The processes in an operating system must be protected from one another’s
tải về 252.86 Kb. Chế độ xem pdf
|
| 632
Chapter 14 Protection the list of gates. This scheme allows processes with limited access rights to call procedures in lower rings that have more access rights, but only in a carefully controlled manner. The main disadvantage of the ring (or hierarchical) structure is that it does not allow us to enforce the need-to-know principle. In particular, if an object must be accessible in domain D j but not accessible in domain D i , then we must have j < i. But this requirement means that every segment accessible in D i is also accessible in D j . The MULTICS protection system is generally more complex and less efficient than are those used in current operating systems. If protection interferes with the ease of use of the system or significantly decreases system performance, then its use must be weighed carefully against the purpose of the system. For instance, we would want to have a complex protection system on a computer used by a university to process students’ grades and also used by students for classwork. A similar protection system would not be suited to a computer being used for number crunching, in which performance is of utmost importance. We would prefer to separate the mechanism from the protection policy, allowing the same system to have complex or simple protection depending on the needs of its users. To separate mechanism from policy, we require a more general model of protection. 14.4 Access Matrix Our general model of protection can be viewed abstractly as a matrix, called an access matrix . The rows of the access matrix represent domains, and the columns represent objects. Each entry in the matrix consists of a set of access rights. Because the column defines objects explicitly, we can omit the object name from the access right. The entry access (i,j) defines the set of operations that a process executing in domain D i can invoke on object O j . To illustrate these concepts, we consider the access matrix shown in Figure 14.3. There are four domains and four objects—three files (F 1 , F 2 , F 3 ) and one laser printer. A process executing in domain D 1 can read files F 1 and F 3 . A process executing in domain D 4 has the same privileges as one executing in object printer read read execute read write read write read F 1 D 1 D 2 D 3 D 4 F 2 F 3 domain tải về 252.86 Kb. Chia sẻ với bạn bè của bạn:
|