14.3
Domain of Protection
631
ring 0
ring 1
ring N – 1
• • •
Figure 14.2 MULTICS ring structure.
to control reading, writing, and execution. The association between segments
and rings is a policy decision with which we are not concerned here.
A
current-ring-number counter
is associated with each process, iden-
tifying the ring in which the process is executing currently. When a process is
executing in ring i, it cannot access a segment associated with ring j (j < i). It
can access a segment associated with ring k (k ≥ i). The type of access, however,
is restricted according to the access bits associated with that segment.
Domain switching in
MULTICS
occurs when a process crosses from one ring
to another by calling a procedure in a different ring. Obviously, this switch must
be done in a controlled manner; otherwise, a process could start executing in
ring 0, and no protection would be provided. To allow controlled domain
switching, we modify the ring field of the segment descriptor to include the
following:
•
Access bracket
. A pair of integers, b1 and b2, such that b1 ≤ b2.
•
Limit
. An integer b3 such that b3 > b2.
•
List of gates
. Identifies the entry points (or
gates
) at which the segments
may be called.
If a process executing in ring i calls a procedure (or segment) with access bracket
(b1,b2), then the call is allowed if b1 ≤ i ≤ b2, and the current ring number of
the process remains i. Otherwise, a trap to the operating system occurs, and
the situation is handled as follows:
•
If i < b1, then the call is allowed to occur, because we have a transfer to a
ring (or domain) with fewer privileges. However, if parameters are passed
that refer to segments in a lower ring (that is, segments not accessible to
the called procedure), then these segments must be copied into an area
that can be accessed by the called procedure.
•
If i > b2, then the call is allowed to occur only if b3 is greater than or equal
to i and the call has been directed to one of the designated entry points in
Chia sẻ với bạn bè của bạn: |
