14.15
Discuss the strengths and weaknesses of implementing an access matrix
using access lists that are associated with objects.
14.16
Discuss the strengths and weaknesses of implementing an access matrix
using capabilities that are associated with domains.
14.17
Explain why a capability-based system such as Hydra provides greater
flexibility than the ring-protection scheme in enforcing protection
policies.
652
Chapter 14
Protection
14.18
Discuss the need for rights amplification in Hydra. How does this
practice compare with the cross-ring calls in a ring-protection scheme?
14.19
What is the need-to-know principle? Why is it important for a protec-
tion system to adhere to this principle?
14.20
Discuss which of the following systems allow module designers to
enforce the need-to-know principle.
a. The
MULTICS
ring-protection scheme
b. Hydra’s capabilities
c.
JVM
’s stack-inspection scheme
14.21
Describe how the Java protection model would be compromised if a
Java program were allowed to directly alter the annotations of its stack
frame.
14.22
How are the access-matrix facility and the role-based access-control
facility similar? How do they differ?
14.23
How does the principle of least privilege aid in the creation of protection
systems?
14.24
How can systems that implement the principle of least privilege still
have protection failures that lead to security violations?
Bibliographical Notes
The access-matrix model of protection between domains and objects was
developed by [Lampson (1969)] and [Lampson (1971)]. [Popek (1974)] and
[Saltzer and Schroeder (1975)] provided excellent surveys on the subject
of protection. [Harrison et al. (1976)] used a formal version of the access-
matrix model to enable them to prove properties of a protection system
mathematically.
The concept of a capability evolved from Iliffe’s and Jodeit’s codewords,
which were implemented in the Rice University computer ([Iliffe and Jodeit
(1962)]). The term capability was introduced by [Dennis and Horn (1966)].
The Hydra system was described by [Wulf et al. (1981)]. The
CAP
system
was described by [Needham and Walker (1977)]. [Organick (1972)] discussed
the
MULTICS
ring-protection system.
Revocation was discussed by [Redell and Fabry (1974)], [Cohen and
Jefferson (1975)], and [Ekanadham and Bernstein (1979)]. The principle of
separation of policy and mechanism was advocated by the designer of
Hydra ([Levin et al. (1975)]). The confinement problem was first discussed
by [Lampson (1973)] and was further examined by [Lipner (1975)].
The use of higher-level languages for specifying access control was sug-
gested first by [Morris (1973)], who proposed the use of the
seal
and
unseal
operations discussed in Section 14.9. [Kieburtz and Silberschatz (1978)],
[Kieburtz and Silberschatz (1983)], and [McGraw and Andrews (1979)] pro-
posed various language constructs for dealing with general dynamic-resource-
management schemes. [Jones and Liskov (1978)] considered how a static access-
Chia sẻ với bạn bè của bạn: |
