with those appearing in the access control list of the object.

Access Control List v.s. Capability List

ACL

  • Files are created, deleted, or modified more frequently than users -> the file system uses ACLs
  • Pros: easy management of a single file: just create the file and its ACL; easy to set up and understand
  • Cons: slow to check (must walk through the list)

Capabilities (have the opposite trade-offs)

  • A capability is like a descriptor (e.g. a file descriptor), which is returned when a user opens a file and destroyed when the file is closed
    • Pros: efficient to check and transfer
    • Cons: not as easy to set up; hard to revoke
  • “open file” -> check ACL -> return file descriptor (a key or capability; the capability list in the file descriptor encodes the rights to access the file) -> the descriptor can be passed to a child process (no need to check access all the time) ⇒ a conversion from ACL to C-list
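The ACL-to-capability conversion just described, as an added example in Python (a constructed model for these notes, not Multics code): open walks the ACL using the process's principal identifier, use only looks up the descriptor, fork hands the descriptor to the child unchanged, and a later ACL edit shows why revocation is hard. The Kernel/Process classes and the segment and principal names are constructed.

```python
from dataclasses import dataclass, field

# Constructed model of the "open file -> check ACL -> return descriptor" conversion
# (added example, not Multics code). Segments carry ACLs keyed by principal identifier.
# A process holds descriptors that act as capabilities: the ACL is walked once at open
# time and the granted rights are fixed in the descriptor, so use is a cheap lookup and
# the descriptor passes to a child unchanged, but a later ACL edit does not reach it.
@dataclass(frozen=True)
class Capability:
    segment: str
    rights: frozenset          # subset of {"r", "w", "e"} granted at open time

@dataclass
class Process:
    principal: str             # principal identifier responsible for the process's actions
    open_table: dict = field(default_factory=dict)   # descriptor number -> Capability

class Kernel:
    def __init__(self):
        self.acls = {}         # segment name -> {principal identifier: set of rights}

    def create(self, name, acl):
        self.acls[name] = {p: set(r) for p, r in acl.items()}

    def open(self, proc, name, wanted):
        """ACL check: walk the list for this principal. Returns a descriptor or None."""
        granted = self.acls[name].get(proc.principal, set())
        if not set(wanted) <= granted:
            return None                       # denied: no capability is issued
        fd = max(proc.open_table, default=2) + 1
        proc.open_table[fd] = Capability(name, frozenset(wanted))
        return fd

    def use(self, proc, fd, right):
        """Capability check: one table lookup, no ACL walk, no principal involved."""
        cap = proc.open_table.get(fd)
        return cap is not None and right in cap.rights

    def fork(self, proc):
        """The child inherits the descriptor table: rights transfer without re-checking."""
        return Process(proc.principal, dict(proc.open_table))

    def revoke(self, name, principal):
        """Editing the ACL stops future opens; descriptors already issued keep working."""
        self.acls[name].pop(principal, None)
```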

More Principles

  • Permission rather than exclusion
    • (Base the protection mechanisms on permission rather than exclusion. Safe.)
  • Check every access to every object
    • (Check every access to every object for current authority. Authority might change in the future.)
  • The design should not be secret
    • (Be aware of potential attackers)
  • Principle of least privilege
    • Every program and every privileged user should operate using the least amount of privilege necessary
    • That is the reason why you should not run as root even when you could

Segments and ACLs

  • Windows can list who can access a file, while Unix can’t.
  • Multics uses ACLs on segments (e.g. files).
  • ACLs therefore provide a uniform mechanism for
    • protecting data
    • controlling execution
  • How are these ACLs different from those in Unix?

Question: Why associate protection with the descriptor instead of the data?

Question: What mechanisms do HYDRA and Multics use to implement protection?

HYDRA: capabilities

Multics: ACLs for data on disk and descriptors for data in memory with hardware support.

Question: What are the trade-offs?

  • HYDRA:
    • pro: flexibility (makes it possible to build various security systems), finer-grained protection
    • con: overhead (every access to any object requires trapping into the kernel)
  • Multics:
    • pro: performance (hardware support)
    • con: portability (hardware support may not be available), coarser-grained protection
