protection and security in operating systems

INSTITUTE OFAERONAUTICALENGINEERING
(Autonomous)
Dundigal, Hyderabad - 500 043
OPERATING SYSTEMS
Course Code:ACSC12
UNIT-V
1

Operating System
TEXT BOOKS:
1. Abraham Silberschatz, Peter B. Galvin, Greg Gagne,
“Operating System Principles”, 8e, Wiley Student Edition.
2.W. Stallings, “Operating Systems - Internals and Design
Principles”, 6e, Pearson.
REFERENCES:
1. P. C. P. Bhatt, “An Introduction to Operating Systems”, PHI.
.

UNIT-V
Syllabus
Deadlocks – System Model, Deadlock Characterization,
Methods for Handling Deadlocks, Deadlock Prevention,
DeadlockAvoidance, Deadlock Detection and Recovery from
Deadlock.
Protection – System Protection, Goals of Protection,
Principles of Protection, Domain of Protection,Access
Matrix, Implementation ofAccess Matrix,Access Control,
Revocation of Access Rights, Capability-Based Systems,
Language-Based Protection.

Operating Systems 5
Deadlocks
• The Deadlock Problem
• System Model
• Deadlock Characterization
• Methods for Handling Deadlocks
• Deadlock Prevention
• Deadlock Avoidance
• Deadlock Detection
• Recovery from Deadlock

Operating Systems 6
Chapter Objectives
• To develop a description of deadlocks,
which prevent sets of concurrent
processes from completing their tasks
• To present a number of different
methods for preventing or avoiding
deadlocks in a computer system.

Operating Systems 7
Deadlocks
• A set of blocked processes each holding a resource and waiting to
acquire a resource held by another process in the set.
• In a multiprogramming environment, several processes may
compete for a finite number of resources. A process requests
resources; if the resources are not available at that time, the
process enters into a waiting state. Sometimes, a waiting process
is never again able to change its state, because the resources it
has requested are held by some other waiting processes. This
situation is called as Deadlock.

Operating Systems 8
System Model
• Resource types R1, R2, . . ., Rm
CPU cycles, memory space, I/O devices.
• Each process utilizes a resource as follows:
– request : The process requests the resource. If the
request cannot be granted immediately, for e.g, if
the resource is being used by another process, then
the requesting process must wait until it can acquire
the resource.
– Use: The process can operate on the resource for
e.g, if the resource is a printer, the process can print
on the printer.
– Release: The process release the resources.

Operating Systems 9
Deadlock Characterization
Deadlock can arise if four conditions hold simultaneously.
• Mutual exclusion: only one process in a system which cannot be shared
simultaneously by more than one process.
• Hold and wait: a process holding at least one resource is waiting to acquire
additional resources held by other processes.
• No preemption: once a resource is allocated to a particular process that
resource cannot be preempted, the process has to voluntarily should release
the resource and complete the task.
• Circular wait: there exists a set {P0, P1, …, P0} of waiting processes such that P0
is waiting for a resource that is held by P1, P1 is waiting for a resource that is
held by
P2, …, Pn–1 is waiting for a resource that is held by
Pn, and P0 is waiting for a resource that is held by P0.

Operating Systems 10
• If it overcome all the four conditions in a system, then we have
overcome Deadlock
• If at least one condition is overcome, then we can say sometimes
as Deadlock has been overcome.

Resource-Allocation Graph
The Deadlock can easily be identified in the graphical format.
• A graph is represented as a pair i.e., G=(V,E)
• V is partitioned into two types of nodes:
– P = {P1, P2, …, Pn}, the set consisting of all the active
processes in the system.
– R = {R1, R2, …, Rm}, the set consisting of all resource
types in the system.
• E is partitioned into two types:
• request edge – directed edge P1  Rj
• allocation edge – directed edge Rj  Pi

Resource-Allocation Graph (Cont.)
• Process
• Resource Type with 4 instances
• Pi is holding an instance of Rj
Pi
Rj
• Pi requests instance of Rj
Pi
Rj

• The Resource-allocation graph shown in the graph depicts the
following situation
The sets P,R,E.
P={P1,P2,P3}
R={R1,R2,R3,R4}
E={P1->R1 , P2->R3 , R1->P2 , R2->P2 , R2->P1 , R3->P3 }
Resources instances:
One instance of resource type R1
Two instances of resource type R2
Three instances of resource type R4.
Example of a Resource Allocation Graph

• In the above RAG, in resource type R1, we have got single
instance of resource.
• In resource type R2, we have got two instances of resources.
• In resource type R3, we have got single instance of a resource.
• In resource type R4, we have got three instance of a resources.
So, at a particular type of an instance, a resource type R3 is allocated
to process P3 and P3is not waiting for any other resource.
Similarly, process P2 is holding an instance of resource type R1 and
even it is holding an instance of a resource type R2, and it is
waiting for an instance of resource type R3.
Similarly, the process P1 is holding an instance of resource type R2,
and it is waiting for a resource type R1.
---------So, at this particular situation, it doesnot lead to Deadlock.

• The Resource-allocation graph shown in the graph depicts the following
situation
The sets P,R,E.
P={P1,P2,P3}
R={R1,R2,R3,R4}
E={P1->R1 , P2->R3 , R1->P2 , R2->P2 , R2->P1 , R3->P3 , P3->R2}
Three instances of resource type R4.
Example of Resource Allocation Graph With A Deadlock

Resource Allocation Graph With A Deadlock

• The Resource-allocation graph shown in the graph depicts the following
situation
The sets P,R,E.
P={P1,P2,P3,P4}
R={R1,R2}
E={P1->R1 , R1->P2 , R1->P3 , R2->P1 , R2->P4 , P3->R2}
Example of Resource Allocation Graph With A Cycle But No Deadlock

Resource Allocation Graph With A Cycle But No Deadlock

• In the above RAG, the cycle from P1R1P3R2P1, but even
in the presence of this cycle, it does not lead to a deadlock,
because the process P2 and P4 though they r holding the
resource types R1 and R2 but they are not waiting for any other
resource, they will complete their operation and will release the
resources, and whenever they release the resources that
resources are allocated to the requesting processes.
• So, this is an example of RAG even when there is a cycle, then it
does not lead to deadlock.
• However, if every resource type contains a single instance of the
resource in that case existence of a cycle means there is always a
deadlock.
• In the above RAG, if we remove a single instance from R1 and R2,
then there is an existence of deadlock

Basic Facts
• If graph contains no cycles  there can be a deadlock
or may not be a deadlock.
• If graph contains a cycle  there can be a deadlock or
may not be a deadlock.
• If every resource type contains a multiple instance of a
resource, then the existence of cycle means then there
may be a deadlock or may not be a deadlock.
• If every resource type contains a single instance of a
resource, then the existence of cycle means then there
is a deadlock.

Methods for Handling Deadlocks
• Ensure that the system will never enter a deadlock
state.
• Allow the system to enter a deadlock state and
then recover.
• Ignore the problem and pretend that deadlocks
never occur in the system; used by most operating
systems, including UNIX.

Different kinds of strategies
The three different kinds of strategies to overcome deadlock:
1. Deadlock Prevention: Preventing the deadlock from the occurrence.
2. Deadlock Avoidance: Avoiding the deadlock from the occurrence.
3. Deadlock detection and Recovery: In this, we allow the system to allocate
the resources whenever it is available and periodically it check whether
there has been a deadlock or not.
If there is a deadlock, we will try to break
down it.
This will also lead insufficient utilization of resources.

Deadlock Prevention
There will be a restrictions on the processes, the way they request for the resources
• In this, we will try to break either,Mutual Exclusion or hold
and wait, No Preemption, Circular wait.
• Mutual Exclusion – Cannot be broken.i.e., always there is
some resource in a system which is always mutual exclusive.
• Hold and Wait – can be avoided i.e., it means whenever a
process is requesting an additional resource it is holding
some other resource with it.
– For each process it must require all the resources before
its execution.
– A Process must request a resource if it doesn’t have any.
Disadvantages
1. It uses poor utilization of resources but it solves the
deadlock problem.
Operating Systems
2. Starvation is possible.
234

Deadlock Prevention (Cont.)
• No Preemption –can be broken
– If a process that is holding some resources requests another
resource that cannot be immediately allocated to it, then all
resources currently being held are released.
– Preempted resources are added to the list of resources for
which the process is waiting.

• Circular Wait – can be broken if we allow the processes to request a
resource in a particular order.
We define a mapping function:
F:RN i.e., for every resource type I have a corresponding
integer number.
A process while holding a resource type Ri put a request for a resource
type Rj only when F(Rj)>F(Ri).
Before putting a request for Rj, it should release the resource type Ri. So,
if this condition cannot satisfy then the process cannot put the
request for a resource type Rj.

Deadlock Avoidance
Requires that the system has some additional a priori information
available.
• Simplest and most useful model requires that each process
declare the maximum number of resources of each type that it
may need.
• The deadlock-avoidance algorithm dynamically examines the
resource-allocation state to ensure that there can never be a
circular-wait condition.
• Resource-allocation state is defined by the number of available
and allocated resources, and the maximum demands of the
processes.

Safe State
• When a process requests an available resource, system must
decide if immediate allocation leaves the system in a safe state.
• System is in safe state if there exists a safe sequence of all
processes.
• Sequence <P1, P2, …, Pn> is safe if for each Pi, the resources that Pi
can still request can be satisfied by currently available resources +
resources held by all the Pj, with j<I.
– If Pi resource needs are not immediately available, then Pi can
wait until all Pj have finished.
– When Pj is finished, Pi can obtain needed resources, execute,
return allocated resources, and terminate.
– When Pi terminates, Pi+1 can obtain its needed resources, and
so on.

Basic Facts
• If a system is in safe state  no deadlocks.
• If a system is in unsafe state  possibility of
deadlock.
• Avoidance  ensure that a system will never
enter an unsafe state.

Safe, Unsafe , Deadlock State

Banker’s Algorithm
• Multiple instances.
• Each process must a priori claim maximum use.
• When a process requests a resource it may have
to wait.
• When a process gets all its resources it must
return them in a finite amount of time.

Data Structures for the Banker’s Algorithm
Let n = number of processes, and m = number of resources types.
• Available: Vector of length m. If available [j] = k, there are
k instances of resource type Rj available.
• Max: n x m matrix. If Max [i,j] = k, then process Pi may
request at most k instances of resource type Rj.
• Allocation: n x m matrix. If Allocation[i,j] = k then Pi is
currently allocated k instances of Rj.
• Need: n x m matrix. If Need[i,j] = k, then Pi may need k
more instances of Rj to complete its task.
Need [i,j] = Max[i,j] – Allocation [i,j].

Safety Algorithm
1. Let Work and Finish be vectors of length m and n,
respectively. Initialize:
Work = Available
Finish [i] = false for i - 1,2,3, …, n.
2. Find and i such that both:
(a) Finish [i] = false
(b) Needi  Work
If no such i exists, go to step 4.
3. Work = Work + Allocationi
Finish[i] = true
go to step 2.
4. If Finish [i] == true for all i, then the system is in a safe
state.

Resource-Request Algorithm for Process Pi
Request = request vector for process Pi. If Requesti [j] = k then process
Pi wants k instances of resource type Rj.
1. If Requesti  Needi go to step 2. Otherwise, raise error condition,
since process has exceeded its maximum claim.
2. If Requesti  Available, go to step 3. Otherwise Pi must wait,
since resources are not available.
3. Pretend to allocate requested resources to Pi by modifying the
state as follows:
Available = Available - Requesti;
Allocationi = Allocationi + Requesti;
Needi = Needi – Requesti;
 If safe  the resources are allocated to Pi.
 If unsafe  Pi must wait, and the old resource-allocation
state is restored

Example of Banker’s Algorithm
• 5 processes P0 through P4; 3 resource types A
(10 instances),
B (5instances, and C (7 instances).
• Snapshot at time T0:
Allocation Max Available
A B C A B C A B C
P0 0 1 0 7 5 3 3 3 2
P1 2 0 0 3 2 2
P2 3 0 2 9 0 2
P3 2 1 1 2 2 2
P4 0 0 2 4 3 3

Example (Cont.)
• The content of the matrix. Need is defined to be Max –
Allocation.
Need
A B C
P0 7 4 3
P1 1 2 2
P2 6 0 0
P3 0 1 1
P4 4 3 1
• The system is in a safe state since the sequence < P1, P3, P4, P2,
P0> satisfies safety criteria.

Example P1 Request (1,0,2) (Cont.)
• Check that Request  Available (that is, (1,0,2)  (3,3,2)  true.
Allocation Need Available
A B C A B C A B C
P0 0 1 0 7 4 3 2 3 0
P1 3 0 2 0 2 0
P2 3 0 1 6 0 0
P3 2 1 1 0 1 1
P4 0 0 2 4 3 1
• Executing safety algorithm shows that sequence <P1, P3, P4, P0,
P2> satisfies safety requirement.
• Can request for (3,3,0) by P4 be granted?
• Can request for (0,2,0) by P0 be granted?

Deadlock Detection
• Allow system to enter deadlock state
• Detection algorithm
• Recovery scheme

Single Instance of Each Resource Type
• Maintain wait-for graph
– Nodes are processes.
– Pi  Pj if Pi is waiting for Pj.
• Periodically invoke an algorithm that searches for a cycle
in the graph.
• An algorithm to detect a cycle in a graph requires an order
of n2 operations, where n is the number of vertices in the
graph.

Resource-Allocation Graph and Wait-for Graph
Resource-Allocation Graph Corresponding wait-for graph

Several Instances of a Resource Type
• Available: A vector of length m indicates the
number of available resources of each type.
• Allocation: An n x m matrix defines the number of resources of
each type currently allocated to each process.
• Request: An n x m matrix indicates the current request of each
process. If Request [ij] = k, then process Pi is requesting k more
instances of resource type. Rj.

Detection Algorithm
1. Let Work and Finish be vectors of length m and n,
respectively Initialize:
(a) Work = Available
(b) For i = 1,2, …, n, if Allocationi  0, then
Finish[i] = false;otherwise, Finish[i] = true.
2. Find an index i such that both:
(a) Finish[i] == false
(b) Requesti  Work
If no such i exists, go to step 4.

Detection Algorithm (Cont.)
3. Work = Work + Allocationi
Finish[i] = true
go to step 2.
4. If Finish[i] == false, for some i, 1  i  n, then the
system is in deadlock state. Moreover, if Finish[i] ==
false, then Pi is deadlocked.
Algorithm requires an order of O(m x n2) operations to
detect whether the system is in deadlocked state.

Example of Detection Algorithm
• Five processes P0 through P4;three resource types
A (7 instances), B (2 instances), and C (6 instances).
• Snapshot at time T0:
Allocation Request Available
A B C A B C A B C
P0 0 1 0 0 0 0 0 0 0
P1 2 0 0 2 0 2
P2 3 0 3 0 0 0
P3 2 1 1 1 0 0
P4 0 0 2 0 0 2
• Sequence <P0, P2, P3, P1, P4> will result in Finish[i] =
true for all i.

Example (Cont.)
• P2 requests an additional instance of type C.
Request
A B C
P0 0 0 0
P1 2 0 1
P2 0 0 1
P3 1 0 0
P4 0 0 2
• State of system?
– Can reclaim resources held by process P0, but insufficient
resources to fulfill other processes; requests.
– Deadlock exists, consisting of processes P1, P2, P3, and P4.

Detection-Algorithm Usage
• When, and how often, to invoke depends on:
– How often a deadlock is likely to occur?
– How many processes will need to be rolled back?
• one for each disjoint cycle
• If detection algorithm is invoked arbitrarily, there may
be many cycles in the resource graph and so we would
not be able to tell which of the many deadlocked
processes “caused” the deadlock.

Recovery from Deadlock: Process Termination
• Abort all deadlocked processes.
• Abort one process at a time until the deadlock cycle is eliminated.
• In which order should we choose to abort?
– Priority of the process.
– How long process has computed, and how much longer to
completion.
– Resources the process has used.
– Resources process needs to complete.
– How many processes will need to be terminated.
– Is process interactive or batch?

Recovery from Deadlock: Resource Preemption
• Selecting a victim – minimize cost.
• Rollback – return to some safe state, restart process for
that state.
• Starvation – same process may always be picked as
victim, include number of rollback in cost factor.

Overview
• Goals of Protection
• Principles of Protection
• Domain of Protection
• Access Matrix
• Implementation ofAccess Matrix
• Access Control
• Revocation ofAccess Rights
• Capability-Based Systems
• Language-Based Protection

 Operating system uses two sets of techniques to computer
threats to information namely:
1. Protection
2. Security
Protection: It involves guarding a user’s data programs against
interference by other authorized users of the system.
Security: It involves guarding a users' data programs against
interference by external entities. E.g.: unauthorized persons

Protection
• It refers to a mechanism for controlling the
access of programs, processes, or users to
the resources defined by a computer system.
• Protection is required against the shared
memory , logical space etc.
• The most obvious is the need to prevent
mischievous, intentional violation of an
access restriction by a user.

Goals of Protection
• To ensure that each shared resource is used
only in accordance with the system policies,
which may be set either by system designer or
by system administrator.

Goals of Protection
• In one protection model, computer consists
of a collection of objects, hardware or
software
• Each object has a unique name and can be
accessed through a well-defined
operations
set of
• Protection problem - ensure that each object
is accessed correctly and only by those
processes that are allowed to do so.

Goals of Protection
• The role of protection in a computer system is to
provide a mechanism for the enforcement of the
policies governing resource use.
• These policies can be established in a variety of
ways. Some are fixed in the design of the
system, while others are formulated by the
management of a system.
• Policies for resource use may vary by
application, and they may change over time.

Principles of Protection
• Guiding principle – principle of least privilege
– Programs, users and systems should be given just enough privileges to
perform their tasks
– Limits damage if entity has a bug, gets abused
– Can be static (during life of system, during life of process)
– Or dynamic (changed by process as needed) – domain switching, privilege
escalation(RBAC)
• Must consider “grain” aspect
– Rough-grained privilege management easier, simpler, but least privilege now
done in large chunks
• For example, traditional Unix processes either have abilities of the
associated user, or of root
– Fine-grained management more complex, more overhead, but more
protective
• File ACL lists, RBAC
• Domain can be user, process, procedure

Domain Structure
• Access-right = <object-name, rights-set>
where rights-set is a subset of all valid operations that can be performed
on the object
• Domain = set of access-rights

Domains
• A domain can be realized in a variety of ways:
• Each user may be a domain.
– The set of objects that can be accessed depends on the identity of the
user.
– Domain switching occurs when the user is changed—generally when
one user logs out and another user logs in.
• Each process may be a domain.
– The set of objects that can be accessed depends on the identity of the
process.
– Domain switching occurs when one process sends a message to
another process and then waits for a response.
• Each procedure may be a domain.
– The set of objects that can be accessed corresponds to the local
variables defined within the procedure.
– Domain switching occurs when a procedure call is made.

• Domain = user-id
• Domain switch accomplished via file system
• Each file has associated with it a domain bit (setuid bit)
• When file is executed and setuid = on, then user-id is set to
owner of the file being executed
• When execution completes user-id is reset
• Domain switch accomplished via passwords
– su command temporarily switches to another user’s domain when
other domain’s password provided
• Domain switching via commands
– sudo command prefix executes specified command in another
domain (if original domain has privilege or password given)
Domain Implementation (UNIX)

Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains
• Columns represent objects
• When a user creates a new object ,a column is added to the
access matrix
• Access(i, j) is the set of operations that a process executing in
Domaini can invoke on Objectj

Access Matrix

Access Matrix
• The access matrix provides an appropriate
mechanism for defining and implementing strict
control for both the static and dynamic association
between processes and domains.
• When we switch a process from one domain to
another, we are executing an operation (switch) on an
object (the domain).
• Processes should be able to switch from one
domain to another.
• A process executing in domain D2 can switch to
domain D3 or to domain D4.

Access Matrix of Figure A
with Domains as Objects

• If a process in Domain Di tries to do “op” on object Oj, then “op” must
be in the access matrix
• User who creates object can define access column for that object
• Can be expanded to dynamic protection
– Operations to add, delete access rights
– Special access rights:
• owner of Oi
• copy op from Oi to Oj (denoted by “*”)
• control – Di can modify Dj access rights
• transfer – switch from domain Di to Dj
– Copy and Owner applicable to an object
– Control applicable to domain object
Use of Access Matrix

Access Matrix with Copy Rights

• The ability to copy an access right from one
domain (or row) of the access matrix to another
is denoted by an asterisk (*) appended to the
access right.
• The copy right allows the copying of the access
right only within the column (that is, for the
object) for which the right is defined.
• A process executing in domain D2 can copy the
read operation into any entry associated with file
F2.

• A right is copied from access(i, j) to access(k,j);
it is then removed from access(i,j). This action
is a transfer of a right, rather than a copy.
• Propagation of the copy right may be limited.
That is, when the right R* is copied from
access(i,j) to access(k,j), only the right R (not
R*) is created.
• A process executing in domain Dk cannot
further copy the right R.

Access Matrix With Owner Rights

Access Matrix With Owner Rights
• If access(i,j) includes the owner right, then a
process executing in domain Di, can add and
remove any right in any entry in column j.
• For example, in Figure , domain Di is the
owner of F1, and thus can add and delete any
valid right in column F1.

Access Matrix With Control Rights
• The copy and owner rights allow a process to change the
entries in a column.
• Amechanism is also needed to change the entries in a row.
• The control right is applicable only to domain objects. If access(i,j)
includes the control right, then a process executing in domain Di
can remove any access right from row j.
• For example, suppose that, we include the control right in
access(D2, D4).
• Then, a process executing in domain D2 could modify domain
D4.

Modified Access Matrix of Figure B

Implementation of Access Matrix
• Global table
– Store ordered triples < domain, object, rights-set > in table
– Arequested operation M on object Oj within domain Di ->
search table for < Di, Oj, Rk >
• with M ∈ Rk
– But table could be large -> won’t fit in main memory
– Additional I/O is required

• Access lists for objects(ACL)
– Each column implemented as an access list for one object
– Resulting per-object list consists of ordered pairs< domain,
rights-set > defining all domains with non-empty set of
access rights for the object
– Easily extended to contain default set -> If M ∈ default set,
also allow access

• Capability Lists for Domains
– Instead of object-based, list is domain based
– Acapability list for a domain is a list of objects together with
the operations allowed on those objects.

• Lock Key Mechanism
– Compromise between access lists and capability lists
– Each object has a list of unique bit patterns, called
locks.
– Similarly, each domain has a list of unique bit patterns,
called keys.
– A process executing in a domain can access an object
only if that domain has a key that matches one of the
locks of the object.

ACL and Capability List
• Each column =Access-control list for one object
Defines who can perform what operation
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
• Each Row = Capability List (like a key)
For each domain, what operations allowed on what objects
Object F1 – Read
Object F4 – Read, Write, Execute
Object F5 – Read, Write, Delete, Copy

• Many trade-offs to consider
– Global table is simple, but can be large
– Access lists correspond to needs of users
• Determining set of access rights for domain non-localized so difficult
• Every access to an object must be checked
– Many objects and access rights -> slow
– Capability lists useful for localizing information for a given process
• But revocation capabilities can be inefficient
– Lock-key effective and flexible, keys can be passed freely from domain to domain, easy
revocation
• Most systems use combination of access lists and capabilities
– First access to an object -> access list searched
• If allowed, capability created and attached to process
– Additional accesses need not be checked
• After last access, capability destroyed
• Consider file system withACLs per file
Comparison of Implementations

Access Control
• Protection can be applied to non-file resources
• Solaris 10 provides role-based access control (RBAC) to implement least
privilege
– Privilege is right to execute system call or use an option within a
system call
– Can be assigned to processes
– Users assigned roles granting access to privileges and programs
• Enable role via password to gain its privileges
– Similar to access matrix

Role-based Access Control in Solaris 10

• Various options to remove the access right of a domain to an object
– Immediate vs. delayed
– Selective vs. general
– Partial vs. total
– Temporary vs. permanent
• Access List – Delete access rights from access list
– Simple – search access list and remove entry
– Immediate, general or selective, total or partial, permanent or temporary
• Capability List – Scheme required to locate capability in the system before capability can be
revoked
– Reacquisition – periodic delete, with require and denial if revoked
– Back-pointers – set of pointers from each object to all capabilities of that object (Multics)
– Indirection – capability points to global table entry which points to object – delete entry
from global table, not selective (CAL)
– Keys – unique bits associated with capability, generated when capability created
• Master key associated with object, key matches master key for access
• Revocation – create new master key
• Policy decision of who can create and modify keys – object owner or others?
Revocation of Access Rights

What is capability?
• Suppose we design a computer system so that in order to
access an object, a program must have a special token.
• This token designates an object and gives the program the
authority to perform a specific set of actions (such as
reading or writing) on that object.
• Such a token is known as a capability

What is capability
• Capabilities can be delegated.
• Capabilities can be copied.

• Fixed set of access rights known to and interpreted by the system
– i.e. read, write, or execute each memory segment
– User can declare other auxiliary rights and register those with protection system
– Accessing process must hold capability and know name of operation
– Rights amplification allowed by trustworthy procedures for a specific type
• Interpretation of user-defined rights performed solely by user's
program; system provides access protection for use of these rights
• Operations on objects defined procedurally – procedures are objects
accessed indirectly by capabilities
• Solves the problem of mutually suspicious subsystems
– Includes library of prewritten security routines
Capability-Based Systems-Hydra

• Specification of protection in a programming language allows the
high-level description of policies for the allocation and use of
resources
• Language implementation can provide software for protection
enforcement when automatic hardware- supported checking is
unavailable
• Interpret protection specifications to generate calls on whatever
protection system is provided by the hardware and the operating
system.
Language-Based Protection

• Protection is handled by the Java Virtual Machine (JVM)
• A class is assigned a protection domain when it is loaded by the
JVM
• The protection domain indicates what operations the class can (and
cannot) perform
• If a library method is invoked that performs a privileged operation,
the stack is inspected to ensure the operation can be performed by
the library.
Protection in Java 2

protection and security in operating systems

More Related Content

protection and security in operating systems